Experiencing Redirects With Google Search Results


20 replies to this topic

#1 SBR249
Members, 13 posts

Posted 16 June 2008 - 10:17 AM

Hi,

I'm experiencing redirects when using search engines such as Google or Yahoo. The redirects take me to a variety of ad sites such as btcar.com, smartbizsearch.com, etc. I have tried to scan my computer both in normal and in safe mode with Spybot, Ad-Aware, and McAfee Enterprise VirusScan and I haven't been able to find anything. All scans were conducted using the most up-to-date definition files. Below are the DSS reports. I'm doing a Kaspersky scan right now and will post the report if needed when I'm done.

Thanks for your help.


main.txt:

Deckard's System Scanner v20071014.68
Run by SBR249 on 2008-06-16 09:06:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 1 Restore Point(s) --
1: 2008-06-16 05:33:46 UTC - RP356 - Windows Vista Service Pack 1


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as SBR249.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:43 AM, on 6/16/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:Windowssystem32taskeng.exe
C:Windowssystem32Dwm.exe
C:WindowsExplorer.EXE
C:Program FilesWindows DefenderMSASCui.exe
C:Program FilesLenovoHOTKEYTPOSDSVC.exe
C:WindowsSystem32TpShocks.exe
C:Program FilesThinkPadUtilitiesEZEJMNAP.EXE
C:WindowsSystem32rundll32.exe
C:Program FilesThinkVantagePrdCtrLPMGR.EXE
C:Program FilesMcAfeeVirusScan Enterpriseshstat.exe
C:Program FilesMcAfeeCommon FrameworkUdaterUI.exe
C:Program FilesMicrosoft IntelliPointipoint.exe
D:SoftwareWinPatrolWinPatrol.exe
C:Program FilesLenovoAwayTaskAwaySch.EXE
C:Program FilesCommon FilesLenovoSchedulerscheduler_proxy.exe
C:Program FilesLenovoClient Security Solutioncssauth.exe
D:SoftwareiTunesiTunesHelper.exe
C:WindowsSystem32igfxtray.exe
C:WindowsSystem32hkcmd.exe
C:WindowsSystem32igfxpers.exe
C:Program FilesAnalog DevicesCoresmax4pnp.exe
C:Program FilesWindows Sidebarsidebar.exe
C:UsersSBR249AppDataLocalFolderShareFolderShare.exe
C:Program FilesThinkPadBluetooth SoftwareBTTray.exe
C:Program FilesDigital Line DetectDLG.exe
C:Program FilesLenovoHOTKEYTPONSCR.exe
C:Program FilesLenovoZoomTpScrex.exe
C:Windowssystem32igfxsrvc.exe
C:Program FilesMicrosoft IntelliPointdpupdchk.exe
c:PROGRA~1mcafee.comagentmcagent.exe
C:Program FilesMcAfeeCommon FrameworkMcTray.exe
C:Program FilesLenovoClient Security Solutiontvtpwm_tray.exe
D:SoftwareMozilla Firefoxfirefox.exe
D:SoftwareSpywareGuardsgmain.exe
D:SoftwareSpywareGuardsgbhp.exe
D:SoftwareTrilliantrillian.exe
D:UtilitiesProgram Setupsdss.exe
C:Windowssystem32conime.exe
D:SoftwareHIJACK~1SBR249.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant =
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch =
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyOverride = *.local
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:SoftwareRealPlayerrpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:SoftwareBitComettoolsBitCometBHO_1.1.8.30.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:SoftwareSpywareGuarddlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:SoftwareSPYBOT~1SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:Program FilesMicrosoft OfficeOffice12GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.6.0_03binssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:Program FilesMcAfeeVirusScan Enterprisescriptcl.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:Program FilesLenovoClient Security Solutiontvtpwm_ie_com.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - D:SoftwareVeohTVPluginsregVeohToolbar.dll
O4 - HKLM..Run: [Windows Defender] %ProgramFiles%Windows DefenderMSASCui.exe -hide
O4 - HKLM..Run: [TPHOTKEY] C:Program FilesLenovoHOTKEYTPOSDSVC.exe
O4 - HKLM..Run: [TpShocks] TpShocks.exe
O4 - HKLM..Run: [EZEJMNAP] C:PROGRA~1ThinkPadUTILIT~1EzEjMnAp.Exe
O4 - HKLM..Run: [PWMTRV] rundll32 C:PROGRA~1ThinkPadUTILIT~1PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM..Run: [BLOG] rundll32 C:PROGRA~1ThinkPadUTILIT~1BTVLogEx.DLL,StartBattLog
O4 - HKLM..Run: [LPManager] C:PROGRA~1THINKV~2PrdCtrLPMGR.exe
O4 - HKLM..Run: [ShStatEXE] "C:Program FilesMcAfeeVirusScan EnterpriseSHSTAT.EXE" /STANDALONE
O4 - HKLM..Run: [McAfeeUpdaterUI] "C:Program FilesMcAfeeCommon FrameworkUdaterUI.exe" /StartedFromRunKey
O4 - HKLM..Run: [TPKMAPHELPER] C:Program FilesThinkPadUtilitiesTpKmapAp.exe -helper
O4 - HKLM..Run: [IntelliPoint] "C:Program FilesMicrosoft IntelliPointipoint.exe"
O4 - HKLM..Run: [WinPatrol] D:SoftwareWinPatrolWinPatrol.exe
O4 - HKLM..Run: [AwaySch] C:Program FilesLenovoAwayTaskAwaySch.EXE
O4 - HKLM..Run: [TVT Scheduler Proxy] C:Program FilesCommon FilesLenovoSchedulerscheduler_proxy.exe
O4 - HKLM..Run: [cssauth] "C:Program FilesLenovoClient Security Solutioncssauth.exe" silent
O4 - HKLM..Run: [iTunesHelper] "D:SoftwareiTunesiTunesHelper.exe"
O4 - HKLM..Run: [IgfxTray] C:Windowssystem32igfxtray.exe
O4 - HKLM..Run: [HotKeysCmds] C:Windowssystem32hkcmd.exe
O4 - HKLM..Run: [Persistence] C:Windowssystem32igfxpers.exe
O4 - HKLM..Run: [SoundMAXPnP] C:Program FilesAnalog DevicesCoresmax4pnp.exe
O4 - HKLM..RunOnce: [InnoSetupRegFile.0000000001] "C:Windowsis-2B8K8.exe" /REG
O4 - HKCU..Run: [Sidebar] C:Program FilesWindows Sidebarsidebar.exe /autoRun
O4 - HKCU..Run: [FolderShare] "D:SoftwareFolderShareFolderShare.exe" /background
O4 - HKCU..Run: [Windows Live FolderShare] "C:UsersSBR249AppDataLocalFolderShareFolderShare.exe" /background
O4 - HKUSS-1-5-19..Run: [Sidebar] %ProgramFiles%Windows SidebarSidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-19..Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-20..Run: [Sidebar] %ProgramFiles%Windows SidebarSidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: SpywareGuard.lnk = D:SoftwareSpywareGuardsgmain.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:Program FilesDigital Line DetectDLG.exe
O6 - HKCUSoftwarePoliciesMicrosoftInternet ExplorerControl Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:SoftwareBitCometBitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:SoftwareBitCometBitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:SoftwareBitCometBitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Add to Evernote - res://D:SoftwareEvernote 3enbar.dll/2000
O8 - Extra context menu item: Append to existing PDF - res://C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:Program FilesAdobeAcrobat 8.0AcrobatAcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~1Office12EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:Program FilesThinkPadBluetooth Softwarebtsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:Program FilesThinkPadBluetooth Softwarebtsendto_ie.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:Program FilesLenovoClient Security Solutiontvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:Program FilesLenovoClient Security Solutiontvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_03binssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_03binssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:PROGRA~1MICROS~1Office12ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:PROGRA~1MICROS~1Office12ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~1Office12REFIEBAR.DLL
O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - D:SoftwareEvernoteenbar.dll
O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - D:SoftwareEvernoteenbar.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:Program FilesThinkPadBluetooth Softwarebtsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:Program FilesThinkPadBluetooth Softwarebtsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:SoftwareSPYBOT~1SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:SoftwareSPYBOT~1SDHelper.dll
O9 - Extra button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - D:SoftwareEvernote 3enbar.dll
O9 - Extra 'Tools' menuitem: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - D:SoftwareEvernote 3enbar.dll
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:Program FilesMicrosoft OfficeOffice12GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:SoftwareAd-Awareaawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:Program FilesThinkPadConnectUtilitiesAcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:Program FilesThinkPadConnectUtilitiesAcSvc.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:Windowssystem32AEADISRV.EXE
O23 - Service: Apple Mobile Device - Apple, Inc. - C:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:Program FilesBonjourmDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - D:SoftwareVPN Clientcvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:Program FilesCommon FilesMacrovision SharedFLEXnet PublisherFNPLicensingService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:Windowssystem32ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:Program FilesCommon FilesInstallShieldDriver1050Intel 32IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:Program FilesiPodbiniPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:Windowssystem32IPSSVC.EXE
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:Windowssystem32lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:Windowssystem32lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:Windowssystem32lktsrv.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - D:SoftwareMatlab 7webserverbinwin32matlabserver.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:Program FilesCommon FilesMcAfeeHackerWatchHWAPI.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:Program FilesMcAfeeCommon FrameworkFrameworkService.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:PROGRA~1McAfeeMSCmcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:PROGRA~1McAfeeMSCmcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:PROGRA~1COMMON~1mcafeemnamcnasvc.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:PROGRA~1McAfeeMSCmcpromgr.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:Program FilesMcAfeeVirusScan Enterprisemcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:Program FilesMcAfeeVirusScan Enterprisevstskmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:Program FilesMcAfeeMPFMPFSrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - D:SoftwareNational InstrumentsSharedSecuritynidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:Windowssystem32nisvcloc.exe
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:PROGRA~1PHAROS~1CoreCTskMstr.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - D:SoftwareSpybot S&DSDWinSec.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:Program FilesLenovoSystem UpdateSUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:Program FilesCommon FilesLenovotvt_reg_monitor_svc.exe
O23 - Service: tp4serv - Lenovo Group Limited - C:Program FilesLenovoTrackPointTP4SERVINST.EXE
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:WindowsSystem32TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Unknown owner - C:Program FilesLENOVOHOTKEYTPHKSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:Program FilesLenovoClient Security Solutiontvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:Program FilesLenovoRescue and Recoveryrrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:Program FilesLenovoRescue and Recoveryrrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:Program FilesCommon FilesLenovoSchedulertvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:Program FilesLenovoRescue and RecoveryADMIUService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:Windowssystem32DRIVERSxaudio.exe

--
End of file - 16029 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 ntcdrdrv - c:windowssystem32driversntcdrdrv.sys <Not Verified; NoteBurn Software; NoteBurn>
R2 cvintdrv - c:windowssystem32driverscvintdrv.sys
R2 tvtfilter - c:windowssystem32driverstvtfilter.sys <Not Verified; Lenovo; Rescue and Recovery>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:program filescommon filesapplemobile device supportbinapplemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:program filesbonjourmdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 Pharos Systems ComTaskMaster - "c:progra~1pharos~1corectskmstr.exe" <Not Verified; Pharos Systems International; PHAROS>
R2 SUService (System Update) - "c:program fileslenovosystem updatesuservice.exe" <Not Verified; Lenovo Group Limited; ThinkVantage System Update Service>
R2 TVT Backup Protection Service - "c:program fileslenovorescue and recoveryrrpservice.exe" <Not Verified; ; rrpservice Module>
R2 TVT Scheduler - "c:program filescommon fileslenovoschedulertvtsched.exe" <Not Verified; Lenovo Group Limited; tvtsched Module>
R2 tvtnetwk - c:program fileslenovorescue and recoveryadmiuservice.exe

S2 matlabserver (MATLAB Server) - d:softwarematlab 7webserverbinwin32matlabserver.exe
S3 FLEXnet Licensing Service - "c:program filescommon filesmacrovision sharedflexnet publisherfnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S4 Diskeeper - "c:program filesdiskeeper corporationdiskeeperdkservice.exe" <Not Verified; Diskeeper Corporation; Diskeeper ™ Disk Defragmenter>
S4 NILM License Manager - "d:softwarenational instrumentssharedlicense managerbinlmgrd.exe" <Not Verified; Macrovision Corporation; >


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT*6TO4MP0000
Manufacturer: Microsoft
Name: 6TO4 Adapter
PNP Device ID: ROOT*6TO4MP0000
Service: tunnel

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOTNET0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOTNET0000
Service: CVirtA


-- Scheduled Tasks -------------------------------------------------------------

2008-06-16 03:00:13 338 --a------ C:WindowsTasksDailyClean.job
2008-06-16 02:43:56 298 --a------ C:WindowsTasksSpybot - Search & Destroy - Scheduled Task.job
2008-06-02 05:20:06 346 --a------ C:WindowsTasksDDefrag.job
2008-06-01 05:08:20 346 --a------ C:WindowsTasksCDefrag.job


-- Files created between 2008-05-16 and 2008-06-16 -----------------------------

2008-06-16 08:49:57 680960 --a------ C:Windowsis-2B8K8.exe
2008-06-16 08:25:22 11264 --a------ C:Windowssystem32PSS03BAB.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-06-16 08:03:59 0 d-------- C:PerfLogs
2008-06-15 01:09:44 225280 --a------ C:Windowssystem32TubeFinder.exe <Not Verified; Koyote Soft; Tube Finder>
2008-06-15 01:09:43 101888 --a------ C:Windowssystem32VB6STKIT.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-06-15 01:09:43 119568 --a------ C:Windowssystem32VB6FR.DLL <Not Verified; Microsoft Corporation; Environnement Visual Basic>
2008-06-15 01:09:42 9728 --a------ C:Windowssystem32PCCLPFR.DLL <Not Verified; Microsoft Corporation; PicClip>
2008-06-15 01:09:42 141312 --a------ C:Windowssystem32MSCMCFR.DLL <Not Verified; Microsoft Corporation; COMCTL>
2008-06-15 01:09:42 32768 --a------ C:Windowssystem32CMDLGFR.DLL <Not Verified; Microsoft Corporation; CMDIALOG>
2008-06-03 17:38:05 691545 --a------ C:Windowsunins000.exe
2008-06-03 17:38:05 2544 --a------ C:Windowsunins000.dat
2008-05-28 08:57:59 1140 --a------ C:Windowsmozver.dat
2008-05-23 13:53:06 0 d-------- C:UsersAll UsersLavasoft
2008-05-21 01:02:47 0 d-------- C:Program FilesCommon Filesxing shared


-- Find3M Report ---------------------------------------------------------------

2008-06-16 08:24:24 174 --ahs---- C:Program Filesdesktop.ini
2008-06-16 08:08:00 12 --a------ C:Windowsbthservsdp.dat
2008-06-16 08:06:19 0 d-------- C:Program FilesWindows Sidebar
2008-06-16 08:06:19 0 d-------- C:Program FilesWindows Photo Gallery
2008-06-16 08:06:19 0 d-------- C:Program FilesWindows Mail
2008-06-16 08:06:19 0 d-------- C:Program FilesWindows Journal
2008-06-16 08:06:19 0 d-------- C:Program FilesWindows Collaboration
2008-06-16 08:06:19 0 d-------- C:Program FilesWindows Calendar
2008-06-16 08:06:19 0 d-------- C:Program FilesMovie Maker
2008-06-16 08:06:18 0 d-------- C:Program FilesWindows Defender
2008-06-16 07:10:12 0 d-------- C:UsersSBR249AppDataRoamingRuckus Network
2008-06-15 07:10:14 0 d-------- C:UsersSBR249AppDataRoaminggoombah
2008-05-29 12:58:27 0 d-------- C:UsersSBR249AppDataRoamingJoost
2008-05-28 08:59:23 0 d-------- C:Program FilesMicrosoft Silverlight
2008-05-23 22:44:21 0 d-------- C:Program FilesLenovo
2008-05-23 13:51:16 0 d-------- C:Program FilesCommon FilesWise Installation Wizard
2008-05-23 13:38:39 0 d-------- C:UsersSBR249AppDataRoamingLavasoft
2008-05-21 01:02:47 0 d-------- C:Program FilesCommon Files
2008-05-21 01:02:39 0 d-------- C:Program FilesCommon FilesReal
2008-05-09 21:43:44 0 d-------- C:UsersSBR249AppDataRoamingdvdcss
2008-04-24 22:45:59 0 d-------- C:Program FilesApple Software Update
2008-04-22 11:02:34 0 d-------- C:Program FilesMcAfee
2008-04-21 08:24:38 0 d-------- C:UsersSBR249AppDataRoamingtunebite
2008-04-21 05:39:39 0 d-------- C:Program FilesEmergent Music LLC


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"Windows Defender"="C:Program FilesWindows DefenderMSASCui.exe" [01/19/2008 03:38 AM]
"TPHOTKEY"="C:Program FilesLenovoHOTKEYTPOSDSVC.exe" [03/09/2007 01:49 AM]
"TpShocks"="TpShocks.exe" [03/29/2007 09:40 PM C:WindowsSystem32TpShocks.exe]
"EZEJMNAP"="C:PROGRA~1ThinkPadUTILIT~1EzEjMnAp.Exe" [03/28/2007 01:32 PM]
"PWMTRV"="C:PROGRA~1ThinkPadUTILIT~1PWMTR32V.DLL" [08/30/2007 02:06 AM]
"BLOG"="C:PROGRA~1ThinkPadUTILIT~1BTVLogEx.DLL" [08/30/2007 02:06 AM]
"LPManager"="C:PROGRA~1THINKV~2PrdCtrLPMGR.exe" [03/22/2007 01:02 PM]
"ShStatEXE"="C:Program FilesMcAfeeVirusScan EnterpriseSHSTAT.exe" [02/22/2007 08:50 PM]
"McAfeeUpdaterUI"="C:Program FilesMcAfeeCommon FrameworkUdaterUI.exe" [11/17/2006 01:39 PM]
"TPKMAPHELPER"="C:Program FilesThinkPadUtilitiesTpKmapAp.exe" [02/26/2007 06:45 PM]
"IntelliPoint"="C:Program FilesMicrosoft IntelliPointipoint.exe" [08/31/2007 12:01 PM]
"WinPatrol"="D:SoftwareWinPatrolWinPatrol.exe" [04/19/2007 01:33 PM]
"AwaySch"="C:Program FilesLenovoAwayTaskAwaySch.EXE" [11/07/2006 07:51 PM]
"TVT Scheduler Proxy"="C:Program FilesCommon FilesLenovoSchedulerscheduler_proxy.exe" [03/04/2008 10:34 AM]
"cssauth"="C:Program FilesLenovoClient Security Solutioncssauth.exe" [08/08/2007 05:53 PM]
"iTunesHelper"="D:SoftwareiTunesiTunesHelper.exe" [03/30/2008 10:36 AM]
"IgfxTray"="C:Windowssystem32igfxtray.exe" [02/11/2008 08:13 PM]
"HotKeysCmds"="C:Windowssystem32hkcmd.exe" [02/11/2008 08:13 PM]
"Persistence"="C:Windowssystem32igfxpers.exe" [02/11/2008 08:13 PM]
"SoundMAXPnP"="C:Program FilesAnalog DevicesCoresmax4pnp.exe" [07/10/2007 05:40 AM]

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
"Sidebar"="C:Program FilesWindows Sidebarsidebar.exe" [01/19/2008 03:33 AM]
"FolderShare"="D:SoftwareFolderShareFolderShare.exe" []
"@"="" []
"Windows Live FolderShare"="C:UsersSBR249AppDataLocalFolderShareFolderShare.exe" [04/15/2008 02:15 PM]

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindowscurrentversionrunonce]
"InnoSetupRegFile.0000000001"="C:Windowsis-2B8K8.exe" /REG

C:UsersSBR249AppDataRoamingMicrosoftWindowsStart MenuProgramsStartup
SpywareGuard.lnk - D:SoftwareSpywareGuardsgmain.exe [8/29/2003 7:05:35 PM]

C:ProgramDataMicrosoftWindowsStart MenuProgramsStartup
Bluetooth.lnk - C:Program FilesThinkPadBluetooth SoftwareBTTray.exe [3/29/2007 4:11:50 PM]
Digital Line Detect.lnk - C:Program FilesDigital Line DetectDLG.exe [6/30/2007 3:11:56 PM]

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindowscurrentversionpoliciessystem]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"DisableCAD"=1 (0x1)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionwinlogonnotifypsfus]
C:Windowssystem32psqlpwd.dll 08/14/2007 03:54 PM 89600 C:WindowsSystem32psqlpwd.dll

[HKEY_LOCAL_MACHINEsystemcurrentcontrolsetcontrollsa]
"Notification Packages"= scecli ACGina psqlpwd

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalaawservice]
@="Service"

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalAppInfo]
@="Service"

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalKeyIso]
@="Service"

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalNTDS]
@="Service"

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalProfSvc]
@="Service"

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalsacsvr]
@="Service"

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalSWPRV]
@="Service"

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalTabletInputService]
@="Service"

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalTBS]
@="Service"

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalTrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalVDS]
@="Service"

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalvolmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalvolmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimal{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimal{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimal{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimal{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupfolderC:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:ProgramDataMicrosoftWindowsStart MenuProgramsStartupAdobe Reader Speed Launch.lnk
backup=C:WindowspssAdobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupfolderC:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:ProgramDataMicrosoftWindowsStart MenuProgramsStartupAdobe Reader Synchronizer.lnk
backup=C:WindowspssAdobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupfolderC:^Users^SBR249^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LenovoWelcome.lnk]
path=C:UsersSBR249AppDataRoamingMicrosoftWindowsStart MenuProgramsStartupLenovoWelcome.lnk
backup=C:WindowspssLenovoWelcome.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregACTray]
C:Program FilesThinkPadConnectUtilitiesACTray.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregACWLIcon]
C:Program FilesThinkPadConnectUtilitiesACWLIcon.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregAMSG]
C:Program FilesThinkVantageAMSGAmsg.exe /startup

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregAwaySch]
C:Program FilesLenovoAwayTaskAwaySch.EXE

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregDAEMON Tools]
"D:SoftwareDAEMON Toolsdaemon.exe" -lang 1033

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregDiskeeperSystray]
"C:Program FilesDiskeeper CorporationDiskeeperDkIcon.exe"

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregiTunesHelper]
"D:SoftwareiTunesiTunesHelper.exe"

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregLenovoOobeOffers]
c:SWTOOLSLenovoWelcomeLenovoOobeOffers.exe /filePath="c:swsharefirstrun.txt"

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregTPFNF7]
C:Program FilesLenovoNPDIRECTTPFNF7SP.exe /r

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregTVT Scheduler Proxy]
C:Program FilesCommon FilesLenovoSchedulerscheduler_proxy.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionsvchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc CscService TabletInputService UmRdpService wlansvc WPDBusEnum EMDMgmt
LocalServiceNoNetwork PLA DPS BFE mpssvc
LocalServiceNetworkRestricted DHCP eventlog AudioSrv LmHosts wscsvc p2pimsvc PNRPSvc p2psvc PnrpAutoReg
bthsvcs BthServ
GPSvcGroup GPSvc


[HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversionexplorermountpoints2{1cb9abc1-7c18-11dc-a4ec-0016d33e13fc}]
AutoRuncommand- H:SETUP.EXE
configurecommand- H:SETUP.EXE
installcommand- H:SETUP.EXE


[HKEY_LOCAL_MACHINEsoftwaremicrosoftactive setupinstalled components>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:Windowssystem32unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINEsoftwaremicrosoftactive setupinstalled components{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%system32unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- Hosts -----------------------------------------------------------------------

127.0.0.1 apmebf.com
127.0.0.1 www.apmebf.com
127.0.0.1 emjcd.com
127.0.0.1 www.emjcd.com
127.0.0.1 kqzyfj.com
127.0.0.1 www.kqzyfj.com
127.0.0.1 registerapi.com
127.0.0.1 gamehouse.com
127.0.0.1 www.gamehouse.com
127.0.0.1 www.xat.com

8770 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-16 09:12:40 ------------


extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Business (build 6001) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 Duo CPU T7100 @ 1.80GHz
Percentage of Memory in Use: 71%
Physical Memory (total/avail): 2005.54 MiB / 577.54 MiB
Pagefile Memory (total/avail): 6038.83 MiB / 4381.64 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1893.3 MiB

C: is Fixed (NTFS) - 35 GiB total, 8.9 GiB free.
D: is Fixed (NTFS) - 34.7 GiB total, 14.27 GiB free.
E: is CDROM (No Media)
F: is CDROM (Unformatted)

\\.\PHYSICALDRIVE0 - ST980811AS - 74.53 GiB - 3 partitions
PARTITION0 - Unknown - 4.83 GiB
PARTITION1 (bootable) - Installable File System - 35 GiB - C:
PARTITION2 - Installable File System - 34.7 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

FW: McAfee Personal Firewall v (McAfee)
AV: McAfee VirusScan Enterprise v8.5.0.781 (McAfee, Inc.) Disabled
AS: Spybot - Search and Destroy v1.0.0.5 (Safer Networking Ltd.) Disabled Outdated
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"D:\Software\Kingsoft\Powerword 2007\xdict.exe"="D:\Software\Kingsoft\Powerword 2007\xdict.exe:*:Enabled:Kingsoft PowerWord"
"D:\Software\Kingsoft\Powerword 2007\update.exe"="D:\Software\Kingsoft\Powerword 2007\update.exe:*:Enabled:Kingsoft PowerWord Online Update"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\SBR249\AppData\Roaming
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SBR249-IBM
ComSpec=C:\Windows\system32\cmd.exe
DEFLOGDIR=C:\ProgramData\McAfee\DesktopProtection
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\SBR249
KMP_DUPLICATE_LIB_OK=TRUE
LOCALAPPDATA=C:\Users\SBR249\AppData\Local
LOGONSERVER=\\SBR249-IBM
MKL_SERIAL=YES
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:Windowssystem32;C:Windows;C:Windowssystem32wbem;c:program filesdiskeeper corporationdiskeeper;c:program filescommon fileslenovo;c:program filesthinkpadconnectutilities;c:program filespharossystemsoutputmanagement;c:program filespharossystemscore;c:program fileslenovoclient security solution;D:SoftwareMatlab 7binwin32;C:Program FilesQuickTimeQTSystem;D:SoftwareSSH Secure Shell
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
RR=C:\Program Files\Lenovo\Rescue and Recovery
SESSIONNAME=Console
SMA=C:\Program Files\ThinkVantage\SMA
SWSHARE=C:\SWSHARE
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\SBR249~1\AppData\Local\Temp
TMP=C:\Users\SBR249~1\AppData\Local\Temp
TPCCommon=C:\PROGRA~1\THINKV~2\PrdCtr
TVT=C:\Program Files\Lenovo
TVTCOMMON=C:\Program Files\Common Files\Lenovo
TVTPYDIR=C:\Program Files\Common Files\Lenovo\Python24
USERDOMAIN=SBR249-IBM
USERNAME=SBR249
USERPROFILE=C:\Users\SBR249
VSEDEFLOGDIR=C:\ProgramData\McAfee\DesktopProtection
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

SBR249 (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\SETUP.exe -l0x0009 -removeonly
--> C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\SETUP.exe -l0x0009 -removeonly
--> D:\Software\DivX\DivXConverterUninstall.exe /CONVERTER
--> D:\Software\RUCKUS~1\UNWISE.EXE /a D:\Software\RUCKUS~1\INSTALL.LOG
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
Access Help --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6FA39A7-26B1-480A-BC74-6D17531AC222}\Setup.exe" -l0x9 UNINSTALL
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 8.1.2 Professional --> msiexec /I {AC76BA86-1033-F400-7760-000000000003}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
AnyDVD --> "D:\Software\Slysoft\AnyDVD\AnyDVD-uninst.exe" /D="D:\Software\Slysoft\AnyDVD"
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
AusLogics Disk Defrag --> "D:\Software\AusLogics\unins000.exe"
BitComet 0.93 --> D:\Software\BitComet\uninst.exe
Bonjour Core for Windows --> MsiExec.exe /I{56DF5C9E-6392-46D3-B366-297B14E1DAAF}
CCleaner (remove only) --> "D:\Software\CCleaner\uninst.exe"
Cisco Systems VPN Client 5.0.00.0340 --> MsiExec.exe /X{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}
Client Security Solution --> MsiExec.exe /X{0F4EFCE8-E358-4430-A504-F55F32BA1816}
Diskeeper Home --> MsiExec.exe /X{796E076A-82F7-4D49-98C8-DEC0C3BC733A}
DivX Codec --> D:\Software\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> D:\Software\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> D:\Software\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> D:\Software\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> D:\Software\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD Decrypter (Remove Only) --> "D:\Software\DVD Decrypter\uninstall.exe"
EndNote X.0.2 Volume License Edition --> MsiExec.exe /I{FE4BD9BD-4A26-4F39-B12C-19336204B102}
EverNote --> C:\Program Files\InstallShield Installation Information\{00C297B1-02F3-4BEE-8B57-7BCA695A41DA}\setup.exe -runfromtemp -l0x0009 -removeonly
Evernote --> C:\Program Files\InstallShield Installation Information\{0D025345-1033-4F35-A5CE-68CDCDE6CC03}\setup.exe -runfromtemp -l0x0009 -removeonly
ffdshow [rev 1324] [2007-07-01] --> "D:\Software\FLV Software\FFDShow\unins000.exe"
Free FLV Converter V 5.0 --> "D:\Software\Free FLV Converter\unins000.exe"
Free WMA to MP3 Converter 1.08 --> "D:\Software\Jodix WMA to MP3 Converter\unins000.exe"
Goombah Partner COM Server --> MsiExec.exe /I{EBBE2FB2-FBED-44F6-B95F-230AB5A65B28}
Help Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{986F64DC-FF15-449D-998F-EE3BCEC6666A}\Setup.exe" -l0x9 -AddRemove
HI-TECH C51-lite V9.60PL0 --> "C:\Program Files\HI-TECH Software\HC51lite\9.60\resources\setup.exe"
HI-TECH PICC lite V9.60PL0 --> "C:\Program Files\HI-TECH Software\PICClite\9.60\resources\setup.exe"
HijackThis 2.0.2 --> "D:\Software\HijackThis\HijackThis.exe" /uninstall
Intel® Graphics Media Accelerator Driver --> C:\Windows\system32\igxpun.exe -uninstall
Intel® PRO Network Connections Drivers --> Prounstl.exe
ISI ResearchSoft - Export Helper --> C:\PROGRA~1\COMMON~1\Risxtd_UNINST.EXE
ISO Recorder --> MsiExec.exe /I{39600969-41C3-4658-876E-16F108FC5C92}
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
Joost ™ Beta 1.1.4 --> D:\Software\Joost\uninst.exe
Lenovo System Interface Driver --> RunDll32.exe setupapi.dll,InstallHinfSection DefaultUninstall.NTx86 130 C:\Program Files\Lenovo\SMIIF\lnvsmi.inf
Maintenance Manager --> Rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\Windows\INF\AWAYTASK.INF
MATLAB 7.1 --> D:\Software\Matlab 7\uninstall\uninstall.exe D:\Software\Matlab 7
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
McAfee VirusScan Enterprise --> MsiExec.exe /X{35C03C04-3F1F-42C2-A989-A757EE691F65}
Message Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7E836B8-4BDD-454F-82E6-5FEA17C83AD4}\Setup.exe" -l0x9 -AddRemove
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISER /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{91120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
mIRC --> "D:\Software\TMD-Recruit\mirc.exe" -uninstall
Mozilla Firefox (2.0.0.14) --> D:\Software\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
National Instruments Software --> "D:\Software\National Instruments\Shared\NIUninstaller\uninst.exe"
NoteBurner 1.34 --> "C:\Program Files\NoteBurner\unins000.exe"
On Screen Display --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall.LH 132 C:\Program Files\Lenovo\HOTKEY\tphk_tp.inf
OpenSource Flash Video Splitter (remove only) --> "D:\Software\FLV Software\FLV Splitter\OpenSource Flash Video Splitter\uninstall.exe"
Oracle Calendar --> MsiExec.exe /X{4DA016C7-9AC2-4BA7-AD31-3EBA29BC21B1}
PC-Doctor 5 for Windows --> C:\Program Files\PCDR5\uninst.exe
Pharos --> C:\PROGRA~1\Pharos\bin\Local.EXE
Powerword 2006 --> MsiExec.exe /I{1D44EA4F-C446-4C4F-92F7-02F72E589989}
Presentation Director --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{65706020-7B6F-41F2-8047-FC69579E386A}\Setup.exe" -l0x9 -AddRemove
Productivity Center Supplement for ThinkPad --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D728E945-256D-4477-B377-6BBA693714AC}\SETUP.EXE" -l0x9 -AddRemove
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Registry patch for Windows Vista USB S3 PM Enablement --> Rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 130 C:\Program Files\Lenovo\USBPMon\USBPMon.inf
Registry patch of Changing Timing of IDLE IRP by Finger Print Driver for Windows Vista --> Rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 130 C:\Program Files\Lenovo\FPIRPOn\FPIRPOn.inf
Registry Patch of Enabling Device Initiated Power Management(DIPM) on SATA for Windows Vista --> Rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 130 C:\Program Files\Lenovo\Dipmon\Dipmon.inf
Registry patch to improve USB device detection on resume from sleep for Windows Vista --> MsiExec.exe /X{4AB5764A-3894-49A2-BAA8-C4665F74CD4C}
Rescue and Recovery --> MsiExec.exe /X{7E4C16B8-8F76-4940-8505-98E93C00BF19}
Ruckus Player --> D:\Software\RUCKUS~1\UNWISE.EXE D:\Software\RUCKUS~1\INSTALL.LOG
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Excel 2007 (KB946974) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office Publisher 2007 (KB950114) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB947801) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Security Update for Visio 2007 (KB947590) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
SoundMAX --> C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\SETUP.exe -runfromtemp -l0x0009 -removeonly
Spybot - Search & Destroy --> "D:\Software\Spybot S&D\unins000.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\Windows\unins000.exe"
SpywareBlaster 4.1 --> "D:\Software\SpywareBlaster\unins000.exe"
SpywareGuard v2.2 --> D:\Software\SpywareGuard\unins000.exe
SSH Secure Shell --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{74E2CD0C-D4A2-11D3-95A6-0000E86CFDE5}\Setup.exe"
System Migration Assistant --> MsiExec.exe /X{F705E3E1-A471-426B-9A09-73429F3418EE}
System Update --> MsiExec.exe /X{8675339C-128C-44DD-83BF-0A5D6ABD8297}
ThinkPad Bluetooth with Enhanced Data Rate Software 6.0.1.4900 --> MsiExec.exe /X{03D1988F-469F-4843-8E6E-E5FE9D17889D}
ThinkPad EasyEject Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1297C681-92D7-40EF-93BF-03F66EC5105C}\SETUP.EXE" -l0x9 -AddRemove
ThinkPad FullScreen Magnifier --> RunDll32 setupapi.dll,InstallHinfSection DefaultUninstall.NT 132 C:\Program Files\Lenovo\Zoom\TpScrex.inf
ThinkPad Keyboard Customizer Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2111B23F-7FDA-4A41-8309-E5A1663CA296}\Setup.exe" -l0x9 anything
ThinkPad Mobility Center Customization --> MsiExec.exe /X{E1A83640-A568-4B56-A4C9-AB38C7035156}
ThinkPad Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10140588\UIU32m.exe -U -ITkp0588z.inf
ThinkPad Power Management Driver --> RunDll32.exe tpinspm.dll,Uninstall
ThinkPad Power Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAC01CEE-5BAE-42D5-81FC-B687E84E8405}\SETUP.EXE" -l0x9 -AddRemove
ThinkPad TrackPoint Driver --> C:\Program Files\Lenovo\TrackPoint\tp4unins.exe
ThinkVantage Access Connections --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7EB114D8-207F-45AE-BABD-1669715F2630}\Setup.exe" -l0x9 anything
ThinkVantage Active Protection System --> MsiExec.exe /X{46A84694-59EC-48F0-964C-7E76E9F8A2ED}
ThinkVantage Fingerprint Software 5.6 --> MsiExec.exe /I{A2289997-10A3-48F2-AA03-99180D761661}
ThinkVantage Productivity Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CF5737AF-8550-4546-A69B-0EA9EF5A9B55}\SETUP.EXE" -l0x9 -AddRemove
ThinkVantage Technologies Welcome Message --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1007F41F-7D69-468E-8017-3849A5A973C2}\Setup.exe" -l0x9 anything
TMD Recruit Pack --> D:\Software\TMD-Recruit\Uninstal.exe
Tunebite 4.1.0.35 --> "D:\Software\Tunebite\unins000.exe"
Update for Office 2007 (KB946691) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb950378) --> msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {F6296086-AED5-4EC0-938B-08EA0254F20E}
VeohTV BETA --> C:\Program Files\InstallShield Installation Information\{D1B11537-EA51-4DD8-BF1E-098BEE48868D}\setup.exe -runfromtemp -l0x0409
VideoLAN VLC media player 0.8.6e --> D:\Software\VLC Player\VLC\uninstall.exe
Wallpapers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DB71210F-8314-4AE3-B7A7-EBAF85BD30E9}\Setup.exe" -l0x9 UNINSTALL
Winamp --> "D:\Software\Winamp\UninstWA.exe"
Windows Driver Package - Intel (e1express) Net (03/24/2007 9.7.237.0) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\e1e6032.inf_2324241c\e1e6032.inf
Windows Driver Package - Intel (iaStor) hdc (02/12/2007 7.0.0.1020) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_1cb29a96\iaahci.inf
Windows Driver Package - Intel hdc (11/15/2006 8.2.0.1011) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\ich8id2.inf_a8dc8098\ich8id2.inf
Windows Driver Package - Intel hdc (11/15/2006 8.2.0.1011) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\ich8ide.inf_945a5faf\ich8ide.inf
Windows Driver Package - Intel hdc (12/06/2006 6.8.0.3002) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\ich8ahci.inf_b3b521ec\ich8ahci.inf
Windows Driver Package - Intel System (09/15/2006 7.0.0.1011) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\dmi_pci.inf_0e65d7c6\dmi_pci.inf
Windows Driver Package - Intel System (09/15/2006 8.0.0.1008) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\ich8smb.inf_eae3c27f\ich8smb.inf
Windows Driver Package - Intel System (09/15/2006 8.0.0.1010) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\ich8core.inf_a96a333f\ich8core.inf
Windows Driver Package - Intel System (09/15/2006 8.2.0.1000) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\965m.inf_d9541021\965m.inf
Windows Driver Package - Intel USB (09/15/2006 8.0.0.1008) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\ich8usb.inf_aacfb529\ich8usb.inf
Windows Driver Package - Lenovo (IBMPMDRV) System (02/27/2007 1.42) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\ibmpmdrv.inf_e6c0250c\ibmpmdrv.inf
Windows Live FolderShare Beta --> MsiExec.exe /X{FE434300-A311-4BE1-93BA-B74BC8C4017B}
WinPatrol --> MsiExec.exe /X{8E0D233D-8B06-47A1-BA22-3A767CCD69E3}
WinRAR archiver --> D:\Software\WinRAR\uninstall.exe
WinZip 11.2 --> MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B6}
X-Win32 8.1 --> MsiExec.exe /I{BB412CA7-661F-49A0-BA80-02493197C3C8}


-- Application Event Log -------------------------------------------------------

Event Record #/Type203816 / Error
Event Submitted/Written: 06/16/2008 08:42:53 AM
Event ID/Source: 215 / ESENT
Event Description:
WinMail (5964) WindowsMail0: The backup has been stopped because it was halted by the client or the connection with the client failed.

Event Record #/Type203807 / Error
Event Submitted/Written: 06/16/2008 08:42:40 AM
Event ID/Source: 1542 / profsvc
Event Description:
Windows cannot load classes registry file.
DETAIL - The process cannot access the file because it is being used by another process.

Event Record #/Type203806 / Error
Event Submitted/Written: 06/16/2008 08:42:40 AM
Event ID/Source: 1508 / profsvc
Event Description:
Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights.

DETAIL - The process cannot access the file because it is being used by another process. for C:\Users\SBR249\AppData\Local\Microsoft\Windows\UsrClass.dat

Event Record #/Type203772 / Warning
Event Submitted/Written: 06/16/2008 08:16:53 AM
Event ID/Source: 63 / WinMgmt
Event Description:
HiPerfCooker_v1RootWMI

Event Record #/Type203771 / Warning
Event Submitted/Written: 06/16/2008 08:16:53 AM
Event ID/Source: 63 / WinMgmt
Event Description:
HiPerfCooker_v1RootWMI



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type52127 / Warning
Event Submitted/Written: 06/16/2008 09:09:07 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%SBR249-IBM27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %SBR249-IBM27 can't undo changes that you allow.

For more information please see the following:
%SBR249-IBM275

Scan ID: {7AB520ED-623C-4A12-AACF-BD28AC886E5B}

User: SBR249-IBM\SBR249

Name: %SBR249-IBM271

ID: %SBR249-IBM272

Severity ID: %SBR249-IBM273

Category ID: %SBR249-IBM274

Path Found: %SBR249-IBM276

Alert Type: %SBR249-IBM278

Detection Type: 1.1.1600.02

Event Record #/Type52126 / Warning
Event Submitted/Written: 06/16/2008 09:09:06 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%SBR249-IBM27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %SBR249-IBM27 can't undo changes that you allow.

For more information please see the following:
%SBR249-IBM275

Scan ID: {FF8E0E29-95ED-4027-91A9-B0AE81513364}

User: SBR249-IBM\SBR249

Name: %SBR249-IBM271

ID: %SBR249-IBM272

Severity ID: %SBR249-IBM273

Category ID: %SBR249-IBM274

Path Found: %SBR249-IBM276

Alert Type: %SBR249-IBM278

Detection Type: 1.1.1600.02

Event Record #/Type52120 / Warning
Event Submitted/Written: 06/16/2008 08:50:02 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%SBR249-IBM27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %SBR249-IBM27 can't undo changes that you allow.

For more information please see the following:
%SBR249-IBM275

Scan ID: {E5E585C0-0532-4928-97AA-BF255F83584A}

User: SBR249-IBM\SBR249

Name: %SBR249-IBM271

ID: %SBR249-IBM272

Severity ID: %SBR249-IBM273

Category ID: %SBR249-IBM274

Path Found: %SBR249-IBM276

Alert Type: %SBR249-IBM278

Detection Type: 1.1.1600.02

Event Record #/Type52115 / Error
Event Submitted/Written: 06/16/2008 08:43:12 AM
Event ID/Source: 10010 / DCOM
Event Description:
{C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493}

Event Record #/Type52111 / Warning
Event Submitted/Written: 06/16/2008 08:42:51 AM
Event ID/Source: 4 / Client Side Rendering Spooler
Event Description:
The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-18\Printers\Connections. The print spooler could not open the registry key. This can occur if the registry key is corrupt or missing, or if the registry recently became unavailable.



-- End of Deckard's System Scanner: finished at 2008-06-16 09:12:40 ------------

Kaspersky report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, June 16, 2008
Operating System: Microsoft Windows Vista Business Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, June 16, 2008 12:08:05
Records in database: 872350
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:
D:
E:
F:

Scan statistics:
Files scanned: 218769
Threat name: 3
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 02:26:21


File name / Threat name / Threats count
C:\Program Files\Common Files\Wise Installation Wizard\WISFE4BD9BD4A264F39B12C19336204B102_10_0_0_2131.MSI Infected: Trojan.Win32.VB.dkn 1
C:\Users\SBR249\AppData\Roaming\Mozilla\Firefox\Profiles\j0bargme.default\extensions\firebit@firebit\components\firebit.dll Infected: not-a-virus:AdWare.Win32.Kitsune.b 1
C:\Windows\Installer\873dc.msi Infected: Trojan.Win32.VB.dkn 1
C:\Windows\Installer\{FE4BD9BD-4A26-4F39-B12C-19336204B102}\IconB9CA9C5F3.ico Infected: Trojan.Win32.VB.dkn 1
D:\Software\TMD-Recruit\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 1
D:\Utilities\Program Setups\TMD-Recruit.5.0.zip Infected: not-a-virus:Client-IRC.Win32.mIRC.62 1

The selected area was scanned.

Merged posts. ~ OB

Edited by Yourhighness, 16 July 2008 - 10:11 AM.



#2 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg
  • Local time:04:06 AM

Posted 06 July 2008 - 10:30 AM

Hello SBR249 and welcome to BleepingComputer!

Apologies for the delay. The forum has been very busy lately. If you are still having problems, then please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide For Use Before Posting A Hijackthis Log. Please also post the problems you are having.

When posting your log, please make sure you post the HijackThis log as a reply and not as an attachment. If we do not hear back from you within a couple of days we will need to close your topic.

Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#3 SBR249

SBR249
  • Topic Starter

  • Members
  • 13 posts
  • Local time:11:06 PM

Posted 06 July 2008 - 01:15 PM

Hi,

Thanks for the reply. I've been experiencing redirects when clicking on results from search engines such as Google, Yahoo, etc. These redirects would take me to URLs such as btcar.com, smartbizsearch.com, fullwz.com, etc. I use McAfee VirusScan Enterprise as well as Spybot daily and have also tried scanning with Ad-Aware, MalwareBytes' Anti-Malware, the F-Secure online scanner, and Kaspersky's online scanner. So far, none of them have detected any spyware/malware on my system. Below is the log from the DSS scan. Any help will be appreciated, thanks.


Deckard's System Scanner v20071014.68
Run by SBR249 on 2008-07-06 14:06:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as SBR249.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:07:00 PM, on 7/6/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
D:\Software\WinPatrol\WinPatrol.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
D:\Software\iTunes\iTunesHelper.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\SBR249\AppData\Local\FolderShare\FolderShare.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
D:\Software\SpywareGuard\sgmain.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
D:\Software\SpywareGuard\sgbhp.exe
C:\Program Files\Lenovo\Client Security Solution\tvtpwm_tray.exe
D:\Software\Mozilla Firefox\firefox.exe
D:\Software\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
D:\Utilities\Program Setups\dss.exe
C:\Windows\system32\conime.exe
D:\Software\HIJACK~1\SBR249.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Software\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Software\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Software\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - D:\Software\VeohTV\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [WinPatrol] D:\Software\WinPatrol\WinPatrol.exe
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [iTunesHelper] "D:\Software\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Windows Live FolderShare] "C:\Users\SBR249\AppData\Local\FolderShare\FolderShare.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: SpywareGuard.lnk = D:\Software\SpywareGuard\sgmain.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Evernote - res://D:\Software\Evernote 3\enbar.dll/2000
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - D:\Software\Evernote\enbar.dll
O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - D:\Software\Evernote\enbar.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Software\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Software\SPYBOT~1\SDHelper.dll
O9 - Extra button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - D:\Software\Evernote 3\enbar.dll
O9 - Extra 'Tools' menuitem: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - D:\Software\Evernote 3\enbar.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Software\Ad-Aware\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - D:\Software\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\Windows\system32\IPSSVC.EXE
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\Windows\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\Windows\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\Windows\system32\lktsrv.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - D:\Software\Matlab 7\webserver\bin\win32\matlabserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - D:\Software\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\Windows\system32\nisvcloc.exe
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - D:\Software\Spybot S&D\SDWinSec.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: tp4serv - Lenovo Group Limited - C:\Program Files\Lenovo\TrackPoint\TP4SERVINST.EXE
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Unknown owner - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 15358 bytes

-- Files created between 2008-06-06 and 2008-07-06 -----------------------------

2008-06-26 10:24:23 0 d-------- C:\fsaua.data
2008-06-26 10:17:51 0 d-------- C:\Users\All Users\Malwarebytes
2008-06-16 08:25:22 11264 --a------ C:\Windows\system32\PSS03BAB.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-06-16 08:03:59 0 d-------- C:\PerfLogs
2008-06-15 01:09:44 225280 --a------ C:\Windows\system32\TubeFinder.exe <Not Verified; Koyote Soft; Tube Finder>
2008-06-15 01:09:43 101888 --a------ C:\Windows\system32\VB6STKIT.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-06-15 01:09:43 119568 --a------ C:\Windows\system32\VB6FR.DLL <Not Verified; Microsoft Corporation; Environnement Visual Basic>
2008-06-15 01:09:42 9728 --a------ C:\Windows\system32\PCCLPFR.DLL <Not Verified; Microsoft Corporation; PicClip>
2008-06-15 01:09:42 141312 --a------ C:\Windows\system32\MSCMCFR.DLL <Not Verified; Microsoft Corporation; COMCTL>
2008-06-15 01:09:42 32768 --a------ C:\Windows\system32\CMDLGFR.DLL <Not Verified; Microsoft Corporation; CMDIALOG>


-- Find3M Report ---------------------------------------------------------------

2008-07-04 18:24:50 12 --a------ C:\Windows\bthservsdp.dat
2008-07-04 17:40:16 0 d-------- C:\Users\SBR249\AppData\Roaming\Winamp
2008-06-26 10:17:56 0 d-------- C:\Users\SBR249\AppData\Roaming\Malwarebytes
2008-06-21 19:30:20 0 d-------- C:\Users\SBR249\AppData\Roaming\vlc
2008-06-21 05:12:57 0 d-------- C:\Users\SBR249\AppData\Roaming\Ruckus Network
2008-06-20 20:50:25 0 d-------- C:\Users\SBR249\AppData\Roaming\goombah
2008-06-17 10:59:28 0 d-------- C:\Program Files\McAfee
2008-06-16 08:24:24 174 --ahs---- C:\Program Files\desktop.ini
2008-06-16 08:06:19 0 d-------- C:\Program Files\Windows Sidebar
2008-06-16 08:06:19 0 d-------- C:\Program Files\Windows Photo Gallery
2008-06-16 08:06:19 0 d-------- C:\Program Files\Windows Mail
2008-06-16 08:06:19 0 d-------- C:\Program Files\Windows Journal
2008-06-16 08:06:19 0 d-------- C:\Program Files\Windows Collaboration
2008-06-16 08:06:19 0 d-------- C:\Program Files\Windows Calendar
2008-06-16 08:06:19 0 d-------- C:\Program Files\Movie Maker
2008-06-16 08:06:18 0 d-------- C:\Program Files\Windows Defender
2008-06-03 17:38:06 2544 --a------ C:\Windows\unins000.dat
2008-06-03 17:35:56 691545 --a------ C:\Windows\unins000.exe
2008-05-29 12:58:27 0 d-------- C:\Users\SBR249\AppData\Roaming\Joost
2008-05-28 08:59:23 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-28 08:58:09 1140 --a------ C:\Windows\mozver.dat
2008-05-23 22:44:21 0 d-------- C:\Program Files\Lenovo
2008-05-23 13:51:16 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-23 13:38:39 0 d-------- C:\Users\SBR249\AppData\Roaming\Lavasoft
2008-05-21 01:02:47 0 d-------- C:\Program Files\Common Files
2008-05-21 01:02:47 0 d-------- C:\Program Files\Common Files\xing shared
2008-05-21 01:02:39 0 d-------- C:\Program Files\Common Files\Real
2008-05-09 21:43:44 0 d-------- C:\Users\SBR249\AppData\Roaming\dvdcss


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/19/2008 03:38 AM]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [03/09/2007 01:49 AM]
"TpShocks"="TpShocks.exe" [03/29/2007 09:40 PM C:\Windows\System32\TpShocks.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [03/28/2007 01:32 PM]
"LPManager"="C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe" [03/22/2007 01:02 PM]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [02/22/2007 08:50 PM]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [11/17/2006 01:39 PM]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [02/26/2007 06:45 PM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [08/31/2007 12:01 PM]
"WinPatrol"="D:\Software\WinPatrol\WinPatrol.exe" [04/19/2007 01:33 PM]
"AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [11/07/2006 07:51 PM]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [03/04/2008 10:34 AM]
"cssauth"="C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" [08/08/2007 05:53 PM]
"iTunesHelper"="D:\Software\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [02/11/2008 08:13 PM]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [02/11/2008 08:13 PM]
"Persistence"="C:\Windows\system32\igfxpers.exe" [02/11/2008 08:13 PM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [07/10/2007 05:40 AM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]
"PWMTRV"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [01/11/2008 02:20 AM]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [01/11/2008 02:20 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/19/2008 03:33 AM]
"Windows Live FolderShare"="C:\Users\SBR249\AppData\Local\FolderShare\FolderShare.exe" [04/15/2008 02:15 PM]

C:\Users\SBR249\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
SpywareGuard.lnk - D:\Software\SpywareGuard\sgmain.exe [8/29/2003 7:05:35 PM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [3/29/2007 4:11:50 PM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [6/30/2007 3:11:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"DisableCAD"=1 (0x1)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\Windows\system32\psqlpwd.dll 08/14/2007 03:54 PM 89600 C:\Windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli ACGina psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\Windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\Windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^SBR249^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LenovoWelcome.lnk]
path=C:\Users\SBR249\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LenovoWelcome.lnk
backup=C:\Windows\pss\LenovoWelcome.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTray]
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACWLIcon]
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMSG]
C:\Program Files\ThinkVantage\AMSG\Amsg.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AwaySch]
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"D:\Software\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
"C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"D:\Software\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LenovoOobeOffers]
c:\SWTOOLS\LenovoWelcome\LenovoOobeOffers.exe /filePath="c:\swshare\firstrun.txt"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPFNF7]
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc CscService TabletInputService UmRdpService wlansvc WPDBusEnum EMDMgmt
LocalServiceNoNetwork PLA DPS BFE mpssvc
LocalServiceNetworkRestricted DHCP eventlog AudioSrv LmHosts wscsvc p2pimsvc PNRPSvc p2psvc PnrpAutoReg
bthsvcs BthServ
GPSvcGroup GPSvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1cb9abc1-7c18-11dc-a4ec-0016d33e13fc}]
AutoRun\command- H:\SETUP.EXE
configure\command- H:\SETUP.EXE
install\command- H:\SETUP.EXE


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-07-06 14:08:36 ------------

Edited by Yourhighness, 16 July 2008 - 10:15 AM.


#4 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  • Gender:Male
  • Location:Hamburg
  • Local time:04:06 AM

Posted 06 July 2008 - 02:11 PM

Hey,

step #1

Please download ATF Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

step #2

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
step #3

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Program Files\Common Files\Wise Installation Wizard\WISFE4BD9BD4A264F39B12C19336204B102_10_0_0_2131.MSI
    C:\Users\SBR249\AppData\Roaming\Mozilla\Firefox\Profiles\j0bargme.default\extensions\firebit@
    firebit\components\firebit.dll
    C:\Windows\Installer\873dc.msi
    C:\Windows\Installer\{FE4BD9BD-4A26-4F39-B12C-19336204B102}\IconB9CA9C5F3.ico
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1cb9abc1-7c18-11dc-a4ec-0016d33e13fc}
  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

step #4

Let's do another online scan, please.

Please do a scan with Kaspersky Online Scanner (You need to use Internet Explorer or enable IEView in Firefox)
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
step #5

Please post back with the OTMoveIt log, the Kaspersky Log and let me know how your pc is doing.

Edited by Yourhighness, 16 July 2008 - 10:22 AM.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#5 SBR249

SBR249
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:11:06 PM

Posted 06 July 2008 - 11:39 PM

I did the requested operations and the results are below. My PC seems to be doing better. The last few times I searched for something, I wasn't redirected. I don't know if that's because the malware was removed or because it's just dormant.

OTMoveIt2 results:

C:\Program Files\Common Files\Wise Installation Wizard\WISFE4BD9BD4A264F39B12C19336204B102_10_0_0_2131.MSI moved successfully.
< C:\Users\SBR249\AppData\Roaming\Mozilla\Firefox\Profiles\j0bargme.default\extensions\firebit@ >
File/Folder C:\Users\SBR249\AppData\Roaming\Mozilla\Firefox\Profiles\j0bargme.default\extensions\firebit@ not found.
File/Folder firebit\components\firebit.dll not found.
C:\Windows\Installer\873dc.msi moved successfully.
C:\Windows\Installer\{FE4BD9BD-4A26-4F39-B12C-19336204B102}\IconB9CA9C5F3.ico moved successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1cb9abc1-7c18-11dc-a4ec-0016d33e13fc} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1cb9abc1-7c18-11dc-a4ec-0016d33e13fc}\\ deleted successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07062008_193421


The Kaspersky Online Scanner Report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, July 7, 2008
Operating System: Microsoft Windows Vista Business Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, July 06, 2008 18:57:34
Records in database: 918909
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 215123
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 02:28:23


File name / Threat name / Threats count
C:\Users\SBR249\AppData\Roaming\Mozilla\Firefox\Profiles\j0bargme.default\extensions\firebit@firebit\components\__delete_on_reboot__f_i_r_e_b_i_t_._d_l_l_ Infected: not-a-virus:AdWare.Win32.Kitsune.b 1
D:\Utilities\Program Setups\TMD-Recruit.5.0.zip Infected: not-a-virus:Client-IRC.Win32.mIRC.62 1

The selected area was scanned.

Edited by Yourhighness, 16 July 2008 - 10:16 AM.


#6 Yourhighness

Posted 07 July 2008 - 02:42 PM

Hi.

The little devil is this one:

Filename Result
firebit.dll MALWARE

Let's make sure all is really gone from your PC.

Step #1
  • Please double-click on "OTMoveIt.exe"
  • Navigate to the following icon and click it: Posted Image
  • OTMoveIt might ask you to reboot. If it does so, please let it do so.
Note: after the reboot, OTMoveIt and the other helper tools downloaded while cleaning your PC will be removed, so it's okay if it is not there anymore ;).

Step #2

Please run the F-Secure Onlinescan Beta Version
(You need to use Internet Explorer or enable IEView in Firefox.)
  • Follow the Instruction here for installation.
  • Accept the License Agreement.
  • Once the ActiveX control installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.
Step #3

Please post back with the F-Secure log. Thanks.


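The culprit named in the post above is a native DLL sitting inside a Firefox profile extension (extensions\firebit@firebit\components\firebit.dll), which is exactly where a browser-side search redirector can hook page loads. The following is an added example, not code from this thread or from any of the tools it mentions: it walks a profile's extensions folder and flags any extension shipping native code, plus files carrying the `__delete_on_reboot__` prefix that the Kaspersky report above shows on a leftover of firebit.dll. The profile tree it scans is a throwaway one built in a temp directory; the extension IDs and file contents in it are constructed for the demo.

```python
"""Flag Firefox profile extensions that ship native code.

Added example, not code from the BleepingComputer thread or from any of
the tools it mentions. It mirrors the layout seen in the logs above
(<profile>/extensions/<id>/components/<name>.dll) using a throwaway
profile tree built in a temp directory; the extension IDs and file
contents in that tree are constructed for the demo.
"""
import re
import tempfile
from pathlib import Path

# Extensions of native components; the firebit.dll found in this thread
# sat in such a file under an extension's components folder.
NATIVE_EXT = {".dll", ".so", ".dylib"}
# Prefix the Kaspersky report above shows on a leftover of firebit.dll.
DELETE_ON_REBOOT = re.compile(r"^__delete_on_reboot__", re.IGNORECASE)


def scan_profile(profile_dir):
    """Return sorted (extension_id, reason, relative_path) findings."""
    findings = []
    ext_root = Path(profile_dir) / "extensions"
    if not ext_root.is_dir():
        return findings
    for ext_dir in ext_root.iterdir():
        if not ext_dir.is_dir():
            continue  # packed .xpi files would need unzipping; out of scope
        for path in ext_dir.rglob("*"):
            if not path.is_file():
                continue
            rel = path.relative_to(ext_dir).as_posix()
            if path.suffix.lower() in NATIVE_EXT:
                findings.append((ext_dir.name, "native component", rel))
            if DELETE_ON_REBOOT.match(path.name):
                findings.append((ext_dir.name, "delete-on-reboot leftover", rel))
    return sorted(findings)


def build_sample_profile(root):
    """Constructed sample: a script-only add-on and one shipping a DLL."""
    root = Path(root)
    benign = root / "extensions" / "example-addon@example.test"
    (benign / "chrome").mkdir(parents=True)
    (benign / "install.rdf").write_text("<RDF/>")
    (benign / "chrome" / "content.js").write_text("// script only")
    bad = root / "extensions" / "firebit@firebit" / "components"
    bad.mkdir(parents=True)
    # Placeholder bytes, not a real PE; only the name and location matter here.
    (bad / "firebit.dll").write_bytes(b"MZ" + b"\0" * 62)
    (bad / "__delete_on_reboot__f_i_r_e_b_i_t_._d_l_l_").write_bytes(b"MZ")
    return root


def demo():
    """Build the sample profile, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_profile(build_sample_profile(tmp))


if __name__ == "__main__":
    for ext_id, reason, rel in demo():
        print(f"{ext_id}: {reason}: {rel}")
```

On a real machine, point `scan_profile` at the profile folder from the logs (for this user, C:\Users\SBR249\AppData\Roaming\Mozilla\Firefox\Profiles\j0bargme.default). A native component is not proof of malware on its own, since legitimate add-ons of that era also shipped binary XPCOM components; the point is to get every such DLL onto the list of things to check with a scanner or submit for analysis.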

#7 SBR249

Posted 07 July 2008 - 11:26 PM

Here's the F-Secure scan report:

Scanning Report
Monday, July 07, 2008 16:24:02 - 00:24:10

Computer name: SBR249-IBM
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\
Result: 1 malware found
W32/Malware (virus)

* D:\SOFTWARE\SPYWAREBLASTER\SBAUTOUPDATE.EXE (Submitted)

Statistics
Scanned:

* Files: 52950
* System: 5486
* Not scanned: 24

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 1
* Submitted: 1

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\TEMP\MCMSC_D92JIHWBUVPHCNF
* C:\WINDOWS\TEMP\HSPERFDATA_SBR249-IBM$\2572
* C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\COMPONENTS
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM
* C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
* C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
* C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{DF189043-4E89-4A62-B76F-B043C093BDEA}.BIN
* C:\WINDOWS\CSC\V2.0.6\PQ
* C:\WINDOWS\CSC\V2.0.6\TEMP\EA-{0738A811-3B9D-11DD-BD3F-0016D33E13FC}
* C:\USERS\SBR249\APPDATA\LOCAL\TEMP\HSPERFDATA_SBR249\1792
* C:\USERS\SBR249\APPDATA\LOCAL\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{73686870-1962-467D-831C-9AA61C43D7EE}
* C:\BOOT\BCD

Options
Scanning engines:

* F-Secure USS: 2.30.0
* F-Secure Hydra: 2.8.8110, 2008-07-07
* F-Secure Pegasus: 1.20.0, 2008-04-14
* F-Secure AVP: 7.0.171, 2008-07-07

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics

Edited by Yourhighness, 16 July 2008 - 10:17 AM.


#8 Yourhighness

Posted 08 July 2008 - 12:45 PM

Hi SBR249,

The above log makes me a bit suspicious. We will need to do a double-check to see if something is on your PC that should not be.
  • Download Dr.Web CureIt to the desktop: drweb-cureit.exe
    • Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
  • This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv; I need that log later.
  • Close Dr.Web CureIt.
  • Reboot your computer, because files in use may be moved/deleted during the reboot.



#9 SBR249

Posted 09 July 2008 - 07:05 AM

I apologize for the delay in responding, the scans are taking a bit longer than anticipated. I'll try to get them done and get a log up today.

Edit:

Finally got my computer scanned. I wasn't able to find those buttons you were talking about but one file was deleted and another one was moved to the quarantine folder automatically.

Here's the log that was saved:

RegUBP2b-SBR249.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
116e4b.msi\stream005;C:\Windows\Installer\116e4b.msi;BackDoor.Pigeon.11490;;
116e4b.msi;C:\Windows\Installer;Archive contains infected objects;Moved.;

Edited by Yourhighness, 16 July 2008 - 10:17 AM.

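The Dr.Web report in the post above is three semicolon-separated lines, and the middle one is easy to misread: the BackDoor.Pigeon hit on `116e4b.msi\stream005` shows an empty action field, while the action (Moved) appears on the containing MSI. The following is an added example, not code from this thread or from Dr.Web, that parses such lines and resolves the action that actually removed each object by following the member back to its container. The sample input is the three lines from the post, embedded here as constructed input; the field layout and the `<container>\<member>` convention are inferred from those lines rather than taken from Dr.Web documentation.

```python
r"""Read Dr.Web CureIt report lines and resolve what was actually removed.

Added example, not code from the thread or from Dr.Web. The sample report
is the three lines from the post above, embedded here as constructed input.
The field layout (object;location;threat;action;) and the convention that a
nested object is written as <container>\<member> are inferred from those
lines, not taken from Dr.Web documentation.
"""
from collections import namedtuple

Finding = namedtuple("Finding", "obj location threat action container")

SAMPLE_REPORT = r"""
RegUBP2b-SBR249.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
116e4b.msi\stream005;C:\Windows\Installer\116e4b.msi;BackDoor.Pigeon.11490;;
116e4b.msi;C:\Windows\Installer;Archive contains infected objects;Moved.;
"""


def parse_line(line):
    """Split one report line; a member of an archive keeps its container name."""
    fields = [f.strip() for f in line.rstrip("\r\n").split(";")]
    if len(fields) < 4:
        raise ValueError(f"unexpected field count in {line!r}")
    obj, location, threat, action = fields[:4]
    container = obj.split("\\", 1)[0] if "\\" in obj else None
    return Finding(obj, location, threat, action.rstrip("."), container)


def parse_report(text):
    """Parse every non-empty line of a DrWeb.csv-style report."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def effective_actions(findings):
    """Map each object to the action that removed it.

    A member inside an archive (here the MSI stream) carries no action of
    its own; the action was taken on the container, so report that one.
    """
    by_obj = {f.obj: f for f in findings}
    out = {}
    for f in findings:
        action = f.action
        if not action and f.container in by_obj:
            action = f"{by_obj[f.container].action} (via {f.container})"
        out[f.obj] = action or "none"
    return out


def demo():
    """Run the parser over the constructed sample and return the result."""
    return effective_actions(parse_report(SAMPLE_REPORT))


if __name__ == "__main__":
    for obj, action in demo().items():
        print(f"{obj:28} {action}")
```

Two things worth noting when reading such a report: a nested hit with no action of its own is not an unhandled detection if its container was moved or deleted, and the first line points at a file inside Spybot's own Snapshots folder, so a hit on another security tool's backup data deserves a second look before it is taken as evidence of an active infection.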

#10 Yourhighness

Posted 11 July 2008 - 04:45 PM

Apologies for the delay. You edited your post, and as you said you would get a post up later in the day, I expected another notification :thumbsup:. Sorry about that.
How is your PC doing now? I would like to get another DSS scan done, since the scanner found yet more items on your PC, but let's wait for your feedback first :).



#11 SBR249

Posted 12 July 2008 - 12:15 AM

Hi,

My computer is better now, I think. I haven't experienced the redirects in a couple of days. Here's a log of the DSS scan I just did:

Deckard's System Scanner v20071014.68
Run by SBR249 on 2008-07-12 00:50:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as SBR249.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:37 AM, on 7/12/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
D:\Software\WinPatrol\WinPatrol.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\SBR249\AppData\Local\FolderShare\FolderShare.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
D:\Software\SpywareGuard\sgmain.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Lenovo\Client Security Solution\tvtpwm_tray.exe
D:\Software\SpywareGuard\sgbhp.exe
D:\Software\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
D:\Software\Winamp\winamp.exe
D:\Software\Trillian\trillian.exe
D:\Utilities\Program Setups\dss.exe
C:\Windows\system32\conime.exe
D:\Software\HIJACK~1\SBR249.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Software\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Software\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Software\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - D:\Software\VeohTV\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [WinPatrol] D:\Software\WinPatrol\WinPatrol.exe
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [iTunesHelper] "D:\Software\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Windows Live FolderShare] "C:\Users\SBR249\AppData\Local\FolderShare\FolderShare.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: SpywareGuard.lnk = D:\Software\SpywareGuard\sgmain.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Evernote - res://D:\Software\Evernote 3\enbar.dll/2000
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - D:\Software\Evernote\enbar.dll
O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - D:\Software\Evernote\enbar.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Software\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Software\SPYBOT~1\SDHelper.dll
O9 - Extra button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - D:\Software\Evernote 3\enbar.dll
O9 - Extra 'Tools' menuitem: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - D:\Software\Evernote 3\enbar.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Software\Ad-Aware\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - D:\Software\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\Windows\system32\IPSSVC.EXE
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\Windows\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\Windows\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\Windows\system32\lktsrv.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - D:\Software\Matlab 7\webserver\bin\win32\matlabserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - D:\Software\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\Windows\system32\nisvcloc.exe
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - D:\Software\Spybot S&D\SDWinSec.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: tp4serv - Lenovo Group Limited - C:\Program Files\Lenovo\TrackPoint\TP4SERVINST.EXE
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Unknown owner - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 15366 bytes

-- Files created between 2008-06-12 and 2008-07-12 -----------------------------

2008-07-08 20:33:51 0 d-------- C:\Users\SBR249\DoctorWeb
2008-07-06 19:29:25 0 d-------- C:\Program Files\Common Files\Java
2008-06-26 10:24:23 0 d-------- C:\fsaua.data
2008-06-26 10:17:51 0 d-------- C:\Users\All Users\Malwarebytes
2008-06-16 08:25:22 11264 --a------ C:\Windows\system32\PSS03BAB.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-06-16 08:03:59 0 d-------- C:\PerfLogs
2008-06-15 01:09:44 225280 --a------ C:\Windows\system32\TubeFinder.exe <Not Verified; Koyote Soft; Tube Finder>
2008-06-15 01:09:43 101888 --a------ C:\Windows\system32\VB6STKIT.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-06-15 01:09:43 119568 --a------ C:\Windows\system32\VB6FR.DLL <Not Verified; Microsoft Corporation; Environnement Visual Basic>
2008-06-15 01:09:42 9728 --a------ C:\Windows\system32\PCCLPFR.DLL <Not Verified; Microsoft Corporation; PicClip>
2008-06-15 01:09:42 141312 --a------ C:\Windows\system32\MSCMCFR.DLL <Not Verified; Microsoft Corporation; COMCTL>
2008-06-15 01:09:42 32768 --a------ C:\Windows\system32\CMDLGFR.DLL <Not Verified; Microsoft Corporation; CMDIALOG>


-- Find3M Report ---------------------------------------------------------------

2008-07-08 20:29:30 12 --a------ C:\Windows\bthservsdp.dat
2008-07-07 02:18:25 0 d-------- C:\Users\SBR249\AppData\Roaming\Winamp
2008-07-06 19:34:22 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-06 19:30:43 0 d-------- C:\Program Files\Java
2008-07-06 19:29:25 0 d-------- C:\Program Files\Common Files
2008-06-26 10:17:56 0 d-------- C:\Users\SBR249\AppData\Roaming\Malwarebytes
2008-06-21 19:30:20 0 d-------- C:\Users\SBR249\AppData\Roaming\vlc
2008-06-21 05:12:57 0 d-------- C:\Users\SBR249\AppData\Roaming\Ruckus Network
2008-06-20 20:50:25 0 d-------- C:\Users\SBR249\AppData\Roaming\goombah
2008-06-17 10:59:28 0 d-------- C:\Program Files\McAfee
2008-06-16 08:24:24 174 --ahs---- C:\Program Files\desktop.ini
2008-06-16 08:06:19 0 d-------- C:\Program Files\Windows Sidebar
2008-06-16 08:06:19 0 d-------- C:\Program Files\Windows Photo Gallery
2008-06-16 08:06:19 0 d-------- C:\Program Files\Windows Mail
2008-06-16 08:06:19 0 d-------- C:\Program Files\Windows Journal
2008-06-16 08:06:19 0 d-------- C:\Program Files\Windows Collaboration
2008-06-16 08:06:19 0 d-------- C:\Program Files\Windows Calendar
2008-06-16 08:06:19 0 d-------- C:\Program Files\Movie Maker
2008-06-16 08:06:18 0 d-------- C:\Program Files\Windows Defender
2008-06-03 17:38:06 2544 --a------ C:\Windows\unins000.dat
2008-06-03 17:35:56 691545 --a------ C:\Windows\unins000.exe
2008-05-29 12:58:27 0 d-------- C:\Users\SBR249\AppData\Roaming\Joost
2008-05-28 08:59:23 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-28 08:58:09 1140 --a------ C:\Windows\mozver.dat
2008-05-23 22:44:21 0 d-------- C:\Program Files\Lenovo
2008-05-23 13:38:39 0 d-------- C:\Users\SBR249\AppData\Roaming\Lavasoft
2008-05-21 01:02:47 0 d-------- C:\Program Files\Common Files\xing shared
2008-05-21 01:02:39 0 d-------- C:\Program Files\Common Files\Real


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/19/2008 03:38 AM]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [03/09/2007 01:49 AM]
"TpShocks"="TpShocks.exe" [03/29/2007 09:40 PM C:\Windows\System32\TpShocks.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [03/28/2007 01:32 PM]
"LPManager"="C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe" [03/22/2007 01:02 PM]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [02/22/2007 08:50 PM]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [11/17/2006 01:39 PM]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [02/26/2007 06:45 PM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [08/31/2007 12:01 PM]
"WinPatrol"="D:\Software\WinPatrol\WinPatrol.exe" [04/19/2007 01:33 PM]
"AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [11/07/2006 07:51 PM]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [03/04/2008 10:34 AM]
"cssauth"="C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" [08/08/2007 05:53 PM]
"iTunesHelper"="D:\Software\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [02/11/2008 08:13 PM]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [02/11/2008 08:13 PM]
"Persistence"="C:\Windows\system32\igfxpers.exe" [02/11/2008 08:13 PM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [07/10/2007 05:40 AM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]
"PWMTRV"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [01/11/2008 02:20 AM]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [01/11/2008 02:20 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/19/2008 03:33 AM]
"Windows Live FolderShare"="C:\Users\SBR249\AppData\Local\FolderShare\FolderShare.exe" [04/15/2008 02:15 PM]

C:\Users\SBR249\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
SpywareGuard.lnk - D:\Software\SpywareGuard\sgmain.exe [8/29/2003 7:05:35 PM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [3/29/2007 4:11:50 PM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [6/30/2007 3:11:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"DisableCAD"=1 (0x1)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\Windows\system32\psqlpwd.dll 08/14/2007 03:54 PM 89600 C:\Windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli ACGina psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\Windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\Windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^SBR249^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LenovoWelcome.lnk]
path=C:\Users\SBR249\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LenovoWelcome.lnk
backup=C:\Windows\pss\LenovoWelcome.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTray]
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACWLIcon]
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMSG]
C:\Program Files\ThinkVantage\AMSG\Amsg.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AwaySch]
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"D:\Software\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
"C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"D:\Software\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LenovoOobeOffers]
c:\SWTOOLS\LenovoWelcome\LenovoOobeOffers.exe /filePath="c:\swshare\firstrun.txt"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPFNF7]
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc CscService TabletInputService UmRdpService wlansvc WPDBusEnum EMDMgmt
LocalServiceNoNetwork PLA DPS BFE mpssvc
LocalServiceNetworkRestricted DHCP eventlog AudioSrv LmHosts wscsvc p2pimsvc PNRPSvc p2psvc PnrpAutoReg
bthsvcs BthServ
GPSvcGroup GPSvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-07-12 00:52:46 ------------

Edited by Yourhighness, 16 July 2008 - 10:19 AM.


#12 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg
  • Local time:04:06 AM

Posted 12 July 2008 - 01:27 PM

Hey SBR249,

before I check that log, I would like you to also post the following:

Step #1

Please navigate to this link and search for HJTScanlist.zip (bottom of post #2). Follow the steps and post the log please.

Step #2

Please open Notepad and copy the following into it:

@echo off
rem List everything on the Desktop (hidden items included), oldest first, into desktop.txt
dir /o:d /a "%userprofile%\desktop" > "%userprofile%\desktop\desktop.txt"
rem Open the listing in Notepad; the batch waits here until Notepad is closed
C:\Windows\notepad.exe "%userprofile%\desktop\desktop.txt"
rem Remove the listing, then the batch file itself
del "%USERPROFILE%\Desktop\desktop.txt"
del desktop.bat
exit

Save this as "desktop.bat" (choose to save as *all files) and place it on your Desktop.
Double-click desktop.bat. Soon it should disappear from your Desktop; this is fine.

Step #3

Please post back with the log from the HJTScanlist and the desktop.bat. Thanks!

"How did I get infected?" - "Safe-hex" - Member of UNITE -
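The HJTScanlist output requested in Step #1 is a date-ordered file inventory (one line per entry: timestamp, path, a dash separator, size), and reading it means looking for files under system locations whose timestamps fall close to when the trouble started. As an added example, not part of the original thread or of the hjtscanlist tool, the Python script below parses that line format into records and pulls out entries under a watch-list of system directories that were modified within a window before the scan. The sample listing, the watch-list directories and the scan time are constructed for the example; entries the tool could not timestamp (the posted log has pagefile.sys and RRbackups that way) are reported separately rather than silently dropped.

```python
"""Triage helper for HJTScanlist-style listings.

Added example for this thread; it is not part of the original posts or of the
hjtscanlist tool. The sample listing, watch-list directories and scan time
below are constructed for the example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# One entry per line: "  MM/DD/YYYY HH:MM AM<tab> <path> --------- <size>".
# Both the date and the size may be blank (pagefile.sys is listed that way).
LINE_RE = re.compile(
    r"^\s*(?P<date>\d{2}/\d{2}/\d{4} \d{2}:\d{2} [AP]M)?\s*"
    r"(?P<path>[A-Za-z]:\\.*?) ---------\s*(?P<size>\d*)\s*$"
)


@dataclass
class Entry:
    path: str
    mtime: Optional[datetime]  # None when the listing carried no timestamp
    size: Optional[int]        # None when the size column was blank


def parse_hjtscanlist(text: str) -> List[Entry]:
    """Turn listing lines into Entry records; section headers and ---- rows are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        mtime = (datetime.strptime(m["date"], "%m/%d/%Y %I:%M %p")
                 if m["date"] else None)
        size = int(m["size"]) if m["size"] else None
        entries.append(Entry(m["path"], mtime, size))
    return entries


# Directories where a freshly written file is worth a second look.
# Constructed for the example; a real triage list would be longer.
WATCHED_ROOTS = (
    r"C:\Windows\system32",
    r"C:\Windows\system",
    r"C:\Windows\Tasks",
    r"C:\Windows\Temp",
)


def recent_in_watched(entries: List[Entry], as_of: datetime,
                      days: int = 30) -> List[Entry]:
    """Entries under WATCHED_ROOTS modified within `days` before `as_of`, newest first.
    Undated entries cannot be placed in time and are skipped here."""
    cutoff = as_of - timedelta(days=days)
    hits = []
    for e in entries:
        if e.mtime is None:
            continue
        lower = e.path.lower()
        # The trailing backslash keeps C:\Windows\system from matching system32.
        under = any(lower.startswith(root.lower() + "\\") for root in WATCHED_ROOTS)
        if under and cutoff <= e.mtime <= as_of:
            hits.append(e)
    hits.sort(key=lambda e: e.mtime, reverse=True)
    return hits


def undated(entries: List[Entry]) -> List[Entry]:
    """Entries the listing could not timestamp; these need a manual look."""
    return [e for e in entries if e.mtime is None]


# Constructed sample in the hjtscanlist layout (spaces stand in for the tab).
SAMPLE_LISTING = r"""
C:\Windows\System32

  07/12/2008 04:08 PM   C:\Windows\system32\example_recent.LOG --------- 1345344  
  06/13/2008 01:00 AM   C:\Windows\system32\example_tool.exe --------- 225280  
  03/08/2008 12:21 AM   C:\Windows\system32\example_old.dll --------- 1695744  
       C:\pagefile.sys ---------
----------------------------------------

C:\Windows\Tasks

  07/12/2008 03:00 AM   C:\Windows\Tasks\ExampleTask.job --------- 338  
----------------------------------------
"""
SCAN_TIME = datetime(2008, 7, 12, 16, 10)  # constructed: when the listing was taken


def triage_sample(days: int = 30) -> Tuple[List[str], List[str]]:
    """Run the parser over the sample; returns (recent hits, undated) as file names."""
    def name(e: Entry) -> str:
        return e.path.rsplit("\\", 1)[-1]
    entries = parse_hjtscanlist(SAMPLE_LISTING)
    hits = recent_in_watched(entries, SCAN_TIME, days)
    return [name(e) for e in hits], [name(e) for e in undated(entries)]


if __name__ == "__main__":
    recent, no_date = triage_sample()
    print("recently modified under watched roots:", recent)
    print("no timestamp, check by hand:", no_date)
```

To use it on a real listing, feed the pasted log text to parse_hjtscanlist and pass the time the scan was taken as as_of; a hit on this list is a lead to verify (publisher, hash, where it is launched from), not a verdict, since legitimate updates and log files land in the same directories.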


#13 SBR249

SBR249
  • Topic Starter

  • Members
  • 13 posts
  • Local time:11:06 PM

Posted 12 July 2008 - 03:16 PM

Hi,

Below are the results from HJTScanlist.zip and desktop.bat

HJTScanlist:

						$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 
						º									º 
									hjtscanlist v2.0			  
						º									º 
						$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 

Microsoft Windows [Version 6.0.6001]
 
 
C:

  07/12/2008 03:12 PM	 C:\SWSHARE --------- 4096   
  07/12/2008 12:37 PM	 C:\Windows --------- 53248   
  07/12/2008 05:42 AM	 C:\System Volume Information --------- 28672   
  07/12/2008 12:50 AM	 C:\Deckard --------- 0   
	   C:\pagefile.sys ---------	
  07/04/2008 05:50 PM	 C:\DRIVERS --------- 0   
  07/01/2008 03:39 AM	 C:\QUARANTINE --------- 0   
  06/26/2008 10:24 AM	 C:\fsaua.data --------- 0   
  06/26/2008 10:17 AM	 C:\ProgramData --------- 8192   
  06/17/2008 12:45 PM	 C:\Program Files --------- 20480   
  06/16/2008 08:25 AM	 C:\Boot --------- 0   
  06/16/2008 08:03 AM	 C:\PerfLogs --------- 0   
  01/19/2008 03:45 AM	 C:\bootmgr --------- 333203   
  10/08/2007 08:45 PM	 C:\tvtpktfilter.dat --------- 1732   
  10/08/2007 02:17 PM	 C:\Downloads --------- 0   
	   C:\RRbackups ---------	
  10/07/2007 12:00 AM	 C:\iagather.xml --------- 613402   
  10/06/2007 03:41 PM	 C:\MSOCache --------- 0   
  10/05/2007 09:54 PM	 C:\$Recycle.Bin --------- 4096   
  10/05/2007 09:52 PM	 C:\SWTOOLS --------- 4096   
  10/05/2007 09:50 PM	 C:\Users --------- 4096   
  06/30/2007 03:29 PM	 C:\Icons --------- 0   
  06/30/2007 03:12 PM	 C:\Intel --------- 0   
  06/30/2007 02:36 PM	 C:\syslevel.lgl --------- 53   
  06/30/2007 02:20 PM	 C:\WAUUPGRD --------- 0   
  11/09/2006 07:32 PM	 C:\BOOTSECT.BAK --------- 8192   
  11/02/2006 09:02 AM	 C:\Documents and Settings --------- 0   
  09/18/2006 05:43 PM	 C:\config.sys --------- 10   
  09/18/2006 05:43 PM	 C:\autoexec.bat --------- 24   
----------------------------------------

 
C:\Windows

  07/12/2008 12:37 PM	 C:\Windows\QTFont.for --------- 1409   
  07/12/2008 12:37 PM	 C:\Windows\QTFont.qfn --------- 54156   
  07/12/2008 08:35 AM	 C:\Windows\WindowsUpdate.log --------- 1627210   
  07/12/2008 12:47 AM	 C:\Windows\bootstat.dat --------- 67584   
  07/09/2008 08:58 AM	 C:\Windows\ntbtlog.txt --------- 716662   
  07/08/2008 08:29 PM	 C:\Windows\bthservsdp.dat --------- 12   
  07/08/2008 08:16 PM	 C:\Windows\PFRO.log --------- 12734   
  07/05/2008 02:10 AM	 C:\Windows\setupact.log --------- 714   
  07/05/2008 02:10 AM	 C:\Windows\setuperr.log --------- 0   
  06/16/2008 08:24 AM	 C:\Windows\WindowsShell.Manifest --------- 749   
  06/03/2008 05:38 PM	 C:\Windows\unins000.dat --------- 2544   
  06/03/2008 05:35 PM	 C:\Windows\unins000.exe --------- 691545   
  05/28/2008 08:58 AM	 C:\Windows\mozver.dat --------- 1140   
  04/27/2008 08:25 PM	 C:\Windows\matlab.ini --------- 156   
  03/21/2008 12:18 PM	 C:\Windows\win.ini --------- 255   
  01/19/2008 03:33 AM	 C:\Windows\regedit.exe --------- 134656   
  01/19/2008 03:33 AM	 C:\Windows\notepad.exe --------- 151040   
  01/19/2008 03:33 AM	 C:\Windows\HelpPane.exe --------- 498176   
  01/19/2008 03:33 AM	 C:\Windows\fveupdate.exe --------- 13312   
  01/19/2008 03:33 AM	 C:\Windows\explorer.exe --------- 2927104   
  01/19/2008 03:33 AM	 C:\Windows\bfsvc.exe --------- 58880   
  01/11/2008 02:20 AM	 C:\Windows\PWMBTHLV.EXE --------- 107808   
  11/29/2007 09:47 PM	 C:\Windows\AdvConfig.ini --------- 28   
  11/26/2007 08:03 PM	 C:\Windows\SFACB5910.tmp --------- 24   
  11/20/2007 01:08 PM	 C:\Windows\VPNInstall.MIF --------- 1594   
  10/06/2007 10:12 PM	 C:\Windows\x --------- 188   
  10/06/2007 06:55 PM	 C:\Windows\REGKEYNT.INI --------- 53   
  10/06/2007 03:32 PM	 C:\Windows\nsreg.dat --------- 0   
  06/30/2007 03:33 PM	 C:\Windows\ocsetup_install_OEMHelpCustomization.etl --------- 7536640   
  06/30/2007 03:33 PM	 C:\Windows\ocsetup_cbs_install_OEMHelpCustomization.perf --------- 24576   
  06/30/2007 03:33 PM	 C:\Windows\ocsetup_cbs_install_OEMHelpCustomization.dpx --------- 8192   
  06/30/2007 02:57 PM	 C:\Windows\csup.txt --------- 12   
  06/30/2007 02:40 PM	 C:\Windows\KB931573.LOG.perf --------- 24576   
  06/30/2007 02:40 PM	 C:\Windows\KB931573.LOG.dpx --------- 24576   
  06/30/2007 02:40 PM	 C:\Windows\KB930979.LOG.perf --------- 32768   
  06/30/2007 02:40 PM	 C:\Windows\KB930979.LOG.dpx --------- 24576   
  06/30/2007 02:40 PM	 C:\Windows\KB929577.LOG.perf --------- 40960   
  06/30/2007 02:40 PM	 C:\Windows\KB929577.LOG.dpx --------- 24576   
  06/30/2007 02:40 PM	 C:\Windows\KB932246.LOG.perf --------- 24576   
  06/30/2007 02:40 PM	 C:\Windows\KB932246.LOG.dpx --------- 40960   
  06/30/2007 02:40 PM	 C:\Windows\KB931768.LOG.perf --------- 24576   
  06/30/2007 02:40 PM	 C:\Windows\KB931768.LOG.dpx --------- 40960   
  06/30/2007 02:39 PM	 C:\Windows\KB931621.LOG.perf --------- 24576   
  06/30/2007 02:39 PM	 C:\Windows\KB931621.LOG.dpx --------- 24576   
  06/30/2007 02:39 PM	 C:\Windows\KB931174.LOG.perf --------- 24576   
  06/30/2007 02:39 PM	 C:\Windows\KB931174.LOG.dpx --------- 24576   
  06/30/2007 02:38 PM	 C:\Windows\KB931099.LOG.perf --------- 24576   
  06/30/2007 02:38 PM	 C:\Windows\KB931099.LOG.dpx --------- 32768   
  06/30/2007 02:38 PM	 C:\Windows\KB930857.LOG.perf --------- 24576   
  06/30/2007 02:38 PM	 C:\Windows\KB930857.LOG.dpx --------- 24576   
  06/30/2007 02:38 PM	 C:\Windows\KB930585.LOG.perf --------- 24576   
  06/30/2007 02:38 PM	 C:\Windows\KB930585.LOG.dpx --------- 57344   
  06/30/2007 02:38 PM	 C:\Windows\KB930193.LOG.perf --------- 40960   
  06/30/2007 02:38 PM	 C:\Windows\KB930193.LOG.dpx --------- 16384   
  06/30/2007 02:38 PM	 C:\Windows\KB930178.LOG.perf --------- 24576   
  06/30/2007 02:38 PM	 C:\Windows\KB930178.LOG.dpx --------- 24576   
  06/30/2007 02:38 PM	 C:\Windows\KB930163.LOG.perf --------- 24576   
  06/30/2007 02:38 PM	 C:\Windows\KB930163.LOG.dpx --------- 24576   
  06/30/2007 02:38 PM	 C:\Windows\KB929777.LOG.perf --------- 24576   
  06/30/2007 02:38 PM	 C:\Windows\KB929777.LOG.dpx --------- 24576   
  06/30/2007 02:37 PM	 C:\Windows\KB929763.LOG.perf --------- 24576   
  06/30/2007 02:37 PM	 C:\Windows\KB929763.LOG.dpx --------- 24576   
  06/30/2007 02:37 PM	 C:\Windows\KB929762.LOG.perf --------- 24576   
  06/30/2007 02:37 PM	 C:\Windows\KB929762.LOG.dpx --------- 24576   
  06/30/2007 02:37 PM	 C:\Windows\KB929735.LOG.perf --------- 24576   
  06/30/2007 02:37 PM	 C:\Windows\KB929735.LOG.dpx --------- 24576   
  06/30/2007 02:37 PM	 C:\Windows\KB929685.LOG.perf --------- 24576   
  06/30/2007 02:37 PM	 C:\Windows\KB929685.LOG.dpx --------- 24576   
  06/30/2007 02:37 PM	 C:\Windows\KB929399.LOG.perf --------- 24576   
  06/30/2007 02:37 PM	 C:\Windows\KB929399.LOG.dpx --------- 24576   
  06/30/2007 02:37 PM	 C:\Windows\KB928089.LOG.perf --------- 24576   
  06/30/2007 02:37 PM	 C:\Windows\KB928089.LOG.dpx --------- 32768   
  06/30/2007 02:37 PM	 C:\Windows\KB925902.LOG.perf --------- 24576   
  06/30/2007 02:37 PM	 C:\Windows\KB925902.LOG.dpx --------- 24576   
  06/30/2007 02:36 PM	 C:\Windows\KB925528.LOG.perf --------- 24576   
  06/30/2007 02:36 PM	 C:\Windows\KB925528.LOG.dpx --------- 32768   
  03/29/2007 04:11 PM	 C:\Windows\BtwIEProxy.exe --------- 285488   
  12/06/2006 01:05 PM	 C:\Windows\CLNDR.CMD --------- 478   
  11/02/2006 08:36 AM	 C:\Windows\WMSysPr9.prx --------- 316640   
  11/02/2006 08:35 AM	 C:\Windows\twunk_16.exe --------- 49680   
  11/02/2006 08:35 AM	 C:\Windows\twunk_32.exe --------- 31232   
  11/02/2006 08:35 AM	 C:\Windows\twain_32.dll --------- 50688   
  11/02/2006 08:35 AM	 C:\Windows\twain.dll --------- 94784   
  11/02/2006 05:45 AM	 C:\Windows\winhlp32.exe --------- 9216   
  11/02/2006 05:45 AM	 C:\Windows\hh.exe --------- 14848   
  11/02/2006 03:46 AM	 C:\Windows\mib.bin --------- 43131   
  09/19/2006 07:41 AM	 C:\Windows\Business.xml --------- 4261   
  09/18/2006 05:46 PM	 C:\Windows\system.ini --------- 219   
  09/18/2006 05:43 PM	 C:\Windows\_default.pif --------- 707   
  09/18/2006 05:43 PM	 C:\Windows\winhelp.exe --------- 256192   
  09/18/2006 05:30 PM	 C:\Windows\msdfmap.ini --------- 1405   
----------------------------------------

 
C:\Windows\System

 11/02/2006 08:35 AM	  C:\Windows\System\mciseq.drv --------- 25264 
 11/02/2006 08:35 AM	  C:\Windows\System\mciwave.drv --------- 28160 
 11/02/2006 08:35 AM	  C:\Windows\System\avifile.dll --------- 109456 
 11/02/2006 08:35 AM	  C:\Windows\System\mciavi.drv --------- 73376 
 11/02/2006 08:35 AM	  C:\Windows\System\avicap.dll --------- 69584 
 11/02/2006 08:35 AM	  C:\Windows\System\msvideo.dll --------- 126912 
 11/02/2006 03:10 AM	  C:\Windows\System\OLESVR.DLL --------- 24064 
 11/02/2006 03:10 AM	  C:\Windows\System\WFWNET.DRV --------- 12704 
 11/02/2006 03:10 AM	  C:\Windows\System\COMMDLG.DLL --------- 32816 
 11/02/2006 03:10 AM	  C:\Windows\System\TIMER.DRV --------- 4048 
 11/02/2006 03:10 AM	  C:\Windows\System\MMSYSTEM.DLL --------- 68992 
 11/02/2006 03:10 AM	  C:\Windows\System\mmtask.tsk --------- 1152 
 11/02/2006 03:10 AM	  C:\Windows\System\mouse.drv --------- 2032 
 11/02/2006 03:10 AM	  C:\Windows\System\vga.drv --------- 2176 
 11/02/2006 03:10 AM	  C:\Windows\System\sound.drv --------- 1744 
 11/02/2006 03:10 AM	  C:\Windows\System\keyboard.drv --------- 2000 
 11/02/2006 03:10 AM	  C:\Windows\System\SHELL.DLL --------- 5120 
 11/02/2006 03:10 AM	  C:\Windows\System\system.drv --------- 3360 
 09/18/2006 05:43 PM	  C:\Windows\System\ver.dll --------- 9008 
 09/18/2006 05:43 PM	  C:\Windows\System\olecli.dll --------- 82944 
 09/18/2006 05:43 PM	  C:\Windows\System\lzexpand.dll --------- 9936 
 09/18/2006 05:35 PM	  C:\Windows\System\stdole.tlb --------- 5532 
----------------------------------------

 
C:\Windows\System32

 07/12/2008 04:09 PM	 C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 --------- 3680  
 07/12/2008 04:09 PM	 C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 --------- 3680  
 07/12/2008 04:08 PM	 C:\Windows\system32\TPAPSLOG.LOG --------- 1345344  
 07/12/2008 03:47 PM	 C:\Windows\system32\TPHDLOG0.LOG --------- 544000  
 07/12/2008 12:47 AM	 C:\Windows\system32\Config.MPF --------- 23132  
 07/09/2008 12:22 PM	 C:\Windows\system32\catroot --------- 0  
 07/09/2008 12:21 PM	 C:\Windows\system32\catroot2 --------- 8192  
 07/09/2008 11:54 AM	 C:\Windows\system32\PROCDB.INI --------- 25269  
 07/09/2008 11:52 AM	 C:\Windows\system32\IPSCtrl.INI --------- 380  
 07/06/2008 07:30 PM	 C:\Windows\system32\jupdate-1.6.0_06-b02.log --------- 5964  
 07/05/2008 02:14 AM	 C:\Windows\system32\perfh009.dat --------- 598588  
 07/05/2008 02:14 AM	 C:\Windows\system32\perfc009.dat --------- 102194  
 07/05/2008 02:14 AM	 C:\Windows\system32\PerfStringBackup.INI --------- 694964  
 07/05/2008 02:10 AM	 C:\Windows\system32\drivers --------- 57344  
 07/04/2008 05:51 PM	 C:\Windows\system32\Tasks --------- 4096  
 07/04/2008 05:41 PM	 C:\Windows\system32\wbem --------- 61440  
 07/04/2008 05:40 PM	 C:\Windows\system32\spool --------- 4096  
 07/01/2008 05:00 PM	 C:\Windows\system32\LogFiles --------- 4096  
 06/25/2008 12:15 PM	 C:\Windows\system32\mrt.exe --------- 17972344  
 06/21/2008 05:11 PM	 C:\Windows\system32\config --------- 8192  
 06/16/2008 06:08 PM	 C:\Windows\system32\WDI --------- 4096  
 06/16/2008 08:25 AM	 C:\Windows\system32\PSS03BAB.DLL --------- 11264  
 06/16/2008 08:11 AM	 C:\Windows\system32\FNTCACHE.DAT --------- 376184  
 06/16/2008 08:06 AM	 C:\Windows\system32\com --------- 4096  
 06/16/2008 08:06 AM	 C:\Windows\system32\XPSViewer --------- 0  
 06/16/2008 08:06 AM	 C:\Windows\system32\da-DK --------- 0  
 06/16/2008 08:06 AM	 C:\Windows\system32\ko-KR --------- 0  
 06/16/2008 08:06 AM	 C:\Windows\system32\en-US --------- 270336  
 06/16/2008 08:06 AM	 C:\Windows\system32\de-DE --------- 0  
 06/16/2008 08:06 AM	 C:\Windows\system32\it-IT --------- 0  
 06/16/2008 08:06 AM	 C:\Windows\system32\el-GR --------- 0  
 06/16/2008 08:06 AM	 C:\Windows\system32\oobe --------- 4096  
 06/16/2008 08:06 AM	 C:\Windows\system32\sysprep --------- 0  
 06/16/2008 08:06 AM	 C:\Windows\system32\migration --------- 0  
 06/16/2008 08:06 AM	 C:\Windows\system32\AdvancedInstallers --------- 0  
 06/16/2008 08:06 AM	 C:\Windows\system32\ru-RU --------- 0  
 06/16/2008 08:06 AM	 C:\Windows\system32\ias --------- 0  
 06/16/2008 08:06 AM	 C:\Windows\system32\fr-FR --------- 0  
 06/16/2008 08:06 AM	 C:\Windows\system32\sv-SE --------- 0  
 06/16/2008 08:06 AM	 C:\Windows\system32\he-IL --------- 0  
 06/16/2008 08:06 AM	 C:\Windows\system32\setup --------- 0  
 06/16/2008 08:06 AM	 C:\Windows\system32\fi-FI --------- 0  
 06/16/2008 08:06 AM	 C:\Windows\system32\cs-CZ --------- 0  
 06/16/2008 08:06 AM	 C:\Windows\system32\hu-HU --------- 0  
 06/16/2008 08:06 AM	 C:\Windows\system32\pt-PT --------- 0  
 06/16/2008 08:06 AM	 C:\Windows\system32\SLUI --------- 0  
 06/16/2008 08:06 AM	 C:\Windows\system32\zh-CN --------- 0  
 06/16/2008 08:06 AM	 C:\Windows\system32\en --------- 0  
 06/16/2008 08:06 AM	 C:\Windows\system32\manifeststore --------- 0  
 06/16/2008 08:06 AM	 C:\Windows\system32\es-ES --------- 0  
 06/16/2008 08:06 AM	 C:\Windows\system32\zh-TW --------- 0  
 06/16/2008 08:06 AM	 C:\Windows\system32\pl-PL --------- 0  
 06/16/2008 08:06 AM	 C:\Windows\system32\ja-JP --------- 0  
 06/16/2008 08:06 AM	 C:\Windows\system32\ro-RO --------- 0  
 06/16/2008 08:06 AM	 C:\Windows\system32\tr-TR --------- 0  
 06/16/2008 08:05 AM	 C:\Windows\system32\nb-NO --------- 0  
 06/16/2008 08:05 AM	 C:\Windows\system32\nl-NL --------- 0  
 06/16/2008 08:05 AM	 C:\Windows\system32\ar-SA --------- 0  
 06/16/2008 08:05 AM	 C:\Windows\system32\migwiz --------- 4096  
 06/16/2008 08:05 AM	 C:\Windows\system32\pt-BR --------- 0  
 06/16/2008 08:04 AM	 C:\Windows\system32\Boot --------- 0  
 06/16/2008 01:43 AM	 C:\Windows\system32\ifxcardm.dll --------- 101888  
 06/16/2008 01:43 AM	 C:\Windows\system32\axaltocm.dll --------- 82432  
 06/13/2008 01:00 AM	 C:\Windows\system32\TubeFinder.exe --------- 225280  
 06/04/2008 06:42 PM	 C:\Windows\system32\VB6STKIT.DLL --------- 101888  
 06/04/2008 06:42 PM	 C:\Windows\system32\PICCLP32.OCX --------- 84512  
 06/04/2008 06:42 PM	 C:\Windows\system32\PropertyGrid.ocx --------- 364544  
 06/04/2008 06:42 PM	 C:\Windows\system32\ControlSubX.ocx --------- 24576  
 06/04/2008 06:42 PM	 C:\Windows\system32\VB6FR.DLL --------- 119568  
 06/04/2008 06:42 PM	 C:\Windows\system32\PCCLPFR.DLL --------- 9728  
 06/04/2008 06:42 PM	 C:\Windows\system32\CMDLGFR.DLL --------- 32768  
 06/04/2008 06:42 PM	 C:\Windows\system32\ReyXpBasics.tlb --------- 208500  
 06/04/2008 06:42 PM	 C:\Windows\system32\MSCMCFR.DLL --------- 141312  
 05/21/2008 01:02 AM	 C:\Windows\system32\rmoc3260.dll --------- 185944  
 05/21/2008 01:02 AM	 C:\Windows\system32\pndx5032.dll --------- 5632  
 05/21/2008 01:02 AM	 C:\Windows\system32\pndx5016.dll --------- 6656  
 05/21/2008 01:02 AM	 C:\Windows\system32\msvcr71.dll --------- 348160  
 05/21/2008 01:02 AM	 C:\Windows\system32\pncrt.dll --------- 278528  
 05/16/2008 11:58 AM	 C:\Windows\system32\lsdelete.exe --------- 12632  
 05/09/2008 11:35 PM	 C:\Windows\system32\RacEngn.dll --------- 885248  
 05/09/2008 06:22 PM	 C:\Windows\system32\RacUR.xml --------- 9127  
 05/09/2008 06:22 PM	 C:\Windows\system32\RacUREx.xml --------- 153  
 04/28/2008 11:54 PM	 C:\Windows\system32\fsquirt.exe --------- 181760  
 04/26/2008 04:08 AM	 C:\Windows\system32\quartz.dll --------- 1314816  
 04/25/2008 12:35 AM	 C:\Windows\system32\wininet.dll --------- 826880  
 04/25/2008 12:35 AM	 C:\Windows\system32\urlmon.dll --------- 1166336  
 04/25/2008 12:35 AM	 C:\Windows\system32\mstime.dll --------- 671232  
 04/25/2008 12:35 AM	 C:\Windows\system32\mshtml.dll --------- 3578368  
 04/25/2008 12:35 AM	 C:\Windows\system32\jsproxy.dll --------- 28160  
 04/24/2008 10:12 PM	 C:\Windows\system32\mshtml.tlb --------- 1383424  
 04/21/2008 08:19 AM	 C:\Windows\system32\Log_20080421_081931_17F4.txt --------- 122  
 04/21/2008 08:19 AM	 C:\Windows\system32\Log_20080421_081931_140C.txt --------- 122  
 03/28/2008 11:37 PM	 C:\Windows\system32\QuickTimeVR.qtx --------- 90112  
 03/28/2008 11:37 PM	 C:\Windows\system32\QuickTime.qts --------- 57344  
 03/25/2008 02:37 AM	 C:\Windows\system32\javaws.exe --------- 139264  
 03/25/2008 01:28 AM	 C:\Windows\system32\javaw.exe --------- 135168  
 03/25/2008 01:28 AM	 C:\Windows\system32\java.exe --------- 135168  
 03/21/2008 12:30 PM	 C:\Windows\system32\Macromed --------- 0  
 03/12/2008 04:21 PM	 C:\Windows\system32\gpprefcl.dll --------- 678408  
 03/08/2008 12:21 AM	 C:\Windows\system32\gameux.dll --------- 1695744  
----------------------------------------

 
C:\Windows\Prefetch

 07/12/2008 04:10 PM	 C:\Windows\Prefetch\CMD.EXE-4A81B364.pf --------- 12478  
 07/12/2008 04:10 PM	 C:\Windows\Prefetch\DLLHOST.EXE-5E46FA0D.pf --------- 42882  
 07/12/2008 04:10 PM	 C:\Windows\Prefetch\RUNDLL32.EXE-CE79B3A7.pf --------- 22712  
 07/12/2008 04:10 PM	 C:\Windows\Prefetch\SEARCHFILTERHOST.EXE-77482212.pf --------- 14434  
 07/12/2008 04:10 PM	 C:\Windows\Prefetch\SEARCHPROTOCOLHOST.EXE-0CB8CADE.pf --------- 24604  
 07/12/2008 04:10 PM	 C:\Windows\Prefetch\WINZIP32.EXE-189C6BEE.pf --------- 98402  
 07/12/2008 04:06 PM	 C:\Windows\Prefetch\AgGlFgAppHistory.db --------- 632775  
 07/12/2008 04:06 PM	 C:\Windows\Prefetch\AgGlFaultHistory.db --------- 774719  
 07/12/2008 04:06 PM	 C:\Windows\Prefetch\AgGlGlobalHistory.db --------- 2905393  
 07/12/2008 04:06 PM	 C:\Windows\Prefetch\AgRobust.db --------- 334460  
 07/12/2008 03:58 PM	 C:\Windows\Prefetch\WMIPRVSE.EXE-1628051C.pf --------- 27594  
 07/12/2008 03:47 PM	 C:\Windows\Prefetch\TASKENG.EXE-48D4E289.pf --------- 18240  
 07/12/2008 03:17 PM	 C:\Windows\Prefetch\VERCLSID.EXE-7C52E31C.pf --------- 41408  
 07/12/2008 03:12 PM	 C:\Windows\Prefetch\AgGlUAD_P_S-1-5-21-2301203564-2383269524-2497708116-1003.db --------- 1000163  
 07/12/2008 03:12 PM	 C:\Windows\Prefetch\AgGlUAD_S-1-5-21-2301203564-2383269524-2497708116-1003.db --------- 958412  
 07/12/2008 03:08 PM	 C:\Windows\Prefetch\MCUIMGR.EXE-B6D1A252.pf --------- 44430  
 07/12/2008 03:07 PM	 C:\Windows\Prefetch\LOGONUI.EXE-09140401.pf --------- 41956  
 07/12/2008 02:45 PM	 C:\Windows\Prefetch\MCSCRIPT_INUSE.EXE-37308CAA.pf --------- 47818  
 07/12/2008 02:45 PM	 C:\Windows\Prefetch\MCUPDATE.EXE-323C4391.pf --------- 42056  
 07/12/2008 02:33 PM	 C:\Windows\Prefetch\MCUPDMGR.EXE-D515E3C4.pf --------- 130492  
 07/12/2008 02:33 PM	 C:\Windows\Prefetch\HWUPDCHK.EXE-17789F96.pf --------- 42902  
 07/12/2008 02:33 PM	 C:\Windows\Prefetch\MCUPDATE.EXE-3BDA89ED.pf --------- 55600  
 07/12/2008 02:33 PM	 C:\Windows\Prefetch\MCSYNC.EXE-94E92097.pf --------- 40778  
 07/12/2008 02:33 PM	 C:\Windows\Prefetch\MCINFO.EXE-63EEF562.pf --------- 38952  
 07/12/2008 02:33 PM	 C:\Windows\Prefetch\MCSVRCNT.EXE-7C466466.pf --------- 14766  
 07/12/2008 12:57 PM	 C:\Windows\Prefetch\LOGON.SCR-30601369.pf --------- 30320  
 07/12/2008 12:38 PM	 C:\Windows\Prefetch\DISTNOTED.EXE-04155A8C.pf --------- 19862  
 07/12/2008 12:38 PM	 C:\Windows\Prefetch\APPLEMOBILEDEVICEHELPER.EXE-4AA961B8.pf --------- 53904  
 07/12/2008 12:37 PM	 C:\Windows\Prefetch\ITUNES.EXE-306A470B.pf --------- 160290  
 07/12/2008 12:13 PM	 C:\Windows\Prefetch\WINWORD.EXE-C91725A1.pf --------- 110184  
 07/12/2008 09:41 AM	 C:\Windows\Prefetch\layout.ini --------- 1064774  
 07/12/2008 05:43 AM	 C:\Windows\Prefetch\DLLHOST.EXE-861F96F8.pf --------- 74334  
 07/12/2008 05:42 AM	 C:\Windows\Prefetch\SVCHOST.EXE-7CFEDEA3.pf --------- 19272  
 07/12/2008 05:42 AM	 C:\Windows\Prefetch\VSSVC.EXE-B8AFC319.pf --------- 33636  
 07/12/2008 05:42 AM	 C:\Windows\Prefetch\RUNDLL32.EXE-230FC512.pf --------- 5840  
 07/12/2008 05:39 AM	 C:\Windows\Prefetch\DFRGNTFS.EXE-7E4077FE.pf --------- 24050  
 07/12/2008 05:35 AM	 C:\Windows\Prefetch\DEFRAG.EXE-588F90AD.pf --------- 15470  
 07/12/2008 05:32 AM	 C:\Windows\Prefetch\PWMIDTSV.EXE-4974983C.pf --------- 3068  
 07/12/2008 04:52 AM	 C:\Windows\Prefetch\MCUIMGR.EXE-363043E5.pf --------- 45716  
 07/12/2008 03:22 AM	 C:\Windows\Prefetch\FNPLICENSINGSERVICE.EXE-FAD19408.pf --------- 13472  
 07/12/2008 03:20 AM	 C:\Windows\Prefetch\ACROBAT.EXE-B894D3AF.pf --------- 206898  
 07/12/2008 03:20 AM	 C:\Windows\Prefetch\ACROBATINFO.EXE-8D0EA9C3.pf --------- 103182  
 07/12/2008 03:14 AM	 C:\Windows\Prefetch\ACFNF5.EXE-300DEF06.pf --------- 26008  
 07/12/2008 03:14 AM	 C:\Windows\Prefetch\RUNDLL32.EXE-90539A1A.pf --------- 55492  
 07/12/2008 03:00 AM	 C:\Windows\Prefetch\SCAN32.EXE-1D9C57DC.pf --------- 98474  
 07/12/2008 03:00 AM	 C:\Windows\Prefetch\QCCONSOL.EXE-A42DAA4E.pf --------- 191842  
 07/12/2008 03:00 AM	 C:\Windows\Prefetch\IEUSER.EXE-7C0FE221.pf --------- 41290  
 07/12/2008 02:00 AM	 C:\Windows\Prefetch\SPYBOTSD.EXE-3194B081.pf --------- 259860  
 07/12/2008 12:57 AM	 C:\Windows\Prefetch\WSQMCONS.EXE-118B52B7.pf --------- 93000  
 07/12/2008 12:52 AM	 C:\Windows\Prefetch\NOTEPAD.EXE-86E0E9B9.pf --------- 45126  
 07/12/2008 12:52 AM	 C:\Windows\Prefetch\FIND.EXE-E2237F6D.pf --------- 7378  
 07/12/2008 12:52 AM	 C:\Windows\Prefetch\CSCRIPT.EXE-D1EF4768.pf --------- 55924  
 07/12/2008 12:52 AM	 C:\Windows\Prefetch\SWREG.EXE-D78B02E6.pf --------- 9450  
 07/12/2008 12:52 AM	 C:\Windows\Prefetch\SED.EXE-ADAB5722.pf --------- 5212  
 07/12/2008 12:52 AM	 C:\Windows\Prefetch\FINDSTR.EXE-2E9C6FE2.pf --------- 8584  
 07/12/2008 12:50 AM	 C:\Windows\Prefetch\SBR249.EXE-8F446EEC.pf --------- 119048  
 07/12/2008 12:50 AM	 C:\Windows\Prefetch\CONIME.EXE-9781FD5F.pf --------- 40066  
 07/12/2008 12:50 AM	 C:\Windows\Prefetch\DSS.EXE-4F2FAAF6.pf --------- 61998  
 07/12/2008 12:50 AM	 C:\Windows\Prefetch\MD5DEEP.EXE-863EC89A.pf --------- 8698  
 07/12/2008 12:48 AM	 C:\Windows\Prefetch\AgCx_SC1.db --------- 829515  
 07/12/2008 12:47 AM	 C:\Windows\Prefetch\WERCON.EXE-E36BD04E.pf --------- 81074  
 07/12/2008 12:47 AM	 C:\Windows\Prefetch\WERMGR.EXE-0F2AC88C.pf --------- 18844  
 07/12/2008 12:47 AM	 C:\Windows\Prefetch\MOBSYNC.EXE-C5E2284F.pf --------- 49320  
 07/12/2008 12:47 AM	 C:\Windows\Prefetch\AgCx_SC1.db.trx --------- 286394  
 07/11/2008 04:22 PM	 C:\Windows\Prefetch\WMPNSCFG.EXE-FC0D39BF.pf --------- 12264  
 07/11/2008 02:16 PM	 C:\Windows\Prefetch\SOFTWAREUPDATE.EXE-631B74E4.pf --------- 5524  
 07/11/2008 02:16 PM	 C:\Windows\Prefetch\DLLHOST.EXE-7ED62AA2.pf --------- 44768  
 07/11/2008 08:55 AM	 C:\Windows\Prefetch\RUNDLL32.EXE-1E613929.pf --------- 116524  
 07/11/2008 08:55 AM	 C:\Windows\Prefetch\TPFNF8.EXE-5994088E.pf --------- 6066  
 07/11/2008 08:52 AM	 C:\Windows\Prefetch\MPFSRV.EXE-B8B2B7DC.pf --------- 19320  
 07/11/2008 03:00 AM	 C:\Windows\Prefetch\QCCONSOL.EXE-C53BB569.pf --------- 204080  
 07/11/2008 02:21 AM	 C:\Windows\Prefetch\MPCMDRUN.EXE-F401FBB4.pf --------- 3328  
 07/11/2008 02:21 AM	 C:\Windows\Prefetch\MPSIGSTUB.EXE-BD887690.pf --------- 16986  
 07/11/2008 02:21 AM	 C:\Windows\Prefetch\MPAS-D.EXE-40FE95BA.pf --------- 11326  
 07/11/2008 02:21 AM	 C:\Windows\Prefetch\WUAUCLT.EXE-70318591.pf --------- 27024  
 07/10/2008 10:41 PM	 C:\Windows\Prefetch\NOTEPAD.EXE-D8414F97.pf --------- 46772  
 07/10/2008 10:26 PM	 C:\Windows\Prefetch\TRILLIAN.EXE-CFD94E49.pf --------- 108476  
 07/10/2008 09:26 PM	 C:\Windows\Prefetch\MCUPDATE.EXE-55CCA9E2.pf --------- 54678  
 07/10/2008 03:24 AM	 C:\Windows\Prefetch\MCSVRCNT.EXE-9D546F81.pf --------- 54878  
 07/10/2008 03:23 AM	 C:\Windows\Prefetch\MCSYNC.EXE-A4B62562.pf --------- 40588  
 07/10/2008 03:23 AM	 C:\Windows\Prefetch\MCINFO.EXE-73BBFA2D.pf --------- 39088  
 07/09/2008 10:44 PM	 C:\Windows\Prefetch\VLC.EXE-4A422743.pf --------- 112462  
 07/09/2008 10:43 PM	 C:\Windows\Prefetch\MCUPDMGR.EXE-B407D8A9.pf --------- 41264  
 07/09/2008 03:17 PM	 C:\Windows\Prefetch\EXCEL.EXE-C6BEF51C.pf --------- 174028  
 07/09/2008 01:03 PM	 C:\Windows\Prefetch\WINAMP.EXE-C3B9EAC3.pf --------- 150946  
 07/09/2008 12:29 PM	 C:\Windows\Prefetch\MSIEXEC.EXE-A2D55CB6.pf --------- 364506  
 07/09/2008 12:23 PM	 C:\Windows\Prefetch\TASKMGR.EXE-5F5F473D.pf --------- 91852  
 07/09/2008 12:00 PM	 C:\Windows\Prefetch\FIREFOX.EXE-9F5D1941.pf --------- 251298  
 07/09/2008 11:55 AM	 C:\Windows\Prefetch\ReadyBoot --------- 0  
 07/09/2008 11:53 AM	 C:\Windows\Prefetch\NTOSBOOT-B00DFAAD.pf --------- 1563898  
 07/08/2008 08:27 PM	 C:\Windows\Prefetch\PfSvPerfStats.bin --------- 508  
 07/06/2008 06:45 PM	 C:\Windows\Prefetch\AgAppLaunch.db --------- 332116  
----------------------------------------

 
C:\Windows\Tasks

 07/12/2008 03:00 AM	 C:\Windows\Tasks\DailyClean.job --------- 338  
 07/12/2008 02:37 AM	 C:\Windows\Tasks\Spybot - Search & Destroy -  Scheduled Task.job --------- 300  
 07/09/2008 11:52 AM	 C:\Windows\Tasks\SA.DAT --------- 6  
 07/08/2008 08:29 PM	 C:\Windows\Tasks\SCHEDLGU.TXT --------- 32648  
 07/02/2008 04:47 AM	 C:\Windows\Tasks\DDefrag.job --------- 346  
 07/01/2008 04:57 AM	 C:\Windows\Tasks\CDefrag.job --------- 346  
 07/01/2008 01:00 AM	 C:\Windows\Tasks\McQcTask.job --------- 334  
 06/17/2008 10:58 AM	 C:\Windows\Tasks\McDefragTask.job --------- 342  
----------------------------------------

 
C:\Windows\Temp

 07/11/2008 02:21 AM	 C:\Windows\Temp\MpCmdRun.log --------- 6722  
 07/11/2008 02:21 AM	 C:\Windows\Temp\MpSigStub.log --------- 4876  
 07/09/2008 11:55 AM	 C:\Windows\Temp\mcmsc_cJy9jh1nfnkHDja --------- 0  
 07/09/2008 11:54 AM	 C:\Windows\Temp\hsperfdata_TERRY-IBM$ --------- 0  
 07/08/2008 08:19 PM	 C:\Windows\Temp\mcmsc_flgaxj668VCGlMA --------- 0  
 07/08/2008 01:56 AM	 C:\Windows\Temp\MPTelemetrySubmit --------- 0  
 02/02/2007 11:49 AM	 C:\Windows\Temp\hpzEN4v2.chm --------- 43280  
 02/02/2007 11:49 AM	 C:\Windows\Temp\hpzEN4v2.hlp --------- 228690  
----------------------------------------

 
C:\Users\SBR249\AppData\Local\Temp

 07/12/2008 04:05 PM	 C:\Users\SBR249\AppData\Local\Temp\plugtmp-2 --------- 0  
 07/12/2008 12:14 PM	 C:\Users\SBR249\AppData\Local\Temp\VBE --------- 0  
 07/12/2008 03:21 AM	 C:\Users\SBR249\AppData\Local\Temp\libFNP_events.log --------- 819  
 07/12/2008 03:20 AM	 C:\Users\SBR249\AppData\Local\Temp\Adobe --------- 0  
 07/11/2008 01:40 AM	 C:\Users\SBR249\AppData\Local\Temp\flaC5E6.tmp --------- 20139088  
 07/09/2008 11:39 PM	 C:\Users\SBR249\AppData\Local\Temp\flaFF15.tmp --------- 252953515  
 07/09/2008 03:09 PM	 C:\Users\SBR249\AppData\Local\Temp\~DF87.tmp --------- 32768  
 07/09/2008 11:56 AM	 C:\Users\SBR249\AppData\Local\Temp\~DF3CBE.tmp --------- 16384  
 07/09/2008 11:55 AM	 C:\Users\SBR249\AppData\Local\Temp\~DF8364.tmp --------- 16384  
 07/06/2008 07:27 PM	 C:\Users\SBR249\AppData\Local\Temp\FXSAPIDebugLogFile.txt --------- 0  
 10/06/2007 11:19 PM	 C:\Users\SBR249\AppData\Local\Temp\NAILogs --------- 0  
----------------------------------------

 
C:\Program Files

 07/06/2008 07:50 PM	 C:\Program Files\Adobe --------- 0  
 07/06/2008 07:30 PM	 C:\Program Files\Java --------- 4096  
 07/06/2008 07:29 PM	 C:\Program Files\Common Files --------- 4096  
 06/17/2008 10:59 AM	 C:\Program Files\McAfee --------- 4096  
 06/16/2008 08:24 AM	 C:\Program Files\desktop.ini --------- 174  
 06/16/2008 08:06 AM	 C:\Program Files\Windows Calendar --------- 0  
 06/16/2008 08:06 AM	 C:\Program Files\Windows Sidebar --------- 4096  
 06/16/2008 08:06 AM	 C:\Program Files\Movie Maker --------- 0  
 06/16/2008 08:06 AM	 C:\Program Files\Windows Mail --------- 4096  
 06/16/2008 08:06 AM	 C:\Program Files\Internet Explorer --------- 4096  
 06/16/2008 08:06 AM	 C:\Program Files\Windows Media Player --------- 4096  
 06/16/2008 08:06 AM	 C:\Program Files\Windows Collaboration --------- 0  
 06/16/2008 08:06 AM	 C:\Program Files\Windows Photo Gallery --------- 4096  
 06/16/2008 08:06 AM	 C:\Program Files\Windows Journal --------- 0  
 06/16/2008 08:06 AM	 C:\Program Files\Windows Defender --------- 4096  
 05/28/2008 08:59 AM	 C:\Program Files\Microsoft Silverlight --------- 4096  
 05/23/2008 10:44 PM	 C:\Program Files\Lenovo --------- 4096  
 04/24/2008 10:45 PM	 C:\Program Files\Apple Software Update --------- 4096  
 04/21/2008 05:39 AM	 C:\Program Files\Emergent Music LLC --------- 0  
 04/12/2008 09:53 PM	 C:\Program Files\iPod --------- 0  
 04/12/2008 09:52 PM	 C:\Program Files\QuickTime --------- 4096  
 03/21/2008 09:54 PM	 C:\Program Files\InstallShield Installation Information --------- 8192  
 03/21/2008 12:20 PM	 C:\Program Files\Microsoft Office --------- 4096  
 11/25/2007 01:46 PM	 C:\Program Files\HI-TECH Software --------- 0  
 10/06/2007 11:49 PM	 C:\Program Files\ThinkVantage Fingerprint Software --------- 8192  
 10/06/2007 10:45 PM	 C:\Program Files\Microsoft CAPICOM 2.1.0.2 --------- 0  
 10/06/2007 10:31 PM	 C:\Program Files\Analog Devices --------- 0  
 10/06/2007 10:18 PM	 C:\Program Files\PCDR5 --------- 0  
 10/06/2007 10:10 PM	 C:\Program Files\Lenovo Group Limited --------- 0  
 10/06/2007 07:21 PM	 C:\Program Files\Bonjour --------- 0  
 10/06/2007 06:55 PM	 C:\Program Files\NoteBurner --------- 0  
 10/06/2007 06:12 PM	 C:\Program Files\Microsoft IntelliPoint --------- 8192  
 10/06/2007 04:03 PM	 C:\Program Files\Pharos --------- 0  
 10/06/2007 04:03 PM	 C:\Program Files\PharosSystems --------- 0  
 10/06/2007 03:47 PM	 C:\Program Files\Microsoft Works --------- 0  
 10/06/2007 03:47 PM	 C:\Program Files\Microsoft Visual Studio --------- 0  
 10/06/2007 03:46 PM	 C:\Program Files\Microsoft.NET --------- 0  
 10/06/2007 03:30 PM	 C:\Program Files\Intel --------- 0  
 10/05/2007 11:12 PM	 C:\Program Files\MSXML 4.0 --------- 0  
 10/05/2007 11:04 PM	 C:\Program Files\McAfee.com --------- 0  
 10/05/2007 10:53 PM	 C:\Program Files\Windows Live Toolbar --------- 0  
 10/05/2007 10:50 PM	 C:\Program Files\Microsoft SQL Server --------- 0  
 06/30/2007 03:44 PM	 C:\Program Files\Google --------- 0  
 06/30/2007 03:44 PM	 C:\Program Files\ThinkPad --------- 4096  
 06/30/2007 03:29 PM	 C:\Program Files\ThinkVantage --------- 4096  
 06/30/2007 03:25 PM	 C:\Program Files\Diskeeper Corporation --------- 0  
 06/30/2007 03:11 PM	 C:\Program Files\Digital Line Detect --------- 4096  
 06/30/2007 03:11 PM	 C:\Program Files\NetWaiting --------- 0  
 06/30/2007 03:10 PM	 C:\Program Files\CONEXANT --------- 0  
 06/30/2007 02:55 PM	 C:\Program Files\DIFX --------- 0  
 11/02/2006 09:01 AM	 C:\Program Files\Uninstall Information --------- 0  
 11/02/2006 08:37 AM	 C:\Program Files\Windows NT --------- 0  
 11/02/2006 08:37 AM	 C:\Program Files\Reference Assemblies --------- 0  
 11/02/2006 08:37 AM	 C:\Program Files\MSBuild --------- 0  
----------------------------------------

 
C:\ProgramData\.. 

SBR249
desktop.ini	
Default	
Default User	
All Users	
Public	
----------------------------------------

 
C:\Windows\system32\drivers\etc\hosts

127.0.0.1	   localhost

----------------------------------------

 

Image Name					 PID Session Name		Session#	Mem Usage
========================= ======== ================ =========== ============
System Idle Process			  0 Services				   0		 24 K
System						   4 Services				   0	  1,872 K
smss.exe					   624 Services				   0		248 K
csrss.exe					  700 Services				   0	  2,724 K
wininit.exe					744 Services				   0		352 K
csrss.exe					  752 Console					1	  6,988 K
services.exe				   788 Services				   0	  3,292 K
lsass.exe					  800 Services				   0	  2,444 K
lsm.exe						808 Services				   0	  1,328 K
winlogon.exe				   916 Console					1	  1,320 K
svchost.exe					992 Services				   0	 10,056 K
ibmpmsvc.exe				  1036 Services				   0		736 K
svchost.exe				   1080 Services				   0	 11,952 K
svchost.exe				   1120 Services				   0	 16,568 K
svchost.exe				   1216 Services				   0	 10,992 K
svchost.exe				   1252 Services				   0	 76,912 K
svchost.exe				   1316 Services				   0	 35,292 K
audiodg.exe				   1380 Services				   0	  7,584 K
svchost.exe				   1412 Services				   0	  6,864 K
SLsvc.exe					 1452 Services				   0		884 K
svchost.exe				   1500 Services				   0	 13,328 K
svchost.exe				   1632 Services				   0	 18,204 K
upeksvr.exe				   1764 Console					1	  2,888 K
spoolsv.exe				   1988 Services				   0	  4,292 K
svchost.exe				   2012 Services				   0	 12,156 K
tp4servinst.exe			   1064 Services				   0		352 K
IPSSVC.EXE					1804 Services				   0		960 K
AcPrfMgrSvc.exe			   1920 Services				   0		304 K
AEADISRV.EXE				   472 Services				   0		212 K
AppleMobileDeviceService.	 1856 Services				   0		808 K
mDNSResponder.exe			 1000 Services				   0	  1,400 K
svchost.exe				   1324 Services				   0	  3,396 K
cvpnd.exe					 2032 Services				   0	  1,408 K
DbgSvc.exe					2064 Services				   0	  6,024 K
lkcitdl.exe				   2096 Services				   0		340 K
lkads.exe					 2164 Services				   0		304 K
lktsrv.exe					2236 Services				   0		496 K
FrameworkService.exe		  2416 Services				   0	  3,916 K
mcshield.exe				  2436 Services				   0	  1,628 K
vstskmgr.exe				  2472 Services				   0		448 K
naPrdMgr.exe				  2528 Services				   0		720 K
mdm.exe					   2720 Services				   0		916 K
MpfSrv.exe					2756 Services				   0	  1,784 K
nidmsrv.exe				   2816 Services				   0		436 K
nisvcloc.exe				  2828 Services				   0		244 K
CTskMstr.exe				  2868 Services				   0	  2,560 K
svchost.exe				   2888 Services				   0	  7,120 K
svchost.exe				   2924 Services				   0	  5,916 K
tvt_reg_monitor_svc.exe	   2960 Services				   0		372 K
TPHDEXLG.exe				  3104 Services				   0		644 K
TPHKSVC.exe				   3152 Services				   0		996 K
tvttcsd.exe				   3184 Services				   0		300 K
rrpservice.exe				3252 Services				   0		272 K
dwm.exe					   3488 Console					1	 47,284 K
explorer.exe				  3556 Console					1	 52,736 K
tp4serv.exe				   3596 Console					1	  1,768 K
taskeng.exe				   3620 Console					1	  7,732 K
rrservice.exe				 3800 Services				   0	  5,408 K
tvtsched.exe				  3828 Services				   0	  3,252 K
IUService.exe				 3840 Services				   0		312 K
svchost.exe				   3868 Services				   0		828 K
XAudio.exe					3960 Services				   0		608 K
AcSvc.exe					 3996 Services				   0	  3,964 K
logmon.exe					3320 Services				   0	  1,664 K
SDWinSec.exe				  1448 Services				   0	  4,880 K
MSASCui.exe				   2276 Console					1	  3,252 K
TPOSDSVC.exe				  3632 Console					1	  4,924 K
TpShocks.exe				  3412 Console					1	  1,212 K
EZEJMNAP.EXE				  1812 Console					1	  1,008 K
LPMGR.EXE					 1160 Console					1		880 K
shstat.exe					2020 Console					1		820 K
UdaterUI.exe				  4072 Console					1	  5,352 K
ipoint.exe					4164 Console					1	  3,348 K
WinPatrol.exe				 4192 Console					1	  9,128 K
AwaySch.EXE				   4216 Console					1	  5,424 K
scheduler_proxy.exe		   4224 Console					1	  2,552 K
cssauth.exe				   4232 Console					1	  5,876 K
igfxtray.exe				  4256 Console					1	  2,624 K
hkcmd.exe					 4268 Console					1	  4,380 K
igfxpers.exe				  4280 Console					1	  4,972 K
smax4pnp.exe				  4296 Console					1	  6,464 K
mcagent.exe				   4304 Console					1		392 K
rundll32.exe				  4312 Console					1	  7,224 K
jusched.exe				   4352 Console					1	  2,656 K
sidebar.exe				   4360 Console					1	 29,312 K
FolderShare.exe			   4400 Console					1	  8,416 K
BTTray.exe					4424 Console					1	  8,236 K
DLG.exe					   4432 Console					1	  5,788 K
taskeng.exe				   4440 Services				   0	  3,608 K
sgmain.exe					4452 Console					1	  8,128 K
Mctray.exe					4548 Console					1	  6,168 K
igfxsrvc.exe				  4652 Console					1	  5,856 K
TPONSCR.exe				   4692 Console					1	  3,576 K
TpScrex.exe				   5020 Console					1	  2,844 K
dpupdchk.exe				  5144 Console					1	  3,720 K
msdtc.exe					 6064 Services				   0	  4,164 K
SvcGuiHlpr.exe				6072 Services				   0	  4,540 K
mcmscsvc.exe				  2944 Services				   0	  1,948 K
tvtpwm_tray.exe			   4752 Console					1	 55,224 K
sgbhp.exe					 2516 Console					1	  2,104 K
iPodService.exe			   4564 Services				   0	  4,000 K
taskeng.exe				   4952 Services				   0	  6,708 K
McNASvc.exe				   5396 Services				   0	  8,724 K
firefox.exe				   1624 Console					1	495,504 K
wuauclt.exe				   2448 Console					1	  6,904 K
TrustedInstaller.exe		   952 Services				   0	  2,868 K
SearchIndexer.exe			 4672 Services				   0	 10,492 K
winamp.exe					5052 Console					1	  8,724 K
trillian.exe				  6892 Console					1	 10,556 K
conime.exe					6752 Console					1	  2,816 K
notepad.exe				   3012 Console					1	  2,412 K
dllhost.exe				   3952 Services				   0	  7,104 K
iTunes.exe					6476 Console					1	 30,400 K
AppleMobileDeviceHelper.e	 7728 Console					1	  3,424 K
distnoted.exe				 2620 Console					1	  2,388 K
cmd.exe					   1016 Console					1	  3,092 K
SearchProtocolHost.exe		5940 Services				   0	  9,248 K
SearchFilterHost.exe		  5380 Services				   0	  4,888 K
dllhost.exe				   4876 Console					1	 11,628 K
tasklist.exe				  6964 Console					1	  4,632 K
WmiPrvSE.exe				  6640 Services				   0	  5,972 K

 
***** Ende des Scans Sat 07/12/2008 um 16:11:39.75 ***


Desktop.bat:

Volume in drive C is Windows
Volume Serial Number is 703A-02D6

Directory of C:\Users\SBR249\desktop

10/06/2007 06:47 PM 921 Windows Media Player.lnk
10/06/2007 06:47 PM 456 desktop.ini
10/06/2007 09:15 PM 649 Jodix Free WMA to MP3 Converter.lnk
10/06/2007 09:32 PM 678 CCleaner.lnk
10/06/2007 09:34 PM 1,582 WinPatrol.lnk
11/08/2007 10:10 PM 30,259 hjtscanlist.bat
11/21/2007 01:26 PM 577 AusLogics Disk Defrag.lnk
11/26/2007 07:04 PM 747 DVD Decrypter.lnk
11/29/2007 10:23 PM 664 Powerword 2006.lnk
02/13/2008 10:06 PM 2,209 X-Win32.lnk
03/18/2008 01:46 PM 674 Launch VeohTV.lnk
03/21/2008 12:23 PM 2,611 Microsoft Office PowerPoint 2007.lnk
03/24/2008 12:41 PM 2,627 Microsoft Office Word 2007.lnk
04/21/2008 05:41 AM 681 Ruckus Player.lnk
05/29/2008 12:57 PM 557 Joost.lnk
06/03/2008 05:39 PM 752 Spybot - Search & Destroy.lnk
06/16/2008 08:47 AM 572 SpywareGuard.lnk
06/16/2008 08:49 AM 604 SpywareBlaster.lnk
06/16/2008 03:09 PM 1,513 Kaspersky report.txt
06/17/2008 03:41 PM 1,500 Kaspersky report 6-17.txt
06/26/2008 10:02 AM 702 HijackThis.lnk
06/30/2008 12:26 AM 1,973,255 Stinger.exe
07/07/2008 12:37 AM 1,145 Kaspersky report 7-06.txt
07/08/2008 08:09 PM 10,795,352 drweb-cureit.exe
07/08/2008 08:26 PM 10,795,352 launch.exe
07/09/2008 09:02 AM 298 DrWeb.csv
07/09/2008 11:50 AM 298 DrWeb2.csv
07/09/2008 11:51 AM <DIR> %USERPROFILE%
07/09/2008 02:17 PM 446,272 Voter Registration.pdf
07/09/2008 03:17 PM 2,585 Microsoft Office Excel 2007.lnk
07/10/2008 10:26 PM 752 Trillian.lnk
07/12/2008 03:17 PM 2,097 hjtscanlist.zip
07/12/2008 04:12 PM 26,110 hjtscanlist.txt
07/12/2008 04:13 PM 208 desktop.bat
07/12/2008 04:13 PM <DIR> ..
07/12/2008 04:13 PM <DIR> .
07/12/2008 04:13 PM 0 desktop.txt
34 File(s) 24,095,259 bytes
3 Dir(s) 7,814,332,416 bytes free

Edited by Yourhighness, 16 July 2008 - 10:21 AM.


#14 Yourhighness

Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 16 July 2008 - 09:57 AM

Hey SBR249,

As explained in the PM - apologies for the delay. Seems the notification didn't quite get through.

Just as a reiteration. Some nasty files have been found and deleted, but you should be aware of this:

Please note that you are infected with a trojan or a Backdoor / Backdoor Server.

Due to the status of some of the files you have on your computer, I strongly recommend that you do the following immediately:
  • Disconnect the infected computer from the internet until the computer can be cleaned.
  • From a clean computer, change your online passwords-- for email, for banks, eBay, forums etc.... (Do not change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information).
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall?

However, since the infection looks relatively small from first sight, I am happy to try and clean your PC (I am just providing you with the above information to underline the impact that can occur with files like these on your pc).

Should you have any questions, please feel free to ask.

Now, on to the fix.

Step #1

Java got updated again with some critical fixes.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
Step #2

Please open Notepad and copy the following into it:

@echo off
rem Record the contents of C:\Windows\x into look.txt on the Desktop
dir "C:\Windows\x" >> "%userprofile%\desktop\look.txt"
rem Remove the scan tools and reports that are no longer needed
del "%userprofile%\desktop\hjtscanlist.bat"
del "%userprofile%\desktop\Kaspersky report.txt"
del "%userprofile%\desktop\Kaspersky report 6-17.txt"
del "%userprofile%\desktop\Stinger.exe"
del "%userprofile%\desktop\Kaspersky report 7-06.txt"
del "%userprofile%\desktop\drweb-cureit.exe"
del "%userprofile%\desktop\DrWeb.csv"
del "%userprofile%\desktop\DrWeb2.csv"
del "%userprofile%\desktop\hjtscanlist.zip"
del "%userprofile%\desktop\hjtscanlist.txt"
del "%userprofile%\desktop\desktop.bat"
del "%userprofile%\desktop\desktop.txt"
rem Append a fresh Desktop listing, open look.txt for copying, then clean up
dir "%userprofile%\desktop\" >> "%userprofile%\desktop\look.txt"
notepad "%userprofile%\desktop\look.txt"
del "%userprofile%\desktop\look.txt"
rem The batch file runs from the Desktop, so this deletes itself last
del look.bat

Save this as "look.bat". Choose to save as *all files, and place it on your Desktop.
Double-click look.bat. Soon it should disappear from your Desktop; this is fine.

Step #3

Please go to the Malware Upload Channel and upload the following file by reproducing the below steps:
  • Please enter the link to the topic in the text box next to: Link to topic where this file was requested:
  • Then click "Browse" on the line below and navigate to the following file:

    C:\iagather.xml (the file path should now appear in the text box next to the browse button)

  • In the comment section, please make a note that I asked you to upload the file here: Yourhighness
  • Click Send File
Please let me know when the submission has finished. Thanks.

Step #4

Ok. Let's take it from here. Please post back with the following:
  • The contents of look.txt
  • A fresh HijackThis log.
Thanks!

Edited by Yourhighness, 16 July 2008 - 10:22 AM.
edited users name into nick in all posts

"How did I get infected?" - "Safe-hex" - Member of UNITE -
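One way to confirm that Step #1 really left only one JRE behind, as an added example that is not part of the original post: the script below reads the standard Windows Uninstall registry keys and flags every registered Java runtime that is older than the newest one. The display-name pattern for Sun-era JRE/J2SE installers is an assumption.

```powershell
# Added example, not part of the original post: enumerate every Java Runtime
# Environment registered in Add/Remove Programs and flag the ones older than
# the newest install, so a leftover vulnerable JRE stands out after Step #1.
# Assumes a Windows host and read access to the standard Uninstall keys.

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Assumed display-name prefixes used by Sun-era JRE/J2SE installers.
$jrePattern = '^(Java\(TM\)|J2SE Runtime Environment|Java Runtime Environment|Java \d)'

$installs = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem $root) {
        $p = Get-ItemProperty $key.PSPath
        if (-not ($p.DisplayName -and $p.DisplayName -match $jrePattern)) { continue }
        # DisplayVersion looks like 1.6.0.70; anything unparseable sorts lowest.
        try   { $ver = [version]$p.DisplayVersion }
        catch { $ver = [version]'0.0' }
        New-Object PSObject -Property @{
            Name            = $p.DisplayName
            Version         = $ver
            UninstallString = $p.UninstallString
        }
    }
}

if (-not $installs) {
    Write-Host 'No Java Runtime Environment is registered on this machine.'
    return
}

$newest = ($installs | Sort-Object Version -Descending | Select-Object -First 1).Version

# Print one line per install; anything marked OLDER is a side-by-side copy
# that Add/Remove Programs still has to remove.
foreach ($j in ($installs | Sort-Object Version -Descending)) {
    $state = if ($j.Version -lt $newest) { 'OLDER - remove' } else { 'newest' }
    '{0,-36} {1,-12} {2}' -f $j.Name, $j.Version, $state
}
```

Run it after rebooting from the Java uninstall step; a clean result lists a single entry marked "newest".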


#15 SBR249

SBR249
  • Topic Starter

  • Members
  • 13 posts

Posted 16 July 2008 - 11:31 AM

Hi,

If you don't mind me asking, do you know the name of the trojan/backdoor that has infected my computer? As for reformatting and reinstalling, I want to avoid that as much as possible for another 6 months until things have calmed down a little. At the moment, it would be extremely inconvenient.

Anyway, I have done the following:

1) Updated Java to RTE 6 Update 7
2) Copied, saved, and ran look.bat, look.txt is shown below
3) Uploaded C:\iagather.xml to the Malware Upload Channel
4) Ran DSS again, the HJT log is posted below as well

Thanks
SBR249


look.txt

Volume in drive C is Windows
Volume Serial Number is 703A-02D6

Directory of C:\Windows

10/06/2007 10:12 PM 188 x
1 File(s) 188 bytes
0 Dir(s) 6,454,337,536 bytes free
Volume in drive C is Windows
Volume Serial Number is 703A-02D6

Directory of C:\Users\Terry Wu\desktop

07/16/2008 12:20 PM <DIR> .
07/16/2008 12:20 PM <DIR> ..
11/21/2007 01:26 PM 577 AusLogics Disk Defrag.lnk
07/16/2008 12:04 PM <DIR> Bleepingcomputer
10/06/2007 09:32 PM 678 CCleaner.lnk
11/26/2007 07:04 PM 747 DVD Decrypter.lnk
06/26/2008 10:02 AM 702 HijackThis.lnk
10/06/2007 09:15 PM 649 Jodix Free WMA to MP3 Converter.lnk
05/29/2008 12:57 PM 557 Joost.lnk
03/18/2008 01:46 PM 674 Launch VeohTV.lnk
07/08/2008 08:26 PM 10,795,352 launch.exe
07/16/2008 12:18 PM 768 look.bat
07/16/2008 12:20 PM 238 look.txt
07/09/2008 03:17 PM 2,585 Microsoft Office Excel 2007.lnk
03/21/2008 12:23 PM 2,611 Microsoft Office PowerPoint 2007.lnk
03/24/2008 12:41 PM 2,627 Microsoft Office Word 2007.lnk
11/29/2007 10:23 PM 664 Powerword 2006.lnk
04/21/2008 05:41 AM 681 Ruckus Player.lnk
06/03/2008 05:39 PM 752 Spybot - Search & Destroy.lnk
06/16/2008 08:49 AM 604 SpywareBlaster.lnk
06/16/2008 08:47 AM 572 SpywareGuard.lnk
07/10/2008 10:26 PM 752 Trillian.lnk
07/09/2008 02:17 PM 446,272 Voter Registration.pdf
10/06/2007 06:47 PM 921 Windows Media Player.lnk
10/06/2007 09:34 PM 1,582 WinPatrol.lnk
02/13/2008 10:06 PM 2,209 X-Win32.lnk
23 File(s) 11,263,774 bytes
3 Dir(s) 6,467,186,688 bytes free


Deckard's System Scanner v20071014.68
Run by Terry Wu on 2008-07-16 12:25:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Terry Wu.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:25:38 PM, on 7/16/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
D:\Software\WinPatrol\WinPatrol.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Terry Wu\AppData\Local\FolderShare\FolderShare.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
D:\Software\SpywareGuard\sgmain.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Lenovo\Client Security Solution\tvtpwm_tray.exe
D:\Software\SpywareGuard\sgbhp.exe
C:\Windows\system32\wuauclt.exe
D:\Software\Winamp\winamp.exe
D:\Software\Trillian\trillian.exe
C:\Windows\system32\conime.exe
D:\Software\Mozilla Firefox\firefox.exe
C:\Windows\System32\notepad.exe
D:\Utilities\Program Setups\dss.exe
D:\Software\HIJACK~1\TERRYW~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Software\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Software\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Software\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - D:\Software\VeohTV\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [WinPatrol] D:\Software\WinPatrol\WinPatrol.exe
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [iTunesHelper] "D:\Software\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Windows Live FolderShare] "C:\Users\Terry Wu\AppData\Local\FolderShare\FolderShare.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: SpywareGuard.lnk = D:\Software\SpywareGuard\sgmain.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Evernote - res://D:\Software\Evernote 3\enbar.dll/2000
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - D:\Software\Evernote\enbar.dll
O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - D:\Software\Evernote\enbar.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Software\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Software\SPYBOT~1\SDHelper.dll
O9 - Extra button: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - D:\Software\Evernote 3\enbar.dll
O9 - Extra 'Tools' menuitem: Add to Evernote - {E0B8C461-F8FB-49b4-8373-FE32E9252800} - D:\Software\Evernote 3\enbar.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Software\Ad-Aware\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - D:\Software\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\Windows\system32\IPSSVC.EXE
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\Windows\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\Windows\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\Windows\system32\lktsrv.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - D:\Software\Matlab 7\webserver\bin\win32\matlabserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - D:\Software\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\Windows\system32\nisvcloc.exe
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - D:\Software\Spybot S&D\SDWinSec.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: tp4serv - Lenovo Group Limited - C:\Program Files\Lenovo\TrackPoint\TP4SERVINST.EXE
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Unknown owner - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 15348 bytes

-- Files created between 2008-06-16 and 2008-07-16 -----------------------------

2008-07-16 12:14:36 0 d-------- C:\Program Files\Common Files\Java
2008-07-08 20:33:51 0 d-------- C:\Users\Terry Wu\DoctorWeb
2008-06-26 10:24:23 0 d-------- C:\fsaua.data
2008-06-26 10:17:51 0 d-------- C:\Users\All Users\Malwarebytes
2008-06-16 08:25:22 11264 --a------ C:\Windows\system32\PSS03BAB.DLL <Not Verified; Pharos Systems International; PHAROS>
2008-06-16 08:03:59 0 d-------- C:\PerfLogs


-- Find3M Report ---------------------------------------------------------------

2008-07-16 12:16:31 0 d-------- C:\Program Files\Java
2008-07-16 12:14:36 0 d-------- C:\Program Files\Common Files
2008-07-16 01:24:57 0 d-------- C:\Users\Terry Wu\AppData\Roaming\tunebite
2008-07-16 00:58:28 0 d-------- C:\Users\Terry Wu\AppData\Roaming\Ruckus Network
2008-07-14 09:07:15 0 d-------- C:\Users\Terry Wu\AppData\Roaming\goombah
2008-07-08 20:29:30 12 --a------ C:\Windows\bthservsdp.dat
2008-07-07 02:18:25 0 d-------- C:\Users\Terry Wu\AppData\Roaming\Winamp
2008-07-06 19:34:22 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-26 10:17:56 0 d-------- C:\Users\Terry Wu\AppData\Roaming\Malwarebytes
2008-06-21 19:30:20 0 d-------- C:\Users\Terry Wu\AppData\Roaming\vlc
2008-06-17 10:59:28 0 d-------- C:\Program Files\McAfee
2008-06-16 08:24:24 174 --ahs---- C:\Program Files\desktop.ini
2008-06-16 08:06:19 0 d-------- C:\Program Files\Windows Sidebar
2008-06-16 08:06:19 0 d-------- C:\Program Files\Windows Photo Gallery
2008-06-16 08:06:19 0 d-------- C:\Program Files\Windows Mail
2008-06-16 08:06:19 0 d-------- C:\Program Files\Windows Journal
2008-06-16 08:06:19 0 d-------- C:\Program Files\Windows Collaboration
2008-06-16 08:06:19 0 d-------- C:\Program Files\Windows Calendar
2008-06-16 08:06:19 0 d-------- C:\Program Files\Movie Maker
2008-06-16 08:06:18 0 d-------- C:\Program Files\Windows Defender
2008-06-13 01:00:08 225280 --a------ C:\Windows\system32\TubeFinder.exe <Not Verified; Koyote Soft; Tube Finder>
2008-06-04 18:42:54 101888 --a------ C:\Windows\system32\VB6STKIT.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-06-04 18:42:54 119568 --a------ C:\Windows\system32\VB6FR.DLL <Not Verified; Microsoft Corporation; Environnement Visual Basic>
2008-06-04 18:42:54 9728 --a------ C:\Windows\system32\PCCLPFR.DLL <Not Verified; Microsoft Corporation; PicClip>
2008-06-04 18:42:54 141312 --a------ C:\Windows\system32\MSCMCFR.DLL <Not Verified; Microsoft Corporation; COMCTL>
2008-06-04 18:42:54 32768 --a------ C:\Windows\system32\CMDLGFR.DLL <Not Verified; Microsoft Corporation; CMDIALOG>
2008-06-03 17:38:06 2544 --a------ C:\Windows\unins000.dat
2008-06-03 17:35:56 691545 --a------ C:\Windows\unins000.exe
2008-05-29 12:58:27 0 d-------- C:\Users\Terry Wu\AppData\Roaming\Joost
2008-05-28 08:59:23 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-28 08:58:09 1140 --a------ C:\Windows\mozver.dat
2008-05-23 22:44:21 0 d-------- C:\Program Files\Lenovo
2008-05-23 13:38:39 0 d-------- C:\Users\Terry Wu\AppData\Roaming\Lavasoft
2008-05-21 01:02:47 0 d-------- C:\Program Files\Common Files\xing shared
2008-05-21 01:02:39 0 d-------- C:\Program Files\Common Files\Real


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/19/2008 03:38 AM]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [03/09/2007 01:49 AM]
"TpShocks"="TpShocks.exe" [03/29/2007 09:40 PM C:\Windows\System32\TpShocks.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [03/28/2007 01:32 PM]
"LPManager"="C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe" [03/22/2007 01:02 PM]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [02/22/2007 08:50 PM]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [11/17/2006 01:39 PM]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [02/26/2007 06:45 PM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [08/31/2007 12:01 PM]
"WinPatrol"="D:\Software\WinPatrol\WinPatrol.exe" [04/19/2007 01:33 PM]
"AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [11/07/2006 07:51 PM]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [03/04/2008 10:34 AM]
"cssauth"="C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" [08/08/2007 05:53 PM]
"iTunesHelper"="D:\Software\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [02/11/2008 08:13 PM]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [02/11/2008 08:13 PM]
"Persistence"="C:\Windows\system32\igfxpers.exe" [02/11/2008 08:13 PM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [07/10/2007 05:40 AM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]
"PWMTRV"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [01/11/2008 02:20 AM]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [01/11/2008 02:20 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/19/2008 03:33 AM]
"Windows Live FolderShare"="C:\Users\Terry Wu\AppData\Local\FolderShare\FolderShare.exe" [04/15/2008 02:15 PM]

C:\Users\Terry Wu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
SpywareGuard.lnk - D:\Software\SpywareGuard\sgmain.exe [8/29/2003 7:05:35 PM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [3/29/2007 4:11:50 PM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [6/30/2007 3:11:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"DisableCAD"=1 (0x1)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\Windows\system32\psqlpwd.dll 08/14/2007 03:54 PM 89600 C:\Windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli ACGina psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\Windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\Windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^Terry Wu^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LenovoWelcome.lnk]
path=C:\Users\Terry Wu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LenovoWelcome.lnk
backup=C:\Windows\pss\LenovoWelcome.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTray]
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACWLIcon]
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMSG]
C:\Program Files\ThinkVantage\AMSG\Amsg.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AwaySch]
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"D:\Software\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
"C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"D:\Software\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LenovoOobeOffers]
c:\SWTOOLS\LenovoWelcome\LenovoOobeOffers.exe /filePath="c:\swshare\firstrun.txt"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPFNF7]
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc CscService TabletInputService UmRdpService wlansvc WPDBusEnum EMDMgmt
LocalServiceNoNetwork PLA DPS BFE mpssvc
LocalServiceNetworkRestricted DHCP eventlog AudioSrv LmHosts wscsvc p2pimsvc PNRPSvc p2psvc PnrpAutoReg
bthsvcs BthServ
GPSvcGroup GPSvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-07-16 12:27:45 ------------
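Added example, not part of the original post and not code from HijackThis, DSS or any product named in the log: a small Python triage pass over lines in the formats shown above. The rule set is this example's own assumption (O23 services whose binary carries no vendor in its version information, the Vista policy keys that weaken UAC and the secure logon sequence, and files in system32 that DSS tagged Not Verified with a non-Microsoft vendor string); the sample lines are constructed copies of entries from the log, and the WEAK_POLICY table and Finding type are hypothetical names introduced here. The caveat a practitioner wants: "Unknown owner" only means HijackThis found no company name in the file, and the vendor string in a Not Verified entry is self-declared, so the output is a review list for the helper, not a verdict.

```python
"""Triage helper for HijackThis / Deckard's System Scanner text logs.

Rules and severities below are assumptions of this example, not a
feature of HijackThis or DSS.
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled on entries from the posted log.
SAMPLE_LOG = r"""
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - D:\Software\Matlab 7\webserver\bin\win32\matlabserver.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
"EnableLUA"=0 (0x0)
"DisableCAD"=1 (0x1)
"ConsentPromptBehaviorAdmin"=2 (0x2)
2008-06-13 01:00:08 225280 --a------ C:\Windows\system32\TubeFinder.exe <Not Verified; Koyote Soft; Tube Finder>
2008-06-04 18:42:54 101888 --a------ C:\Windows\system32\VB6STKIT.DLL <Not Verified; Microsoft Corporation; Visual Basic>
"""

# Assumed "weak" values: a hit means the Vista default was loosened.
WEAK_POLICY = {
    "EnableLUA": (0, "UAC disabled"),
    "DisableCAD": (1, "Ctrl+Alt+Del not required at logon"),
}


@dataclass(frozen=True)
class Finding:
    severity: str   # "info" | "review" | "weak"
    category: str
    detail: str


_O23 = re.compile(r"^O23 - Service: (?P<rest>.+)$")
_O16 = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")
_POLICY = re.compile(r'^"(?P<key>[A-Za-z]+)"=(?P<val>\d+) \(0x[0-9A-Fa-f]+\)$')
_FILE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<size>\d+)\s+(?P<attr>\S+)\s+"
    r"(?P<path>.+?\.(?:exe|dll|sys))(?:\s+<(?P<verinfo>[^>]*)>)?$",
    re.IGNORECASE,
)


def parse_service(line):
    """Split 'O23 - Service: <name> - <owner> - <path>' from the right,
    since display names may contain ' - ' but the trailing path does not."""
    m = _O23.match(line)
    if not m:
        return None
    parts = m.group("rest").rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, path = parts
    return {"name": name, "owner": owner, "path": path}


def triage(log_text):
    """Return a list of Finding objects for the lines the rules recognise."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        svc = parse_service(line)
        if svc:
            # HijackThis prints "Unknown owner" when the binary has no company
            # name in its version info; benign software does this too.
            if svc["owner"] == "Unknown owner":
                findings.append(Finding("review", "service",
                                        f"{svc['name']}: no vendor in version info ({svc['path']})"))
            continue
        m = _O16.match(line)
        if m:
            # Downloaded ActiveX control: confirm the user installed it on purpose.
            findings.append(Finding("info", "activex", f"{m['name']} from {m['url']}"))
            continue
        m = _POLICY.match(line)
        if m:
            key, val = m["key"], int(m["val"])
            if key in WEAK_POLICY and val == WEAK_POLICY[key][0]:
                findings.append(Finding("weak", "policy", f"{key}={val}: {WEAK_POLICY[key][1]}"))
            continue
        m = _FILE.match(line)
        if m and m["verinfo"] and m["verinfo"].startswith("Not Verified"):
            # DSS format: <Not Verified; <company>; <product>>; company is self-declared.
            fields = [f.strip() for f in m["verinfo"].split(";")]
            company = fields[1] if len(fields) > 1 else ""
            in_system32 = "\\system32\\" in m["path"].lower()
            if in_system32 and not company.lower().startswith("microsoft"):
                findings.append(Finding("review", "file",
                                        f"{m['path']}: unverified, claims vendor '{company}'"))
    return findings


def summary(findings):
    """Count findings per severity."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.category}: {f.detail}")
    print(summary(triage(SAMPLE_LOG)))
```

Run against the constructed sample it reports the two Unknown owner services, the TubeFinder.exe drop in system32, the two loosened policy keys and the one ActiveX control; McShield, the Microsoft-attributed VB6 runtime and ConsentPromptBehaviorAdmin produce nothing. Two of those hits (Lenovo's IUService.exe and the MATLAB web server) are legitimate on this ThinkPad, which is why the script ranks rather than condemns.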



