
Possible Vundo Trojan In Vista


  • This topic is locked
19 replies to this topic

#1 Ainvar

Ainvar

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:07 AM

Posted 09 July 2008 - 04:56 PM

I was experiencing sluggish internet and pop-ups, so I ran HijackThis and deleted files similar to the ones immediately below. They re-appeared at the next boot with the current names and locations, so I used the Software Control feature of Windows Defender to block these items (programs?) from starting up.

cmds at rundll32.exe
c:/Users/THINKPAD/AppData/Local/Temp/pmnoNDWn.dll, c
HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/Run

MSServer at rundll32.exe
c:/Users/THINKPAD/AppData/Local/Temp/wvUnNgEw.dll, #1
HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/Run

Now I get these two messages on boot:
"
RunDLL

Error loading
c:/Users/THINKPAD/AppData/Local/Temp/pmnoNDWn.dll

The specified module could not be found.
"
and
"
RunDLL

Error loading
c:/Users/THINKPAD/AppData/Local/Temp/wvUnNgEw.dll

The specified module could not be found.
"

I want these messages to go away. Also, my system will often slow to a standstill now for minutes at a time. I also want the "Windows has blocked some startup programs" message to go away. Now I know I should have gone straight to you guys! Thanks in advance.

Kaspersky Online Scanner found no malware.

Deckard's System Scanner v20071014.68
Run by THINKPAD on 2008-07-10 05:40:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 3 Restore Point(s) --
3: 2008-07-09 19:00:32 UTC - RP196 - Windows Update
2: 2008-07-07 22:16:30 UTC - RP195 - Windows Update
1: 2008-07-05 15:03:58 UTC - RP194 - Windows Update


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as THINKPAD.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:42:21 AM, on 7/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\THINKPAD\Desktop\dss.exe
C:\Windows\system32\conime.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\THINKPAD.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\THINKPAD\AppData\Local\Temp\wvUnNgEw.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\THINKPAD\AppData\Local\Temp\pmnoNDWn.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\Windows\system32\IPSSVC.EXE
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: System Update (SUService) - - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Unknown owner - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 15080 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080612-234722-185 O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\THINKPAD\AppData\Local\Temp\pmnoNDWn.dll,c
backup-20080612-234722-468 O4 - HKCU\..\Run: [BM7b2c1914] Rundll32.exe "C:\Users\THINKPAD\AppData\Local\Temp\dhxqvcsr.dll",s
backup-20080612-234722-789 O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\THINKPAD\AppData\Local\Temp\efcAPFxV.dll,#1
backup-20080613-000129-148 O4 - HKCU\..\Run: [781f2a88] rundll32.exe "C:\Users\THINKPAD\AppData\Local\Temp\ahohrnej.dll",b
backup-20080613-000129-467 O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\THINKPAD\AppData\Local\Temp\pmnoNDWn.dll,c
backup-20080613-000129-687 O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\THINKPAD\AppData\Local\Temp\efcAPFxV.dll,#1
backup-20080613-000129-862 O4 - HKCU\..\Run: [BM7b2c1914] Rundll32.exe "C:\Users\THINKPAD\AppData\Local\Temp\dhxqvcsr.dll",s

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 tvtfilter - c:\windows\system32\drivers\tvtfilter.sys <Not Verified; Lenovo; Rescue and Recovery>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Diskeeper - "c:\program files\diskeeper corporation\diskeeper\dkservice.exe" <Not Verified; Diskeeper Corporation; Diskeeper ™ Disk Defragmenter>
R2 SUService (System Update) - "c:\program files\lenovo\system update\suservice.exe"
R2 TVT Backup Protection Service - "c:\program files\lenovo\rescue and recovery\rrpservice.exe" <Not Verified; ; rrpservice Module>
R2 TVT Scheduler - "c:\program files\common files\lenovo\scheduler\tvtsched.exe" <Not Verified; Lenovo Group Limited; tvtsched Module>
R2 tvtnetwk - c:\program files\lenovo\rescue and recovery\adm\iuservice.exe
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>
R3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-10 05:18:01 256 --a------ C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job
2008-07-09 07:06:22 424 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{7FB51E8E-F57E-4D8A-916A-1207E2509139}.job
2008-05-09 21:04:55 494 -----n--- C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - THINKPAD.job


-- Files created between 2008-06-10 and 2008-07-10 -----------------------------

2008-07-09 23:32:50 0 --a------ C:\ltojmpsv
2008-07-09 21:18:40 0 d-------- C:\!KillBox
2008-06-14 17:05:49 0 d-------- C:\PerfLogs
2008-06-13 10:31:51 0 d-------- C:\Program Files\Sun
2008-06-13 00:20:11 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-06-13 00:19:26 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-13 00:09:49 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-12 23:48:23 0 d-------- C:\Users\All Users\Malwarebytes
2008-06-12 23:48:22 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-12 23:46:27 0 d-------- C:\Program Files\Trend Micro
2008-06-12 10:15:50 0 d-------- C:\Users\All Users\Lavasoft
2008-06-12 09:45:33 0 d-------- C:\Users\THINKPAD\.housecall6.6
2008-06-12 09:13:37 0 d-------- C:\VundoFix Backups
2008-06-11 23:59:31 0 d-------- C:\Program Files\Common Files\Macrovision Shared


-- Find3M Report ---------------------------------------------------------------

2008-07-10 03:07:34 12 --a------ C:\Windows\bthservsdp.dat
2008-06-14 17:34:07 174 --ahs---- C:\Program Files\desktop.ini
2008-06-14 17:10:02 0 d-------- C:\Program Files\Windows Sidebar
2008-06-14 17:10:02 0 d-------- C:\Program Files\Windows Calendar
2008-06-14 17:10:02 0 d-------- C:\Program Files\Movie Maker
2008-06-14 17:10:01 0 d-------- C:\Program Files\Windows Mail
2008-06-14 17:09:58 0 d-------- C:\Program Files\Windows Photo Gallery
2008-06-14 17:09:58 0 d-------- C:\Program Files\Windows Collaboration
2008-06-14 17:09:57 0 d-------- C:\Program Files\Windows Journal
2008-06-14 17:09:49 0 d-------- C:\Program Files\Windows Defender
2008-06-13 11:10:25 0 d-------- C:\Users\THINKPAD\AppData\Roaming\Skype
2008-06-13 10:31:05 0 d-------- C:\Program Files\Java
2008-06-13 00:19:26 0 d-------- C:\Users\THINKPAD\AppData\Roaming\SUPERAntiSpyware.com
2008-06-13 00:09:49 0 d-------- C:\Program Files\Common Files
2008-06-12 23:48:34 0 d-------- C:\Users\THINKPAD\AppData\Roaming\Malwarebytes
2008-06-09 03:06:23 0 d-------- C:\Users\THINKPAD\AppData\Roaming\uTorrent
2008-06-08 11:03:09 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-04 12:43:32 0 d-------- C:\Users\THINKPAD\AppData\Roaming\Adobe
2008-06-04 12:01:09 0 d-------- C:\Program Files\7-Zip
2008-05-31 10:27:22 0 d-------- C:\Program Files\Norton Internet Security
2008-05-31 10:27:22 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-31 10:27:20 0 d-------- C:\Program Files\Symantec
2008-05-19 15:03:19 0 d-------- C:\Program Files\AIM6
2008-05-19 11:38:38 0 d-------- C:\Program Files\Viewpoint
2008-05-19 11:38:12 0 d-------- C:\Program Files\Common Files\AOL


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/19/2008 03:38 PM]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [01/18/2007 02:01 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [08/14/2007 12:53 PM]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [11/10/2006 12:26 PM]
"TpShocks"="TpShocks.exe" [12/26/2006 12:15 PM C:\Windows\System32\TpShocks.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [11/29/2006 01:30 AM]
"PWMTRV"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [12/20/2006 01:01 AM]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [12/20/2006 01:01 AM]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [12/14/2006 02:23 PM]
"LPManager"="C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe" [02/01/2007 01:01 AM]
"AMSG"="C:\Program Files\ThinkVantage\AMSG\Amsg.exe" [12/21/2006 05:50 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [11/07/2006 06:51 PM]
"cssauth"="C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" [08/09/2007 09:53 AM]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [11/16/2006 07:21 AM]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [03/10/2007 05:23 AM]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [03/10/2007 05:23 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [10/25/2006 01:08 PM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [10/27/2006 03:18 PM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [04/02/2008 02:49 AM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [11/29/2007 11:51 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/12/2008 02:16 PM]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [01/11/2008 07:54 PM]
"@"="" []
"MSConfig"="C:\Windows\system32\msconfig.exe" [01/19/2008 03:33 PM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/17/2006 01:55 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/19/2008 03:33 PM]
"@"="" []
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/11/2006 03:35 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [09/01/2007 08:46 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33 AM]
"MSServer"="C:\Users\THINKPAD\AppData\Local\Temp\wvUnNgEw.dll,#1" []
"cmds"="C:\Users\THINKPAD\AppData\Local\Temp\pmnoNDWn.dll,c" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [12/1/2006 2:10:24 AM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [8/24/2007 5:58:18 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 5:01:04 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"DisableCAD"=1 (0x1)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\Windows\system32\psqlpwd.dll 12/09/2006 10:44 AM 89600 C:\Windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli psqlpwd ACGina

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmds]
rundll32.exe C:\Users\THINKPAD\AppData\Local\Temp\pmnoNDWn.dll,c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LenovoOobeOffers]
c:\swtools\LenovoWelcome\LenovoOobeOffers.exe /filePath="c:\swshare\firstrun.txt"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LenovoRegistration]
C:\SWTOOLS\LenovoWelcome\LenovoRegistration.exe /inif="C:\SWSHARE\leadertech.ini"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
rundll32.exe C:\Users\THINKPAD\AppData\Local\Temp\wvUnNgEw.dll,#1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSServer"=rundll32.exe C:\Users\THINKPAD\AppData\Local\Temp\opnnoLFv.dll,#1

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc CscService TabletInputService UmRdpService wlansvc WPDBusEnum EMDMgmt
LocalServiceNoNetwork PLA DPS BFE mpssvc
LocalServiceNetworkRestricted DHCP eventlog AudioSrv LmHosts wscsvc p2pimsvc PNRPSvc p2psvc PnrpAutoReg
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d430820-9622-11dc-a8db-0016d32bb831}]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{689f66b5-c780-11dc-b560-0016d3295a3d}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9aff7651-9092-11dc-ac24-0016d32bb831}]
Auto\command- F:\Recycler\USBplice.exe
AutoRun\command- C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\Recycler\USBplice.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9aff7656-9092-11dc-ac24-0016d32bb831}]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e08510ec-c2e8-11dc-8b9f-0016d3295a3d}]
Auto\command- auto.exe
AutoRun\command- C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {AB42B423-B596-3C2F-21B2-64AAB0FA6D1B} /qb

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- Hosts -----------------------------------------------------------------------


8753 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-10 05:45:39 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Business (build 6001) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU T7200 @ 2.00GHz
Percentage of Memory in Use: 43%
Physical Memory (total/avail): 2045.66 MiB / 1151.25 MiB
Pagefile Memory (total/avail): 4330.36 MiB / 3294.92 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1904.81 MiB

C: is Fixed (NTFS) - 106.82 GiB total, 16.48 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD1200BEVS-08RST2 - 111.79 GiB - 2 partitions
\PARTITION0 - Unknown - 4.97 GiB
\PARTITION1 (bootable) - Installable File System - 106.82 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: Norton Internet Security v2007 (Symantec Corporation)
AV: Norton Internet Security v2007 (Symantec Corporation) Disabled
AS: Spybot - Search and Destroy v1.0.0.4 (Safer Networking Ltd.) Disabled Outdated
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)
AS: SUPERAntiSpyware v4, 15, 0, 1000 (SUPERAntiSpyware.com) Disabled
AS: Norton Internet Security v2007 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\THINKPAD\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=THINKPAD-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\THINKPAD
LOCALAPPDATA=C:\Users\THINKPAD\AppData\Local
LOGONSERVER=\\THINKPAD-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\Common Files\Lenovo;C:\Program Files\Lenovo\Client Security Solution;C:\Program Files\Diskeeper Corporation\Diskeeper;C:\Program Files\ThinkPad\ConnectUtilities
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
RR=C:\Program Files\Lenovo\Rescue and Recovery
SMA=C:\Program Files\ThinkVantage\SMA\
SWSHARE=C:\SWSHARE
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\THINKPAD\AppData\Local\Temp
TMP=C:\Users\THINKPAD\AppData\Local\Temp
TPCCommon=C:\PROGRA~1\THINKV~2\PrdCtr
TVT=C:\Program Files\Lenovo
TVTCOMMON=C:\Program Files\Common Files\Lenovo
TVTPYDIR=C:\Program Files\Common Files\Lenovo\Python24
USERDOMAIN=THINKPAD-PC
USERNAME=THINKPAD
USERPROFILE=C:\Users\THINKPAD
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

THINKPAD


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\SETUP.exe -runfromtemp -l0x0009 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\SETUP.EXE" -l0x9 ControlPanel
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
7-Zip 4.57 --> "C:\Program Files\7-Zip\Uninstall.exe"
Access Help --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C6FA39A7-26B1-480A-BC74-6D17531AC222}\Setup.exe" -l0x9 UNINSTALL
Adobe Acrobat 8.1.2 Professional --> msiexec /I {AC76BA86-1033-F400-7760-000000000003}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
ATI Uninstaller --> C:\Program Files\ATI\CIM\Bin\Atisetup.exe -uninstall all
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
Chinese Simplified Fonts Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-2447-0000-800000000003}
Client Security Solution --> MsiExec.exe /X{0F4EFCE8-E358-4430-A504-F55F32BA1816}
Combined Community Codec Pack 2007-07-22 --> "C:\Program Files\Combined Community Codec Pack\unins000.exe"
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Diskeeper Home --> MsiExec.exe /X{796E076A-82F7-4D49-98C8-DEC0C3BC733A}
Help Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{986F64DC-FF15-449D-998F-EE3BCEC6666A}\Setup.exe" -l0x9 -AddRemove
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Japanese Fonts Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5760-0000-800000000003}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Java™ SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
Lenovo System Interface Driver --> RunDll32.exe setupapi.dll,InstallHinfSection DefaultUninstall.NTx86 130 C:\Program Files\Lenovo\SMIIF\lnvsmi.inf
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Magic ISO Maker v5.4 (build 0251) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Maintenance Manager --> Rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\Windows\INF\AWAYTASK.INF
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Message Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E7E836B8-4BDD-454F-82E6-5FEA17C83AD4}\Setup.exe" -l0x9 -AddRemove
Microsoft Office 2003 Web Components --> MsiExec.exe /I{90A40409-6000-11D3-8CFE-0150048383C9}
Microsoft Office 2007 Primary Interop Assemblies --> MsiExec.exe /X{50120000-1105-0000-0000-0000000FF1CE}
Microsoft Office Small Business Connectivity Components --> MsiExec.exe /X{A939D341-5A04-4E0A-BB55-3E65B386432D}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft SQL Server Native Client --> MsiExec.exe /I{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer --> MsiExec.exe /I{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSRedist --> MsiExec.exe /I{B7C61755-DB48-4003-948F-3D34DB8EAF69}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
NJStar Chinese WP --> C:\Program Files\NJStar Chinese WP\uninst.exe
Norton AntiVirus --> MsiExec.exe /X{830D8CBD-C668-49e2-A969-C2C2106332E0}
Norton Confidential Browser Component --> MsiExec.exe /I{4843B611-8FCB-4428-8C23-31D0A5EAE164}
Norton Confidential Web Protection Component --> MsiExec.exe /I{D353CC51-430D-4C6F-9B7E-52003DA1E05A}
Norton Internet Security --> MsiExec.exe /I{48185814-A224-447A-81DA-71BD20580E1B}
Norton Internet Security --> MsiExec.exe /I{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}
Norton Internet Security --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Internet Security --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton Internet Security (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}_10_1_0_26\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}.exe" /X
Norton Protection Center --> MsiExec.exe /I{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}
On Screen Display --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall.LH 132 C:\Program Files\Lenovo\HOTKEY\tphk_tp.inf
OpenOffice.org Installer 1.0 --> MsiExec.exe /X{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}
PC-Doctor 5 for Windows --> C:\Program Files\PCDR5\uninst.exe
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
Presentation Director --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{65706020-7B6F-41F2-8047-FC69579E386A}\Setup.exe" -l0x9 -AddRemove
Productivity Center Supplement for ThinkPad --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D728E945-256D-4477-B377-6BBA693714AC}\SETUP.EXE" -l0x9 -AddRemove
Registry patch for Windows Vista USB S3 PM Enablement --> Rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 130 C:\Program Files\Lenovo\USBPMon\USBPMon.inf
Registry patch of Changing Timing of IDLE IRP by Finger Print Driver for Windows Vista --> Rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 130 C:\Program Files\Lenovo\FPIRPOn\FPIRPOn.inf
Registry Patch of Enabling Device Initiated Power Management(DIPM) on SATA for Windows Vista --> Rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 130 C:\Program Files\Lenovo\Dipmon\Dipmon.inf
Rescue and Recovery --> MsiExec.exe /X{7E4C16B8-8F76-4940-8505-98E93C00BF19}
Skype™ 3.5 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SoundMAX --> C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\SETUP.exe -runfromtemp -l0x0009 -removeonly
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
System Migration Assistant --> MsiExec.exe /X{F705E3E1-A471-426B-9A09-73429F3418EE}
System Update --> MsiExec.exe /X{8675339C-128C-44DD-83BF-0A5D6ABD8297}
ThinkPad Bluetooth with Enhanced Data Rate Software 6.0.1.3500 --> MsiExec.exe /X{A13E07E1-A423-44FB-9DEE-B24C75C1BAF2}
ThinkPad EasyEject Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1297C681-92D7-40EF-93BF-03F66EC5105C}\SETUP.EXE" -l0x9 -AddRemove
ThinkPad FullScreen Magnifier --> RunDll32 setupapi.dll,InstallHinfSection DefaultUninstall.NT 132 C:\Program Files\Lenovo\Zoom\TpScrex.inf
ThinkPad Mobility Center Customization --> MsiExec.exe /X{E0EF321A-1949-451B-9484-7886F4F4719E}
ThinkPad Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10140588\UIU32m.exe -U -ITkp0588z.inf
ThinkPad Power Management Driver --> RunDll32.exe tpinspm.dll,Uninstall
ThinkPad Power Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAC01CEE-5BAE-42D5-81FC-B687E84E8405}\SETUP.EXE" -l0x9 -AddRemove
ThinkPad UltraNav Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
ThinkPad UltraNav Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17CBC505-D1AE-459D-B445-3D2000A85842}\SETUP.EXE" -l0x9 UNINSTALL
Thinkpad Wireless LAN Adapters Software (11a/b/g/n) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8485F313-4B62-42F3-ADD8-0DE34A4DDAEF}\setup.exe" -l0x9 -removeonly
ThinkVantage Access Connections --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7EB114D8-207F-45AE-BABD-1669715F2630}\Setup.exe" -l0x9 anything
ThinkVantage Active Protection System --> MsiExec.exe /X{46A84694-59EC-48F0-964C-7E76E9F8A2ED}
ThinkVantage Productivity Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CF5737AF-8550-4546-A69B-0EA9EF5A9B55}\SETUP.EXE" -l0x9 -AddRemove
ThinkVantage Technologies Welcome Message --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1007F41F-7D69-468E-8017-3849A5A973C2}\SETUP.EXE" -l0x9 anything
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Wallpapers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DB71210F-8314-4AE3-B7A7-EBAF85BD30E9}\Setup.exe" -l0x9 UNINSTALL
Wenlin 3.4.1 --> "C:\Program Files\Wenlin3\unins000.exe"
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Driver Package - Broadcom (b57nd60x) Net (11/09/2006 9.36.0.0) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\b57nd60x.inf_88aa7d08\b57nd60x.inf
Windows Driver Package - Intel (iaStor) hdc (02/12/2007 7.0.0.1020) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_1cb29a96\iaahci.inf
Windows Driver Package - Intel hdc (09/15/2006 8.2.0.1008) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\ich7id2.inf_103d01c3\ich7id2.inf
Windows Driver Package - Intel hdc (09/15/2006 8.2.0.1008) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\ich7ide.inf_4cc59aa4\ich7ide.inf
Windows Driver Package - Intel System (09/15/2006 7.0.0.1011) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\dmi_pci.inf_0e65d7c6\dmi_pci.inf
Windows Driver Package - Intel System (09/15/2006 7.0.0.1020) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\ich7core.inf_9c74ea21\ich7core.inf
Windows Driver Package - Intel System (09/15/2006 8.2.0.1008) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\945gm.inf_20363d8e\945gm.inf
Windows Driver Package - Intel USB (09/13/2006 8.2.0.1008) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\ich7usb.inf_f4517067\ich7usb.inf
Windows Driver Package - Lenovo (IBMPMDRV) System (11/01/2006 1.41) --> C:\PROGRA~1\DIFX\7F01D4C0B2897E27\DPInst.exe /u C:\Windows\System32\DriverStore\FileRepository\ibmpmdrv.inf_3462dfa4\ibmpmdrv.inf
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar --> MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Media Player Firefox Plugin --> MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}


-- Application Event Log -------------------------------------------------------

Event Record #/Type138547 / Success
Event Submitted/Written: 07/10/2008 03:10:03 AM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type138543 / Success
Event Submitted/Written: 07/10/2008 03:10:02 AM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type138535 / Success
Event Submitted/Written: 07/10/2008 03:09:49 AM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type138261 / Success
Event Submitted/Written: 07/09/2008 11:35:03 PM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type138255 / Success
Event Submitted/Written: 07/09/2008 11:34:59 PM
Event ID/Source: 5615 / WinMgmt
Event Description:




-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type81427 / Warning
Event Submitted/Written: 07/10/2008 05:43:59 AM
Event ID/Source: 4 / b57nd60x
Event Description:
Broadcom NetXtreme Gigabit Ethernet #2: The network link is down. Check to make sure the network cable is properly connected.

Event Record #/Type81424 / Warning
Event Submitted/Written: 07/10/2008 05:42:42 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%THINKPAD-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %THINKPAD-PC27 can't undo changes that you allow.

For more information please see the following:
%THINKPAD-PC275

Scan ID: {6A67461D-115A-42C5-BED4-5D121F59E912}

User: THINKPAD-PC\THINKPAD

Name: %THINKPAD-PC271

ID: %THINKPAD-PC272

Severity ID: %THINKPAD-PC273

Category ID: %THINKPAD-PC274

Path Found: %THINKPAD-PC276

Alert Type: %THINKPAD-PC278

Detection Type: 1.1.1600.02

Event Record #/Type81423 / Warning
Event Submitted/Written: 07/10/2008 05:42:41 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%THINKPAD-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %THINKPAD-PC27 can't undo changes that you allow.

For more information please see the following:
%THINKPAD-PC275

Scan ID: {A8D10ECA-A690-43E1-9F0B-BEA16C4E58EF}

User: THINKPAD-PC\THINKPAD

Name: %THINKPAD-PC271

ID: %THINKPAD-PC272

Severity ID: %THINKPAD-PC273

Category ID: %THINKPAD-PC274

Path Found: %THINKPAD-PC276

Alert Type: %THINKPAD-PC278

Detection Type: 1.1.1600.02

Event Record #/Type81422 / Warning
Event Submitted/Written: 07/10/2008 05:42:41 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%THINKPAD-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %THINKPAD-PC27 can't undo changes that you allow.

For more information please see the following:
%THINKPAD-PC275

Scan ID: {DDD90ABE-46F3-437A-A34C-9B60ADD807CC}

User: THINKPAD-PC\THINKPAD

Name: %THINKPAD-PC271

ID: %THINKPAD-PC272

Severity ID: %THINKPAD-PC273

Category ID: %THINKPAD-PC274

Path Found: %THINKPAD-PC276

Alert Type: %THINKPAD-PC278

Detection Type: 1.1.1600.02

Event Record #/Type81421 / Warning
Event Submitted/Written: 07/10/2008 05:42:41 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%THINKPAD-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %THINKPAD-PC27 can't undo changes that you allow.

For more information please see the following:
%THINKPAD-PC275

Scan ID: {50B42B01-C5A1-4DC9-A7F2-1CC313A88109}

User: THINKPAD-PC\THINKPAD

Name: %THINKPAD-PC271

ID: %THINKPAD-PC272

Severity ID: %THINKPAD-PC273

Category ID: %THINKPAD-PC274

Path Found: %THINKPAD-PC276

Alert Type: %THINKPAD-PC278

Detection Type: 1.1.1600.02



-- End of Deckard's System Scanner: finished at 2008-07-10 05:45:39 ------------


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:07 AM

Posted 10 July 2008 - 08:36 AM

Hello Ainvar,

Please disable Spybot TeaTimer and the Software Control feature of Windows; they will prevent Malwarebytes from working.

Please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire Malwarebytes' Anti-Malware report in your next reply along with a fresh DSS Main.txt log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

If you encounter this message: "c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5", click on Ignore for mbamext.dll.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Ainvar

Ainvar
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:07 AM

Posted 10 July 2008 - 09:52 AM

SifuMike,

Thanks for your help. Here are the mbam and dss logs:

Malwarebytes' Anti-Malware 1.20
Database version: 937
Windows 6.0.6001 Service Pack 1

10:43:44 PM 7/10/2008
mbam-log-7-10-2008 (22-43-44).txt

Scan type: Quick Scan
Objects scanned: 36869
Time elapsed: 4 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmds (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Deckard's System Scanner v20071014.68
Run by THINKPAD on 2008-07-10 22:48:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 15.41 GiB (less than 15%) free.


-- HijackThis (run as THINKPAD.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:25 PM, on 7/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Users\THINKPAD\Desktop\dss.exe
C:\Windows\system32\conime.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\THINKPAD.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\Windows\system32\IPSSVC.EXE
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: System Update (SUService) - - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Unknown owner - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 14925 bytes

-- Files created between 2008-06-10 and 2008-07-10 -----------------------------

2008-07-09 23:32:50 0 --a------ C:\ltojmpsv
2008-07-09 21:18:40 0 d-------- C:\!KillBox
2008-06-14 17:05:49 0 d-------- C:\PerfLogs
2008-06-13 10:31:51 0 d-------- C:\Program Files\Sun
2008-06-13 00:20:11 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-06-13 00:19:26 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-13 00:09:49 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-12 23:48:23 0 d-------- C:\Users\All Users\Malwarebytes
2008-06-12 23:48:22 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-12 23:46:27 0 d-------- C:\Program Files\Trend Micro
2008-06-12 10:15:50 0 d-------- C:\Users\All Users\Lavasoft
2008-06-12 09:45:33 0 d-------- C:\Users\THINKPAD\.housecall6.6
2008-06-12 09:13:37 0 d-------- C:\VundoFix Backups
2008-06-11 23:59:31 0 d-------- C:\Program Files\Common Files\Macrovision Shared


-- Find3M Report ---------------------------------------------------------------

2008-07-10 22:03:05 12 --a------ C:\Windows\bthservsdp.dat
2008-06-14 17:34:07 174 --ahs---- C:\Program Files\desktop.ini
2008-06-14 17:10:02 0 d-------- C:\Program Files\Windows Sidebar
2008-06-14 17:10:02 0 d-------- C:\Program Files\Windows Calendar
2008-06-14 17:10:02 0 d-------- C:\Program Files\Movie Maker
2008-06-14 17:10:01 0 d-------- C:\Program Files\Windows Mail
2008-06-14 17:09:58 0 d-------- C:\Program Files\Windows Photo Gallery
2008-06-14 17:09:58 0 d-------- C:\Program Files\Windows Collaboration
2008-06-14 17:09:57 0 d-------- C:\Program Files\Windows Journal
2008-06-14 17:09:49 0 d-------- C:\Program Files\Windows Defender
2008-06-13 11:10:25 0 d-------- C:\Users\THINKPAD\AppData\Roaming\Skype
2008-06-13 10:31:05 0 d-------- C:\Program Files\Java
2008-06-13 00:19:26 0 d-------- C:\Users\THINKPAD\AppData\Roaming\SUPERAntiSpyware.com
2008-06-13 00:09:49 0 d-------- C:\Program Files\Common Files
2008-06-12 23:48:34 0 d-------- C:\Users\THINKPAD\AppData\Roaming\Malwarebytes
2008-06-09 03:06:23 0 d-------- C:\Users\THINKPAD\AppData\Roaming\uTorrent
2008-06-08 11:03:09 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-04 12:43:32 0 d-------- C:\Users\THINKPAD\AppData\Roaming\Adobe
2008-06-04 12:01:09 0 d-------- C:\Program Files\7-Zip
2008-05-31 10:27:22 0 d-------- C:\Program Files\Norton Internet Security
2008-05-31 10:27:22 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-31 10:27:20 0 d-------- C:\Program Files\Symantec
2008-05-19 15:03:19 0 d-------- C:\Program Files\AIM6
2008-05-19 11:38:38 0 d-------- C:\Program Files\Viewpoint
2008-05-19 11:38:12 0 d-------- C:\Program Files\Common Files\AOL


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/19/2008 03:38 PM]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [01/18/2007 02:01 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [08/14/2007 12:53 PM]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [11/10/2006 12:26 PM]
"TpShocks"="TpShocks.exe" [12/26/2006 12:15 PM C:\Windows\System32\TpShocks.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [11/29/2006 01:30 AM]
"PWMTRV"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [12/20/2006 01:01 AM]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [12/20/2006 01:01 AM]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [12/14/2006 02:23 PM]
"LPManager"="C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe" [02/01/2007 01:01 AM]
"AMSG"="C:\Program Files\ThinkVantage\AMSG\Amsg.exe" [12/21/2006 05:50 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [11/07/2006 06:51 PM]
"cssauth"="C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" [08/09/2007 09:53 AM]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [11/16/2006 07:21 AM]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [03/10/2007 05:23 AM]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [03/10/2007 05:23 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [10/25/2006 01:08 PM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [10/27/2006 03:18 PM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [04/02/2008 02:49 AM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [11/29/2007 11:51 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/12/2008 02:16 PM]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [01/11/2008 07:54 PM]
"@"="" []
"MSConfig"="C:\Windows\system32\msconfig.exe" [01/19/2008 03:33 PM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/17/2006 01:55 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/19/2008 03:33 PM]
"@"="" []
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/11/2006 03:35 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [12/1/2006 2:10:24 AM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [8/24/2007 5:58:18 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 5:01:04 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"DisableCAD"=1 (0x1)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\Windows\system32\psqlpwd.dll 12/09/2006 10:44 AM 89600 C:\Windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli psqlpwd ACGina

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmds]
rundll32.exe C:\Users\THINKPAD\AppData\Local\Temp\pmnoNDWn.dll,c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LenovoOobeOffers]
c:\swtools\LenovoWelcome\LenovoOobeOffers.exe /filePath="c:\swshare\firstrun.txt"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LenovoRegistration]
C:\SWTOOLS\LenovoWelcome\LenovoRegistration.exe /inif="C:\SWSHARE\leadertech.ini"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
rundll32.exe C:\Users\THINKPAD\AppData\Local\Temp\wvUnNgEw.dll,#1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSServer"=rundll32.exe C:\Users\THINKPAD\AppData\Local\Temp\opnnoLFv.dll,#1

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc CscService TabletInputService UmRdpService wlansvc WPDBusEnum EMDMgmt
LocalServiceNoNetwork PLA DPS BFE mpssvc
LocalServiceNetworkRestricted DHCP eventlog AudioSrv LmHosts wscsvc p2pimsvc PNRPSvc p2psvc PnrpAutoReg
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d430820-9622-11dc-a8db-0016d32bb831}]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{689f66b5-c780-11dc-b560-0016d3295a3d}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9aff7651-9092-11dc-ac24-0016d32bb831}]
Auto\command- F:\Recycler\USBplice.exe
AutoRun\command- C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\Recycler\USBplice.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9aff7656-9092-11dc-ac24-0016d32bb831}]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e08510ec-c2e8-11dc-8b9f-0016d3295a3d}]
Auto\command- auto.exe
AutoRun\command- C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {AB42B423-B596-3C2F-21B2-64AAB0FA6D1B} /qb

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-07-10 22:49:35 ------------

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:07 AM

Posted 10 July 2008 - 09:57 AM

Looks good except for Viewpoint. :thumbsup:


Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

This will have changed from what we knew in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now, if you did not install it.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint
Viewpoint Manager
Viewpoint Media Player


If you uninstalled it, please navigate to and delete the following folder:
C:\Program Files\Viewpoint

I see that you are running msconfig in /auto mode, which means that you may have selectively removed some items from the startup procedure in the past. This can be bad if they are malware, so we would like you to re-enable those startup entries by doing the following:

Please click on Start, then Run, type msconfig and press Enter. When the window opens, click on the Startup tab and make sure there is a checkmark next to every entry. Then press OK until you are out of the program.
If it asks to reboot, do not reboot. It is not necessary to reboot to get the items to show up in HijackThis.



Post a fresh DSS Main.txt log. How is the computer running?

Edited by SifuMike, 10 July 2008 - 10:02 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
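A defender-side check in the spirit of SifuMike's review, added here as an example; it is not part of the thread and not code from HijackThis, DSS or any other tool named in it. It parses HijackThis O4 lines together with the msconfig\startupreg and Run- sections of a DSS registry dump, so that entries a user has disabled are reviewed alongside the active ones (the point made above about msconfig /auto), and flags rundll32 entries that load a DLL from a Temp directory, entries whose export is an ordinal or a single letter (a weak signal on its own), and an entry name that points at different DLLs in different stores. The sample lines are constructed from entries shown in this thread; the function and class names are ours.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input, modelled on the HijackThis O4 lines and the DSS
# registry dump posted in this thread (names and paths are the thread's).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\THINKPAD\AppData\Local\Temp\wvUnNgEw.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\THINKPAD\AppData\Local\Temp\pmnoNDWn.dll,c
"""

SAMPLE_DSS = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmds]
rundll32.exe C:\Users\THINKPAD\AppData\Local\Temp\pmnoNDWn.dll,c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LenovoRegistration]
C:\SWTOOLS\LenovoWelcome\LenovoRegistration.exe /inif="C:\SWSHARE\leadertech.ini"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSServer"=rundll32.exe C:\Users\THINKPAD\AppData\Local\Temp\opnnoLFv.dll,#1
"""

O4_RE = re.compile(r'^O4 - (?P<where>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
MSCONFIG_RE = re.compile(r'^\[.*\\msconfig\\startupreg\\(?P<name>[^\]]+)\]$', re.I)
RUNMINUS_RE = re.compile(r'^\[.*\\currentversion\\run-\]$', re.I)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<cmd>.+)$')
# rundll32 may appear bare, as rundll32.exe, or with a full path in front of it.
RUNDLL_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(?P<rest>.+)$', re.I)
TEMP_RE = re.compile(r'(\\Temp\\|%TE?MP%)', re.I)


@dataclass
class StartupEntry:
    name: str
    command: str
    store: str            # 'Run' = active; 'msconfig' and 'Run-' = disabled stores
    dll: str = ''
    entry_point: str = ''
    reasons: list = field(default_factory=list)


def split_rundll(cmd: str):
    """Return (dll_path, entry_point) for a rundll32 command line, else None."""
    m = RUNDLL_RE.match(cmd)
    if not m:
        return None
    rest = m.group('rest').strip()
    dll, sep, entry = rest.rpartition(',')
    if not sep:                      # rundll32 <dll> with no ",EntryPoint" part
        dll, entry = rest, ''
    tokens = entry.split()
    return dll.strip().strip('"'), (tokens[0] if tokens else '')


def parse_hjt(text: str):
    """Active startup entries from HijackThis O4 lines."""
    return [StartupEntry(m['name'], m['cmd'].strip(), 'Run')
            for line in text.splitlines()
            if (m := O4_RE.match(line.strip()))]


def parse_dss(text: str):
    """Disabled entries from the msconfig\\startupreg and Run- sections of a DSS dump."""
    out, store, pending = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := MSCONFIG_RE.match(line)):
            store, pending = 'msconfig', m['name']   # next line is the command
        elif RUNMINUS_RE.match(line):
            store, pending = 'Run-', None
        elif line.startswith('['):                   # any other key: stop collecting
            store, pending = None, None
        elif store == 'msconfig' and pending:
            out.append(StartupEntry(pending, line, 'msconfig'))
            pending = None
        elif store == 'Run-' and (m := VALUE_RE.match(line)):
            out.append(StartupEntry(m['name'], m['cmd'].strip(), 'Run-'))
    return out


def audit(entries):
    """Attach reasons to suspicious entries and return only the flagged ones."""
    by_name = {}
    for e in entries:
        parts = split_rundll(e.command)
        if parts:
            e.dll, e.entry_point = parts
            if TEMP_RE.search(e.dll):
                e.reasons.append('rundll32 loads a DLL from a Temp directory')
            if e.entry_point.startswith('#') or len(e.entry_point) == 1:
                e.reasons.append(f'non-descriptive entry point {e.entry_point!r} (weak signal)')
        by_name.setdefault(e.name, []).append(e)
    # The same entry name pointing at different DLLs across active/disabled stores.
    for name, group in by_name.items():
        if len(group) > 1 and len({e.dll.lower() for e in group if e.dll}) > 1:
            for e in group:
                e.reasons.append(f'name {name!r} points at different DLLs across stores')
    return [e for e in entries if e.reasons]


if __name__ == '__main__':
    for e in audit(parse_hjt(SAMPLE_HJT) + parse_dss(SAMPLE_DSS)):
        print(f'[{e.store}] {e.name}: {e.command}')
        for r in e.reasons:
            print(f'    - {r}')
```

On the constructed sample this flags cmds and MSServer in every store they appear in, and notes that MSServer points at two different Temp DLLs (the active Run value and the Run- value), while the vendor rundll32 entry PWMTRV is left alone because it loads from Program Files with a named export.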

#5 Ainvar

Ainvar
  • Topic Starter

  • Members
  • 11 posts
  • Local time:09:07 AM

Posted 10 July 2008 - 10:44 AM

SifuMike,

I got rid of Viewpoint. Thanks.

I enabled the four disabled items under msconfig's startup tab. Lenovo Registration and Lenovo First Run never worked at all. They simply give me big black error boxes on startup. I'd like to disable those after we are finished cleaning up my machine.

I also re-enabled MSServer and cmds. On startup I still get these two dialog error boxes (regardless of whether MSServer and cmds are startup-enabled or not):

RunDLL
Error loading
c:/Users/THINKPAD/AppData/Local/Temp/pmnoNDWn.dll

The specified module could not be found.

and

RunDLL
Error loading
c:/Users/THINKPAD/AppData/Local/Temp/wvUnNgEw.dll

The specified module could not be found.

The computer hangs on startup after I click OK on the dialog boxes, so I'd like to be rid of them. It also might be running a bit slow because of anti-malware overkill:

Windows Defender
Norton
Malware Bytes
Superantispyware
Lavasoft Anti-Spyware
Spybot SD

If you could point me in the direction of a forum that recommends a security setup, I'd appreciate it (or you could just say "do X").

Deckard's System Scanner v20071014.68
Run by THINKPAD on 2008-07-10 23:26:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 15.31 GiB (less than 15%) free.


-- HijackThis (run as THINKPAD.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:06 PM, on 7/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\THINKPAD\Desktop\dss.exe
C:\Windows\system32\conime.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\THINKPAD.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [LenovoRegistration] C:\SWTOOLS\LenovoWelcome\LenovoRegistration.exe /inif="C:\SWSHARE\leadertech.ini"
O4 - HKLM\..\Run: [LenovoOobeOffers] c:\swtools\LenovoWelcome\LenovoOobeOffers.exe /filePath="c:\swshare\firstrun.txt"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\THINKPAD\AppData\Local\Temp\wvUnNgEw.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\THINKPAD\AppData\Local\Temp\pmnoNDWn.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\Windows\system32\IPSSVC.EXE
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: System Update (SUService) - - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Unknown owner - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 15146 bytes

-- Files created between 2008-06-10 and 2008-07-10 -----------------------------

2008-07-09 23:32:50 0 --a------ C:\ltojmpsv
2008-07-09 21:18:40 0 d-------- C:\!KillBox
2008-06-14 17:05:49 0 d-------- C:\PerfLogs
2008-06-13 10:31:51 0 d-------- C:\Program Files\Sun
2008-06-13 00:20:11 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-06-13 00:19:26 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-13 00:09:49 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-12 23:48:23 0 d-------- C:\Users\All Users\Malwarebytes
2008-06-12 23:48:22 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-12 23:46:27 0 d-------- C:\Program Files\Trend Micro
2008-06-12 10:15:50 0 d-------- C:\Users\All Users\Lavasoft
2008-06-12 09:45:33 0 d-------- C:\Users\THINKPAD\.housecall6.6
2008-06-12 09:13:37 0 d-------- C:\VundoFix Backups
2008-06-11 23:59:31 0 d-------- C:\Program Files\Common Files\Macrovision Shared


-- Find3M Report ---------------------------------------------------------------

2008-07-10 23:20:58 12 --a------ C:\Windows\bthservsdp.dat
2008-06-14 17:34:07 174 --ahs---- C:\Program Files\desktop.ini
2008-06-14 17:10:02 0 d-------- C:\Program Files\Windows Sidebar
2008-06-14 17:10:02 0 d-------- C:\Program Files\Windows Calendar
2008-06-14 17:10:02 0 d-------- C:\Program Files\Movie Maker
2008-06-14 17:10:01 0 d-------- C:\Program Files\Windows Mail
2008-06-14 17:09:58 0 d-------- C:\Program Files\Windows Photo Gallery
2008-06-14 17:09:58 0 d-------- C:\Program Files\Windows Collaboration
2008-06-14 17:09:57 0 d-------- C:\Program Files\Windows Journal
2008-06-14 17:09:49 0 d-------- C:\Program Files\Windows Defender
2008-06-13 11:10:25 0 d-------- C:\Users\THINKPAD\AppData\Roaming\Skype
2008-06-13 10:31:05 0 d-------- C:\Program Files\Java
2008-06-13 00:19:26 0 d-------- C:\Users\THINKPAD\AppData\Roaming\SUPERAntiSpyware.com
2008-06-13 00:09:49 0 d-------- C:\Program Files\Common Files
2008-06-12 23:48:34 0 d-------- C:\Users\THINKPAD\AppData\Roaming\Malwarebytes
2008-06-09 03:06:23 0 d-------- C:\Users\THINKPAD\AppData\Roaming\uTorrent
2008-06-08 11:03:09 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-04 12:43:32 0 d-------- C:\Users\THINKPAD\AppData\Roaming\Adobe
2008-06-04 12:01:09 0 d-------- C:\Program Files\7-Zip
2008-05-31 10:27:22 0 d-------- C:\Program Files\Norton Internet Security
2008-05-31 10:27:22 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-31 10:27:20 0 d-------- C:\Program Files\Symantec
2008-05-19 15:03:19 0 d-------- C:\Program Files\AIM6
2008-05-19 11:38:12 0 d-------- C:\Program Files\Common Files\AOL


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/19/2008 03:38 PM]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [01/18/2007 02:01 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [08/14/2007 12:53 PM]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [11/10/2006 12:26 PM]
"TpShocks"="TpShocks.exe" [12/26/2006 12:15 PM C:\Windows\System32\TpShocks.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [11/29/2006 01:30 AM]
"PWMTRV"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [12/20/2006 01:01 AM]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [12/20/2006 01:01 AM]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [12/14/2006 02:23 PM]
"LPManager"="C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe" [02/01/2007 01:01 AM]
"AMSG"="C:\Program Files\ThinkVantage\AMSG\Amsg.exe" [12/21/2006 05:50 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [11/07/2006 06:51 PM]
"cssauth"="C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" [08/09/2007 09:53 AM]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [11/16/2006 07:21 AM]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [03/10/2007 05:23 AM]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [03/10/2007 05:23 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [10/25/2006 01:08 PM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [10/27/2006 03:18 PM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [04/02/2008 02:49 AM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [11/29/2007 11:51 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/12/2008 02:16 PM]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [01/11/2008 07:54 PM]
"@"="" []
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/17/2006 01:55 PM]
"LenovoRegistration"="C:\SWTOOLS\LenovoWelcome\LenovoRegistration.exe" [02/16/2007 03:36 AM]
"LenovoOobeOffers"="c:\swtools\LenovoWelcome\LenovoOobeOffers.exe" [12/30/2006 01:01 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/19/2008 03:33 PM]
"@"="" []
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/11/2006 03:35 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33 AM]
"MSServer"="C:\Users\THINKPAD\AppData\Local\Temp\wvUnNgEw.dll,#1" []
"cmds"="C:\Users\THINKPAD\AppData\Local\Temp\pmnoNDWn.dll,c" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [12/1/2006 2:10:24 AM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [8/24/2007 5:58:18 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 5:01:04 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"DisableCAD"=1 (0x1)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\Windows\system32\psqlpwd.dll 12/09/2006 10:44 AM 89600 C:\Windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli psqlpwd ACGina

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSServer"=rundll32.exe C:\Users\THINKPAD\AppData\Local\Temp\opnnoLFv.dll,#1

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc CscService TabletInputService UmRdpService wlansvc WPDBusEnum EMDMgmt
LocalServiceNoNetwork PLA DPS BFE mpssvc
LocalServiceNetworkRestricted DHCP eventlog AudioSrv LmHosts wscsvc p2pimsvc PNRPSvc p2psvc PnrpAutoReg
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d430820-9622-11dc-a8db-0016d32bb831}]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{689f66b5-c780-11dc-b560-0016d3295a3d}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9aff7651-9092-11dc-ac24-0016d32bb831}]
Auto\command- F:\Recycler\USBplice.exe
AutoRun\command- C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\Recycler\USBplice.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9aff7656-9092-11dc-ac24-0016d32bb831}]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e08510ec-c2e8-11dc-8b9f-0016d3295a3d}]
Auto\command- auto.exe
AutoRun\command- C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {AB42B423-B596-3C2F-21B2-64AAB0FA6D1B} /qb

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-07-10 23:31:23 ------------
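
The registry dump above explains the two RunDLL pop-ups: the HKCU Run values MSServer and cmds still point at DLLs under AppData\Local\Temp, and rundll32 reports "The specified module could not be found" because the files are gone while the values that load them are not. The run- key is where Windows Defender's Software Explorer moves startup entries it has been told to disable, which is why an older DLL name (opnnoLFv.dll) survives there. The MountPoints2 keys are the shell verbs Explorer cached from removable drives; a custom Auto verb, or a target under a Recycler folder, is the pattern an autorun.inf hijack leaves behind. What a responder wants from a log like this is a repeatable check that flags the entries worth a look before anything is deleted. The script below is an added example, not part of this thread or of HijackThis, DSS or Malwarebytes; it reads pasted log text only (no registry access, so it runs anywhere), its sample lines are constructed to match the shape of the logs posted here, and its rules (target under a temp directory, rundll32 with an ordinal or one-letter entry point, a MountPoints2 verb other than AutoRun, a Recycler target, a relative target) are heuristics chosen for this example, not rules from either tool.

```python
"""Triage of HijackThis O4 lines and DSS MountPoints2 dumps (added example,
not part of this thread or of either tool). Every rule is a heuristic that
flags an entry for human review; it is not a verdict."""
import re
from dataclasses import dataclass, field

# Constructed sample lines, shaped like the logs posted in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\THINKPAD\AppData\Local\Temp\wvUnNgEw.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\THINKPAD\AppData\Local\Temp\pmnoNDWn.dll,c
"""

SAMPLE_DSS = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9aff7651-9092-11dc-ac24-0016d32bb831}]
Auto\command- F:\Recycler\USBplice.exe
AutoRun\command- C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\Recycler\USBplice.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e08510ec-c2e8-11dc-8b9f-0016d3295a3d}]
Auto\command- auto.exe
"""

# "O4 - HKCU\..\Run: [name] command" as HijackThis prints it.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# rundll32 <dll>,<entry point>; the entry point may be an ordinal such as #1.
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+(?P<dll>.+?\.dll)\s*,\s*(?P<export>\S*)', re.IGNORECASE)
# Directories any user-level process can write to; legitimate autostarts rarely live there.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%TE?MP%", re.IGNORECASE)
# DSS "Registry Dump" lines for shell verbs cached from removable media.
MP_KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(?P<vol>[^\]]+)\]$", re.IGNORECASE)
MP_CMD_RE = re.compile(r"^(?P<verb>[A-Za-z]+)\\command-\s*(?P<cmd>.+)$")


@dataclass
class Finding:
    location: str            # hive\key, or the MountPoints2 volume
    name: str                # value name, or the shell verb
    command: str
    reasons: list = field(default_factory=list)


def triage_o4(line: str):
    """Return a Finding for a suspicious HijackThis O4 Run entry, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd, reasons = m["cmd"], []
    if TEMP_RE.search(cmd):
        reasons.append("executes from a temp directory")
    r = RUNDLL_RE.match(cmd)
    if r and (r["export"].startswith("#") or len(r["export"]) <= 1):
        reasons.append(f"rundll32 entry point '{r['export']}' is an ordinal or one-letter name")
    if not reasons:
        return None
    return Finding(f"{m['hive']}\\..\\{m['key']}", m["name"], cmd, reasons)


def triage_mountpoints2(dump: str):
    """Return Findings for MountPoints2 shell verbs cached from removable drives."""
    findings, volume = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        k = MP_KEY_RE.match(line)
        if k:
            volume = k["vol"]
            continue
        c = MP_CMD_RE.match(line)
        if not (c and volume):
            continue
        verb, cmd, reasons = c["verb"], c["cmd"], []
        if verb.lower() != "autorun":
            reasons.append(f"custom shell verb '{verb}' (what an autorun.inf 'shell=' hijack installs)")
        if re.search(r"\\recycle[rd]\\", cmd, re.IGNORECASE):
            reasons.append("target hidden under a Recycler folder")
        if not re.match(r'^"?[A-Za-z]:\\', cmd.split()[0]):
            reasons.append("relative target: runs from whichever drive gets that letter")
        if reasons:
            findings.append(Finding(f"MountPoints2\\{volume}\\shell", verb, cmd, reasons))
    return findings


def triage_log(text: str):
    """Run both checks over a pasted log and return every Finding."""
    o4 = [f for f in map(triage_o4, text.splitlines()) if f]
    return o4 + triage_mountpoints2(text)


if __name__ == "__main__":
    for f in triage_log(SAMPLE_HJT + SAMPLE_DSS):
        print(f"{f.location}  [{f.name}]  {f.command}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

On the sample above the two HKCU values and three of the four cached autorun verbs are flagged, while the vendor entries (including the legitimate rundll32 power-manager loader and the U3 launcher) pass. Deleting the orphaned Run values is what silences the pop-ups; the `run-` entry is harmless but worth clearing in the same pass so the old name cannot be re-enabled by accident.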

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:07 AM

Posted 10 July 2008 - 12:39 PM

Hi,

The reason Malwarebytes did not work is that you had msconfig, Windows Defender and Spybot TeaTimer enabled.


The computer hangs on startup after I click OK on the dialog boxes, so I'd like to be rid of them. It also might be running a bit slow because of anti-malware overkill:
Windows Defender
Norton
Malware Bytes
Superantispyware
Lavasoft Anti-Spyware
Spybot SD


After we have you clean then I will tell you which ones you need and which you don't need.

Disable Spybot TeaTimer and Windows Defender, as those prevent Malwarebytes from working.


Run Malwarebytes again.
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire report in your next reply along with a fresh DSS Main.txt log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

If you encounter this message:"c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5" Click on ignore mbamext.dll

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 Ainvar

Ainvar
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:07 AM

Posted 10 July 2008 - 01:36 PM

SifuMike,

As far as I can tell, that did it. I rebooted with no errors and the reboot took a reasonable amount of time. I'm sorry I misread your note about disabling Windows Defender the first time.

I'll let you validate my system's cleanliness and point me in the direction of a less cumbersome security software suite.

Malwarebytes' Anti-Malware 1.20
Database version: 937
Windows 6.0.6001 Service Pack 1

2:20:21 AM 7/11/2008
mbam-log-7-11-2008 (02-20-21).txt

Scan type: Quick Scan
Objects scanned: 36578
Time elapsed: 3 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer
(Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmds (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Deckard's System Scanner v20071014.68
Run by THINKPAD on 2008-07-11 02:26:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 15.38 GiB (less than 15%) free.


-- HijackThis (run as THINKPAD.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:26:37 AM, on 7/11/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\THINKPAD\Desktop\dss.exe
C:\Windows\system32\conime.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\THINKPAD.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [LenovoRegistration] C:\SWTOOLS\LenovoWelcome\LenovoRegistration.exe /inif="C:\SWSHARE\leadertech.ini"
O4 - HKLM\..\Run: [LenovoOobeOffers] c:\swtools\LenovoWelcome\LenovoOobeOffers.exe /filePath="c:\swshare\firstrun.txt"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\Windows\system32\IPSSVC.EXE
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: System Update (SUService) - - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Unknown owner - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 14855 bytes

-- Files created between 2008-06-11 and 2008-07-11 -----------------------------

2008-07-09 23:32:50 0 --a------ C:\ltojmpsv
2008-07-09 21:18:40 0 d-------- C:\!KillBox
2008-06-14 17:05:49 0 d-------- C:\PerfLogs
2008-06-13 10:31:51 0 d-------- C:\Program Files\Sun
2008-06-13 00:20:11 0 d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-06-13 00:19:26 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-13 00:09:49 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-12 23:48:23 0 d-------- C:\Users\All Users\Malwarebytes
2008-06-12 23:48:22 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-12 23:46:27 0 d-------- C:\Program Files\Trend Micro
2008-06-12 10:15:50 0 d-------- C:\Users\All Users\Lavasoft
2008-06-12 09:45:33 0 d-------- C:\Users\THINKPAD\.housecall6.6
2008-06-12 09:13:37 0 d-------- C:\VundoFix Backups
2008-06-11 23:59:31 0 d-------- C:\Program Files\Common Files\Macrovision Shared


-- Find3M Report ---------------------------------------------------------------

2008-07-11 02:21:24 12 --a------ C:\Windows\bthservsdp.dat
2008-06-14 17:34:07 174 --ahs---- C:\Program Files\desktop.ini
2008-06-14 17:10:02 0 d-------- C:\Program Files\Windows Sidebar
2008-06-14 17:10:02 0 d-------- C:\Program Files\Windows Calendar
2008-06-14 17:10:02 0 d-------- C:\Program Files\Movie Maker
2008-06-14 17:10:01 0 d-------- C:\Program Files\Windows Mail
2008-06-14 17:09:58 0 d-------- C:\Program Files\Windows Photo Gallery
2008-06-14 17:09:58 0 d-------- C:\Program Files\Windows Collaboration
2008-06-14 17:09:57 0 d-------- C:\Program Files\Windows Journal
2008-06-14 17:09:49 0 d-------- C:\Program Files\Windows Defender
2008-06-13 11:10:25 0 d-------- C:\Users\THINKPAD\AppData\Roaming\Skype
2008-06-13 10:31:05 0 d-------- C:\Program Files\Java
2008-06-13 00:19:26 0 d-------- C:\Users\THINKPAD\AppData\Roaming\SUPERAntiSpyware.com
2008-06-13 00:09:49 0 d-------- C:\Program Files\Common Files
2008-06-12 23:48:34 0 d-------- C:\Users\THINKPAD\AppData\Roaming\Malwarebytes
2008-06-09 03:06:23 0 d-------- C:\Users\THINKPAD\AppData\Roaming\uTorrent
2008-06-08 11:03:09 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-04 12:43:32 0 d-------- C:\Users\THINKPAD\AppData\Roaming\Adobe
2008-06-04 12:01:09 0 d-------- C:\Program Files\7-Zip
2008-05-31 10:27:22 0 d-------- C:\Program Files\Norton Internet Security
2008-05-31 10:27:22 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-31 10:27:20 0 d-------- C:\Program Files\Symantec
2008-05-19 15:03:19 0 d-------- C:\Program Files\AIM6
2008-05-19 11:38:12 0 d-------- C:\Program Files\Common Files\AOL


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/19/2008 03:38 PM]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [01/18/2007 02:01 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [08/14/2007 12:53 PM]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [11/10/2006 12:26 PM]
"TpShocks"="TpShocks.exe" [12/26/2006 12:15 PM C:\Windows\System32\TpShocks.exe]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [11/29/2006 01:30 AM]
"PWMTRV"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [12/20/2006 01:01 AM]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [12/20/2006 01:01 AM]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [12/14/2006 02:23 PM]
"LPManager"="C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe" [02/01/2007 01:01 AM]
"AMSG"="C:\Program Files\ThinkVantage\AMSG\Amsg.exe" [12/21/2006 05:50 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [11/07/2006 06:51 PM]
"cssauth"="C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" [08/09/2007 09:53 AM]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [11/16/2006 07:21 AM]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [03/10/2007 05:23 AM]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [03/10/2007 05:23 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [10/25/2006 01:08 PM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [10/27/2006 03:18 PM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [04/02/2008 02:49 AM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [11/29/2007 11:51 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/12/2008 02:16 PM]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [01/11/2008 07:54 PM]
"@"="" []
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/17/2006 01:55 PM]
"LenovoRegistration"="C:\SWTOOLS\LenovoWelcome\LenovoRegistration.exe" [02/16/2007 03:36 AM]
"LenovoOobeOffers"="c:\swtools\LenovoWelcome\LenovoOobeOffers.exe" [12/30/2006 01:01 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/19/2008 03:33 PM]
"@"="" []
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/11/2006 03:35 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [12/1/2006 2:10:24 AM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [8/24/2007 5:58:18 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 5:01:04 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"DisableCAD"=1 (0x1)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\Windows\system32\psqlpwd.dll 12/09/2006 10:44 AM 89600 C:\Windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli psqlpwd ACGina

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSServer"=rundll32.exe C:\Users\THINKPAD\AppData\Local\Temp\opnnoLFv.dll,#1

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc CscService TabletInputService UmRdpService wlansvc WPDBusEnum EMDMgmt
LocalServiceNoNetwork PLA DPS BFE mpssvc
LocalServiceNetworkRestricted DHCP eventlog AudioSrv LmHosts wscsvc p2pimsvc PNRPSvc p2psvc PnrpAutoReg
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d430820-9622-11dc-a8db-0016d32bb831}]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{689f66b5-c780-11dc-b560-0016d3295a3d}]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9aff7651-9092-11dc-ac24-0016d32bb831}]
Auto\command- F:\Recycler\USBplice.exe
AutoRun\command- C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\Recycler\USBplice.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9aff7656-9092-11dc-ac24-0016d32bb831}]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e08510ec-c2e8-11dc-8b9f-0016d3295a3d}]
Auto\command- auto.exe
AutoRun\command- C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {AB42B423-B596-3C2F-21B2-64AAB0FA6D1B} /qb

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-07-11 02:30:44 ------------
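
The Registry Dump above is what a helper reads for persistence. As an added example (not part of this thread, nor of DSS or HijackThis), here is a small Python triage script that parses that dump format and flags the patterns in play here: a rundll32 entry loading a DLL out of a Temp folder, the disabled entry parked under Run-, and the MountPoints2 autorun commands that point into a Recycler folder or at a bare executable name. It takes the line layout exactly as DSS printed it above (the `AutoRun\command-` form included), and its sample input is an excerpt of that dump.

```python
"""Triage the 'Registry Dump' section of a Deckard's System Scanner log.

Added example, not part of the thread or of DSS/HijackThis. It parses the
dump format seen above ([key] headers, "Name"="command" [date] values and
AutoRun\\command- lines) and flags the persistence patterns this thread is
about: rundll32 loading a DLL from a Temp folder, entries parked under a
Run- key, and MountPoints2 autorun commands pointing into a Recycler folder
or at a bare executable name.
"""
import re
from collections import namedtuple

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<cmd>.*?)(?:\s*\[[^\]]*\])?\s*$')
AUTORUN_RE = re.compile(r"^(?P<verb>Auto(?:Run)?)\\command-\s*(?P<cmd>.+?)\s*$")
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>[^,]+?)\s*,", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\(?:Local\\)?Temp\\", re.IGNORECASE)
RECYCLER_RE = re.compile(r"\\Recycler\\", re.IGNORECASE)
BARE_EXE_RE = re.compile(r"^[\w.-]+\.(?:exe|com|bat|cmd|scr|pif)$", re.IGNORECASE)

Finding = namedtuple("Finding", "key name command reason")


def parse_sections(text):
    """Split the dump into (key, [value lines]) pairs, one per [key] header."""
    sections, key, lines = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            if key is not None:
                sections.append((key, lines))
            key, lines = m.group("key"), []
        elif key is not None and line:
            lines.append(line)
    if key is not None:
        sections.append((key, lines))
    return sections


def triage(text):
    """Return a Finding for every Run/Run-/MountPoints2 entry matching a flagged pattern."""
    findings = []
    for key, lines in parse_sections(text):
        k = key.lower()
        if k.endswith("\\currentversion\\run") or k.endswith("\\currentversion\\run-"):
            for line in lines:
                m = RUN_VALUE_RE.match(line)
                if not m:
                    continue
                name, cmd = m.group("name"), m.group("cmd").strip().strip('"')
                reasons = []
                dll = RUNDLL_RE.search(cmd)
                if dll and TEMP_DIR_RE.search(dll.group("dll")):
                    reasons.append("rundll32 loads a DLL from a Temp directory")
                if k.endswith("run-"):
                    reasons.append("parked under Run- (disabled, not removed)")
                if reasons:
                    findings.append(Finding(key, name, cmd, "; ".join(reasons)))
        elif "\\explorer\\mountpoints2\\" in k:
            for line in lines:
                m = AUTORUN_RE.match(line)
                if not m:
                    continue
                cmd = m.group("cmd")
                # Strip a "RunDLL32 Shell32.DLL,ShellExec_RunDLL" wrapper to reach the real target.
                target = re.sub(r"(?i)^.*shellexec_rundll\s+", "", cmd).split()
                if target and RECYCLER_RE.search(target[0]):
                    reason = "autorun target inside a Recycler folder"
                elif target and BARE_EXE_RE.match(target[0]):
                    reason = "autorun target is a bare executable name (no path)"
                else:
                    continue
                findings.append(Finding(key, m.group("verb"), cmd, reason))
    return findings


# Excerpt of the Registry Dump posted above (values from the thread, not constructed).
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWMTRV"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [12/20/2006 01:01 AM]
"@"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [05/28/2008 10:33 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSServer"=rundll32.exe C:\Users\THINKPAD\AppData\Local\Temp\opnnoLFv.dll,#1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9aff7651-9092-11dc-ac24-0016d32bb831}]
Auto\command- F:\Recycler\USBplice.exe
AutoRun\command- C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\Recycler\USBplice.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e08510ec-c2e8-11dc-8b9f-0016d3295a3d}]
Auto\command- auto.exe
AutoRun\command- C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_DUMP):
        print(f"[{f.reason}] {f.key}\n    {f.name} = {f.command}")
```

On the excerpt it reports the MSServer entry once (with both reasons) and four MountPoints2 autorun commands, while leaving the vendor Run entries and the U3 launcher untouched.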

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 10 July 2008 - 01:49 PM

Hi Ainvar,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u7-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
I see one sticky registry item we need to remove, so we will use OTScanit.

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. Make sure that the first line is code with brackets around it [] and that the last line is /code with brackets around it [].

If, after posting, the last line is not <End of Report> then the log is too big to fit into a single post.

If the file is too big to post, then you can upload it to me here.

Edited by SifuMike, 10 July 2008 - 01:49 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 Ainvar

Ainvar
  • Topic Starter

  • Members
  • 11 posts

Posted 12 July 2008 - 08:26 AM

SifuMike,

I have sent in the requested OTScanIt file.

Thanks for all your help,

-Ainvar

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 12 July 2008 - 12:29 PM

Hi Ainvar,

Step #1

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
%allusersprofile%\bm7b2c1914.xml
%allusersprofile%\pskt.ini
Folders to delete:
%allusersprofile%\viewpoint

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
  • Click the Execute button
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Step #2

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> BM7b2c1914.xml -> %AllUsersProfile%\BM7b2c1914.xml
NY -> pskt.ini -> %AllUsersProfile%\pskt.ini
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> BM7b2c1914.xml -> %AllUsersProfile%\BM7b2c1914.xml
NY -> pskt.ini -> %AllUsersProfile%\pskt.ini
NY -> Viewpoint -> %AllUsersProfile%\Viewpoint
[Empty Temp Folders]
[Start Explorer]
[Reboot]

The fix should only take a very short time. When the fix is completed a message box will pop up either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Step #3

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
Step #4

Run a new OTScanIt scan with the following options

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Step #5

Post the following back here:
1. The Avenger report (c:\Avenger.txt). This is a short report so you will be able to post it.

2. The latest OTScanIt fix log (look in the OTScanIt folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run. ) This is a short report so you will be able to post it.

3. The new OTScanIt scan log. This is a short report so you will be able to post it.
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

#11 Ainvar

Ainvar
  • Topic Starter

  • Members
  • 11 posts

Posted 12 July 2008 - 06:13 PM

I ran the Avenger as you said, but the avenger.txt file is in c:/avenger/backup.zip, which is password-protected.

Explorer killed successfully
[Files Created - Additional Folder Scans - Non-Microsoft Only]
File C:\ProgramData\BM7b2c1914.xml not found!
File C:\ProgramData\pskt.ini not found!
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
File C:\ProgramData\BM7b2c1914.xml not found!
File C:\ProgramData\pskt.ini not found!
File C:\ProgramData\Viewpoint not found!
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
FireFox cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.16.1 fix logfile created on 07132008_051932

#12 Ainvar

Ainvar
  • Topic Starter

  • Members
  • 11 posts

Posted 12 July 2008 - 06:15 PM

OTScanIt logfile created on: 7/13/2008 7:04:46 AM
OTScanIt by OldTimer - Version 1.0.16.1  Folder = C:\Users\THINKPAD\Desktop\OTScanIt
Windows Vista Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.18 Gb Available Physical Memory | 58.97% Memory free
4.00 Gb Paging File | 3.21 Gb Available in Paging File | 80.20% Paging File free
Paging file location(s): ?:\pagefile.sys;

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 106.82 Gb Total Space | 14.27 Gb Free Space | 13.36% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: THINKPAD-PC
Current User Name: THINKPAD
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user

[Processes - Non-Microsoft Only]
ibmpmsvc.exe -> %SystemRoot%\System32\ibmpmsvc.exe -> Lenovo [Ver = 1.43 | Size = 36400 bytes | Modified Date = 6/1/2007 6:02:06 PM | Attr = ]
ati2evxx.exe -> %SystemRoot%\System32\Ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4155 | Size = 557056 bytes | Modified Date = 1/5/2007 11:40:56 AM | Attr = ]
ati2evxx.exe -> %SystemRoot%\System32\Ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4155 | Size = 557056 bytes | Modified Date = 1/5/2007 11:40:56 AM | Attr = ]
ccsvchst.exe -> %CommonProgramFiles%\Symantec Shared\ccSvcHst.exe -> Symantec Corporation [Ver = 106.1.1.4 | Size = 107624 bytes | Modified Date = 10/25/2006 1:08:20 PM | Attr = ]
upeksvr.exe -> %ProgramFiles%\ThinkVantage Fingerprint Software\upeksvr.exe -> UPEK Inc. [Ver = 5.6.0.3297 | Size = 21504 bytes | Modified Date = 12/9/2006 10:45:48 AM | Attr = ]
appsvc32.exe -> %CommonProgramFiles%\Symantec Shared\AppCore\AppSvc32.exe -> Symantec Corporation [Ver = 1.1.00.7 | Size = 46736 bytes | Modified Date = 9/21/2006 9:05:16 AM | Attr = ]
ipssvc.exe -> %SystemRoot%\System32\IPSSVC.EXE -> Lenovo Group Limited [Ver = 3, 0, 0, 0 | Size = 108080 bytes | Modified Date = 11/20/2006 1:14:14 PM | Attr = ]
acprfmgrsvc.exe -> %ProgramFiles%\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe -> Lenovo [Ver = 4.31a | Size = 83504 bytes | Modified Date = 3/10/2007 5:23:02 AM | Attr = ]
aluschedulersvc.exe -> %ProgramFiles%\Symantec\LiveUpdate\AluSchedulerSvc.exe -> Symantec Corporation [Ver = 3.2.0.68 | Size = 554352 bytes | Modified Date = 9/13/2007 10:27:24 AM | Attr = ]
dkservice.exe -> %ProgramFiles%\Diskeeper Corporation\Diskeeper\DkService.exe -> Diskeeper Corporation [Ver = 9.0.545.0 | Size = 634988 bytes | Modified Date = 11/16/2006 7:20:46 AM | Attr = ]
suservice.exe -> %ProgramFiles%\Lenovo\System Update\SUService.exe ->  [Ver = 0.0.0.0 | Size = 11776 bytes | Modified Date = 12/16/2006 7:50:52 AM | Attr = ]
tvt_reg_monitor_svc.exe -> %CommonProgramFiles%\Lenovo\tvt_reg_monitor_svc.exe -> Lenovo Group Limited [Ver = 1.20.0301.00 | Size = 644408 bytes | Modified Date = 8/9/2007 5:26:16 AM | Attr = ]
tphdexlg.exe -> %SystemRoot%\System32\TPHDEXLG.exe -> Lenovo. [Ver = 1.51.0.0 | Size = 37168 bytes | Modified Date = 12/26/2006 1:06:00 PM | Attr = ]
tphksvc.exe -> %ProgramFiles%\Lenovo\HOTKEY\TPHKSVC.exe ->  [Ver =  | Size = 55928 bytes | Modified Date = 10/13/2006 12:08:56 PM | Attr = ]
tvttcsd.exe -> %ProgramFiles%\Lenovo\Client Security Solution\tvttcsd.exe -> IBM [Ver = 1,1,3,301 | Size = 722232 bytes | Modified Date = 8/9/2007 5:35:18 AM | Attr = ]
rrpservice.exe -> %ProgramFiles%\Lenovo\Rescue and Recovery\rrpservice.exe ->  [Ver = 4,0,118,0 | Size = 569344 bytes | Modified Date = 12/14/2006 2:13:02 PM | Attr = ]
rrservice.exe -> %ProgramFiles%\Lenovo\Rescue and Recovery\rrservice.exe -> Lenovo Group Limited [Ver = 4,0,118,0 | Size = 950272 bytes | Modified Date = 12/14/2006 2:11:14 PM | Attr = ]
tvtsched.exe -> %CommonProgramFiles%\Lenovo\Scheduler\tvtsched.exe -> Lenovo Group Limited [Ver = 4,0,112,0 | Size = 1118208 bytes | Modified Date = 12/14/2006 2:23:42 PM | Attr = ]
iuservice.exe -> %ProgramFiles%\Lenovo\Rescue and Recovery\ADM\IUService.exe ->  [Ver =  | Size = 45056 bytes | Modified Date = 12/14/2006 12:46:08 PM | Attr = ]
xaudio.exe -> %SystemRoot%\System32\drivers\XAudio.exe -> Conexant Systems, Inc. [Ver = 1.02 | Size = 386560 bytes | Modified Date = 11/28/2006 9:44:58 AM | Attr = ]
acsvc.exe -> %ProgramFiles%\ThinkPad\ConnectUtilities\AcSvc.exe -> Lenovo [Ver = 4.31a | Size = 194096 bytes | Modified Date = 3/10/2007 5:23:08 AM | Attr = ]
sdwinsec.exe -> %ProgramFiles%\Spybot - Search & Destroy\SDWinSec.exe -> Safer Networking Ltd. [Ver = 1, 0, 0, 8 | Size = 600912 bytes | Modified Date = 9/1/2007 8:46:18 AM | Attr = ]
tpfnf7sp.exe -> %ProgramFiles%\Lenovo\NPDIRECT\tpfnf7sp.exe -> Lenovo Group Limited [Ver = 1.00 | Size = 58416 bytes | Modified Date = 1/18/2007 2:01:00 AM | Attr = ]
logmon.exe -> %CommonProgramFiles%\Lenovo\Logger\logmon.exe ->  [Ver =  | Size = 22016 bytes | Modified Date = 12/14/2006 1:59:04 PM | Attr = ]
svcguihlpr.exe -> %ProgramFiles%\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe -> Lenovo [Ver = 4.31a | Size = 124464 bytes | Modified Date = 3/10/2007 5:24:04 AM | Attr = ]
syntpenh.exe -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe -> Synaptics, Inc. [Ver = 9.1.3.5 13Aug07 | Size = 820520 bytes | Modified Date = 8/14/2007 12:53:00 PM | Attr = ]
tposdsvc.exe -> %ProgramFiles%\Lenovo\HOTKEY\TPOSDSVC.exe ->  [Ver =  | Size = 64128 bytes | Modified Date = 11/10/2006 12:26:08 PM | Attr = ]
tpshocks.exe -> %SystemRoot%\System32\TpShocks.exe -> Lenovo. [Ver = 1.51.0.0 | Size = 181808 bytes | Modified Date = 12/26/2006 12:15:18 PM | Attr = ]
ezejmnap.exe -> %ProgramFiles%\ThinkPad\Utilities\EZEJMNAP.EXE -> Lenovo Group Limited [Ver = 1, 0, 0, 0 | Size = 243248 bytes | Modified Date = 11/29/2006 1:30:00 AM | Attr = ]
scheduler_proxy.exe -> %CommonProgramFiles%\Lenovo\Scheduler\scheduler_proxy.exe -> Lenovo Group Limited [Ver = 4,0,112,0 | Size = 536576 bytes | Modified Date = 12/14/2006 2:23:50 PM | Attr = ]
lpmgr.exe -> %ProgramFiles%\ThinkVantage\PrdCtr\LPMGR.EXE -> Lenovo Group Limited [Ver = 1, 0, 0, 2 | Size = 120368 bytes | Modified Date = 2/1/2007 1:01:00 AM | Attr = ]
awaysch.exe -> %ProgramFiles%\Lenovo\AwayTask\AwaySch.EXE -> Lenovo Group Limited [Ver = 3, 0, 0, 0 | Size = 91688 bytes | Modified Date = 11/7/2006 6:51:40 PM | Attr = ]
cssauth.exe -> %ProgramFiles%\Lenovo\Client Security Solution\cssauth.exe -> Lenovo Group Limited [Ver = 8.00.0306.00 | Size = 2630968 bytes | Modified Date = 8/9/2007 9:53:12 AM | Attr = ]
actray.exe -> %ProgramFiles%\ThinkPad\ConnectUtilities\ACTray.exe -> Lenovo [Ver = 4.31a | Size = 419376 bytes | Modified Date = 3/10/2007 5:23:18 AM | Attr = ]
acwlicon.exe -> %ProgramFiles%\ThinkPad\ConnectUtilities\ACWLIcon.exe -> Lenovo [Ver = 4.31a | Size = 120368 bytes | Modified Date = 3/10/2007 5:23:36 AM | Attr = ]
ccapp.exe -> %CommonProgramFiles%\Symantec Shared\ccApp.exe -> Symantec Corporation [Ver = 106.1.1.4 | Size = 107112 bytes | Modified Date = 10/25/2006 1:08:40 PM | Attr = ]
acrotray.exe -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe -> Adobe Systems Inc. [Ver = 8.1.2.2008011100 | Size = 623992 bytes | Modified Date = 1/11/2008 7:54:31 PM | Attr = ]
smax4pnp.exe -> %ProgramFiles%\Analog Devices\Core\smax4pnp.exe -> Analog Devices, Inc. [Ver = 6,1,0,80 | Size = 1097728 bytes | Modified Date = 10/17/2006 1:55:20 PM | Attr = ]
jusched.exe -> %ProgramFiles%\Java\jre1.6.0_07\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 144784 bytes | Modified Date = 6/10/2008 4:27:04 AM | Attr = ]
tponscr.exe -> %ProgramFiles%\Lenovo\HOTKEY\TPONSCR.exe ->  [Ver =  | Size = 73256 bytes | Modified Date = 10/13/2006 12:09:00 PM | Attr = ]
bttray.exe -> %ProgramFiles%\ThinkPad\Bluetooth Software\BTTray.exe -> Broadcom Corporation. [Ver = 6.0.1.3500 | Size = 719664 bytes | Modified Date = 12/1/2006 
2:10:24 AM | Attr =	]
dlg.exe -> %ProgramFiles%\Digital Line Detect\DLG.exe -> Avanquest Software 
 [Ver = 1, 0, 0, 2 | Size = 45056 bytes | Modified Date = 9/23/2006 12:35:58 
AM | Attr =	]
mom.exe -> %ProgramFiles%\ATI Technologies\ATI.ACE\Core-Static\MOM.exe -> 
ATI Technologies Inc. [Ver = 2.0.0.0 | Size = 49152 bytes | Modified Date 
= 9/30/2006 12:57:30 AM | Attr =	]
tpscrex.exe -> %ProgramFiles%\Lenovo\ZOOM\TpScrex.exe -> Lenovo Group Limited 
[Ver = 1.17 | Size = 91688 bytes | Modified Date = 9/6/2006 3:39:10 PM | 
Attr =	]
syntplpr.exe -> %ProgramFiles%\Synaptics\SynTP\SynTPLpr.exe -> Synaptics, 
Inc. [Ver = 9.1.3.5 13Aug07 | Size = 110592 bytes | Modified Date = 8/14/2007 
12:33:00 PM | Attr =	]
fnplicensingservice.exe -> %CommonProgramFiles%\Macrovision Shared\FLEXnet 
Publisher\FNPLicensingService.exe -> Macrovision Europe Ltd. [Ver = 11.03.005 
| Size = 654848 bytes | Modified Date = 6/11/2008 11:59:31 PM | Attr =  
  ]
ccc.exe -> %ProgramFiles%\ATI Technologies\ATI.ACE\Core-Static\CCC.exe -> 
ATI Technologies Inc. [Ver = 2.0.0.0 | Size = 49152 bytes | Modified Date 
= 9/30/2006 12:57:36 AM | Attr =	]
dkicon.exe -> %ProgramFiles%\Diskeeper Corporation\Diskeeper\DkIcon.exe 
-> Diskeeper Corporation [Ver = 9.0.545.0 | Size = 217176 bytes | Modified 
Date = 11/16/2006 7:21:56 AM | Attr =	]
otscanit.exe -> %UserProfile%\Desktop\OTScanIt\OTScanIt.exe -> OldTimer 
Tools [Ver = 1.0.16.1 | Size = 396800 bytes | Modified Date = 7/5/2008 11:19:06 
AM | Attr =	]

[Win32 Services - Non-Microsoft Only]
(AcPrfMgrSvc) Ac Profile Manager Service [Win32_Own | Auto | Running] -> 
%ProgramFiles%\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe -> Lenovo [Ver 
= 4.31a | Size = 83504 bytes | Modified Date = 3/10/2007 5:23:02 AM | Attr 
=	]
(AcSvc) Access Connections Main Service [Win32_Own | Auto | Running] -> 
%ProgramFiles%\ThinkPad\ConnectUtilities\AcSvc.exe -> Lenovo [Ver = 4.31a 
| Size = 194096 bytes | Modified Date = 3/10/2007 5:23:08 AM | Attr =   
 ]
(Ati External Event Utility) Ati External Event Utility [Win32_Own | Auto 
| Running] -> %SystemRoot%\System32\Ati2evxx.exe -> ATI Technologies Inc. 
[Ver = 6.14.10.4155 | Size = 557056 bytes | Modified Date = 1/5/2007 11:40:56 
AM | Attr =	]
(Automatic LiveUpdate Scheduler) Automatic LiveUpdate Scheduler [Win32_Own 
| Auto | Running] -> %ProgramFiles%\Symantec\LiveUpdate\AluSchedulerSvc.exe 
-> Symantec Corporation [Ver = 3.2.0.68 | Size = 554352 bytes | Modified 
Date = 9/13/2007 10:27:24 AM | Attr =	]
(ccEvtMgr) Symantec Event Manager [Win32_Shared | Auto | Running] -> %CommonProgramFiles%
\Symantec Shared\ccSvcHst.exe -> Symantec Corporation [Ver = 106.1.1.4 | 
Size = 107624 bytes | Modified Date = 10/25/2006 1:08:20 PM | Attr =	
]
(ccSetMgr) Symantec Settings Manager [Win32_Shared | Auto | Running] -> 
%CommonProgramFiles%\Symantec Shared\ccSvcHst.exe -> Symantec Corporation 
[Ver = 106.1.1.4 | Size = 107624 bytes | Modified Date = 10/25/2006 1:08:20 
PM | Attr =	]
(CertPropSvc) Certificate Propagation [Win32_Shared | Unknown | Stopped] 
-> %SystemRoot%\system32\svchost.exe -> File not found
(CLTNetCnService) Symantec Lic NetConnect service [Win32_Shared | Auto | 
Running] -> %CommonProgramFiles%\Symantec Shared\ccSvcHst.exe -> Symantec 
Corporation [Ver = 106.1.1.4 | Size = 107624 bytes | Modified Date = 10/25/2006 
1:08:20 PM | Attr =	]
(comHost) COM Host [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Symantec 
Shared\VAScanner\comHost.exe -> Symantec Corporation [Ver = 1.1.0.9 | Size 
= 49296 bytes | Modified Date = 10/14/2006 6:29:12 AM | Attr =	]
(DcomLaunch) DCOM Server Process Launcher [Win32_Shared | Unknown | Running] 
-> %SystemRoot%\system32\svchost.exe -> File not found
(Diskeeper) Diskeeper [Win32_Own | Auto | Running] -> %ProgramFiles%\Diskeeper 
Corporation\Diskeeper\DkService.exe -> Diskeeper Corporation [Ver = 9.0.545.0 
| Size = 634988 bytes | Modified Date = 11/16/2006 7:20:46 AM | Attr =  
  ]
(FLEXnet Licensing Service) FLEXnet Licensing Service [Win32_Own | On_Demand 
| Running] -> %CommonProgramFiles%\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.
exe -> Macrovision Europe Ltd. [Ver = 11.03.005 | Size = 654848 bytes | 
Modified Date = 6/11/2008 11:59:31 PM | Attr =	]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%
\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 
2.0.711.37800.beta | Size = 136120 bytes | Modified Date = 1/4/2007 9:40:21 
AM | Attr =	]
(IBMPMSVC) ThinkPad PM Service [Win32_Own | Auto | Running] -> %SystemRoot%\System32\ibmpmsvc.
exe -> Lenovo [Ver = 1.43 | Size = 36400 bytes | Modified Date = 6/1/2007 
6:02:06 PM | Attr =	]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] 
-> %CommonProgramFiles%\InstallShield\Driver\1150\Intel 32\IDriverT.exe 
-> Macrovision Corporation [Ver = 11.50.42618 | Size = 69632 bytes | Modified 
Date = 11/14/2005 4:06:04 PM | Attr =	]
(idsvc) Windows CardSpace [Win32_Shared | Unknown | Stopped] -> %systemroot%\Microsoft.
NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -> File 
not found
(IPSSVC) IPS Core Service [Win32_Own | Auto | Running] -> %SystemRoot%\System32\IPSSVC.
EXE -> Lenovo Group Limited [Ver = 3, 0, 0, 0 | Size = 108080 bytes | Modified 
Date = 11/20/2006 1:14:14 PM | Attr =	]
(ISPwdSvc) Symantec IS Password Validation [Win32_Own | On_Demand | Stopped] 
-> %ProgramFiles%\Norton Internet Security\isPwdSvc.exe -> Symantec Corporation 
[Ver = 10.1.0.38 | Size = 80552 bytes | Modified Date = 10/27/2006 3:18:36 
PM | Attr =	]
(LiveUpdate) LiveUpdate [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Symantec\LiveUpdate\LuComServer_3_2.
EXE -> Symantec Corporation [Ver = 3.2.0.68 | Size = 2999664 bytes | Modified 
Date = 9/13/2007 10:27:24 AM | Attr =	]
(LiveUpdate Notice Ex) LiveUpdate Notice Service Ex [Win32_Shared | Auto 
| Running] -> %CommonProgramFiles%\Symantec Shared\ccSvcHst.exe -> Symantec 
Corporation [Ver = 106.1.1.4 | Size = 107624 bytes | Modified Date = 10/25/2006 
1:08:20 PM | Attr =	]
(LiveUpdate Notice Service) LiveUpdate Notice Service [Win32_Own | Auto 
| Stopped] -> %CommonProgramFiles%\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-
2F227FCA9A08}\PIFSvc.exe -> Symantec Corporation [Ver = 1.4.5.73 | Size 
= 583048 bytes | Modified Date = 11/29/2007 11:51:10 AM | Attr =	]
(MSDTC) Distributed Transaction Coordinator [Win32_Own | Unknown | Stopped] 
-> %SystemRoot%\System32\msdtc.exe -> File not found
(SBSDWSCService) SBSD Security Center Service [Win32_Own | Auto | Running] 
-> %ProgramFiles%\Spybot - Search & Destroy\SDWinSec.exe -> Safer Networking 
Ltd. [Ver = 1, 0, 0, 8 | Size = 600912 bytes | Modified Date = 9/1/2007 
8:46:18 AM | Attr =	]
(Schedule) Task Scheduler [Win32_Shared | Unknown | Running] -> %systemroot%\system32\svchost.
exe -> File not found
(SCPolicySvc) Smart Card Removal Policy [Win32_Shared | Unknown | Stopped] 
-> %SystemRoot%\system32\svchost.exe -> File not found
(Steam Client Service) Steam Client Service [Win32_Own | On_Demand | Stopped] 
-> %CommonProgramFiles%\Steam\SteamService.exe -> Valve Corporation [Ver 
= 1, 0, 0, 1 | Size = 87288 bytes | Modified Date = 2/17/2008 4:09:54 AM 
| Attr =	]
(SUService) System Update [Win32_Own | Auto | Running] -> %ProgramFiles%\Lenovo\System 
Update\SUService.exe ->   [Ver = 0.0.0.0 | Size = 11776 bytes | Modified 
Date = 12/16/2006 7:50:52 AM | Attr =	]
(Symantec Core LC) Symantec Core LC [Win32_Own | On_Demand | Stopped] -> 
%CommonProgramFiles%\Symantec Shared\CCPD-LC\symlcsvc.exe ->  [Ver =  | 
Size = 1251720 bytes | Modified Date = 2/13/2008 4:21:29 AM | Attr =	
]
(SymAppCore) Symantec AppCore Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%
\Symantec Shared\AppCore\AppSvc32.exe -> Symantec Corporation [Ver = 1.1.00.7 
| Size = 46736 bytes | Modified Date = 9/21/2006 9:05:16 AM | Attr =	
]
(ThinkVantage Registry Monitor Service) ThinkVantage Registry Monitor Service 
[Win32_Own | Auto | Running] -> %CommonProgramFiles%\Lenovo\tvt_reg_monitor_svc.
exe -> Lenovo Group Limited [Ver = 1.20.0301.00 | Size = 644408 bytes | 
Modified Date = 8/9/2007 5:26:16 AM | Attr =	]
(TPHDEXLGSVC) ThinkPad HDD APS Logging Service [Win32_Own | Auto | Running] 
-> %SystemRoot%\System32\TPHDEXLG.exe -> Lenovo. [Ver = 1.51.0.0 | Size 
= 37168 bytes | Modified Date = 12/26/2006 1:06:00 PM | Attr =	]
(TPHKSVC) On Screen Display [Win32_Own | Auto | Running] -> %ProgramFiles%\Lenovo\HOTKEY\TPHKSVC.
exe ->  [Ver =  | Size = 55928 bytes | Modified Date = 10/13/2006 12:08:56 
PM | Attr =	]
(TrustedInstaller) Windows Modules Installer [Win32_Own | Unknown | Stopped] 
-> %SystemRoot%\servicing\TrustedInstaller.exe -> File not found
(TSSCoreService) TSS Core Service [Win32_Own | Auto | Running] -> %ProgramFiles%
\Lenovo\Client Security Solution\tvttcsd.exe -> IBM [Ver = 1,1,3,301 | Size 
= 722232 bytes | Modified Date = 8/9/2007 5:35:18 AM | Attr =	]
(TVT Backup Protection Service) TVT Backup Protection Service [Win32_Own 
| Auto | Running] -> %ProgramFiles%\Lenovo\Rescue and Recovery\rrpservice.exe 
->  [Ver = 4,0,118,0 | Size = 569344 bytes | Modified Date = 12/14/2006 
2:13:02 PM | Attr =	]
(TVT Backup Service) TVT Backup Service [Win32_Own | Auto | Running] -> 
%ProgramFiles%\Lenovo\Rescue and Recovery\rrservice.exe -> Lenovo Group 
Limited [Ver = 4,0,118,0 | Size = 950272 bytes | Modified Date = 12/14/2006 
2:11:14 PM | Attr =	]
(TVT Scheduler) TVT Scheduler [Win32_Own | Auto | Running] -> %CommonProgramFiles%
\Lenovo\Scheduler\tvtsched.exe -> Lenovo Group Limited [Ver = 4,0,112,0 
| Size = 1118208 bytes | Modified Date = 12/14/2006 2:23:42 PM | Attr = 
   ]
(tvtnetwk) tvtnetwk [Win32_Own | Auto | Running] -> %ProgramFiles%\Lenovo\Rescue 
and Recovery\ADM\IUService.exe ->  [Ver =  | Size = 45056 bytes | Modified 
Date = 12/14/2006 12:46:08 PM | Attr =	]
(WdiServiceHost) Diagnostic Service Host [Win32_Shared | Unknown | Stopped] 
-> %SystemRoot%\System32\svchost.exe -> File not found
(WdiSystemHost) Diagnostic System Host [Win32_Shared | Unknown | Running] 
-> %SystemRoot%\System32\svchost.exe -> File not found
(XAudioService) XAudioService [Win32_Own | Auto | Running] -> %SystemRoot%\System32\drivers\XAudio.
exe -> Conexant Systems, Inc. [Ver = 1.02 | Size = 386560 bytes | Modified 
Date = 11/28/2006 9:44:58 AM | Attr =	]

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 
-> 
 ->  [] -> File not found
Acrobat Assistant 8.0 -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe 
["C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"] -> Adobe Systems 
Inc. [Ver = 8.1.2.2008011100 | Size = 623992 bytes | Modified Date = 1/11/2008 
7:54:31 PM | Attr =	]
ACTray -> %ProgramFiles%\ThinkPad\ConnectUtilities\ACTray.exe [C:\Program 
Files\ThinkPad\ConnectUtilities\ACTray.exe] -> Lenovo [Ver = 4.31a | Size 
= 419376 bytes | Modified Date = 3/10/2007 5:23:18 AM | Attr =	]
ACWLIcon -> %ProgramFiles%\ThinkPad\ConnectUtilities\ACWLIcon.exe [C:\Program 
Files\ThinkPad\ConnectUtilities\ACWLIcon.exe] -> Lenovo [Ver = 4.31a | Size 
= 120368 bytes | Modified Date = 3/10/2007 5:23:36 AM | Attr =	]
Adobe Reader Speed Launcher -> %ProgramFiles%\Adobe\Reader 8.0\Reader\reader_sl.
exe ["C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"] -> Adobe 
Systems Incorporated [Ver = 8.0.0.0 | Size = 39792 bytes | Modified Date 
= 1/12/2008 2:16:38 PM | Attr =	]
AMSG -> %ProgramFiles%\ThinkVantage\AMSG\Amsg.exe [C:\Program Files\ThinkVantage\AMSG\Amsg.
exe /startup] -> LENOVO [Ver = 3, 0, 0, 0 | Size = 468528 bytes | Modified 
Date = 12/21/2006 5:50:37 PM | Attr =	]
AwaySch -> %ProgramFiles%\Lenovo\AwayTask\AwaySch.EXE [C:\Program Files\Lenovo\AwayTask\AwaySch.
EXE] -> Lenovo Group Limited [Ver = 3, 0, 0, 0 | Size = 91688 bytes | Modified 
Date = 11/7/2006 6:51:40 PM | Attr =	]
BLOG -> %ProgramFiles%\ThinkPad\Utilities\BTVLOGEX.DLL [rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.
DLL,StartBattLog] ->  [Ver =  | Size = 214576 bytes | Modified Date = 12/20/2006 
1:01:00 AM | Attr =	]
ccApp -> %CommonProgramFiles%\Symantec Shared\ccApp.exe ["C:\Program Files\Common 
Files\Symantec Shared\ccApp.exe"] -> Symantec Corporation [Ver = 106.1.1.4 
| Size = 107112 bytes | Modified Date = 10/25/2006 1:08:40 PM | Attr =   
 ]
cssauth -> %ProgramFiles%\Lenovo\Client Security Solution\cssauth.exe ["C:\Program 
Files\Lenovo\Client Security Solution\cssauth.exe" silent] -> Lenovo Group 
Limited [Ver = 8.00.0306.00 | Size = 2630968 bytes | Modified Date = 8/9/2007 
9:53:12 AM | Attr =	]
DiskeeperSystray -> %ProgramFiles%\Diskeeper Corporation\Diskeeper\DkIcon.exe 
["C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"] -> Diskeeper 
Corporation [Ver = 9.0.545.0 | Size = 217176 bytes | Modified Date = 11/16/2006 
7:21:56 AM | Attr =	]
EZEJMNAP -> %ProgramFiles%\ThinkPad\Utilities\EZEJMNAP.EXE [C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.
Exe] -> Lenovo Group Limited [Ver = 1, 0, 0, 0 | Size = 243248 bytes | Modified 
Date = 11/29/2006 1:30:00 AM | Attr =	]
LPManager -> %ProgramFiles%\ThinkVantage\PrdCtr\LPMGR.EXE [C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.
exe] -> Lenovo Group Limited [Ver = 1, 0, 0, 2 | Size = 120368 bytes | Modified 
Date = 2/1/2007 1:01:00 AM | Attr =	]
osCheck -> %ProgramFiles%\Norton Internet Security\osCheck.exe ["C:\Program 
Files\Norton Internet Security\osCheck.exe"] -> Symantec Corporation [Ver 
= 10.1.0.38 | Size = 22696 bytes | Modified Date = 10/27/2006 3:18:38 PM 
| Attr =	]
PWMTRV -> %ProgramFiles%\ThinkPad\Utilities\PWMTR32V.DLL [rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.
DLL,PwrMgrBkGndMonitor] -> Lenovo Group Limited [Ver = 1, 0, 0, 0 | Size 
= 263728 bytes | Modified Date = 12/20/2006 1:01:00 AM | Attr =	]
SoundMAXPnP -> %ProgramFiles%\Analog Devices\Core\smax4pnp.exe [C:\Program 
Files\Analog Devices\Core\smax4pnp.exe] -> Analog Devices, Inc. [Ver = 6,1,0,
80 | Size = 1097728 bytes | Modified Date = 10/17/2006 1:55:20 PM | Attr 
=	]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.6.0_07\bin\jusched.exe ["C:\Program 
Files\Java\jre1.6.0_07\bin\jusched.exe"] -> Sun Microsystems, Inc. [Ver = 
6.0.70.6 | Size = 144784 bytes | Modified Date = 6/10/2008 4:27:04 AM | 
Attr =	]
Symantec PIF AlertEng -> %CommonProgramFiles%\Symantec Shared\PIF\{B8E1DD85-8582-
4c61-B58F-2F227FCA9A08}\PIFSvc.exe ["C:\Program Files\Common Files\Symantec 
Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program 
Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.
dll"] -> Symantec Corporation [Ver = 1.4.5.73 | Size = 583048 bytes | Modified 
Date = 11/29/2007 11:51:10 AM | Attr =	]
SynTPEnh -> %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [C:\Program Files\Synaptics\SynTP\SynTPEnh.
exe] -> Synaptics, Inc. [Ver = 9.1.3.5 13Aug07 | Size = 820520 bytes | Modified 
Date = 8/14/2007 12:53:00 PM | Attr =	]
TPFNF7 -> %ProgramFiles%\Lenovo\NPDIRECT\tpfnf7sp.exe [C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.
exe /r] -> Lenovo Group Limited [Ver = 1.00 | Size = 58416 bytes | Modified 
Date = 1/18/2007 2:01:00 AM | Attr =	]
TPHOTKEY -> %ProgramFiles%\Lenovo\HOTKEY\TPOSDSVC.exe [C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.
exe] ->  [Ver =  | Size = 64128 bytes | Modified Date = 11/10/2006 12:26:08 
PM | Attr =	]
TpShocks -> %SystemRoot%\System32\TpShocks.exe [TpShocks.exe] -> Lenovo. 
[Ver = 1.51.0.0 | Size = 181808 bytes | Modified Date = 12/26/2006 12:15:18 
PM | Attr =	]
TVT Scheduler Proxy -> %CommonProgramFiles%\Lenovo\Scheduler\scheduler_proxy.
exe [C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe] 
-> Lenovo Group Limited [Ver = 4,0,112,0 | Size = 536576 bytes | Modified 
Date = 12/14/2006 2:23:50 PM | Attr =	]
WinampAgent -> %ProgramFiles%\Winamp\winampa.exe ["C:\Program Files\Winamp\winampa.
exe"] ->  [Ver =  | Size = 36352 bytes | Modified Date = 7/10/2008 5:33:34 
AM | Attr =	]
< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ 
-> 
IMAIL-> Installed = 1 -> 
MAPI-> Installed = 1 -> 
MSFS-> Installed = 1 -> 
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 
-> 
 ->  [] -> File not found
StartCCC -> %ProgramFiles%\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe 
[C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe] -> 
 [Ver =  | Size = 90112 bytes | Modified Date = 11/11/2006 3:35:24 AM | 
Attr =	]
SUPERAntiSpyware -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe 
[C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe] -> SUPERAntiSpyware.
com [Ver = 4, 15, 0, 1000 | Size = 1506544 bytes | Modified Date = 5/28/2008 
10:33:34 AM | Attr =	]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks 
-> 
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%
\SUPERAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1012 
| Size = 77824 bytes | Modified Date = 5/13/2008 10:13:36 AM | Attr =	
]
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders 
-> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon -> 
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell 
-> 
explorer.exe -> %SystemRoot%\explorer.exe -> Microsoft Corporation [Ver 
= 6.0.6000.16386 (vista_rtm.061101-2205) | Size = 2927104 bytes | Modified 
Date = 1/19/2008 3:33:10 PM | Attr =	]
*MultiFile Done* -> -> 
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit 
-> 
C:\Windows\system32\userinit.exe -> %SystemRoot%\System32\userinit.exe -> 
Microsoft Corporation [Ver = 6.0.6000.16386 (vista_rtm.061101-2205) | Size 
= 25088 bytes | Modified Date = 1/19/2008 3:33:33 PM | Attr =	]
*MultiFile Done* -> -> 
*GinaDLL* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\GinaDLL 
-> 
vrlogon.dll -> %SystemRoot%\System32\vrlogon.dll -> UPEK Inc. [Ver = 5.6.0.3297 
| Size = 615424 bytes | Modified Date = 12/9/2006 10:46:42 AM | Attr =  
  ]
*MultiFile Done* -> -> 
*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet 
-> 
rundll32 shell32 -> %SystemRoot%\System32\shell32.dll -> Microsoft Corporation 
[Ver = 6.0.6001.18000 (longhorn_rtm.080118-1840) | Size = 11580416 bytes 
| Modified Date = 4/24/2008 12:58:20 PM | Attr =	]
Control_RunDLL "sysdm.cpl" -> %SystemRoot%\System32\sysdm.cpl -> Microsoft 
Corporation [Ver = 6.0.6000.16386 (vista_rtm.061101-2205) | Size = 242688 
bytes | Modified Date = 1/19/2008 3:32:57 PM | Attr =	]
*MultiFile Done* -> -> 
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon -> 
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\ -> 
!SASWinLogon -> %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll -> SUPERAntiSpyware.
com [Ver = 1, 0, 0, 1046 | Size = 294912 bytes | Modified Date = 4/19/2007 
1:41:36 PM | Attr =	]
psfus -> %SystemRoot%\System32\psqlpwd.dll -> UPEK Inc. [Ver = 5.6.0.3297 
| Size = 89600 bytes | Modified Date = 12/9/2006 10:44:38 AM | Attr =   
 ]
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ 
-> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments\ 
-> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments\\ScanWithAntiVirus 
-> 3 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ 
-> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-
C265-11D0-BCED-00A0C90AB50F} -> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-
2451-11d3-A299-00C04F8EF6AF} -> 1073741857 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-
FF21-4412-828E-260A8728E7F1} -> 32 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ 
-> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ConsentPromptBehaviorAdmin 
-> 2 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ConsentPromptBehaviorUser 
-> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\EnableInstallerDetection 
-> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\EnableLUA 
-> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\EnableSecureUIAPaths 
-> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\EnableVirtualization 
-> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\PromptOnSecureDesktop 
-> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\ValidateAdminCodeSignatures 
-> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\dontdisplaylastusername 
-> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\legalnoticecaption 
->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\legalnoticetext 
->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\scforceoption 
-> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\shutdownwithoutlogon 
-> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\undockwithoutlogon 
-> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\FilterAdministratorToken 
-> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableCAD 
-> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\EnableUIADesktopToggle 
-> 0 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\ 
-> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ 
-> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats\ 
-> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats\\CF_TEXT 
-> 1 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats\\CF_BITMAP 
-> 2 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats\\CF_OEMTEXT 
-> 7 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats\\CF_DIB 
-> 8 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats\\CF_PALETTE 
-> 9 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats\\CF_UNICODETEXT 
-> 13 -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats\\CF_DIBV5 
-> 17 -> 
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ 
-> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> 
->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ 
-> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun 
-> 145 -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ 
-> -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\disableregistrytools 
-> 0 -> 
< CDROM Autorun Settings > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom] 
-> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun -> 1 
-> 
*AutoRunAlwaysDisable* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRunAlwaysDisable 
-> 
TORiSAN CD-ROM CDR_C36 ->  -> File not found
NEC	 MBR-7	->  -> File not found
NEC	 MBR-7.4  ->  -> File not found
PIONEER CHANGR DRM-1804X ->  -> File not found
PIONEER CD-ROM DRM-6324X ->  -> File not found
PIONEER CD-ROM DRM-624X  ->  -> File not found
*MultiFile Done* -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DisplayName 
-> CD-ROM Driver -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Group -> SCSI 
CDROM Class -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ImagePath -> 
%SystemRoot%\System32\drivers\cdrom.sys [system32\DRIVERS\cdrom.sys] -> 
Microsoft Corporation [Ver = 6.0.6001.18000 (longhorn_rtm.080118-1840) | 
Size = 67072 bytes | Modified Date = 1/19/2008 1:49:51 PM | Attr =	]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ErrorControl 
-> 1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Start -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Type -> 1 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Tag -> 3 -> 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\0 -> IDE\CdRomHL-
DT-ST_DVDRAM_GMA-4082N_______________PX07____\5&1e66847&0&0.0.0 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\Count -> 
1 -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\NextInstance 
-> 1 -> 
< Drives - Autoruns > ->  -> 
autoexec.bat [REM Dummy file for NTVDM | ] -> %SystemDrive%\autoexec.bat 
[ NTFS ] ->  [Ver =  | Size = 24 bytes | Modified Date = 9/19/2006 5:43:36 
AM | Attr =	]
< HOSTS File > (252492 bytes) -> C:\Windows\System32\drivers\etc\Hosts -> 

::1			 localhost -> -> 
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/
redir.dll?prd=ie&ar=iesearch -> 
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.
dll?prd=ie&ar=iesearch -> 
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://www.microsoft.com/isapi/redir.
dll?prd=ie&pver=6&ar=msnhome -> 
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/
srchasst/srchcust.htm -> 
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/
srchasst/srchasst.htm -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> -> 
HKEY_CURRENT_USER\: Main\\Local Page -> C:\Windows\system32\blank.htm -> 

HKEY_CURRENT_USER\: Main\\Search Bar -> http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR 
-> 
HKEY_CURRENT_USER\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.
dll?prd=ie&ar=iesearch -> 
HKEY_CURRENT_USER\: Main\\Start Page -> about:blank -> 
HKEY_CURRENT_USER\: SearchURL\\ -> http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR[Reg 
Error: Value provider does not exist or could not be read.] -> 
HKEY_CURRENT_USER\: ProxyEnable -> 0 -> 
HKEY_CURRENT_USER\: ProxyOverride -> local -> 
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet 
Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ 
-> [Key] 4632 domain(s) found. -> 
41 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet 
Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ 
-> [Key] 77 range(s) found. -> 
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet 
Settings\ZoneMap\Domains\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ 
-> [Key] 4632 domain(s) found. -> 
41 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet 
Settings\ZoneMap\Ranges\ -> 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ 
-> [Key] 77 range(s) found. -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKEY_LOCAL_MACHINE] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 8.0.0.2006102200 | Size = 62080 bytes | Modified Date = 10/23/2006 3:08:42 PM | Attr =    ]
{1E8A6170-7264-4D0F-BEAE-D42A53123C75} [HKEY_LOCAL_MACHINE] -> %CommonProgramFiles%\Symantec Shared\coShared\Browser\1.0\NppBHO.dll [Reg Error: Value  does not exist or could not be read.] -> Symantec Corporation [Ver = 2007.1.3.6 | Size = 96984 bytes | Modified Date = 10/24/2006 12:34:20 PM | Attr = R  ]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [Skype add-on (mastermind)] -> Skype Technologies S.A. [Ver = 2, 2, 0, 117 | Size = 1312040 bytes | Modified Date = 9/14/2007 5:31:40 AM | Attr =    ]
{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection] -> Safer Networking Limited [Ver = 1, 5, 0, 8 | Size = 1122128 bytes | Modified Date = 9/1/2007 8:46:14 AM | Attr =    ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_07\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 509328 bytes | Modified Date = 6/10/2008 4:27:02 AM | Attr =    ]
{AE7CD045-E861-484f-8273-0445EE161910} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [Adobe PDF Conversion Toolbar Helper] -> Adobe Systems Incorporated [Ver = 8.1.0.0 | Size = 321120 bytes | Modified Date = 5/10/2007 10:47:03 PM | Attr =    ]
{F040E541-A427-4CF7-85D8-75E3E0F476C5} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Lenovo\Client Security Solution\tvtpwm_ie_com.dll [CPwmIEBrowserHelper Object] -> Lenovo Group Limited [Ver = 2.10.0302.00 | Size = 795960 bytes | Modified Date = 8/9/2007 6:01:10 AM | Attr =    ]
< Internet Explorer Bars [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ -> 
{182EC0BE-5110-49C8-A062-BEB1D02A220B} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 8.1.0.0 | Size = 321120 bytes | Modified Date = 5/10/2007 10:47:03 PM | Attr =    ]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar -> 
{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 8.1.0.0 | Size = 321120 bytes | Modified Date = 5/10/2007 10:47:03 PM | Attr =    ]
{90222687-F593-4738-B738-FBEE9C7B26DF} [HKEY_LOCAL_MACHINE] -> %CommonProgramFiles%\Symantec Shared\coShared\Browser\1.0\UIBHO.dll [Show Norton Toolbar] -> Symantec Corporation [Ver = 2007.1.3.6 | Size = 565960 bytes | Modified Date = 10/24/2006 12:34:30 PM | Attr = R  ]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ -> 
WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 8.1.0.0 | Size = 321120 bytes | Modified Date = 5/10/2007 10:47:03 PM | Attr =    ]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{0045D4BC-5189-4b67-969C-83BB1906C421}:{0FE81B52-73FA-425F-8F06-3F32451AC73F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Lenovo\Client Security Solution\tvtpwm_ie_com.dll [ThinkVantage Password Manager...] -> Lenovo Group Limited [Ver = 2.10.0302.00 | Size = 795960 bytes | Modified Date = 8/9/2007 6:01:10 AM | Attr =    ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 132496 bytes | Modified Date = 6/10/2008 4:27:02 AM | Attr =    ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} [HKEY_CURRENT_USER] -> %ProgramFiles%\Java\jre1.6.0_07\bin\ssv.dll [Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 509328 bytes | Modified Date = 6/10/2008 4:27:02 AM | Attr =    ]
{77BF5300-1474-4EC7-9980-D32B190E9B07}:{77BF5300-1474-4EC7-9980-D32B190E9B07} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [Skype] -> Skype Technologies S.A. [Ver = 2, 2, 0, 117 | Size = 1312040 bytes | Modified Date = 9/14/2007 5:31:40 AM | Attr =    ]
{CCA281CA-C863-46ef-9331-5C8D4460577F}: [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [@btrez.dll,-4015] -> File not found
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> Safer Networking Limited [Ver = 1, 5, 0, 8 | Size = 1122128 bytes | Modified Date = 9/1/2007 8:46:14 AM | Attr =    ]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\{CCA281CA-C863-46ef-9331-5C8D4460577F} [HKEY_LOCAL_MACHINE] ->  [@btrez.dll,-4015] -> File not found
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ -> 
Append to existing PDF -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 8.1.0.0 | Size = 321120 bytes | Modified Date = 5/10/2007 10:47:03 PM | Attr =    ]
Convert link target to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 8.1.0.0 | Size = 321120 bytes | Modified Date = 5/10/2007 10:47:03 PM | Attr =    ]
Convert link target to existing PDF -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 8.1.0.0 | Size = 321120 bytes | Modified Date = 5/10/2007 10:47:03 PM | Attr =    ]
Convert selected links to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 8.1.0.0 | Size = 321120 bytes | Modified Date = 5/10/2007 10:47:03 PM | Attr =    ]
Convert selected links to existing PDF -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 8.1.0.0 | Size = 321120 bytes | Modified Date = 5/10/2007 10:47:03 PM | Attr =    ]
Convert selection to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 8.1.0.0 | Size = 321120 bytes | Modified Date = 5/10/2007 10:47:03 PM | Attr =    ]
Convert selection to existing PDF -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 8.1.0.0 | Size = 321120 bytes | Modified Date = 5/10/2007 10:47:03 PM | Attr =    ]
Convert to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll -> Adobe Systems Incorporated [Ver = 8.1.0.0 | Size = 321120 bytes | Modified Date = 5/10/2007 10:47:03 PM | Attr =    ]
Send image to &Bluetooth Device... -> %ProgramFiles%\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm ->  [Ver =  | Size = 2773 bytes | Modified Date = 8/30/2006 6:12:28 AM | Attr =    ]
Send page to &Bluetooth Device... -> %ProgramFiles%\ThinkPad\Bluetooth Software\btsendto_ie.htm ->  [Ver =  | Size = 5601 bytes | Modified Date = 10/27/2006 10:28:50 AM | Attr =    ]
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{101B65E7-40F5-4CDA-8CC1-3424FABD2EE5} ->  (Broadcom NetXtreme Gigabit Ethernet) -> 
{14757751-3F6D-41EB-9518-AC5520D39CD9} ->  (Broadcom NetXtreme Gigabit Ethernet) -> 
{46D57A08-E39E-48D8-B346-CB0D7F2EDC60} ->  (11a/b/g/n Wireless LAN Mini-PCI Express Adapter) -> 
{5C6B200A-5BAF-4340-ABA3-CF03F19EBE40} ->  () -> 
< Default Protocols [HKEY_LOCAL_MACHINE\] - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults -> 
ldap -> 4 = Restricted sites (Not a Default Protocol) -> 
news -> 4 = Restricted sites (Not a Default Protocol) -> 
nntp -> 4 = Restricted sites (Not a Default Protocol) -> 
oecmd -> 4 = Restricted sites (Not a Default Protocol) -> 
snews -> 4 = Restricted sites (Not a Default Protocol) -> 
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ -> 
msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
skype4com:{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} [HKEY_LOCAL_MACHINE] -> %CommonProgramFiles%\Skype\Skype4COM.dll[IEProtocolHandler Class] -> Skype Technologies [Ver = 1, 0, 27, 2 | Size = 1828176 bytes | Modified Date = 9/14/2007 5:31:38 AM | Attr = R  ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{5C6698D9-7BE4-4122-8EC5-291D84DBD4A0}[HKEY_LOCAL_MACHINE] -> http://upload.facebook.com/controls/FacebookPhotoUploader3.cab[Facebook Photo Uploader 4 Control] -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab[Java Plug-in 1.6.0_07] -> 
{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876}[HKEY_LOCAL_MACHINE] -> http://support.f-secure.com/ols/fscax.cab[F-Secure Online Scanner 3.3] -> 
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab[Java Plug-in 1.6.0_07] -> 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}[HKEY_LOCAL_MACHINE] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab[Java Plug-in 1.6.0_07] -> 
{D27CDB6E-AE6D-11CF-96B8-444553540000}[HKEY_LOCAL_MACHINE] -> http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab[Shockwave Flash Object] -> 
< Module Usage Keys [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/auc_lib.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/auc_lib.dll\\.Owner -> {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/auc_lib.dll\\{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/ca.pub\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/ca.pub\\.Owner -> {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/ca.pub\\{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/daas_s.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/daas_s.dll\\.Owner -> {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/daas_s.dll\\{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/FP_AX_CAB_INSTALLER.exe\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/FP_AX_CAB_INSTALLER.exe\\.Owner -> {D27CDB6E-AE6D-11CF-96B8-444553540000} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/FP_AX_CAB_INSTALLER.exe\\{D27CDB6E-AE6D-11CF-96B8-444553540000} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/fscax.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/fscax.dll\\.Owner -> {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/fscax.dll\\{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/gatelauncher.exe\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/gatelauncher.exe\\.Owner -> {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/gatelauncher.exe\\{BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/ImageUploader4.1.ocx\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/ImageUploader4.1.ocx\\.Owner -> {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/ImageUploader4.1.ocx\\{5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/ImageUploader4.ocx\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/ImageUploader4.ocx\\.Owner -> Unknown Owner -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/ImageUploader4.ocx\\{5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} ->  -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/System32/unicows.dll\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/System32/unicows.dll\\.Owner -> {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/System32/unicows.dll\\{5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} ->  -> 

[Files/Folders - Created Within 30 days]
Avenger -> %SystemDrive%\Avenger ->  [Folder | Created Date = 7/13/2008 5:12:51 AM | Attr =    ]
ComboFix -> %SystemDrive%\ComboFix ->  [Folder | Created Date = 7/9/2008 9:17:21 PM | Attr =    ]
Deckard -> %SystemDrive%\Deckard ->  [Folder | Created Date = 7/10/2008 5:40:09 AM | Attr =    ]
ltojmpsv -> %SystemDrive%\ltojmpsv ->  [Ver =  | Size = 0 bytes | Created Date = 7/9/2008 11:32:50 PM | Attr =    ]
PerfLogs -> %SystemDrive%\PerfLogs ->  [Folder | Created Date = 6/14/2008 5:05:49 PM | Attr =    ]
QooBox -> %SystemDrive%\QooBox ->  [Folder | Created Date = 7/9/2008 9:00:46 PM | Attr =    ]
MsftWdf_Kernel_01007_Inbox_Critical.Wdf -> %SystemRoot%\System32\drivers\MsftWdf_Kernel_01007_Inbox_Critical.Wdf ->  [Ver =  | Size = 3 bytes | Created Date = 6/13/2008 12:13:37 PM | Attr =    ]
Msft_User_WpdFs_01_00_00.Wdf -> %SystemRoot%\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf ->  [Ver =  | Size = 0 bytes | Created Date = 7/9/2008 6:22:14 AM | Attr =  H ]
atmfd.dll -> %SystemRoot%\System32\atmfd.dll -> Adobe Systems Incorporated [Ver = 5.1 Build 226 | Size = 289792 bytes | Created Date = 6/13/2008 12:14:07 PM | Attr =    ]
Defrag.exe -> %SystemRoot%\System32\Defrag.exe -> Microsoft Corp. [Ver = 6.0.6000.16386 (vista_rtm.061101-2205) | Size = 226816 bytes | Created Date = 6/13/2008 12:15:09 PM | Attr =    ]
dfrgfat.exe -> %SystemRoot%\System32\dfrgfat.exe -> Microsoft Corp. [Ver = 6.0.6000.16386 (vista_rtm.061101-2205) | Size = 96768 bytes | Created Date = 6/13/2008 12:15:14 PM | Attr =    ]
DfrgNtfs.exe -> %SystemRoot%\System32\DfrgNtfs.exe -> Microsoft Corp. [Ver = 6.0.6000.16386 (vista_rtm.061101-2205) | Size = 163840 bytes | Created Date = 6/13/2008 12:16:11 PM | Attr =    ]
dot3.tmf -> %SystemRoot%\System32\dot3.tmf ->  [Ver =  | Size = 289467 bytes | Created Date = 6/13/2008 12:15:15 PM | Attr =    ]
eaphost.tmf -> %SystemRoot%\System32\eaphost.tmf ->  [Ver =  | Size = 206830 bytes | Created Date = 6/13/2008 12:16:48 PM | Attr =    ]
fsmgmt.msc -> %SystemRoot%\System32\fsmgmt.msc ->  [Ver =  | Size = 144909 bytes | Created Date = 6/13/2008 12:13:42 PM | Attr =    ]
GameUXLegacyGDFs.dll -> %SystemRoot%\System32\GameUXLegacyGDFs.dll -> Microsoft [Ver = 1.0.0.1 | Size = 4240384 bytes | Created Date = 6/13/2008 12:16:09 PM | Attr =    ]
gatherWiredInfo.vbs -> %SystemRoot%\System32\gatherWiredInfo.vbs ->  [Ver =  | Size = 12198 bytes | Created Date = 6/13/2008 12:13:43 PM | Attr =    ]
gatherWirelessInfo.vbs -> %SystemRoot%\System32\gatherWirelessInfo.vbs ->  [Ver =  | Size = 15181 bytes | Created Date = 6/13/2008 12:13:42 PM | Attr =    ]
gpedit.msc -> %SystemRoot%\System32\gpedit.msc ->  [Ver =  | Size = 147439 bytes | Created Date = 6/13/2008 12:15:42 PM | Attr =    ]
IasMigPlugin.dll -> %SystemRoot%\System32\IasMigPlugin.dll -> Microsoft [Ver = 1.0.0.1 | Size = 445952 bytes | Created Date = 6/13/2008 12:16:33 PM | Attr =    ]
java.exe -> %SystemRoot%\System32\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 135168 bytes | Created Date = 7/12/2008 8:59:04 PM | Attr =    ]
javaw.exe -> %SystemRoot%\System32\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 135168 bytes | Created Date = 7/12/2008 8:59:04 PM | Attr =    ]
javaws.exe -> %SystemRoot%\System32\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 139264 bytes | Created Date = 7/12/2008 8:59:05 PM | Attr =    ]
l3codeca.acm -> %SystemRoot%\System32\l3codeca.acm -> Fraunhofer Institut Integrierte Schaltungen IIS [Ver = 1, 9, 0, 0401 | Size = 62464 bytes | Created Date = 6/13/2008 12:14:01 PM | Attr =    ]
l3codecp.acm -> %SystemRoot%\System32\l3codecp.acm -> Fraunhofer Institut Integrierte Schaltungen IIS [Ver = 3, 4, 0, 0 | Size = 220672 bytes | Created Date = 6/13/2008 12:14:23 PM | Attr =    ]
locale.nls -> %SystemRoot%\System32\locale.nls ->  [Ver =  | Size = 3662296 bytes | Created Date = 6/13/2008 12:16:12 PM | Attr =    ]
msjetoledb40.dll -> %SystemRoot%\System32\msjetoledb40.dll ->  [Ver =  | Size = 368640 bytes | Created Date = 6/13/2008 12:14:30 PM | Attr =    ]
onex.tmf -> %SystemRoot%\System32\onex.tmf ->  [Ver =  | Size = 261163 bytes | Created Date = 6/13/2008 12:15:09 PM | Attr =    ]
perfmon.msc -> %SystemRoot%\System32\perfmon.msc ->  [Ver =  | Size = 145455 bytes | Created Date = 6/13/2008 12:13:38 PM | Attr =    ]
PresentationCFFRasterizerNative_v0300.dll -> %SystemRoot%\System32\PresentationCFFRasterizerNative_v0300.dll -> Adobe Systems Incorporated [Ver = 3.0.6920.1109 (lh_tools_devdiv_wpf.071009-1109) | Size = 106520 bytes | Created Date = 6/13/2008 12:14:55 PM | Attr =    ]
PrintBrmUi.exe -> %SystemRoot%\System32\PrintBrmUi.exe ->  [Ver = 1, 0, 0, 0 | Size = 62976 bytes | Created Date = 6/13/2008 12:14:28 PM | Attr =    ]
RacUR.xml -> %SystemRoot%\System32\RacUR.xml ->  [Ver =  | Size = 9987 bytes | Created Date = 6/13/2008 12:14:03 PM | Attr =    ]
RacUREx.xml -> %SystemRoot%\System32\RacUREx.xml ->  [Ver =  | Size = 150 bytes | Created Date = 6/13/2008 12:13:40 PM | Attr =    ]
Robocopy.exe -> %SystemRoot%\System32\Robocopy.exe -> Microsoft [Ver = 5, 1, 10, 1027 | Size = 87552 bytes | Created Date = 6/13/2008 12:14:52 PM | Attr =    ]
secpol.msc -> %SystemRoot%\System32\secpol.msc ->  [Ver =  | Size = 120458 bytes | Created Date = 6/13/2008 12:13:38 PM | Attr =    ]
slmgr.vbs -> %SystemRoot%\System32\slmgr.vbs ->  [Ver =  | Size = 80047 bytes | Created Date = 6/13/2008 12:14:47 PM | Attr =    ]
SMBHelperClass.dll -> %SystemRoot%\System32\SMBHelperClass.dll -> Microsoft [Ver = 1.0.0.1 | Size = 83456 bytes | Created Date = 6/13/2008 12:16:39 PM | Attr =    ]
StructuredQuerySchema.bin -> %SystemRoot%\System32\StructuredQuerySchema.bin ->  [Ver =  | Size = 100043 bytes | Created Date = 6/13/2008 12:14:09 PM | Attr =    ]
systemsf.ebd -> %SystemRoot%\System32\systemsf.ebd ->  [Ver =  | Size = 132148 bytes | Created Date = 6/13/2008 12:16:19 PM | Attr =    ]
tcpmon.ini -> %SystemRoot%\System32\tcpmon.ini ->  [Ver =  | Size = 60124 bytes | Created Date = 6/13/2008 12:14:03 PM | Attr =    ]
WFP.TMF -> %SystemRoot%\System32\WFP.TMF ->  [Ver =  | Size = 175508 bytes | Created Date = 6/13/2008 12:15:40 PM | Attr =    ]
winrm.vbs -> %SystemRoot%\System32\winrm.vbs ->  [Ver =  | Size = 195122 bytes | Created Date = 6/13/2008 12:15:13 PM | Attr =    ]
wlan.tmf -> %SystemRoot%\System32\wlan.tmf ->  [Ver =  | Size = 1675370 bytes | Created Date = 6/13/2008 12:16:48 PM | Attr =    ]
WlanMmHC.dll -> %SystemRoot%\System32\WlanMmHC.dll -> Microsoft [Ver = 1.0.0.1 | Size = 41472 bytes | Created Date = 6/13/2008 12:14:06 PM | Attr =    ]
ERDNT -> %SystemRoot%\ERDNT ->  [Folder | Created Date = 7/10/2008 5:40:53 AM | Attr =    ]
Nircmd.exe -> %SystemRoot%\Nircmd.exe -> NirSoft [Ver = 2.10 | Size = 28672 bytes | Created Date = 7/9/2008 9:00:42 PM | Attr =    ]
[Files Created - Additional Folder Scans - Non-Microsoft Only]
Ceedo -> %AppData%\Ceedo ->  [Folder | Created Date = 7/12/2008 9:32:25 AM | Attr =    ]
Adobe -> %UserProfile%\AppData\Local\Adobe ->  [Folder | Created Date = 7/13/2008 5:16:29 AM | Attr =    ]
IconCache.db -> %UserProfile%\AppData\Local\IconCache.db ->  [Ver =  | Size = 3580423 bytes | Created Date = 6/13/2008 7:54:12 AM | Attr =  H ]
?¥R.NJX -> %UserProfile%\Documents\ǚ¥R.NJX ->  [Ver =  | Size = 3704 bytes | Modified Date = 12/8/2007 2:56:00 AM | Attr =    ]
ATF-Cleaner.exe -> %UserProfile%\Desktop\ATF-Cleaner.exe -> Atribune.org [Ver = 3.00.0002 | Size = 50688 bytes | Created Date = 7/12/2008 8:30:45 PM | Attr =    ]
dss.exe -> %UserProfile%\Desktop\dss.exe ->  [Ver = 3, 2, 8, 1 | Size = 686630 bytes | Created Date = 7/10/2008 3:23:57 AM | Attr =    ]
KillBox.exe -> %UserProfile%\Desktop\KillBox.exe -> Option^Explicit Software vbtechcd@gmail.com [Ver = 2.00.0881 | Size = 92672 bytes | Created Date = 7/9/2008 9:12:02 PM | Attr =    ]
OTScanIt -> %UserProfile%\Desktop\OTScanIt ->  [Folder | Created Date = 7/12/2008 9:05:34 PM | Attr =    ]
OTScanIt.exe -> %UserProfile%\Desktop\OTScanIt.exe ->  [Ver =  | Size = 568114 bytes | Created Date = 7/12/2008 8:31:20 PM | Attr =    ]
??? -> %UserProfile%\Desktop\公安局 ->  [Folder | Modified Date = 5/19/2008 12:33:45 PM | Attr =    ]
???? -> %UserProfile%\Desktop\学习汉语 ->  [Folder | Modified Date = 5/15/2008 5:35:05 PM | Attr =    ]
??? -> %UserProfile%\Desktop\汉语歌 ->  [Folder | Modified Date = 7/6/2008 7:29:35 PM | Attr =    ]
Java -> %CommonProgramFiles%\Java ->  [Folder | Created Date = 7/12/2008 8:52:49 PM | Attr =    ]
Java -> %ProgramFiles%\Java ->  [Folder | Created Date = 7/12/2008 8:52:52 PM | Attr =    ]
Sun -> %ProgramFiles%\Sun ->  [Folder | Created Date = 6/13/2008 10:31:51 AM | Attr =    ]

[Files/Folders - Modified Within 30 days]
Avenger -> %SystemDrive%\Avenger ->  [Folder | Modified Date = 7/13/2008 5:13:54 AM | Attr =    ]
Boot -> %SystemDrive%\Boot ->  [Folder | Modified Date = 6/14/2008 5:34:20 PM | Attr =  HS]
ComboFix -> %SystemDrive%\ComboFix ->  [Folder | Modified Date = 7/9/2008 9:18:23 PM | Attr =    ]
Deckard -> %SystemDrive%\Deckard ->  [Folder | Modified Date = 7/10/2008 5:40:09 AM | Attr =    ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys ->  [Ver =  | Size = 2145837056 bytes | Modified Date = 7/13/2008 5:20:56 AM | Attr =  HS]
ltojmpsv -> %SystemDrive%\ltojmpsv ->  [Ver =  | Size = 0 bytes | Modified Date = 7/9/2008 11:32:52 PM | Attr =    ]
PerfLogs -> %SystemDrive%\PerfLogs ->  [Folder | Modified Date = 6/14/2008 5:05:49 PM | Attr =    ]
Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 7/12/2008 8:52:52 PM | Attr = R  ]
ProgramData -> %AllUsersProfile% ->  [Folder | Modified Date = 7/13/2008 5:12:52 AM | Attr =  H ]
QooBox -> %SystemDrive%\QooBox ->  [Folder | Modified Date = 7/9/2008 9:00:46 PM | Attr =    ]
SWSHARE -> %SystemDrive%\SWSHARE ->  [Folder | Modified Date = 7/13/2008 4:15:52 AM | Attr =    ]
System Volume Information -> %SystemDrive%\System Volume Information ->  [Folder | Modified Date = 7/13/2008 5:23:09 AM | Attr =  HS]
Windows -> %SystemRoot% ->  [Folder | Modified Date = 7/10/2008 5:40:53 AM | Attr =    ]
en-US -> %SystemRoot%\System32\drivers\en-US ->  [Folder | Modified Date = 6/14/2008 5:08:49 PM | Attr =    ]
etc -> %SystemRoot%\System32\drivers\etc ->  [Folder | Modified Date = 7/10/2008 6:03:07 AM | Attr =    ]
hosts -> %SystemRoot%\System32\drivers\etc\hosts ->  [Ver =  | Size = 252492 bytes | Modified Date = 7/10/2008 6:03:07 AM | Attr = R  ]
mbam.sys -> %SystemRoot%\System32\drivers\mbam.sys -> Malwarebytes Corporation [Ver = 1, 0, 0, 1 | Size = 17144 bytes | Modified Date = 7/7/2008 5:35:30 PM | Attr =    ]
mbamcatchme.sys -> %SystemRoot%\System32\drivers\mbamcatchme.sys ->  [Ver =  | Size = 34296 bytes | Modified Date = 7/7/2008 5:35:36 PM | Attr =    ]
Msft_User_WpdFs_01_00_00.Wdf -> %SystemRoot%\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf ->  [Ver =  | Size = 0 bytes | Modified Date = 7/9/2008 6:22:14 AM | Attr =  H ]
UMDF -> %SystemRoot%\System32\drivers\UMDF ->  [Folder | Modified Date = 6/14/2008 4:58:56 PM | Attr =    ]
7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 -> %SystemRoot%\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 ->  [Ver =  | Size = 5536 bytes | Modified Date = 7/13/2008 7:01:39 AM | Attr =  H ]
7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 -> %SystemRoot%\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 ->  [Ver =  | Size = 5536 bytes | Modified Date = 7/13/2008 7:01:39 AM | Attr =  H ]
AdvancedInstallers -> %SystemRoot%\System32\AdvancedInstallers ->  [Folder | Modified Date = 6/14/2008 5:09:00 PM | Attr =    ]
ar-SA -> %SystemRoot%\System32\ar-SA ->  [Folder | Modified Date = 6/14/2008 5:08:38 PM | Attr =    ]
axaltocm.dll -> %SystemRoot%\System32\axaltocm.dll -> Gemalto, Inc. [Ver = 6.0.6001.18000 (longhorn_rtm.080118-1840) | Size = 82432 bytes | Modified Date = 6/14/2008 2:46:30 PM | Attr =    ]
Boot -> %SystemRoot%\System32\Boot ->  [Folder | Modified Date = 6/14/2008 5:05:51 PM | Attr =    ]
catroot -> %SystemRoot%\System32\catroot ->  [Folder | Modified Date = 7/11/2008 9:38:11 AM | Attr =    ]
catroot2 -> %SystemRoot%\System32\catroot2 ->  [Folder | Modified Date = 7/11/2008 9:38:08 AM | Attr =    ]
com -> %SystemRoot%\System32\com ->  [Folder | Modified Date = 6/14/2008 5:09:26 PM | Attr =    ]
cs-CZ -> %SystemRoot%\System32\cs-CZ ->  [Folder | Modified Date = 6/14/2008 5:08:59 PM | Attr =    ]
da-DK -> %SystemRoot%\System32\da-DK ->  [Folder | Modified Date = 6/14/2008 5:09:26 PM | Attr =    ]
de-DE -> %SystemRoot%\System32\de-DE ->  [Folder | Modified Date = 6/14/2008 5:09:11 PM | Attr =    ]
drivers -> %SystemRoot%\System32\drivers ->  [Folder | Modified Date = 7/13/2008 5:12:51 AM | Attr =    ]
el-GR -> %SystemRoot%\System32\el-GR ->  [Folder | Modified Date = 6/14/2008 5:09:11 PM | Attr =    ]
en -> %SystemRoot%\System32\en ->  [Folder | Modified Date = 6/14/2008 5:08:53 PM | Attr =    ]
en-US -> %SystemRoot%\System32\en-US ->  [Folder | Modified Date = 7/9/2008 9:17:21 PM | Attr =    ]
es-ES -> %SystemRoot%\System32\es-ES ->  [Folder | Modified Date = 6/14/2008 5:08:51 PM | Attr =    ]
fi-FI -> %SystemRoot%\System32\fi-FI ->  [Folder | Modified Date = 6/14/2008 5:08:59 PM | Attr =    ]
FNTCACHE.DAT -> %SystemRoot%\System32\FNTCACHE.DAT ->  [Ver =  | Size = 370224 bytes | Modified Date = 6/14/2008 5:15:03 PM | Attr =    ]
fr-FR -> %SystemRoot%\System32\fr-FR ->  [Folder | Modified Date = 6/14/2008 5:08:59 PM | Attr =    ]
he-IL -> %SystemRoot%\System32\he-IL ->  [Folder | Modified Date = 6/14/2008 5:08:59 PM | Attr =    ]
hu-HU -> %SystemRoot%\System32\hu-HU ->  [Folder | Modified Date = 6/14/2008 5:08:59 PM | Attr =    ]
ias -> %SystemRoot%\System32\ias ->  [Folder | Modified Date = 6/14/2008 5:08:59 PM | Attr =    ]
ifxcardm.dll -> %SystemRoot%\System32\ifxcardm.dll -> Infineon Technologies AG [Ver = 6.0.6001.18000 (longhorn_rtm.080118-1840) | Size = 101888 bytes | Modified Date = 6/14/2008 2:46:37 PM | Attr =    ]
IPSCtrl.INI -> %SystemRoot%\System32\IPSCtrl.INI ->  [Ver =  | Size = 480 bytes | Modified Date = 7/13/2008 5:21:17 AM | Attr =    ]
it-IT -> %SystemRoot%\System32\it-IT ->  [Folder | Modified Date = 6/14/2008 5:09:11 PM | Attr =    ]
ja-JP -> %SystemRoot%\System32\ja-JP ->  [Folder | Modified Date = 6/14/2008 5:08:51 PM | Attr =    ]
ko-KR -> %SystemRoot%\System32\ko-KR ->  [Folder | Modified Date = 6/14/2008 5:09:26 PM | Attr =    ]
manifeststore -> %SystemRoot%\System32\manifeststore ->  [Folder | Modified Date = 6/14/2008 5:08:51 PM | Attr =    ]
migration -> %SystemRoot%\System32\migration ->  [Folder | Modified Date = 6/14/2008 5:09:07 PM | Attr =    ]
migwiz -> %SystemRoot%\System32\migwiz ->  [Folder | Modified Date = 6/14/2008 5:08:32 PM | Attr =    ]
nb-NO -> %SystemRoot%\System32\nb-NO ->  [Folder | Modified Date = 6/14/2008 5:08:38 PM | Attr =    ]
nl-NL -> %SystemRoot%\System32\nl-NL ->  [Folder | Modified Date = 6/14/2008 5:08:38 PM | Attr =    ]
oobe -> %SystemRoot%\System32\oobe ->  [Folder | Modified Date = 6/14/2008 5:09:09 PM | Attr =    ]
perfc009.dat -> %SystemRoot%\System32\perfc009.dat ->  [Ver =  | Size = 101350 bytes | Modified Date = 7/13/2008 5:29:26 AM | Attr =    ]
perfh009.dat -> %SystemRoot%\System32\perfh009.dat ->  [Ver =  | Size = 595684 bytes | Modified Date = 7/13/2008 5:29:26 AM | Attr =    ]
PerfStringBackup.INI -> %SystemRoot%\System32\PerfStringBackup.INI ->  [Ver =  | Size = 690960 bytes | Modified Date = 7/13/2008 5:29:26 AM | Attr =    ]
pl-PL -> %SystemRoot%\System32\pl-PL ->  [Folder | Modified Date = 6/14/2008 5:08:51 PM | Attr =    ]
PROCDB.INI -> %SystemRoot%\System32\PROCDB.INI ->  [Ver =  | Size = 25269 bytes | Modified Date = 7/13/2008 5:21:18 AM | Attr =    ]
pt-BR -> %SystemRoot%\System32\pt-BR ->  [Folder | Modified Date = 6/14/2008 5:08:30 PM | Attr =    ]
pt-PT -> %SystemRoot%\System32\pt-PT ->  [Folder | Modified Date = 6/14/2008 5:08:59 PM | Attr =    ]
ro-RO -> %SystemRoot%\System32\ro-RO ->  [Folder | Modified Date = 6/14/2008 5:08:50 PM | Attr =    ]
ru-RU -> %SystemRoot%\System32\ru-RU ->  [Folder | Modified Date = 6/14/2008 5:08:59 PM | Attr =    ]
setup -> %SystemRoot%\System32\setup ->  [Folder | Modified Date = 6/14/2008 5:08:59 PM | Attr =    ]
SLUI -> %SystemRoot%\System32\SLUI ->  [Folder | Modified Date = 6/14/2008 5:08:57 PM | Attr =    ]
sv-SE -> %SystemRoot%\System32\sv-SE ->  [Folder | Modified Date = 6/14/2008 5:08:59 PM | Attr =    ]
sysprep -> %SystemRoot%\System32\sysprep ->  [Folder | Modified Date = 6/14/2008 5:09:07 PM | Attr =    ]
tr-TR -> %SystemRoot%\System32\tr-TR ->  [Folder | Modified Date = 6/14/2008 5:08:44 PM | Attr =    ]
wbem -> %SystemRoot%\System32\wbem ->  [Folder | Modified Date = 6/14/2008 5:08:43 PM | Attr =    ]
WDI -> %SystemRoot%\System32\WDI ->  [Folder | Modified Date = 7/13/2008 1:30:10 AM | Attr =    ]
XPSViewer -> %SystemRoot%\System32\XPSViewer ->  [Folder | Modified Date = 6/14/2008 5:09:26 PM | Attr =    ]
zh-CN -> %SystemRoot%\System32\zh-CN ->  [Folder | Modified Date = 6/14/2008 5:08:53 PM | Attr =    ]
zh-TW -> %SystemRoot%\System32\zh-TW ->  [Folder | Modified Date = 6/14/2008 5:08:51 PM | Attr =    ]
AppPatch -> %SystemRoot%\AppPatch ->  [Folder | Modified Date = 6/14/2008 5:06:12 PM | Attr =    ]
assembly -> %SystemRoot%\assembly ->  [Folder | Modified Date = 6/14/2008 5:40:40 PM | Attr = R S]
Boot -> %SystemRoot%\Boot ->  [Folder | Modified Date = 6/14/2008 5:05:55 PM | Attr =    ]
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 67584 bytes | Modified Date = 7/13/2008 5:21:08 AM | Attr =   S]
bthservsdp.dat -> %SystemRoot%\bthservsdp.dat ->  [Ver =  | Size = 12 bytes | Modified Date = 7/13/2008 5:19:49 AM | Attr =    ]
DigitalLocker -> %SystemRoot%\DigitalLocker ->  [Folder | Modified Date = 6/14/2008 5:09:30 PM | Attr =    ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files ->  [Folder | Modified Date = 7/13/2008 7:02:32 AM | Attr =   S]
ERDNT -> %SystemRoot%\ERDNT ->  [Folder | Modified Date = 7/10/2008 5:40:53 AM | Attr =    ]
IME -> %SystemRoot%\IME ->  [Folder | Modified Date = 6/14/2008 5:09:30 PM | Attr =    ]
inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 7/13/2008 5:29:26 AM | Attr =    ]
Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 7/12/2008 8:59:34 PM | Attr =  HS]
L2Schemas -> %SystemRoot%\L2Schemas ->  [Folder | Modified Date = 6/14/2008 5:09:30 PM | Attr =    ]
Logs -> %SystemRoot%\Logs ->  [Folder | Modified Date = 6/14/2008 6:10:30 PM | Attr =    ]
MEMORY.DMP -> %SystemRoot%\MEMORY.DMP ->  [Ver =  | Size = 286309986 bytes | Modified Date = 7/9/2008 11:34:24 PM | Attr =    ]
Microsoft.NET -> %SystemRoot%\Microsoft.NET ->  [Folder | Modified Date = 6/14/2008 5:40:43 PM | Attr =    ]
Minidump -> %SystemRoot%\Minidump ->  [Folder | Modified Date = 7/9/2008 11:34:35 PM | Attr =    ]
MSAgent -> %SystemRoot%\MSAgent ->  [Folder | Modified Date = 6/14/2008 5:09:32 PM | Attr =    ]
PolicyDefinitions -> %SystemRoot%\PolicyDefinitions ->  [Folder | Modified Date = 6/14/2008 5:09:28 PM | Attr =    ]
Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 7/13/2008 7:02:02 AM | Attr =    ]
rescache -> %SystemRoot%\rescache ->  [Folder | Modified Date = 6/14/2008 5:40:00 PM | Attr =    ]
servicing -> %SystemRoot%\servicing ->  [Folder | Modified Date = 6/14/2008 5:09:49 PM | Attr =    ]
System32 -> %SystemRoot%\System32 ->  [Folder | Modified Date = 7/13/2008 5:29:26 AM | Attr =    ]
Temp -> %SystemRoot%\Temp ->  [Folder | Modified Date = 7/13/2008 7:03:27 AM | Attr =    ]
WindowsShell.Manifest -> %SystemRoot%\WindowsShell.Manifest ->  [Ver =  | Size = 749 bytes | Modified Date = 6/14/2008 5:34:08 PM | Attr = RH ]
winsxs -> %SystemRoot%\winsxs ->  [Folder | Modified Date = 7/11/2008 9:45:48 AM | Attr =    ]
Check Updates for Windows Live Toolbar.job -> %SystemRoot%\tasks\Check Updates for Windows Live Toolbar.job ->  [Ver =  | Size = 256 bytes | Modified Date = 7/13/2008 6:18:06 AM | Attr =    ]
Norton Internet Security - Run Full System Scan - THINKPAD.job -> %SystemRoot%\tasks\Norton Internet Security - Run Full System Scan - THINKPAD.job ->  [Ver =  | Size = 494 bytes | Modified Date = 7/11/2008 9:05:23 PM | Attr =    ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 7/13/2008 5:21:15 AM | Attr =  H ]
User_Feed_Synchronization-{7FB51E8E-F57E-4D8A-916A-1207E2509139}.job -> %SystemRoot%\tasks\User_Feed_Synchronization-{7FB51E8E-F57E-4D8A-916A-1207E2509139}.job ->  [Ver =  | Size = 424 bytes | Modified Date = 7/12/2008 10:19:21 AM | Attr =  H ]
C:\ProgramData\Microsoft\Network\Downloader\ -> C:\ProgramData\Microsoft\Network\Downloader 
->  [Folder | Modified Date = 11/2/2006 9:04:24 PM | Attr =	]
qmgr0.dat -> C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat ->  [Ver 
=  | Size = 4194304 bytes | Modified Date = 7/13/2008 5:25:43 AM | Attr 
=	]
qmgr1.dat -> C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat ->  [Ver 
=  | Size = 4194304 bytes | Modified Date = 7/13/2008 5:25:43 AM | Attr 
=	]
C:\ProgramData\Microsoft\OFFICE\DATA\ -> C:\ProgramData\Microsoft\OFFICE\DATA 
->  [Folder | Modified Date = 11/14/2007 2:32:42 AM | Attr =	]
data.dat -> C:\ProgramData\Microsoft\OFFICE\DATA\data.dat ->  [Ver =  | 
Size = 1372 bytes | Modified Date = 11/12/2007 1:25:53 PM | Attr =	]
opa12.dat -> C:\ProgramData\Microsoft\OFFICE\DATA\opa12.dat ->  [Ver =  
| Size = 8268 bytes | Modified Date = 11/12/2007 4:42:40 AM | Attr =	
]
C:\ProgramData\Microsoft\RAC\PublishedData\ -> C:\ProgramData\Microsoft\RAC\PublishedData 
->  [Folder | Modified Date = 3/9/2008 6:20:01 AM | Attr =	]
PublishedRacMonAFLTable.DAT -> C:\ProgramData\Microsoft\RAC\PublishedData\PublishedRacMonAFLTable.
DAT ->  [Ver =  | Size = 2760 bytes | Modified Date = 7/13/2008 1:02:13 
AM | Attr =	]
PublishedRacMonCLKTable.DAT -> C:\ProgramData\Microsoft\RAC\PublishedData\PublishedRacMonCLKTable.
DAT ->  [Ver =  | Size = 48 bytes | Modified Date = 7/13/2008 1:02:13 AM 
| Attr =	]
PublishedRacMonHFLTable.DAT -> C:\ProgramData\Microsoft\RAC\PublishedData\PublishedRacMonHFLTable.
DAT ->  [Ver =  | Size = 0 bytes | Modified Date = 7/13/2008 1:02:13 AM 
| Attr =	]
PublishedRacMonIndex.DAT -> C:\ProgramData\Microsoft\RAC\PublishedData\PublishedRacMonIndex.
DAT ->  [Ver =  | Size = 3048 bytes | Modified Date = 7/13/2008 1:02:13 
AM | Attr =	]
PublishedRacMonOSFTable.DAT -> C:\ProgramData\Microsoft\RAC\PublishedData\PublishedRacMonOSFTable.
DAT ->  [Ver =  | Size = 3036 bytes | Modified Date = 7/13/2008 1:02:13 
AM | Attr =	]
PublishedRacMonSWITable.DAT -> C:\ProgramData\Microsoft\RAC\PublishedData\PublishedRacMonSWITable.
DAT ->  [Ver =  | Size = 80656 bytes | Modified Date = 7/13/2008 1:02:13 
AM | Attr =	]
C:\ProgramData\Microsoft\User Account Pictures\ -> C:\ProgramData\Microsoft\User 
Account Pictures ->  [Folder | Modified Date = 11/11/2007 6:19:17 AM | Attr 
=	]
THINKPAD.dat -> C:\ProgramData\Microsoft\User Account Pictures\THINKPAD.dat 
->  [Ver =  | Size = 0 bytes | Modified Date = 11/11/2007 6:19:17 AM | Attr 
=	]
C:\Users\THINKPAD\AppData\Local\Temp\ -> C:\Users\THINKPAD\AppData\Local\Temp 
->  [Folder | Modified Date = 7/13/2008 7:05:49 AM | Attr =	]
fsgk32.exe -> C:\Users\THINKPAD\AppData\Local\Temp\fsgk32.exe -> F-Secure 
Corp. [Ver = 7.60.14020.0 | Size = 413696 bytes | Modified Date = 7/13/2008 
5:41:53 AM | Attr =	]
fssm32.exe -> C:\Users\THINKPAD\AppData\Local\Temp\fssm32.exe -> F-Secure 
Corp. [Ver = 7.60.14020.0 | Size = 494592 bytes | Modified Date = 7/13/2008 
5:41:53 AM | Attr =	]
SSUPDATE.EXE -> C:\Users\THINKPAD\AppData\Local\Temp\SSUPDATE.EXE -> SUPERAntiSpyware.
com [Ver = 1, 0, 0, 1034 | Size = 158960 bytes | Modified Date = 5/28/2008 
10:33:32 AM | Attr =	]
C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\ -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-
Virus ->  [Folder | Modified Date = 7/13/2008 5:47:30 AM | Attr =	]
fsgk32.exe -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\fsgk32.
exe -> F-Secure Corp. [Ver = 7.60.14020.0 | Size = 413696 bytes | Modified 
Date = 7/13/2008 5:41:53 AM | Attr =	]
fssm32.exe -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\fssm32.
exe -> F-Secure Corp. [Ver = 7.60.14020.0 | Size = 494592 bytes | Modified 
Date = 7/13/2008 5:41:53 AM | Attr =	]
C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\fsav_beta\ 
-> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\fsav_beta 
->  [Folder | Modified Date = 7/13/2008 5:41:54 AM | Attr =	]
fsgk32.exe -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\fsav_beta\fsgk32.
exe -> F-Secure Corp. [Ver = 7.60.14020.0 | Size = 413696 bytes | Modified 
Date = 7/13/2008 5:41:53 AM | Attr =	]
fssm32.exe -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\fsav_beta\fssm32.
exe -> F-Secure Corp. [Ver = 7.60.14020.0 | Size = 494592 bytes | Modified 
Date = 7/13/2008 5:41:53 AM | Attr =	]
C:\Users\THINKPAD\AppData\Local\Temp\ -> C:\Users\THINKPAD\AppData\Local\Temp 
->  [Folder | Modified Date = 7/13/2008 7:05:49 AM | Attr =	]
daas_s.dll -> C:\Users\THINKPAD\AppData\Local\Temp\daas_s.dll -> F-Secure 
Corporation [Ver = 6.00.14023 | Size = 495616 bytes | Modified Date = 7/13/2008 
5:47:20 AM | Attr =	]
fm4av.dll -> C:\Users\THINKPAD\AppData\Local\Temp\fm4av.dll ->  [Ver =  
| Size = 514048 bytes | Modified Date = 7/13/2008 5:41:53 AM | Attr =   
 ]
C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\ -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-
Virus ->  [Folder | Modified Date = 7/13/2008 5:47:30 AM | Attr =	]
AVPFPI0.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\AVPFPI0.
dll -> Kaspersky Lab [Ver = 7.0.171.8410 | Size = 147538 bytes | Modified 
Date = 7/13/2008 5:41:53 AM | Attr =	]
avpproxy.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\avpproxy.
dll -> F-Secure Corporation [Ver = 1.2.12160 | Size = 77910 bytes | Modified 
Date = 7/13/2008 5:41:53 AM | Attr =	]
daas_s.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\daas_s.
dll -> F-Secure Corporation [Ver = 6.00.14023 | Size = 495616 bytes | Modified 
Date = 2/27/2008 3:59:28 PM | Attr =	]
fm4av.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\fm4av.
dll ->  [Ver =  | Size = 514048 bytes | Modified Date = 7/13/2008 5:41:53 
AM | Attr =	]
fpinor.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\fpinor.
dll -> F-Secure Corporation [Ver = 1.20.13330 | Size = 113664 bytes | Modified 
Date = 7/13/2008 5:41:53 AM | Attr =	]
fsbl.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\fsbl.
dll -> F-Secure Corporation [Ver = 1, 0, 0, 1 | Size = 49152 bytes | Modified 
Date = 7/13/2008 5:41:53 AM | Attr =	]
fsblu.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\fsblu.
dll -> F-Secure Corporation [Ver = 1, 0, 0, 68 | Size = 544768 bytes | Modified 
Date = 7/13/2008 5:39:26 AM | Attr =	]
fsecr32.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\fsecr32.
dll -> F-Secure Corporation [Ver = 2.08.8110 | Size = 262144 bytes | Modified 
Date = 7/13/2008 5:40:19 AM | Attr =	]
fsgkiapi.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\fsgkiapi.
dll -> F-Secure Corp. [Ver = 7.60.13372.8144 | Size = 82432 bytes | Modified 
Date = 7/13/2008 5:41:53 AM | Attr =	]
fsmart.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\fsmart.
dll -> F-Secure Corporation [Ver = 1, 0, 0, 29 | Size = 147456 bytes | Modified 
Date = 7/13/2008 5:41:40 AM | Attr =	]
fspe32.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\fspe32.
dll -> F-Secure Corporation [Ver = 1.4.420 | Size = 385024 bytes | Modified 
Date = 7/13/2008 5:40:19 AM | Attr =	]
fssubmit.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\fssubmit.
dll -> F-Secure Corporation [Ver = 1.0.11 | Size = 651264 bytes | Modified 
Date = 7/13/2008 5:39:54 AM | Attr =	]
fsup32.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\fsup32.
dll -> F-Secure Corporation [Ver = 1.4.420 | Size = 577536 bytes | Modified 
Date = 7/13/2008 5:40:19 AM | Attr =	]
fsupcx32.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\fsupcx32.
dll -> F-Secure Corporation [Ver = 1.4.420 | Size = 73728 bytes | Modified 
Date = 7/13/2008 5:40:19 AM | Attr =	]
fsupfg32.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\fsupfg32.
dll -> F-Secure Corporation [Ver = 1.4.420 | Size = 98304 bytes | Modified 
Date = 7/13/2008 5:40:20 AM | Attr =	]
fsupmw32.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\fsupmw32.
dll -> F-Secure Corporation [Ver = 1.4.420 | Size = 86016 bytes | Modified 
Date = 7/13/2008 5:40:20 AM | Attr =	]
fsupnp32.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\fsupnp32.
dll -> F-Secure Corporation [Ver = 1.4.420 | Size = 98304 bytes | Modified 
Date = 7/13/2008 5:40:20 AM | Attr =	]
fsupux32.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\fsupux32.
dll -> F-Secure Corporation [Ver = 1.4.420 | Size = 90112 bytes | Modified 
Date = 7/13/2008 5:40:20 AM | Attr =	]
fsupwu32.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\fsupwu32.
dll -> F-Secure Corporation [Ver = 1.4.420 | Size = 90112 bytes | Modified 
Date = 7/13/2008 5:40:20 AM | Attr =	]
fsusscr.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\fsusscr.
dll -> F-Secure Corporation [Ver = 2.30.14205 | Size = 888832 bytes | Modified 
Date = 7/13/2008 5:41:40 AM | Attr =	]
Nse_w32.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\Nse_w32.
dll -> Norman ASA [Ver = 5,92,06 | Size = 588856 bytes | Modified Date = 
7/13/2008 5:39:51 AM | Attr =	]
C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\fsav_beta\ 
-> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\fsav_beta 
->  [Folder | Modified Date = 7/13/2008 5:41:54 AM | Attr =	]
AVPFPI0.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\fsav_beta\AVPFPI0.
dll -> Kaspersky Lab [Ver = 7.0.171.8410 | Size = 147538 bytes | Modified 
Date = 7/13/2008 5:41:53 AM | Attr =	]
avpproxy.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\fsav_beta\avpproxy.
dll -> F-Secure Corporation [Ver = 1.2.12160 | Size = 77910 bytes | Modified 
Date = 7/13/2008 5:41:53 AM | Attr =	]
fm4av.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\fsav_beta\fm4av.
dll ->  [Ver =  | Size = 514048 bytes | Modified Date = 7/13/2008 5:41:53 
AM | Attr =	]
fpinor.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\fsav_beta\fpinor.
dll -> F-Secure Corporation [Ver = 1.20.13330 | Size = 113664 bytes | Modified 
Date = 7/13/2008 5:41:53 AM | Attr =	]
fsbl.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\fsav_beta\fsbl.
dll -> F-Secure Corporation [Ver = 1, 0, 0, 1 | Size = 49152 bytes | Modified 
Date = 7/13/2008 5:41:53 AM | Attr =	]
fsgkiapi.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\fsav_beta\fsgkiapi.
dll -> F-Secure Corp. [Ver = 7.60.13372.8144 | Size = 82432 bytes | Modified 
Date = 7/13/2008 5:41:53 AM | Attr =	]
C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\hydrawin\ 
-> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\hydrawin 
->  [Folder | Modified Date = 7/13/2008 5:40:20 AM | Attr =	]
fsecr32.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\hydrawin\fsecr32.
dll -> F-Secure Corporation [Ver = 2.08.8110 | Size = 262144 bytes | Modified 
Date = 7/13/2008 5:40:19 AM | Attr =	]
fspe32.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\hydrawin\fspe32.
dll -> F-Secure Corporation [Ver = 1.4.420 | Size = 385024 bytes | Modified 
Date = 7/13/2008 5:40:19 AM | Attr =	]
fsup32.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\hydrawin\fsup32.
dll -> F-Secure Corporation [Ver = 1.4.420 | Size = 577536 bytes | Modified 
Date = 7/13/2008 5:40:19 AM | Attr =	]
fsupcx32.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\hydrawin\fsupcx32.
dll -> F-Secure Corporation [Ver = 1.4.420 | Size = 73728 bytes | Modified 
Date = 7/13/2008 5:40:19 AM | Attr =	]
fsupfg32.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\hydrawin\fsupfg32.
dll -> F-Secure Corporation [Ver = 1.4.420 | Size = 98304 bytes | Modified 
Date = 7/13/2008 5:40:20 AM | Attr =	]
fsupmw32.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\hydrawin\fsupmw32.
dll -> F-Secure Corporation [Ver = 1.4.420 | Size = 86016 bytes | Modified 
Date = 7/13/2008 5:40:20 AM | Attr =	]
fsupnp32.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\hydrawin\fsupnp32.
dll -> F-Secure Corporation [Ver = 1.4.420 | Size = 98304 bytes | Modified 
Date = 7/13/2008 5:40:20 AM | Attr =	]
fsupux32.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\hydrawin\fsupux32.
dll -> F-Secure Corporation [Ver = 1.4.420 | Size = 90112 bytes | Modified 
Date = 7/13/2008 5:40:20 AM | Attr =	]
fsupwu32.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\hydrawin\fsupwu32.
dll -> F-Secure Corporation [Ver = 1.4.420 | Size = 90112 bytes | Modified 
Date = 7/13/2008 5:40:20 AM | Attr =	]
C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\mlcwin\ -> 
C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\mlcwin -> 
 [Folder | Modified Date = 7/13/2008 5:41:40 AM | Attr =	]
fsmart.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\mlcwin\fsmart.
dll -> F-Secure Corporation [Ver = 1, 0, 0, 29 | Size = 147456 bytes | Modified 
Date = 7/13/2008 5:41:40 AM | Attr =	]
fsusscr.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\mlcwin\fsusscr.
dll -> F-Secure Corporation [Ver = 2.30.14205 | Size = 888832 bytes | Modified 
Date = 7/13/2008 5:41:40 AM | Attr =	]
C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\ols_30_pegdb\ 
-> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\ols_30_pegdb 
->  [Folder | Modified Date = 7/13/2008 5:39:52 AM | Attr =	]
Nse_w32.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\ols_30_pegdb\Nse_w32.
dll -> Norman ASA [Ver = 5,92,06 | Size = 588856 bytes | Modified Date = 
7/13/2008 5:39:51 AM | Attr =	]
C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\ols_33_bin\ 
-> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\ols_33_bin 
->  [Folder | Modified Date = 7/13/2008 5:39:54 AM | Attr =	]
fssubmit.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\ols_33_bin\fssubmit.
dll -> F-Secure Corporation [Ver = 1.0.11 | Size = 651264 bytes | Modified 
Date = 7/13/2008 5:39:54 AM | Attr =	]
C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\ols_bl\ -> 
C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\ols_bl -> 
 [Folder | Modified Date = 7/13/2008 5:39:26 AM | Attr =	]
fsblu.dll -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\ols_bl\fsblu.
dll -> F-Secure Corporation [Ver = 1, 0, 0, 68 | Size = 544768 bytes | Modified 
Date = 7/13/2008 5:39:26 AM | Attr =	]
C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\ -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-
Virus ->  [Folder | Modified Date = 7/13/2008 5:47:30 AM | Attr =	]
ext.dat -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\ext.
dat ->  [Ver =  | Size = 444 bytes | Modified Date = 7/13/2008 5:39:24 AM 
| Attr =	]
fsedb.dat -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\fsedb.
dat ->  [Ver =  | Size = 1003330 bytes | Modified Date = 7/13/2008 5:40:19 
AM | Attr =	]
fsupdllb.dat -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\fsupdllb.
dat ->  [Ver =  | Size = 422594 bytes | Modified Date = 7/13/2008 5:40:19 
AM | Attr =	]
fsupplgn.dat -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\fsupplgn.
dat ->  [Ver =  | Size = 226 bytes | Modified Date = 7/13/2008 5:40:20 AM 
| Attr =	]
fsuptmpl.dat -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\fsuptmpl.
dat ->  [Ver =  | Size = 5828 bytes | Modified Date = 7/13/2008 5:40:20 
AM | Attr =	]
perf.dat -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\perf.
dat ->  [Ver =  | Size = 128 bytes | Modified Date = 7/13/2008 7:02:31 AM 
| Attr =	]
sae.dat -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\sae.
dat ->  [Ver =  | Size = 243 bytes | Modified Date = 7/13/2008 5:39:24 AM 
| Attr =	]
sai.dat -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\sai.
dat ->  [Ver =  | Size = 1348 bytes | Modified Date = 7/13/2008 5:39:24 
AM | Attr =	]
C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\avmisc\ -> 
C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\avmisc -> 
 [Folder | Modified Date = 7/13/2008 5:39:24 AM | Attr =	]
ext.dat -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\avmisc\ext.
dat ->  [Ver =  | Size = 444 bytes | Modified Date = 7/13/2008 5:39:24 AM 
| Attr =	]
sae.dat -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\avmisc\sae.
dat ->  [Ver =  | Size = 243 bytes | Modified Date = 7/13/2008 5:39:24 AM 
| Attr =	]
sai.dat -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\avmisc\sai.
dat ->  [Ver =  | Size = 1348 bytes | Modified Date = 7/13/2008 5:39:24 
AM | Attr =	]
C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\hydrawin\ 
-> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\hydrawin 
->  [Folder | Modified Date = 7/13/2008 5:40:20 AM | Attr =	]
fsedb.dat -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\hydrawin\fsedb.
dat ->  [Ver =  | Size = 1003330 bytes | Modified Date = 7/13/2008 5:40:19 
AM | Attr =	]
fsupdllb.dat -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\hydrawin\fsupdllb.
dat ->  [Ver =  | Size = 422594 bytes | Modified Date = 7/13/2008 5:40:19 
AM | Attr =	]
fsupplgn.dat -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\hydrawin\fsupplgn.
dat ->  [Ver =  | Size = 226 bytes | Modified Date = 7/13/2008 5:40:20 AM 
| Attr =	]
fsuptmpl.dat -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\hydrawin\fsuptmpl.
dat ->  [Ver =  | Size = 5828 bytes | Modified Date = 7/13/2008 5:40:20 AM 
| Attr =	]
C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\ -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-
Virus ->  [Folder | Modified Date = 7/13/2008 5:47:30 AM | Attr =	]
FS@av.ini -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\FS@av.
ini ->  [Ver =  | Size = 203 bytes | Modified Date = 7/13/2008 5:39:24 AM 
| Attr =	]
FS@avpe.ini -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\FS@avpe.
ini ->  [Ver =  | Size = 205 bytes | Modified Date = 7/13/2008 5:39:05 AM 
| Attr =	]
FS@bleng.ini -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\FS@bleng.
ini ->  [Ver =  | Size = 241 bytes | Modified Date = 7/13/2008 5:39:26 AM 
| Attr =	]
FS@corp.ini -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\FS@corp.
ini ->  [Ver =  | Size = 176 bytes | Modified Date = 7/13/2008 5:41:53 AM 
| Attr =	]
FS@hydra.ini -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\FS@hydra.
ini ->  [Ver =  | Size = 250 bytes | Modified Date = 7/13/2008 5:40:19 AM 
| Attr =	]
FS@mlc.ini -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\FS@mlc.
ini ->  [Ver =  | Size = 204 bytes | Modified Date = 7/13/2008 5:41:40 AM 
| Attr =	]
FS@ols.ini -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\FS@ols.
ini ->  [Ver =  | Size = 168 bytes | Modified Date = 7/13/2008 5:39:54 AM 
| Attr =	]
FS@peg.ini -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\FS@peg.
ini ->  [Ver =  | Size = 204 bytes | Modified Date = 7/13/2008 5:39:51 AM 
| Attr =	]
verdicts.ini -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\Anti-Virus\verdicts.
ini ->  [Ver =  | Size = 4181 bytes | Modified Date = 7/13/2008 5:39:06 
AM | Attr =	]
C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\avmisc\ -> 
C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\avmisc -> 
 [Folder | Modified Date = 7/13/2008 5:39:24 AM | Attr =	]
FS@av.ini -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\avmisc\FS@av.
ini ->  [Ver =  | Size = 203 bytes | Modified Date = 7/13/2008 5:39:24 AM 
| Attr =	]
C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\avpe\ -> 
C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\avpe ->  
[Folder | Modified Date = 7/13/2008 5:39:23 AM | Attr =	]
FS@avpe.ini -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\avpe\FS@avpe.
ini ->  [Ver =  | Size = 205 bytes | Modified Date = 7/13/2008 5:39:05 AM 
| Attr =	]
verdicts.ini -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\avpe\verdicts.
ini ->  [Ver =  | Size = 4181 bytes | Modified Date = 7/13/2008 5:39:06 
AM | Attr =	]
C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\fsav_beta\ 
-> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\fsav_beta 
->  [Folder | Modified Date = 7/13/2008 5:41:54 AM | Attr =	]
FS@corp.ini -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\fsav_beta\FS@corp.
ini ->  [Ver =  | Size = 176 bytes | Modified Date = 7/13/2008 5:41:53 AM 
| Attr =	]
C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\hydrawin\ 
-> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\hydrawin 
->  [Folder | Modified Date = 7/13/2008 5:40:20 AM | Attr =	]
FS@hydra.ini -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\hydrawin\FS@hydra.
ini ->  [Ver =  | Size = 250 bytes | Modified Date = 7/13/2008 5:40:19 AM 
| Attr =	]
C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\mlcwin\ -> 
C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\mlcwin -> 
 [Folder | Modified Date = 7/13/2008 5:41:40 AM | Attr =	]
FS@mlc.ini -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\mlcwin\FS@mlc.
ini ->  [Ver =  | Size = 204 bytes | Modified Date = 7/13/2008 5:41:40 AM 
| Attr =	]
C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\ols_30_pegdb\ 
-> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\ols_30_pegdb 
->  [Folder | Modified Date = 7/13/2008 5:39:52 AM | Attr =	]
FS@peg.ini -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\ols_30_pegdb\FS@peg.
ini ->  [Ver =  | Size = 204 bytes | Modified Date = 7/13/2008 5:39:51 AM 
| Attr =	]
C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\ols_33_bin\ 
-> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\ols_33_bin 
->  [Folder | Modified Date = 7/13/2008 5:39:54 AM | Attr =	]
FS@ols.ini -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\ols_33_bin\FS@ols.
ini ->  [Ver =  | Size = 168 bytes | Modified Date = 7/13/2008 5:39:54 AM 
| Attr =	]
C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\ols_bl\ -> 
C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\ols_bl -> 
 [Folder | Modified Date = 7/13/2008 5:39:26 AM | Attr =	]
FS@bleng.ini -> C:\Users\THINKPAD\AppData\Local\Temp\Low\OnlineScanner\updates\ols_bl\FS@bleng.
ini ->  [Ver =  | Size = 241 bytes | Modified Date = 7/13/2008 5:39:26 AM 
| Attr =	]
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
Ceedo -> %AppData%\Ceedo ->  [Folder | Modified Date = 7/12/2008 9:32:25 
AM | Attr =	]
Lenovo -> %AppData%\Lenovo ->  [Folder | Modified Date = 7/12/2008 9:43:37 
AM | Attr =	]
Skype -> %AppData%\Skype ->  [Folder | Modified Date = 6/13/2008 11:10:25 
AM | Attr =	]
uTorrent -> %AppData%\uTorrent ->  [Folder | Modified Date = 7/11/2008 6:56:52 
PM | Attr =	]
Winamp -> %AppData%\Winamp ->  [Folder | Modified Date = 7/11/2008 7:02:45 
PM | Attr =	]
Adobe -> %UserProfile%\AppData\Local\Adobe ->  [Folder | Modified Date = 
7/13/2008 5:16:29 AM | Attr =	]
DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> %UserProfile%\AppData\Local\DCBC2A71-
70D8-4DAN-EHR8-E0D61DEA3FDF.ini ->  [Ver =  | Size = 17920 bytes | Modified 
Date = 7/13/2008 12:05:40 AM | Attr =	]
IconCache.db -> %UserProfile%\AppData\Local\IconCache.db ->  [Ver =  | Size 
= 3580423 bytes | Modified Date = 7/13/2008 5:19:46 AM | Attr =  H ]
Temp -> %UserProfile%\AppData\Local\Temp ->  [Folder | Modified Date = 7/13/2008 
7:05:49 AM | Attr =	]
desktop.ini -> %SystemDrive%\Users\Public\Documents\desktop.ini ->  [Ver 
=  | Size = 280 bytes | Modified Date = 6/14/2008 5:34:07 PM | Attr =  HS]
Downloads -> %UserProfile%\Documents\Downloads ->  [Folder | Modified Date 
= 7/11/2008 6:55:30 PM | Attr =	]
lesson plans - scott -> %UserProfile%\Documents\lesson plans - scott -> 
 [Folder | Modified Date = 7/11/2008 2:48:56 AM | Attr =	]
personal -> %UserProfile%\Documents\personal ->  [Folder | Modified Date 
= 7/6/2008 7:26:01 PM | Attr =	]
personal program participant information -> %UserProfile%\Documents\personal 
program participant information ->  [Folder | Modified Date = 7/6/2008 7:22:15 
PM | Attr = R  ]
Scanned Documents -> %UserProfile%\Documents\Scanned Documents ->  [Folder 
| Modified Date = 7/11/2008 2:52:32 AM | Attr = R  ]
utilities for new comp -> %UserProfile%\Documents\utilities for new comp 
->  [Folder | Modified Date = 7/6/2008 7:34:21 PM | Attr =	]
?¥R.NJX -> %UserProfile%\Documents\ǚ¥R.NJX ->  [Ver =  | Size = 3704 bytes 
| Modified Date = 12/8/2007 2:56:00 AM | Attr =	]
desktop.ini -> %SystemDrive%\Users\Public\Desktop\desktop.ini ->  [Ver = 
 | Size = 174 bytes | Modified Date = 6/14/2008 5:34:07 PM | Attr =  HS]
CTLC -> %UserProfile%\Desktop\CTLC ->  [Folder | Modified Date = 7/10/2008 
6:05:25 PM | Attr = R  ]
OTScanIt -> %UserProfile%\Desktop\OTScanIt ->  [Folder | Modified Date = 
7/13/2008 5:19:32 AM | Attr =	]
OTScanIt.exe -> %UserProfile%\Desktop\OTScanIt.exe ->  [Ver =  | Size = 
568114 bytes | Modified Date = 7/5/2008 11:26:16 PM | Attr =	]
??? -> %UserProfile%\Desktop\公安局 ->  [Folder | Modified Date = 5/19/2008 
12:33:45 PM | Attr =	]
???? -> %UserProfile%\Desktop\学习汉语 ->  [Folder | Modified Date = 5/15/2008 
5:35:05 PM | Attr =	]
??? -> %UserProfile%\Desktop\汉语歌 ->  [Folder | Modified Date = 7/6/2008 
7:29:35 PM | Attr =	]
desktop.ini -> %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Startup\desktop.
ini ->  [Ver =  | Size = 174 bytes | Modified Date = 6/14/2008 5:34:07 PM 
| Attr =  HS]
Java -> %CommonProgramFiles%\Java ->  [Folder | Modified Date = 7/12/2008 
8:52:49 PM | Attr =	]
System -> %CommonProgramFiles%\System ->  [Folder | Modified Date = 6/14/2008 
5:09:50 PM | Attr =	]

< End of report >

I am not running Windows Defender or Spybot SD as I normally would (so that I don't interfere with the scans). But my computer is running normally.

Thanks for your continued support.

What is next?

#13 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:07 AM

Posted 12 July 2008 - 06:16 PM

It should have made a txt file when it ran listing all the files it deleted.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#14 Ainvar

Ainvar
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:07 AM

Posted 12 July 2008 - 06:23 PM

Sorry about the delay, SifuMike. My text files open in NinjaStar, and the Avenger one was initially illegible.

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\ProgramData\bm7b2c1914.xml" deleted successfully.
File "C:\ProgramData\pskt.ini" deleted successfully.
Folder "C:\ProgramData\viewpoint" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Edited by Ainvar, 12 July 2008 - 06:24 PM.


#15 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:07 AM

Posted 12 July 2008 - 07:05 PM

Hi Ainvar,

We must fix all your file associations:

To repair the faulty file associations, please do the following:
Make sure that DSS.exe is located on your Desktop.
Click on your START button, then choose Run. A little box will appear.
Now copy and paste all the following in bold (including the "" marks) into the Run box and click OK.

"%userprofile%\desktop\dss.exe" /daft


This will start DSS in a different way. A small window will appear.
Click on the Scan button.
If it finds faulty file associations, they will appear in red beside a checkbox. If this occurs, just place a tick in the boxes in question.
Click the Fix button.
Re-scan and save a logfile. By default, it will save as daft.txt.

Post the contents of that logfile with your next post.
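The DSS /daft step above scans for and repairs hijacked file associations. As an added example (not the thread's or DSS's own code), here is a read-only PowerShell check that reports the shell "open" handler for a few sensitive extensions and flags any that differ from the stock Windows defaults; the expected ProgIds and commands are assumptions based on the Vista-era defaults, and a mismatch is something to inspect rather than proof of infection.

```powershell
# Added example, not from the thread or from DSS: read-only check of the
# shell "open" handlers that malware commonly hijacks. The expected ProgIds
# and commands below are the stock Windows defaults as assumed here; a
# mismatch means "inspect this", since a legitimately installed editor can
# change .txt too.

$Expected = @{
    '.exe' = @{ ProgId = 'exefile'; Command = '"%1" %*' }
    '.com' = @{ ProgId = 'comfile'; Command = '"%1" %*' }
    '.bat' = @{ ProgId = 'batfile'; Command = '"%1" %*' }
    '.cmd' = @{ ProgId = 'cmdfile'; Command = '"%1" %*' }
    '.scr' = @{ ProgId = 'scrfile'; Command = '"%1" /S' }
    '.reg' = @{ ProgId = 'regfile'; Command = 'regedit.exe "%1"' }
    '.txt' = @{ ProgId = 'txtfile'; Command = '%SystemRoot%\system32\NOTEPAD.EXE %1' }
}

function Get-RegDefault([string]$Path) {
    # (Default) value of a registry key, or $null when the key is absent.
    # DoNotExpandEnvironmentNames keeps %SystemRoot% literal so it compares
    # cleanly against the expected string.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue('', $null, 'DoNotExpandEnvironmentNames')
}

function Get-FileAssociationReport {
    foreach ($ext in ($Expected.Keys | Sort-Object)) {
        $want    = $Expected[$ext]
        $progId  = Get-RegDefault "Registry::HKEY_CLASSES_ROOT\$ext"
        $command = $null
        if ($progId) {
            $command = Get-RegDefault "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        }
        # A per-user UserChoice entry overrides HKCR for the current user,
        # so surface it as well.
        $userChoice = (Get-ItemProperty -LiteralPath `
            "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice" `
            -Name Progid -ErrorAction SilentlyContinue).Progid

        if (-not $progId -or -not $command)         { $status = 'MISSING' }
        elseif ($progId -ine $want.ProgId)          { $status = 'PROGID-CHANGED' }
        elseif ($command.Trim() -ine $want.Command) { $status = 'COMMAND-CHANGED' }
        else                                        { $status = 'OK' }

        New-Object PSObject -Property @{
            Extension  = $ext
            ProgId     = $progId
            Command    = $command
            UserChoice = $userChoice
            Status     = $status
        }
    }
}

Get-FileAssociationReport |
    Select-Object Extension, Status, ProgId, UserChoice, Command |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; it changes nothing, so the rows marked PROGID-CHANGED or COMMAND-CHANGED are the ones to compare against what DSS reports in daft.txt.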



