Infected With "systempre.exe" And Some Hidden Morphing Installer


  • This topic is locked
17 replies to this topic

#1 dcarwin
Posted 21 August 2008 - 03:37 PM

Lenovo T60 has a hidden (I can't find it) systempre deployer. I have done manual cleanup (using SDFix and HJT) and the system appears clean/normal right now. However if I were to plug in the network cable, the deployer would install and run systempre.exe, close all "admin" apps and also create two new randomly-named executables which are also deployed.


Symptoms observed before manual cleanup:
============================
System originally had v6msn.exe infection as well, and I believe I removed this.

- taskmgr disabled
- msconfig disabled
- regedit disabled
- many websites blocked (including bleeping computer)
- hijackthis prevented from running (runs if renamed to something else)

NOTE: gpedit.msc is not disabled and will run, allowing you to manually throw DISABLE on the taskmanager blocking etc.
On next reboot the DISABLE setting is ignored and must be bounced.

- systempre.exe sitting in WINDOWS\system32\
- <random named exe file> sitting in WINDOWS\system32\ (examples iafxqxs.exe, ygyvosm.exe, vscnnq.exe)
- <random named exe file> sitting in \Documents and Settings\<user that was logged in when virus last deployed>

- HKLM\..\Run: [System Presets] systempre.exe
- HKLM\..\Run: [System Presets] <random named file>.exe

"Userinit"="C:\\WINDOWS\\SYSTEM32\\Userinit.exe," changed to load <random>.exe
===

SDFix fails to remove as virus reinstates systempre.exe as soon as network cable is plugged in next time.

Prep steps taken
===========
cleanmgr - run
adaware - clean
Spybot - cannot run because it forces an internet check, and infected box is off the net. (Plugging box into net activates virus host which deploys systempre.exe etc)
Stinger - clean
housecall/panda/bitdefender - not run. all require net connection.
Firewall - Sygate firewall installed (windows firewall off)
Updates - SP3 installed, loaded batch of 21 recent stored updates, not sure if completely updated.

HJT Log
=====
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:03:53 PM, on 8/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192779822406
O17 - HKLM\System\CCS\Services\Tcpip\..\{93008F3B-85B5-41D8-B1FB-9225D9F2B837}: NameServer = 208.201.224.11,208.201.224.33
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 5813 bytes



Additional Notes:
===========
System originally had v6msn.exe infection as well, and I believe I removed this.

Portion of SDFIX log BEFORE manual cleanup:
===
C:\PROGRA~1\PEAZIP\RES\LPAQ\LPAQ1.EXE - Deleted
C:\WINDOWS\system32\systempre.exe - Deleted
C:\WINDOWS\system32\v6msn.exe - Deleted


Files with Hidden Attributes :

Sun 13 Jul 2008 6,104,632 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Thu 1 Nov 2007 59,392 ..SHR --- "C:\WINDOWS\system32\ESaudio.exe"
Wed 23 Jul 2008 49,664 ..SHR --- "C:\WINDOWS\system32\msnchat6.1.7.exe"
Mon 21 Jul 2008 49,664 ..SHR --- "C:\WINDOWS\system32\msnv6.1.exe"

Actions Taken
===
ESaudio - I renamed it
Picasa2\setup.exe - deleted
deleted all exe's mentioned
removed all reg keys mentioned (run keys as well as firewall keys)

Full text of SDFIX systemreport.txt
======================

System Report
*************

Run on Thu 08/21/2008 at 01:24 PM

Microsoft Windows XP [Version 5.1.2600]

Current user is an administrator

Running Processes:

\SystemRoot\System32\smss.exe [1056]
\??\C:\WINDOWS\system32\csrss.exe [1148]
\??\C:\WINDOWS\system32\winlogon.exe [1176]
C:\WINDOWS\system32\services.exe [1220]
C:\WINDOWS\system32\lsass.exe [1232]
C:\WINDOWS\system32\ibmpmsvc.exe [1400]
C:\WINDOWS\system32\svchost.exe [1428]
C:\WINDOWS\system32\svchost.exe [1472]
C:\WINDOWS\System32\svchost.exe [1512]
C:\Program Files\Sygate\SPF\smc.exe [1640]
C:\WINDOWS\system32\svchost.exe [1744]
C:\WINDOWS\system32\svchost.exe [1788]
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008]
C:\WINDOWS\system32\spoolsv.exe [344]
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [388]
C:\WINDOWS\system32\acs.exe [732]
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe [780]
C:\WINDOWS\system32\svchost.exe [904]
C:\WINDOWS\System32\TPHDEXLG.exe [928]
C:\WINDOWS\system32\TpKmpSVC.exe [948]
C:\WINDOWS\System32\alg.exe [1600]
C:\WINDOWS\system32\wbem\wmiprvse.exe [1632]
C:\WINDOWS\Explorer.EXE [1928]
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe [2200]
C:\WINDOWS\system32\igfxtray.exe [2320]
C:\WINDOWS\system32\igfxpers.exe [2372]
C:\Program Files\Analog Devices\Core\smax4pnp.exe [2400]
C:\WINDOWS\system32\igfxsrvc.exe [2456]
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe [2512]
C:\WINDOWS\system32\rundll32.exe [2540]
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe [2580]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2596]
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe [2624]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2636]
C:\WINDOWS\system32\TpShocks.exe [2716]
C:\Program Files\Lenovo\Zoom\TpScrex.exe [2740]
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe [2760]
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe [2772]
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe [2796]
C:\Program Files\Logitech\QuickCam\Quickcam.exe [2808]
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe [3332]


Drivers - Running:

ACPI
ACPIEC
ADIHdAudAddService
AEAudio
AFD
AR5211
Arp1394
atapi
audstub
Beep
Cdfs
Cdrom
CmBatt
Compbatt
Disk
e1express
Fastfat
Fips
FltMgr
Ftdisk
Gpc
HDAudBus
HSFHWAZL
HSF_DPV
HTTP
i8042prt
ialm
iastor
IBMPMDRV
Imapi
intelppm
IpNat
IPSec
isapnp
Kbdclass
kmixer
KSecDD
LVPr2Mon
mdmxsdk
mnmdd
Modem
Mouclass
MountMgr
MRxDAV
MRxSmb
Msfs
mssmbios
Mup
NDIS
NdisTapi
Ndisuio
NdisWan
NDProxy
NetBIOS
NetBT
NIC1394
Npfs
Ntfs
Null
ohci1394
PartMgr
PCI
PCIIde
Pcmcia
PptpMiniport
PSched
Ptilink
PxHelp20
RasAcd
Rasl2tp
RasPppoe
Raspti
Rdbss
RDPCDD
rdpdr
redbook
rimmptsk
rimsptsk
RimVSerPort
rismxdp
ROOTMODEM
sdbus
Secdrv
Shockprf
sr
Srv
swenum
SynTP
sysaudio
Tcpip
Teefer
TermDD
TPDIGIMN
TPHKDRV
TPPWRIF
TSMAPIP
Update
usbehci
usbhub
usbuhci
VgaSave
VolSnap
Wanarp
wdmaud
wg3n
wg4n
wg5n
wg6n
winachsf
WmiAcpi
wpsdrvnt
WSIMD


Drivers - Stopped:

Abiosdsk
abp480n5
adpu160m
aec
Aha154x
aic78u2
aic78xx
AliIde
amsint
asc
asc3350p
asc3550
AsyncMac
Atdisk
Atmarpc
catchme
cbidf2k
CCDECODE
cd20xrnt
Cdaudio
Changer
CmdIde
Cpqarray
dac960nt
dmboot
dmio
dmload
DMusic
dpti2o
drmkaud
Fdc
Flpydisk
hidusb
hpn
i2omgmt
i2omp
ini910u
IntelIde
Ip6Fw
IpFilterDriver
IpInIp
IRENUM
lbrtfdc
LVcKap
LVMVDrv
LVUSBSta
mouhid
mraid35x
MSKSSRV
MSPCLOCK
MSPQM
MSTEE
NABTSFEC
NdisIP
NwlnkFlt
NwlnkFwd
Parport
ParVdm
PCIDump
PDCOMP
PDFRAME
PDRELI
PDRFRAME
perc2
perc2hib
PID_0928
ql1080
Ql10wnt
ql12160
ql1240
ql1280
RDPWD
RimUsb
Serial
sffdisk
sffp_sd
Sfloppy
Simbad
SLIP
Sparrow
splitter
streamip
swmidi
symc810
symc8xx
sym_hi
sym_u3
TDPIPE
TDTCP
TosIde
Udfs
UIUSys
ultra
usbccgp
usbprint
usbscan
USBSTOR
ViaIde
vsdatant
WDICA
WSTCODEC


Services - Running:

aawservice
acs
ALG
AudioSrv
Browser
CryptSvc
DcomLaunch
Dhcp
Dnscache
ERSvc
Eventlog
EventSystem
helpsvc
IBMPMSVC
lanmanserver
lanmanworkstation
LmHosts
LVCOMSer
LVPrcSrv
Netman
Nla
PlugPlay
PolicyAgent
ProtectedStorage
RasMan
RemoteRegistry
RpcSs
SamSs
Schedule
seclogon
SENS
SharedAccess
ShellHWDetection
SmcService
Spooler
srservice
SSDPSRV
stisvc
TapiSrv
TermService
Themes
TPHDEXLGSVC
TpKmpSVC
TrkWks
W32Time
WebClient
winmgmt
wscsvc
wuauserv
WZCSVC


Services - Stopped:

Alerter
AppMgmt
BITS
CiSvc
ClipSrv
COMSysApp
dmadmin
dmserver
Dot3svc
EapHost
FastUserSwitchingCompatibility
gusvc
HidServ
hkmsvc
HTTPFilter
IDriverT
ImapiService
LVSrvLauncher
Messenger
mnmsrvc
MSDTC
MSIServer
napagent
NetDDE
NetDDEdsdm
Netlogon
NtLmSsp
NtmsSvc
ose
RasAuto
RDSessMgr
RemoteAccess
RpcLocator
RSVP
SCardSvr
SwPrv
SysmonLog
TlntSvr
upnphost
UPS
VSS
WinVNC4
WmdmPmSN
Wmi
WmiApSrv
xmlprov


Files Created/Modified - 60 Days:


C:\

Aug 21 2008 12:58:20p 1,046,786,048 A.SH. "C:\hiberfil.sys"
Aug 20 2008 4:52:36p 250,048 A.SHR "C:\ntldr"
Aug 21 2008 12:58:02p 1,572,864,000 A.SH. "C:\pagefile.sys"
Aug 20 2008 1:11:32a 244 A..H. "C:\sqmnoopt12.sqm"
Aug 20 2008 1:53:58a 244 A..H. "C:\sqmnoopt13.sqm"
Aug 19 2008 5:40:36p 244 A..H. "C:\sqmnoopt10.sqm"
Aug 19 2008 6:24:40p 244 A..H. "C:\sqmnoopt11.sqm"
Aug 20 2008 2:53:14a 244 A..H. "C:\sqmnoopt16.sqm"
Aug 18 2008 9:44:20p 244 A..H. "C:\sqmnoopt17.sqm"
Aug 20 2008 2:12:34a 244 A..H. "C:\sqmnoopt14.sqm"
Aug 20 2008 2:15:46a 244 A..H. "C:\sqmnoopt15.sqm"
Aug 19 2008 2:44:26p 244 A..H. "C:\sqmnoopt06.sqm"
Aug 19 2008 3:28:28p 244 A..H. "C:\sqmnoopt07.sqm"
Aug 19 2008 1:16:20p 244 A..H. "C:\sqmnoopt04.sqm"
Aug 19 2008 2:00:22p 244 A..H. "C:\sqmnoopt05.sqm"
Aug 18 2008 10:24:22p 244 A..H. "C:\sqmnoopt18.sqm"
Aug 19 2008 9:36:04a 244 A..H. "C:\sqmnoopt19.sqm"
Aug 19 2008 4:12:32p 244 A..H. "C:\sqmnoopt08.sqm"
Aug 19 2008 4:56:34p 244 A..H. "C:\sqmnoopt09.sqm"
Aug 19 2008 5:40:36p 232 A..H. "C:\sqmdata10.sqm"
Aug 20 2008 2:12:34a 268 A..H. "C:\sqmdata14.sqm"
Aug 19 2008 1:16:20p 232 A..H. "C:\sqmdata04.sqm"
Aug 18 2008 10:24:22p 232 A..H. "C:\sqmdata18.sqm"
Aug 19 2008 4:12:32p 232 A..H. "C:\sqmdata08.sqm"
Aug 19 2008 6:24:40p 232 A..H. "C:\sqmdata11.sqm"
Aug 20 2008 2:15:46a 268 A..H. "C:\sqmdata15.sqm"
Aug 19 2008 2:00:22p 232 A..H. "C:\sqmdata05.sqm"
Aug 19 2008 9:36:04a 232 A..H. "C:\sqmdata19.sqm"
Aug 19 2008 4:56:34p 232 A..H. "C:\sqmdata09.sqm"
Aug 20 2008 1:11:32a 268 A..H. "C:\sqmdata12.sqm"
Aug 20 2008 2:53:14a 268 A..H. "C:\sqmdata16.sqm"
Aug 19 2008 2:44:26p 232 A..H. "C:\sqmdata06.sqm"
Aug 20 2008 1:53:58a 232 A..H. "C:\sqmdata13.sqm"
Aug 18 2008 9:44:20p 232 A..H. "C:\sqmdata17.sqm"
Aug 19 2008 3:28:28p 232 A..H. "C:\sqmdata07.sqm"
Aug 19 2008 10:20:08a 232 A..H. "C:\sqmdata00.sqm"
Aug 19 2008 11:04:10a 232 A..H. "C:\sqmdata01.sqm"
Aug 19 2008 11:48:14a 232 A..H. "C:\sqmdata02.sqm"
Aug 19 2008 12:32:16p 232 A..H. "C:\sqmdata03.sqm"
Aug 19 2008 10:20:08a 244 A..H. "C:\sqmnoopt00.sqm"
Aug 19 2008 11:04:10a 244 A..H. "C:\sqmnoopt01.sqm"
Aug 19 2008 11:48:14a 244 A..H. "C:\sqmnoopt02.sqm"
Aug 19 2008 12:32:16p 244 A..H. "C:\sqmnoopt03.sqm"
Aug 21 2008 12:58:24p 3,432 A.... "C:\TPHKLOCK.TXT"


C:\WINDOWS\

Aug 21 2008 12:58:44p 0 A.... "C:\WINDOWS\0.log"
Aug 21 2008 12:58:22p 2,048 A.S.. "C:\WINDOWS\bootstat.dat"
Jul 5 2008 10:46:48p 136 A.... "C:\WINDOWS\ChssBase.ini"
Aug 20 2008 4:58:38p 373 A.... "C:\WINDOWS\cmsetacl.log"
Aug 20 2008 5:40:08p 204,052 A.... "C:\WINDOWS\comsetup.log"
Aug 20 2008 5:03:52p 359 A.... "C:\WINDOWS\DtcInstall.log"
Aug 20 2008 5:40:08p 586,533 A.... "C:\WINDOWS\FaxSetup.log"
Aug 20 2008 5:40:08p 661,066 A.... "C:\WINDOWS\iis6.log"
Aug 20 2008 5:40:02p 1,374 A.... "C:\WINDOWS\imsins.BAK"
Aug 20 2008 5:40:08p 1,374 A.... "C:\WINDOWS\imsins.log"
Aug 20 2008 9:42:36a 4,194 A.... "C:\WINDOWS\KB944338-v2.log"
Aug 20 2008 9:42:48a 3,779 A.... "C:\WINDOWS\KB950749.log"
Aug 20 2008 5:38:24p 10,674 A.... "C:\WINDOWS\KB950762.log"
Aug 20 2008 5:39:42p 16,060 A.... "C:\WINDOWS\KB950974.log"
Aug 20 2008 5:38:10p 10,700 A.... "C:\WINDOWS\KB951066.log"
Aug 20 2008 5:38:20p 29,074 A.... "C:\WINDOWS\KB951072-v2.log"
Aug 20 2008 5:40:08p 11,592 A.... "C:\WINDOWS\KB951376-v2.log"
Aug 20 2008 5:39:22p 15,257 A.... "C:\WINDOWS\KB951698.log"
Aug 20 2008 5:35:56p 14,939 A.... "C:\WINDOWS\KB951748.log"
Aug 20 2008 5:38:14p 10,443 A.... "C:\WINDOWS\KB952287.log"
Aug 20 2008 5:40:02p 16,586 A.... "C:\WINDOWS\KB952954.log"
Aug 20 2008 5:36:12p 16,425 A.... "C:\WINDOWS\KB953838.log"
Aug 20 2008 5:39:58p 10,508 A.... "C:\WINDOWS\KB953839.log"
Aug 20 2008 5:40:08p 41,523 A.... "C:\WINDOWS\MedCtrOC.log"
Aug 20 2008 5:40:08p 29,380 A.... "C:\WINDOWS\msgsocm.log"
Aug 20 2008 5:40:06p 184,854 A.... "C:\WINDOWS\msmqinst.log"
Aug 20 2008 5:40:08p 103,183 A.... "C:\WINDOWS\netfxocm.log"
Jun 23 2008 11:35:22p 395 A.... "C:\WINDOWS\nsw.log"
Aug 20 2008 7:13:20p 2,237,828 A.... "C:\WINDOWS\ntbtlog.txt"
Aug 20 2008 5:40:08p 121,837 A.... "C:\WINDOWS\ntdtcsetup.log"
Aug 20 2008 5:40:08p 286,349 A.... "C:\WINDOWS\ocgen.log"
Aug 20 2008 5:40:08p 32,510 A.... "C:\WINDOWS\ocmsn.log"
Aug 21 2008 12:22:38p 376 A.... "C:\WINDOWS\ODBC.INI"
Aug 20 2008 5:03:56p 1,868 A.... "C:\WINDOWS\OEWABLog.txt"
Aug 10 2008 11:47:36p 1,409 A.... "C:\WINDOWS\QTFont.for"
Aug 10 2008 11:47:36p 54,156 A..H. "C:\WINDOWS\QTFont.qfn"
Aug 21 2008 12:57:26p 32,642 A.... "C:\WINDOWS\SchedLgU.Txt"
Aug 20 2008 4:58:30p 1,281 A.... "C:\WINDOWS\sessmgr.setup.log"
Aug 21 2008 12:22:38p 179,190 A.... "C:\WINDOWS\setupact.log"
Aug 20 2008 11:44:46p 4,815 A.... "C:\WINDOWS\setupapi.log"
Aug 20 2008 5:00:02p 1,057,463 A.... "C:\WINDOWS\setupapi.log.0.old"
Aug 20 2008 5:03:18p 876,870 A.... "C:\WINDOWS\setuplog.txt"
Aug 20 2008 5:04:16p 69,776 A.... "C:\WINDOWS\spupdsvc.log"
Aug 20 2008 5:03:34p 187 A.... "C:\WINDOWS\spupdsvc.log.1.log"
Aug 20 2008 5:01:32p 551,790 A.... "C:\WINDOWS\svcpack.log"
Aug 20 2008 5:40:08p 30,331 A.... "C:\WINDOWS\tabletoc.log"
Aug 20 2008 5:40:08p 271,598 A.... "C:\WINDOWS\tsoc.log"
Aug 20 2008 5:40:02p 117,725 A.... "C:\WINDOWS\updspapi.log"
Aug 21 2008 12:58:40p 159 A.... "C:\WINDOWS\wiadebug.log"
Aug 21 2008 12:58:46p 49 A.... "C:\WINDOWS\wiaservc.log"
Aug 20 2008 5:37:10p 756 A.... "C:\WINDOWS\win.ini"
Aug 21 2008 12:59:26p 1,086,806 A.... "C:\WINDOWS\WindowsUpdate.log"
Aug 20 2008 5:04:16p 5,073 A.... "C:\WINDOWS\wmsetup.log"
Aug 20 2008 5:04:14p 316,640 A.... "C:\WINDOWS\WMSysPr9.prx"
Aug 20 2008 4:50:38p 8,192 A.... "C:\WINDOWS\$NtServicePackUninstall$\reg00003"
Aug 20 2008 4:50:38p 8,192 A.... "C:\WINDOWS\$NtServicePackUninstall$\reg00004"
...
<NOTE I REMOVED A LONG LIST OF SP3 UNINSTALL FILES HERE TO SAVE SPACE>
...
Aug 20 2008 4:51:20p 8,192 A.... "C:\WINDOWS\$NtServicePackUninstall$\reg02390"
Aug 20 2008 5:03:54p 572 A.... "C:\WINDOWS\Debug\blastcln.log"
Jun 23 2008 11:35:16p 5,733 A.... "C:\WINDOWS\Debug\NetSetup.LOG"
Aug 21 2008 12:58:22p 0 A.... "C:\WINDOWS\Debug\PASSWD.LOG"
Aug 20 2008 11:44:26p 4,676 A.... "C:\WINDOWS\inf\branches.PNF"
Aug 20 2008 4:59:56p 25,780 A.... "C:\WINDOWS\inf\bth.PNF"
Aug 20 2008 11:44:26p 6,224 A.... "C:\WINDOWS\inf\bthprint.PNF"
Aug 20 2008 11:44:26p 5,972 A.... "C:\WINDOWS\inf\bthspp.PNF"
Aug 20 2008 5:00:58p 134,788 A.... "C:\WINDOWS\inf\comnt5.PNF"
Aug 20 2008 11:44:28p 326,568 A.... "C:\WINDOWS\inf\defltwk.PNF"
Aug 20 2008 4:59:56p 222,468 A.... "C:\WINDOWS\inf\drvindex.PNF"
Aug 20 2008 5:00:58p 10,240 A.... "C:\WINDOWS\inf\dtcnt5.PNF"
Aug 20 2008 11:44:28p 334,564 A.... "C:\WINDOWS\inf\dwup.PNF"
Aug 20 2008 11:44:28p 5,004 A.... "C:\WINDOWS\inf\fltmgr.PNF"
Aug 20 2008 5:00:58p 17,568 A.... "C:\WINDOWS\inf\fp40ext.PNF"
Aug 20 2008 5:00:02p 6,796 A.... "C:\WINDOWS\inf\hdaudbus.PNF"
Aug 20 2008 11:44:28p 7,780 A.... "C:\WINDOWS\inf\hidbth.PNF"
Aug 20 2008 11:44:28p 9,476 A.... "C:\WINDOWS\inf\HidDigi.PNF"
Aug 20 2008 11:44:28p 12,720 A.... "C:\WINDOWS\inf\hidserv.PNF"
Aug 20 2008 11:44:28p 83,728 A.... "C:\WINDOWS\inf\ie.PNF"
Aug 20 2008 5:00:58p 4,464 A.... "C:\WINDOWS\inf\ieaccess.PNF"
Aug 20 2008 5:00:58p 971,036 A.... "C:\WINDOWS\inf\iis.PNF"
Aug 20 2008 5:00:58p 105,208 A.... "C:\WINDOWS\inf\ims.PNF"
Aug 20 2008 11:44:38p 1,433,016 A.... "C:\WINDOWS\inf\INFCACHE.1"
Aug 20 2008 11:44:28p 108,916 A.... "C:\WINDOWS\inf\input.PNF"
Aug 20 2008 11:44:30p 432,252 A.... "C:\WINDOWS\inf\intl.PNF"
Aug 20 2008 11:44:30p 28,188 A.... "C:\WINDOWS\inf\irbus.PNF"
Aug 20 2008 11:44:30p 67,708 A.... "C:\WINDOWS\inf\keyboard.PNF"
Aug 20 2008 5:00:56p 2,916 A.... "C:\WINDOWS\inf\koc.PNF"
Aug 20 2008 11:44:30p 91,444 A.... "C:\WINDOWS\inf\ks.PNF"
Aug 20 2008 11:44:30p 43,500 A.... "C:\WINDOWS\inf\kscaptur.PNF"
Aug 20 2008 11:44:30p 24,640 A.... "C:\WINDOWS\inf\ksfilter.PNF"
Aug 20 2008 4:59:54p 1,068,864 A.... "C:\WINDOWS\inf\LAYOUT.PNF"
Aug 20 2008 5:00:02p 187,380 A.... "C:\WINDOWS\inf\machine.PNF"
Aug 20 2008 11:44:30p 30,564 A.... "C:\WINDOWS\inf\mchgr.PNF"
Aug 20 2008 11:44:32p 17,572 A.... "C:\WINDOWS\inf\mdac.PNF"
Aug 20 2008 11:44:32p 40,560 A.... "C:\WINDOWS\inf\mdmbtmdm.PNF"
Aug 20 2008 11:44:32p 108,224 A.... "C:\WINDOWS\inf\mdmirmdm.PNF"
Aug 20 2008 11:44:32p 8,284 A.... "C:\WINDOWS\inf\mpe.PNF"
Aug 20 2008 11:44:32p 49,540 A.... "C:\WINDOWS\inf\mshdc.PNF"
Aug 20 2008 5:03:56p 35,964 A.... "C:\WINDOWS\inf\msoe50.PNF"
Aug 20 2008 11:44:32p 23,816 A.... "C:\WINDOWS\inf\mstape.PNF"
Aug 20 2008 11:44:32p 9,636 A.... "C:\WINDOWS\inf\nabtsfec.PNF"
Aug 20 2008 11:44:32p 9,096 A.... "C:\WINDOWS\inf\ndisip.PNF"
Aug 20 2008 5:01:00p 3,652 A.... "C:\WINDOWS\inf\netbeac.PNF"
Aug 20 2008 5:03:42p 3,704 A.... "C:\WINDOWS\inf\netfw.PNF"
Aug 20 2008 5:01:00p 174,876 A.... "C:\WINDOWS\inf\netfxocm.PNF"
Aug 20 2008 11:44:32p 13,020 A.... "C:\WINDOWS\inf\netip6.PNF"
Aug 20 2008 11:44:34p 20,344 A.... "C:\WINDOWS\inf\netmscli.PNF"
Aug 20 2008 5:00:58p 16,448 A.... "C:\WINDOWS\inf\netoc.PNF"
Aug 20 2008 11:44:34p 45,180 A.... "C:\WINDOWS\inf\netrass.PNF"
Aug 20 2008 11:44:34p 6,800 A.... "C:\WINDOWS\inf\netrndis.PNF"
Aug 20 2008 11:44:34p 39,216 A.... "C:\WINDOWS\inf\nettcpip.PNF"
Aug 20 2008 11:44:34p 6,348 A.... "C:\WINDOWS\inf\nettun.PNF"
Aug 20 2008 11:44:34p 8,932 A.... "C:\WINDOWS\inf\netupnph.PNF"
Aug 20 2008 11:44:34p 7,028 A.... "C:\WINDOWS\inf\netwzc.PNF"
Aug 20 2008 11:44:34p 1,317,388 A.... "C:\WINDOWS\inf\ntprint.PNF"
Aug 20 2008 5:01:00p 4,384 A.... "C:\WINDOWS\inf\oeaccess.PNF"
Aug 20 2008 3:14:02a 0 ...H. "C:\WINDOWS\inf\oem46.inf"
Aug 20 2008 11:44:36p 17,240 A.... "C:\WINDOWS\inf\oobe.PNF"
Aug 20 2008 5:01:00p 14,492 A.... "C:\WINDOWS\inf\p2p.PNF"
Aug 20 2008 11:44:36p 105,552 A.... "C:\WINDOWS\inf\pnpscsi.PNF"
Jul 18 2008 4:58:54p 6,496 A.... "C:\WINDOWS\inf\pxhelp20.PNF"
Aug 20 2008 11:44:36p 11,920 A.... "C:\WINDOWS\inf\qmgr.PNF"
Aug 20 2008 11:44:36p 7,172 A.... "C:\WINDOWS\inf\ramdisk.PNF"
Aug 20 2008 5:03:56p 39,428 A.... "C:\WINDOWS\inf\sceregvl.PNF"
Aug 20 2008 11:44:36p 21,944 A.... "C:\WINDOWS\inf\scsi.PNF"
Aug 20 2008 4:59:56p 10,732 A.... "C:\WINDOWS\inf\sdbus.PNF"
Aug 20 2008 11:44:36p 26,712 A.... "C:\WINDOWS\inf\secrecs.PNF"
Aug 20 2008 4:59:58p 10,036 A.... "C:\WINDOWS\inf\sffdisk.PNF"
Aug 20 2008 11:44:36p 38,476 A.... "C:\WINDOWS\inf\shell.PNF"
Aug 20 2008 11:44:36p 15,720 A.... "C:\WINDOWS\inf\shl_img.PNF"
Aug 20 2008 11:44:36p 9,196 A.... "C:\WINDOWS\inf\slip.PNF"
Aug 20 2008 11:44:36p 36,372 A.... "C:\WINDOWS\inf\smartcrd.PNF"
Aug 20 2008 11:44:36p 11,956 A.... "C:\WINDOWS\inf\streamip.PNF"
Aug 20 2008 11:44:36p 5,724 A.... "C:\WINDOWS\inf\swflash.PNF"
Aug 20 2008 5:00:56p 7,356 A.... "C:\WINDOWS\inf\SYSOC.PNF"
Aug 20 2008 11:44:38p 101,276 A.... "C:\WINDOWS\inf\syssetup.PNF"
Aug 20 2008 5:01:00p 558,428 A.... "C:\WINDOWS\inf\tabletpc.PNF"
Aug 20 2008 11:44:38p 59,804 A.... "C:\WINDOWS\inf\tape.PNF"
Aug 20 2008 11:44:38p 9,424 A.... "C:\WINDOWS\inf\tdibth.PNF"
Aug 20 2008 5:00:58p 131,204 A.... "C:\WINDOWS\inf\tsoc.PNF"
Aug 20 2008 11:44:38p 51,448 A.... "C:\WINDOWS\inf\usbport.PNF"
Aug 20 2008 11:44:38p 20,324 A.... "C:\WINDOWS\inf\usbvideo.PNF"
Aug 20 2008 5:00:56p 14,228 A.... "C:\WINDOWS\inf\wbemoc.PNF"
Aug 20 2008 11:44:38p 74,520 A.... "C:\WINDOWS\inf\wdma_ali.PNF"
Aug 20 2008 11:44:38p 33,508 A.... "C:\WINDOWS\inf\wdma_via.PNF"
Aug 20 2008 4:59:54p 57,172 A.... "C:\WINDOWS\inf\wmp.PNF"
Aug 20 2008 11:44:38p 9,200 A.... "C:\WINDOWS\inf\wstcodec.PNF"
Jul 7 2008 1:26:58p 253,952 A.... "C:\WINDOWS\system32\es.dll"
Aug 20 2008 5:42:52p 204,120 A.... "C:\WINDOWS\system32\FNTCACHE.DAT"
Aug 20 2008 4:47:18p 1,053 A.... "C:\WINDOWS\system32\lvcoinst.log"
Jun 24 2008 9:43:16a 74,240 A.... "C:\WINDOWS\system32\mscms.dll"
Jun 23 2008 8:09:28a 3,067,392 A.... "C:\WINDOWS\system32\mshtml.dll"
Aug 20 2008 6:31:20p 1,786 A.... "C:\WINDOWS\system32\PerfStringBackup.TMP"
Jun 26 2008 1:15:30a 1,499,136 A.... "C:\WINDOWS\system32\shdocvw.dll"
Aug 20 2008 5:03:32p 255 A.... "C:\WINDOWS\system32\spupdwxp.log"
Aug 21 2008 11:07:20a 384 A.... "C:\WINDOWS\system32\TPAPSLOG.LOG"
Aug 21 2008 12:58:42p 2,560 A.... "C:\WINDOWS\system32\TPHDLOG0.LOG"
Jul 11 2008 5:42:28a 62,976 ..... "C:\WINDOWS\system32\tzchange.exe"
Aug 20 2008 5:38:16p 349,202 A.... "C:\WINDOWS\system32\TZLog.log"
Jun 26 2008 1:15:30a 619,520 A.... "C:\WINDOWS\system32\urlmon.dll"
Jun 23 2008 8:09:28a 666,112 A.... "C:\WINDOWS\system32\wininet.dll"
Aug 20 2008 11:23:08a 13,588 A.... "C:\WINDOWS\system32\wpa.bak"
Aug 21 2008 12:58:44p 13,646 A.... "C:\WINDOWS\system32\wpa.dbl"
Aug 21 2008 12:58:48p 302 A.... "C:\WINDOWS\Tasks\PMTask.job"
Aug 21 2008 12:58:30p 6 A..H. "C:\WINDOWS\Tasks\SA.DAT"
Aug 21 2008 1:19:12p 3,845 A.... "C:\WINDOWS\Temp\LVCOMSX.LOG"
Aug 21 2008 1:23:38p 37,695 A.... "C:\WINDOWS\Temp\scs4.tmp"
Aug 20 2008 4:58:12p 4,828 A.... "C:\WINDOWS\$NtServicePackUninstall$\spuninst\Service Pack 3.asms"
Aug 20 2008 5:01:00p 1,161,355 A.... "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.inf"
Aug 20 2008 4:51:20p 508,435 A.... "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.txt"
Aug 20 2008 10:12:10a 562,784 A.... "C:\WINDOWS\Debug\Setup\UpdSh.bak"
Aug 20 2008 5:01:12p 543,504 A.... "C:\WINDOWS\Debug\Setup\UpdSh.log"
Jul 1 2008 9:02:24p 308,376 A.... "C:\WINDOWS\Debug\UserMode\userenv.bak"
Aug 21 2008 12:58:22p 231,232 A.... "C:\WINDOWS\Debug\UserMode\userenv.log"
Aug 20 2008 5:01:02p 1,056,768 A.... "C:\WINDOWS\security\Database\Service Pack 3.sdb"
Aug 20 2008 5:03:52p 732 A.... "C:\WINDOWS\security\logs\scecomp.old"
Aug 20 2008 5:01:02p 7,168 A.... "C:\WINDOWS\security\logs\update.log"
Jul 7 2008 1:26:58p 253,952 ..... "C:\WINDOWS\system32\dllcache\es.dll"
Jun 24 2008 9:43:16a 74,240 ..... "C:\WINDOWS\system32\dllcache\mscms.dll"
Jun 23 2008 8:09:28a 3,067,392 ..... "C:\WINDOWS\system32\dllcache\mshtml.dll"
Jun 26 2008 1:15:30a 1,499,136 ..... "C:\WINDOWS\system32\dllcache\shdocvw.dll"
Jun 26 2008 1:15:30a 619,520 ..... "C:\WINDOWS\system32\dllcache\urlmon.dll"
Aug 20 2008 6:19:36p 578,560 A.... "C:\WINDOWS\system32\dllcache\user32.dll"
Jun 23 2008 8:09:28a 666,112 ..... "C:\WINDOWS\system32\dllcache\wininet.dll"
Aug 20 2008 3:01:22a 156 A.... "C:\WINDOWS\system32\GroupPolicy\gpt.ini"
Aug 20 2008 5:03:14p 3,201 A.... "C:\WINDOWS\system32\oobe\agtscrp2.js"
Aug 20 2008 5:03:14p 9,607 A.... "C:\WINDOWS\system32\oobe\oobeutil.js"
Aug 20 2008 5:03:14p 32,004 A.... "C:\WINDOWS\system32\oobe\updshell.htm"
Aug 20 2008 4:58:12p 500 A.... "C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63.Manifest"
Aug 20 2008 4:58:10p 1,237 A.... "C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.SystemCompatible_6595b64144ccf1df_5.1.2600.2000_x-ww_bcc9a281.Manifest"
Aug 20 2008 4:58:12p 1,822 A.... "C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a.Manifest"
Aug 20 2008 4:58:10p 1,883 A.... "C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7.Manifest"
Aug 20 2008 4:58:10p 1,187 A.... "C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95.Manifest"
Aug 20 2008 4:58:10p 460 A.... "C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0.Manifest"
Aug 20 2008 4:58:12p 1,862 A.... "C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83.Manifest"
Aug 20 2008 4:58:10p 397 A.... "C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c.Manifest"
Aug 20 2008 4:46:12p 0 A.... "C:\WINDOWS\Debug\Setup\Backup\HDAUDIO_Backup.bak"
Aug 20 2008 4:46:12p 4 A.... "C:\WINDOWS\Debug\Setup\Backup\INTPPM_Backup.bak"
Aug 20 2008 5:00:10p 14,688,256 A.... "C:\WINDOWS\pchealth\helpctr\Database\HCdata.edb"
Aug 20 2008 4:59:42p 2,974,155 A.... "C:\WINDOWS\pchealth\helpctr\Indices\merged.hhk"
Aug 20 2008 4:59:42p 13,328 A.... "C:\WINDOWS\pchealth\helpctr\Indices\scoped_2.hhk"
Aug 20 2008 4:59:42p 16,703 A.... "C:\WINDOWS\pchealth\helpctr\Indices\scoped_3.hhk"
Aug 20 2008 4:58:44p 1,442 A.... "C:\WINDOWS\pchealth\helpctr\System\sysinfo\graphics\47x24pie\90_chart.gif"
Aug 20 2008 4:58:44p 1,445 A.... "C:\WINDOWS\pchealth\helpctr\System\sysinfo\graphics\47x24pie\95_chart.gif"
Aug 20 2008 4:58:50p 5,231 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\common.js"
Aug 20 2008 4:58:50p 5,403 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\ConnIssue.htm"
Aug 20 2008 4:58:48p 2,151 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\constants.js"
Aug 20 2008 4:58:48p 234 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\icon_information_32x.gif"
Aug 20 2008 4:58:48p 219 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\icon_warning_32x.gif"
Aug 20 2008 4:58:48p 1,633 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\LearnInternet.htm"
Aug 20 2008 4:58:48p 2,317 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\RAHelp.htm"
Aug 20 2008 4:58:50p 5,930 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common\RCMoreInfo.htm"
Aug 20 2008 4:58:48p 1,369 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Css\RAChat.css"
Aug 20 2008 4:58:48p 2,442 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Css\rc.css"
Aug 20 2008 4:58:48p 1,308 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Css\rcbuddy.css"
Aug 20 2008 4:59:52p 5,403 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Windows Component Publisher,L=Redmond,S=Washington,C=US\Remote Assistance\Common\ConnIssue.htm"
Aug 20 2008 4:59:52p 5,930 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Windows Component Publisher,L=Redmond,S=Washington,C=US\Remote Assistance\Common\rcmoreinfo.htm"
Aug 20 2008 4:58:48p 102 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\address_book.gif"
Aug 20 2008 4:58:48p 1,074 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\arrow.gif"
Aug 20 2008 4:58:48p 690 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\attention.gif"
Aug 20 2008 4:58:48p 384 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\buddy_offline.gif"
Aug 20 2008 4:58:48p 387 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\buddy.gif"
Aug 20 2008 4:58:48p 608 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\buddy_attention.gif"
Aug 20 2008 4:58:48p 382 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\buddy_away.gif"
Aug 20 2008 4:58:48p 373 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\buddy_busy.gif"
Aug 20 2008 4:58:48p 910 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\buddy_none.gif"
Aug 20 2008 4:58:48p 111 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\Envelope.gif"
Aug 20 2008 4:58:48p 159 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\floppy.gif"
Aug 20 2008 4:58:48p 1,047 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\generic_mail.gif"
Aug 20 2008 4:58:48p 321 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\icon_extweb.gif"
Aug 20 2008 4:58:48p 139 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\IM_icon.gif"
Aug 20 2008 4:58:48p 227 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\info.gif"
Aug 20 2008 4:58:48p 3,169 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\logon_anim.gif"
Aug 20 2008 4:58:48p 1,473 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\messenger_big.gif"
Aug 20 2008 4:58:48p 7,066 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\monitor_left.gif"
Aug 20 2008 4:58:48p 8,509 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\monitor_right.gif"
Aug 20 2008 4:58:48p 180 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\outlook.gif"
Aug 20 2008 4:58:48p 410 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\outlook_express.gif"
Aug 20 2008 4:58:48p 3,332 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\rcConnection.htm"
Aug 20 2008 4:58:48p 2,630 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\rcscreen1.htm"
Aug 20 2008 4:58:48p 4,437 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\rcscreen2.htm"
Aug 20 2008 4:58:48p 321 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\rcscreen3.htm"
Aug 20 2008 4:58:48p 53,542 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\Remote_Assistance_Graphic.png"
Aug 20 2008 4:58:48p 51 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common\square_bullet.gif"
Aug 20 2008 4:58:48p 137 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\check.gif"
Aug 20 2008 4:58:50p 3,425 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\escalationhelp.htm"
Aug 20 2008 4:58:48p 254 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\help.gif"
Aug 20 2008 4:58:48p 4,805 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcDetails.htm"
Aug 20 2008 4:58:50p 8,096 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen7.htm"
Aug 20 2008 4:58:48p 7,662 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen8.htm"
Aug 20 2008 4:58:48p 8,445 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen9.htm"
Aug 20 2008 4:58:48p 5,207 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcInviteStatus.htm"
Aug 20 2008 4:58:48p 14,603 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreenshot3.gif"
Aug 20 2008 4:58:48p 4,374 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen4.htm"
Aug 20 2008 4:58:48p 14,765 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen5.htm"
Aug 20 2008 4:58:50p 30,465 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen6.htm"
Aug 20 2008 4:58:48p 1,290 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen6_head.htm"
Aug 20 2008 4:58:50p 3,282 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\ShieldsUpMsg.htm"
Aug 20 2008 4:58:48p 13,433 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Unsolicited\UnSolicitedRCUI.htm"
Aug 20 2008 4:59:52p 3,425 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Windows Component Publisher,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\escalationhelp.htm"
Aug 20 2008 4:59:52p 8,096 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Windows Component Publisher,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen7.htm"
Aug 20 2008 4:59:52p 30,915 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Windows Component Publisher,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen6.htm"
Aug 20 2008 4:59:52p 3,282 A.... "C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Windows Component Publisher,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\ShieldsUpMsg.htm"


C:\Program Files\

Jul 16 2008 10:13:12p 13,952 A.... "C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll"
Jul 16 2008 10:13:14p 7,667,312 A.... "C:\Program Files\Mozilla Firefox\firefox.exe"
Jul 16 2008 10:13:14p 200,829 A.... "C:\Program Files\Mozilla Firefox\freebl3.dll"
Jul 16 2008 10:13:14p 458,856 A.... "C:\Program Files\Mozilla Firefox\js3250.dll"
Jul 16 2008 10:13:16p 161,392 A.... "C:\Program Files\Mozilla Firefox\nspr4.dll"
Jul 16 2008 10:13:16p 382,568 A.... "C:\Program Files\Mozilla Firefox\nss3.dll"
Jul 16 2008 10:13:16p 276,080 A.... "C:\Program Files\Mozilla Firefox\nssckbi.dll"
Jul 16 2008 10:13:16p 34,424 A.... "C:\Program Files\Mozilla Firefox\plc4.dll"
Jul 16 2008 10:13:16p 30,320 A.... "C:\Program Files\Mozilla Firefox\plds4.dll"
Jul 16 2008 10:13:16p 112,232 A.... "C:\Program Files\Mozilla Firefox\smime3.dll"
Jul 16 2008 10:13:16p 254,060 A.... "C:\Program Files\Mozilla Firefox\softokn3.dll"
Jul 16 2008 10:13:16p 136,808 A.... "C:\Program Files\Mozilla Firefox\ssl3.dll"
Jul 16 2008 10:13:18p 132,232 A.... "C:\Program Files\Mozilla Firefox\updater.exe"
Jul 16 2008 10:13:18p 13,416 A.... "C:\Program Files\Mozilla Firefox\xpcom.dll"
Jul 16 2008 10:13:18p 73,848 A.... "C:\Program Files\Mozilla Firefox\xpcom_compat.dll"
Jul 16 2008 10:13:18p 422,000 A.... "C:\Program Files\Mozilla Firefox\xpcom_core.dll"
Jul 16 2008 10:13:18p 73,336 A.... "C:\Program Files\Mozilla Firefox\xpicleanup.exe"
Jul 16 2008 10:13:18p 12,400 A.... "C:\Program Files\Mozilla Firefox\xpistub.dll"
Jul 13 2008 3:40:36p 127,376 A.... "C:\Program Files\Picasa2\Uninstall.exe"
Jun 29 2008 11:44:20p 3,612,656 A.... "C:\Program Files\Microsoft Office\OFFICE11\OUTLFLTR.DAT"
Jul 3 2008 6:33:40p 6,421,512 A.... "C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE"
Jul 3 2008 6:36:56p 12,313,096 A.... "C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE"
Aug 20 2008 11:45:42p 146,967 A.... "C:\Program Files\Mozilla Firefox\components\compreg.dat"
Jul 16 2008 10:13:12p 67,696 A.... "C:\Program Files\Mozilla Firefox\components\jar50.dll"
Jul 16 2008 10:13:12p 54,376 A.... "C:\Program Files\Mozilla Firefox\components\jsd3250.dll"
Jul 16 2008 10:13:12p 34,952 A.... "C:\Program Files\Mozilla Firefox\components\myspell.dll"
Jul 16 2008 10:13:12p 46,720 A.... "C:\Program Files\Mozilla Firefox\components\spellchk.dll"
Jul 16 2008 10:13:12p 172,144 A.... "C:\Program Files\Mozilla Firefox\components\xpinstal.dll"
Aug 20 2008 11:45:40p 95,003 A.... "C:\Program Files\Mozilla Firefox\components\xpti.dat"
Jul 16 2008 10:13:16p 22,664 A.... "C:\Program Files\Mozilla Firefox\plugins\npnul32.dll"
Jul 16 2008 10:13:16p 450,936 A.... "C:\Program Files\Mozilla Firefox\uninstall\helper.exe"
Jul 13 2008 3:40:56p 3 A.... "C:\Program Files\Picasa2\runtime\hlpsys.dll"
Aug 21 2008 12:58:42p 128,832 A.... "C:\Program Files\Sygate\SPF\Default.dat"
Aug 21 2008 12:58:42p 128,832 A.... "C:\Program Files\Sygate\SPF\stddef.dat"
Aug 21 2008 12:58:54p 2,912 A.... "C:\Program Files\Sygate\SPF\StdState.dat"
Aug 21 2008 12:58:54p 2,912 A.... "C:\Program Files\Sygate\SPF\TState.dat"
Aug 20 2008 1:22:12a 396,288 A.... "C:\Program Files\test55\ht\jojo.exe"
Aug 21 2008 1:03:32p 396,288 A.... "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe"
Aug 20 2008 1:09:54a 32 A.... "C:\Program Files\Yahoo!\Messenger\ystats_B.dat"
Aug 19 2008 11:51:20p 110 A.... "C:\Program Files\Yahoo!\Messenger\Cache\vQVVCHwlBkNqPKP6Dj4h4g--.Display.dat"
Aug 19 2008 11:49:02p 0 A.... "C:\Program Files\Yahoo!\Messenger\Cache\vQVVCHwlBkNqPKP6Dj4h4g--.ProfileMap.dat.tmp"
Jul 14 2008 4:32:36p 0 A.... "C:\Program Files\Yahoo!\Messenger\Cache\zXdnRdW0QMkxLx8rJRgugw--.ProfileMap.dat.tmp"
Aug 19 2008 11:49:12p 344 A.... "C:\Program Files\Yahoo!\Messenger\Profiles\<removed for privacy>\iconindex.dat"


Files with hidden attributes:

Thu 1 Nov 2007 59,392 A..H. --- "C:\WINDOWS\system32\zzz-was-ESaudio.exe"

<You can see I renamed this file>


Program Folders:

C:\Program Files\

3ivx
ACD Systems
Adobe
Analog Devices
ArcSoft
Brutal Chess
Canon
ChessBase
Common Files
ComPlus Applications
CONEXANT
Digital Line Detect
Foxit Software
FritzAndChesster2
Google
InstallShield Installation Information
Intel
Internet Explorer
I-SPY-Treasure-Hunt
Java
Lavasoft
Lenovo
Logitech
mediaplayerclassic
Microsoft ActiveSync
Microsoft CAPICOM 2.1.0.2
microsoft frontpage
Microsoft Office
Movie Maker
Mozilla Firefox
MSN
MSN Gaming Zone
muvee Technologies
NetMeeting
NetWaiting
Online Services
Outlook Express
PeaZip
Picasa2
QuickTime Alternative
Real Alternative
RealVNC
Research In Motion
ScanSoft
Skype
Sygate
Synaptics
test55
ThinkPad
Trend Micro
Uninstall Information
Windows Media Player
Windows NT
WindowsUpdate
xerox
Yahoo!

C:\Program Files\Common Files\

ACD Systems
Adobe
DESIGNER
InstallShield
Java
LogiShrd
Microsoft Shared
MSSoap
muvee Technologies
ODBC
Research In Motion
ScanSoft Shared
Services
Skype
SpeechEngines
System
WindowsLiveInstaller
Wise Installation Wizard


Add/Remove Programs:

3ivx MPEG-4 5.0.1 Decoder (remove only)
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Photoshop 7.0
Adobe Shockwave Player
BlackBerry Desktop Software 4.2
Brutal Chess
ThinkPad Modem
Foxit Reader
Google Calendar Sync
Intel® Graphics Media Accelerator Driver
HijackThis 2.0.2
High Definition Audio Driver Package - KB888111
Windows Genuine Advantage Validation Tool (KB892130)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for CAPICOM (KB931906)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Update for Windows XP (KB951072-v2)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Hotfix for Windows XP (KB952287)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Logitech Legacy USB Camera Driver Package
Logitech QuickCam Driver Package
Mozilla Firefox (2.0.0.16)
On Screen Display
PeaZip 1.9.2
Picasa 2
ThinkPad Power Management Driver
Intel® PRO Network Connections Drivers
QuickTime Alternative 1.77
Real Alternative 1.51
VNC Free Edition 4.1.2
Scholastic's I SPY Treasure Hunt
ThinkPad UltraNav Driver
ThinkPad FullScreen Magnifier
Windows Genuine Advantage Validation Tool (KB892130)
Windows XP Service Pack 3
Yahoo! Messenger
ArcSoft PhotoStudio 5
Security Update for CAPICOM (KB931906)
ThinkPad EasyEject Utility
ThinkPad UltraNav Utility
ThinkPad Keyboard Customizer Utility
Java™ 6 Update 3
MVision
BlackBerry Desktop Software 4.2
ThinkVantage Active Protection System
ACDSee 5.0 PowerPack
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
Skype™ 3.2
OmniPage SE
Presentation Director
Windows Media Player Firefox Plugin
Internet Chess
muvee Plugin 1.0
Learn to Play Chess with Fritz and Chesster 2
Microsoft Office Professional Edition 2003
Logitech QuickCam
ThinkPad Wireless LAN Adapters Software (11a/b, 11b/g, 11a/b/g)
ThinkPad Power Manager
Microsoft Visual C++ 2005 Redistributable
Canon CanoScan Toolbox 4.1
Ad-Aware
SoundMAX
Sygate Personal Firewall
Manual CanoScan 5000,5000F,8000F


Run Values:

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe /tray"
"TPKMAPHELPER"="C:\\Program Files\\ThinkPad\\Utilities\\TpKmapAp.exe -helper"
"TPHOTKEY"="C:\\Program Files\\Lenovo\\HOTKEY\\TPOSDSVC.exe"
"PWRMGRTR"="rundll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\PWRMGRTR.DLL,PwrMgrBkGndMonitor"
"BLOG"="rundll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\BatLogEx.DLL,StartBattLog"
"TPFNF7"="C:\\Program Files\\Lenovo\\NPDIRECT\\TPFNF7SP.exe /r"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"TpShocks"="TpShocks.exe"
"EZEJMNAP"="C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\EzEjMnAp.Exe"
"Omnipage"="C:\\Program Files\\ScanSoft\\OmniPageSE\\opware32.exe"
"LogitechCommunicationsManager"="\"C:\\Program Files\\Common Files\\LogiShrd\\LComMgr\\Communications_Helper.exe\""
"LogitechQuickCamRibbon"="\"C:\\Program Files\\Logitech\\QuickCam\\Quickcam.exe\" /hide"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


Bot Check:

SERVICE_NAME: wscsvc
DISPLAY_NAME : Security Center
START_TYPE : 2 AUTO_START

SERVICE_NAME: sharedaccess
DISPLAY_NAME : Windows Firewall/Internet Connection Sharing (ICS)
START_TYPE : 2 AUTO_START

SERVICE_NAME: wuauserv
DISPLAY_NAME : Automatic Updates
START_TYPE : 2 AUTO_START

SERVICE_NAME: srservice
DISPLAY_NAME : System Restore Service
START_TYPE : 2 AUTO_START

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"AUOptions"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"WaitToKillServiceTimeout"="20000"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:00000000
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\SYSTEM32\\Userinit.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shell extensions]



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"TransportBindName"="\\Device\\"


ShellExecuteHooks:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""



Environment:


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\environment
ComSpec REG_EXPAND_SZ %SystemRoot%\system32\cmd.exe
Path REG_EXPAND_SZ %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
windir REG_EXPAND_SZ %SystemRoot%
OS REG_SZ Windows_NT
PATHEXT REG_SZ .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
TEMP REG_EXPAND_SZ %SystemRoot%\TEMP
TMP REG_EXPAND_SZ %SystemRoot%\TEMP

SecurityProviders:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
SecurityProviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Authentication Packages:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0


Subsystem Startup:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Windows"="%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"


Midi Drivers:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midi"="wdmaud.drv"


Non-Default IFEO Debugger:


Non-Default Installed Components:


Non-Default Safeboot Minimal:


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice
<NO NAME> REG_SZ Service


File Associations:


[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\cmdfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\htafile\shell\open\command]
@="C:\\WINDOWS\\system32\\mshta.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\http\shell\open\command]
@="C:\\PROGRA~1\\MOZILL~1\\FIREFOX.EXE -requestPending -osint -url \"%1\""

[HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" -nohome"

[HKEY_CLASSES_ROOT\regedit\shell\open\command]
@="regedit.exe %1"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\system32\NOTEPAD.EXE %1"


Finished!


#2 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:09:02 AM

Posted 06 September 2008 - 11:30 PM

Hello, dcarwin.
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)

I want to apologise that it has taken so long to get back to you. We on the HJT Team are working as fast as possible to get your log answered.

If you would still like help, please post a new HiJack This log below, as things may have changed on your system.

If you do not still need help, please let me know, so that I can move on to other users who still need help.

In the future, DO NOT run specialized tools such as SDFix/ComboFix without first consulting here. These tools can severely harm your system when they are not used properly!!

Please take note of the following:
  • While a HJT Team member is working with you, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Please reply using the Posted Image button in the lower left hand corner of your screen.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished" :).
Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 dcarwin

dcarwin
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:09:02 AM

Posted 07 September 2008 - 11:20 PM

Hello, dcarwin.
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you.


Thanks Billy. I am baffled by this one, I hope we can remove it.

My name is Dan.

I want to apologise that it has taken so long to get back to you. We on the HJT Team are working as fast as possible to get your log answered.


Not an issue. This is a free service and there are a lot of folks with infections out there.

If you would still like help, please post a new HiJack This log below, as things may have changed on your system.


Posted below. The system has been turned off the whole time, so I expect the logs are identical.

In the future, DO NOT run specialized tools such as SDFix/ComboFix without first consulting here. These tools can severely harm your system when they are not used properly!!


Understood and acknowledged, however the script has been useful so far and I am good at following instructions. It can't be worse than this stinking infection. :)

HJT Log 9-5-08

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:11:55 PM, on 9/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\PROGRA~1\Sygate\SPF\smc.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\test55\ht\jojo.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-21-299502267-854245398-725345543-1003\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User 'annapy')
O4 - HKUS\S-1-5-21-299502267-854245398-725345543-1003\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User 'annapy')
O4 - HKUS\S-1-5-21-299502267-854245398-725345543-1003\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'annapy')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192779822406
O17 - HKLM\System\CCS\Services\Tcpip\..\{93008F3B-85B5-41D8-B1FB-9225D9F2B837}: NameServer = 208.201.224.11,208.201.224.33
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 6350 bytes

#4 Billy O'Neal
    Visual C++ STL Maintainer
  • Malware Response Team

Posted 08 September 2008 - 05:44 AM

Hello, Dan.
We need to create an OTViewIt Report
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the OTViewIt icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open; copy and paste them in a reply here:
  • OTViewIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Please do an online scan with Kaspersky WebScanner.
  • Please visit the Kaspersky Online Scanner website.
    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply, please include the following:
  • OTViewIt.txt
  • Extra.txt
  • Kaspersky's Log

Billy3

#5 dcarwin
  • Topic Starter
  • Members

Posted 08 September 2008 - 01:54 PM

OTVIEWIT.txt
===
OTViewIt logfile created on: 9/8/2008 11:48:59 AM - Run 1
OTViewIt by OldTimer - Version 1.0.1.8 Folder = C:\Documents and Settings\dcarwin\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

998.22 Mb Total Physical Memory | 558.23 Mb Available Physical Memory | 55.92% Memory free
2.35 Gb Paging File | 1.86 Gb Available in Paging File | 79.15% Paging File free
Paging file location(s): C:\pagefile.sys 1500 3000;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.16 Gb Total Space | 68.78 Gb Free Space | 73.84% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 1.97 Gb Total Space | 1.57 Gb Free Space | 79.63% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ANNA-T61
Current User Name: dcarwin
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On

===== Processes - Non-Microsoft Only =====

[05/31/2007 07:02 PM | 00,036,400 | ---- | M] (Lenovo) - C:\WINDOWS\system32\ibmpmsvc.exe
[10/15/2004 07:40 PM | 02,577,632 | ---- | M] (Sygate Technologies, Inc.) - C:\Program Files\Sygate\SPF\Smc.exe
[10/19/2007 02:19 PM | 00,141,848 | ---- | M] (Logitech Inc.) - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
[03/21/2007 01:42 PM | 00,364,629 | ---- | M] (Atheros) - C:\WINDOWS\system32\acs.exe
[10/19/2007 02:17 PM | 00,186,904 | ---- | M] (Logitech Inc.) - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
[03/02/2007 05:49 PM | 00,037,680 | ---- | M] (Lenovo.) - C:\WINDOWS\system32\TPHDEXLG.exe
[06/29/2006 09:57 PM | 00,032,768 | ---- | M] () - C:\WINDOWS\system32\TpKmpSvc.exe
[10/19/2007 02:17 PM | 00,186,904 | ---- | M] (Logitech Inc.) - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
[03/09/2007 02:49 PM | 00,066,176 | ---- | M] (Lenovo Group Limited) - C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
[04/10/2007 03:03 AM | 00,058,416 | ---- | M] (Lenovo Group Limited) - C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
[08/10/2007 06:30 PM | 00,110,592 | ---- | M] (Synaptics, Inc.) - C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
[03/08/2007 01:16 PM | 00,073,776 | ---- | M] (Lenovo Group Limited) - C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
[08/10/2007 06:30 PM | 00,512,000 | ---- | M] (Synaptics, Inc.) - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[03/29/2007 06:40 PM | 00,181,808 | ---- | M] (Lenovo.) - C:\WINDOWS\system32\TpShocks.exe
[09/06/2006 04:39 PM | 00,091,688 | ---- | M] (Lenovo Group Limited) - C:\Program Files\Lenovo\ZOOM\TpScrex.exe
[04/27/2007 02:33 AM | 00,243,248 | ---- | M] (Lenovo Group Ltd.) - C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
[06/03/2002 12:38 PM | 00,049,152 | ---- | M] (ScanSoft, Inc) - C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
[10/25/2007 05:33 PM | 00,563,984 | ---- | M] () - C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
[10/25/2007 05:37 PM | 02,178,832 | ---- | M] () - C:\Program Files\Logitech\QuickCam\Quickcam.exe
[10/25/2007 05:32 PM | 00,407,824 | ---- | M] (Logitech Inc.) - C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
[10/19/2007 02:17 PM | 00,186,904 | ---- | M] (Logitech Inc.) - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
[03/09/2007 02:49 PM | 00,066,176 | ---- | M] (Lenovo Group Limited) - C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
[04/10/2007 03:03 AM | 00,058,416 | ---- | M] (Lenovo Group Limited) - C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
[08/10/2007 06:30 PM | 00,110,592 | ---- | M] (Synaptics, Inc.) - C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
[03/08/2007 01:16 PM | 00,073,776 | ---- | M] (Lenovo Group Limited) - C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
[08/10/2007 06:30 PM | 00,512,000 | ---- | M] (Synaptics, Inc.) - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[09/06/2006 04:39 PM | 00,091,688 | ---- | M] (Lenovo Group Limited) - C:\Program Files\Lenovo\ZOOM\TpScrex.exe
[03/29/2007 06:40 PM | 00,181,808 | ---- | M] (Lenovo.) - C:\WINDOWS\system32\TpShocks.exe
[04/27/2007 02:33 AM | 00,243,248 | ---- | M] (Lenovo Group Ltd.) - C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
[06/03/2002 12:38 PM | 00,049,152 | ---- | M] (ScanSoft, Inc) - C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
[10/25/2007 05:33 PM | 00,563,984 | ---- | M] () - C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
[10/25/2007 05:37 PM | 02,178,832 | ---- | M] () - C:\Program Files\Logitech\QuickCam\Quickcam.exe
[06/08/2007 03:18 PM | 23,233,576 | R--- | M] (Skype Technologies S.A.) - C:\Program Files\Skype\Phone\Skype.exe
[10/25/2007 05:32 PM | 00,407,824 | ---- | M] (Logitech Inc.) - C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
[06/08/2007 03:18 PM | 01,928,136 | R--- | M] (Skype Technologies) - C:\Program Files\Skype\Plugin Manager\skypePM.exe
[07/16/2008 10:13 PM | 07,667,312 | ---- | M] (Mozilla Corporation) - C:\Program Files\Mozilla Firefox\firefox.exe
[10/19/2007 02:17 PM | 00,186,904 | ---- | M] (Logitech Inc.) - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
[03/09/2007 02:49 PM | 00,066,176 | ---- | M] (Lenovo Group Limited) - C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
[04/10/2007 03:03 AM | 00,058,416 | ---- | M] (Lenovo Group Limited) - C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
[08/10/2007 06:30 PM | 00,110,592 | ---- | M] (Synaptics, Inc.) - C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
[03/08/2007 01:16 PM | 00,073,776 | ---- | M] (Lenovo Group Limited) - C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
[09/06/2006 04:39 PM | 00,091,688 | ---- | M] (Lenovo Group Limited) - C:\Program Files\Lenovo\ZOOM\TpScrex.exe
[08/10/2007 06:30 PM | 00,512,000 | ---- | M] (Synaptics, Inc.) - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[03/29/2007 06:40 PM | 00,181,808 | ---- | M] (Lenovo.) - C:\WINDOWS\system32\TpShocks.exe
[04/27/2007 02:33 AM | 00,243,248 | ---- | M] (Lenovo Group Ltd.) - C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
[06/03/2002 12:38 PM | 00,049,152 | ---- | M] (ScanSoft, Inc) - C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
[10/25/2007 05:33 PM | 00,563,984 | ---- | M] () - C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
[10/25/2007 05:37 PM | 02,178,832 | ---- | M] () - C:\Program Files\Logitech\QuickCam\Quickcam.exe
[10/15/2004 07:40 PM | 02,577,632 | ---- | M] (Sygate Technologies, Inc.) - C:\Program Files\Sygate\SPF\Smc.exe
[10/25/2007 05:32 PM | 00,407,824 | ---- | M] (Logitech Inc.) - C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe

===== Win32 Services - Non-Microsoft Only =====

(acs) Atheros Configuration Service [Auto | Running]
[03/21/2007 01:42 PM | 00,364,629 | ---- | M] (Atheros) - C:\WINDOWS\system32\acs.exe

(IBMPMSVC) ThinkPad PM Service [Auto | Running]
[05/31/2007 07:02 PM | 00,036,400 | ---- | M] (Lenovo) - C:\WINDOWS\system32\ibmpmsvc.exe

(LVCOMSer) LVCOMSer [Auto | Running]
[10/19/2007 02:17 PM | 00,186,904 | ---- | M] (Logitech Inc.) - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

(LVPrcSrv) Process Monitor [Auto | Running]
[10/19/2007 02:19 PM | 00,141,848 | ---- | M] (Logitech Inc.) - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

(LVSrvLauncher) LVSrvLauncher [Auto | Stopped]
[10/19/2007 02:21 PM | 00,141,848 | ---- | M] (Logitech Inc.) - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe

(SmcService) Sygate Personal Firewall [Auto | Running]
[10/15/2004 07:40 PM | 02,577,632 | ---- | M] (Sygate Technologies, Inc.) - C:\Program Files\Sygate\SPF\Smc.exe

(TPHDEXLGSVC) ThinkPad HDD APS Logging Service [Auto | Running]
[03/02/2007 05:49 PM | 00,037,680 | ---- | M] (Lenovo.) - C:\WINDOWS\system32\TPHDEXLG.exe

(TpKmpSVC) IBM KCU Service [Auto | Running]
[06/29/2006 09:57 PM | 00,032,768 | ---- | M] () - C:\WINDOWS\system32\TpKmpSvc.exe

(WinVNC4) VNC Server Version 4 [On_Demand | Stopped]
[05/12/2006 03:04 PM | 00,439,248 | ---- | M] (RealVNC Ltd.) - C:\Program Files\RealVNC\VNC4\winvnc4.exe

===== Driver Services - Non-Microsoft Only =====

(AR5211) Atheros Wireless Network Adapter Service [On_Demand | Running]
[04/05/2007 07:19 AM | 00,546,112 | ---- | M] (Atheros Communications, Inc.) - C:\WINDOWS\system32\drivers\ar5211.sys

(catchme) catchme [On_Demand | Stopped]
File not found - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys

(IBMPMDRV) IBMPMDRV [On_Demand | Running]
[05/31/2007 07:01 PM | 00,021,424 | ---- | M] (Lenovo.) - C:\WINDOWS\system32\drivers\ibmpmdrv.sys

(LVcKap) Logitech AEC Driver [On_Demand | Stopped]
[10/19/2007 02:16 PM | 02,109,976 | ---- | M] (Logitech Inc.) - C:\WINDOWS\system32\drivers\Lvckap.sys

(LVMVDrv) Logitech Machine Vision Engine Loader [On_Demand | Stopped]
[10/11/2007 07:59 PM | 02,142,488 | ---- | M] (Logitech Inc.) - C:\WINDOWS\system32\drivers\LVMVdrv.sys

(LVPr2Mon) Logitech LVPr2Mon Driver [On_Demand | Running]
[10/11/2007 07:59 PM | 00,025,624 | ---- | M] () - C:\WINDOWS\system32\drivers\LVPr2Mon.sys

(LVUSBSta) Logitech USB Monitor Filter [On_Demand | Stopped]
[10/11/2007 07:00 PM | 00,041,752 | ---- | M] (Logitech Inc.) - C:\WINDOWS\system32\drivers\LVUSBSta.sys

(PID_0928) Logitech QuickCam Express(PID_0928) [On_Demand | Stopped]
[10/11/2007 06:56 PM | 00,490,776 | ---- | M] (Logitech Inc.) - C:\WINDOWS\system32\drivers\LV561AV.SYS

(rimmptsk) rimmptsk [Auto | Running]
[02/24/2007 02:42 PM | 00,039,936 | ---- | M] (REDC) - C:\WINDOWS\system32\drivers\rimmptsk.sys

(rimsptsk) rimsptsk [Auto | Running]
[01/23/2007 04:40 PM | 00,042,496 | ---- | M] (REDC) - C:\WINDOWS\system32\drivers\rimsptsk.sys

(RimVSerPort) RIM Virtual Serial Port v2 [On_Demand | Running]
[06/30/2006 04:10 PM | 00,026,752 | R--- | M] (Research in Motion Ltd) - C:\WINDOWS\system32\drivers\RimSerial.sys

(rismxdp) Ricoh xD-Picture Card Driver [Auto | Running]
[03/21/2007 10:02 PM | 00,037,376 | ---- | M] (REDC) - C:\WINDOWS\system32\drivers\rixdptsk.sys

(Shockprf) Shockprf [Boot | Running]
[03/02/2007 05:49 PM | 00,100,656 | ---- | M] (Lenovo.) - C:\WINDOWS\system32\drivers\ApsX86.sys

(SynTP) Synaptics TouchPad Driver [On_Demand | Running]
[08/10/2007 06:25 PM | 00,177,664 | ---- | M] (Synaptics, Inc.) - C:\WINDOWS\system32\drivers\SynTP.sys

(Teefer) Teefer for NT [Boot | Running]
[10/15/2004 06:17 PM | 00,060,496 | ---- | M] (Sygate Technologies, Inc.) - C:\WINDOWS\system32\drivers\Teefer.sys

(TPDIGIMN) TPDIGIMN [Boot | Running]
[03/02/2007 05:47 PM | 00,019,760 | ---- | M] (Lenovo.) - C:\WINDOWS\system32\drivers\ApsHM86.sys

(TPPWRIF) TPPWRIF [System | Running]
[09/21/2007 01:19 AM | 00,004,442 | ---- | M] () - C:\WINDOWS\system32\drivers\TPPWRIF.SYS

(TSMAPIP) TSMAPIP [System | Running]
[04/10/2007 03:03 AM | 00,012,848 | ---- | M] () - C:\WINDOWS\system32\drivers\TSMAPIP.SYS

(UIUSys) Conexant Setup API [On_Demand | Stopped]
File not found - C:\WINDOWS\System32\DRIVERS\UIUSYS.SYS

(wg3n) SyGate for NT, wg3n [Auto | Running]
[10/15/2004 06:32 PM | 00,014,568 | ---- | M] (Sygate Technologies, Inc.) - C:\WINDOWS\system32\drivers\wg3n.sys

(wg4n) SyGate for NT, wg4n [Auto | Running]
[10/15/2004 06:32 PM | 00,014,568 | ---- | M] (Sygate Technologies, Inc.) - C:\WINDOWS\system32\drivers\wg4n.sys

(wg5n) SyGate for NT, wg5n [Auto | Running]
[10/15/2004 06:32 PM | 00,014,568 | ---- | M] (Sygate Technologies, Inc.) - C:\WINDOWS\system32\drivers\wg5n.sys

(wg6n) SyGate for NT, wg6n [Auto | Running]
[10/15/2004 06:32 PM | 00,014,568 | ---- | M] (Sygate Technologies, Inc.) - C:\WINDOWS\system32\drivers\wg6n.sys

(wpsdrvnt) wpsdrvnt [System | Running]
[10/15/2004 06:18 PM | 00,021,075 | ---- | M] (Sygate Technologies, Inc.) - C:\WINDOWS\system32\drivers\wpsdrvnt.sys

(WSIMD) wsimd Service [On_Demand | Running]
[11/15/2006 03:00 AM | 00,057,216 | ---- | M] (Atheros Communications, Inc.) - C:\WINDOWS\system32\drivers\wsimd.sys

========== Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BLOG" = rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog [09/21/2007 01:19 AM | 00,208,896 | ---- | M] ()
"EZEJMNAP" = C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe [04/27/2007 02:33 AM | 00,243,248 | ---- | M] (Lenovo Group Ltd.)
"IgfxTray" = C:\WINDOWS\system32\igfxtray.exe [08/15/2007 03:07 PM | 00,141,848 | ---- | M] (Intel Corporation)
"LogitechCommunicationsManager" = "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [10/25/2007 05:33 PM | 00,563,984 | ---- | M] ()
"LogitechQuickCamRibbon" = "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide [10/25/2007 05:37 PM | 02,178,832 | ---- | M] ()
"Omnipage" = C:\Program Files\ScanSoft\OmniPageSE\opware32.exe [06/03/2002 12:38 PM | 00,049,152 | ---- | M] (ScanSoft, Inc)
"Persistence" = C:\WINDOWS\system32\igfxpers.exe [08/15/2007 03:07 PM | 00,137,752 | ---- | M] (Intel Corporation)
"PWRMGRTR" = rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor [09/21/2007 01:19 AM | 00,200,704 | ---- | M] (Lenovo Group Limited)
"SmcService" = C:\PROGRA~1\Sygate\SPF\smc.exe -startgui [10/15/2004 07:40 PM | 02,577,632 | ---- | M] (Sygate Technologies, Inc.)
"SoundMAX" = C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray [04/03/2007 07:55 PM | 00,839,680 | ---- | M] (Analog Devices, Inc.)
"SoundMAXPnP" = C:\Program Files\Analog Devices\Core\smax4pnp.exe [04/09/2007 04:23 PM | 01,015,808 | ---- | M] (Analog Devices, Inc.)
"SynTPEnh" = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [08/10/2007 06:30 PM | 00,512,000 | ---- | M] (Synaptics, Inc.)
"SynTPLpr" = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [08/10/2007 06:30 PM | 00,110,592 | ---- | M] (Synaptics, Inc.)
"TPFNF7" = C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r [04/10/2007 03:03 AM | 00,058,416 | ---- | M] (Lenovo Group Limited)
"TPHOTKEY" = C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe [03/09/2007 02:49 PM | 00,066,176 | ---- | M] (Lenovo Group Limited)
"TPKMAPHELPER" = C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper [01/09/2007 04:28 PM | 00,868,352 | ---- | M] (Lenovo)
"TpShocks" = TpShocks.exe [03/29/2007 06:40 PM | 00,181,808 | ---- | M] (Lenovo.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = Reg Error: Value load does not exist or could not be read.
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr" = "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background File not found

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_USERS\S-1-5-21-299502267-854245398-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector" = C:\Program Files\Picasa2\PicasaMediaDetector.exe [02/25/2008 06:23 PM | 00,443,968 | ---- | M] (Google Inc.)
"Skype" = "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized [06/08/2007 03:18 PM | 23,233,576 | R--- | M] (Skype Technologies S.A.)
"Yahoo! Pager" = "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet [08/30/2007 05:43 PM | 04,670,704 | ---- | M] (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-299502267-854245398-725345543-1003\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_USERS\S-1-5-21-299502267-854245398-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr" = "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background File not found

[HKEY_USERS\S-1-5-21-299502267-854245398-725345543-1004\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_USERS\S-1-5-21-299502267-854245398-725345543-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

========== Startup Folders ==========

[Administrator Startup Folder - C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]

[All Users Startup Folder - C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

[annapy Startup Folder - C:\Documents and Settings\annapy\Start Menu\Programs\Startup]

[dcarwin Startup Folder - C:\Documents and Settings\dcarwin\Start Menu\Programs\Startup]

[Default User Startup Folder - C:\Documents and Settings\Default User\Start Menu\Programs\Startup]

========== BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
HKLM CLSID: (SSVHelper Class) - [09/25/2007 01:11 AM | 00,501,136 | ---- | M] (Sun Microsystems, Inc.) C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

========== Toolbars ==========

========== AppInit_Dlls ==========

========== HKLM Security Providers ==========

========== HKLM Winlogon Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell]
= Explorer.exe
>Explorer.exe - [04/14/2008 05:42 AM | 01,033,728 | ---- | M] (Microsoft Corporation) C:\WINDOWS\explorer.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit]
= C:\WINDOWS\SYSTEM32\Userinit.exe,
>C:\WINDOWS\SYSTEM32\Userinit.exe - [04/14/2008 05:42 AM | 00,026,112 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\userinit.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost]
= logonui.exe
>logonui.exe - [04/14/2008 05:42 AM | 00,514,560 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\logonui.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet]
= rundll32 shell32,Control_RunDLL "sysdm.cpl"
>rundll32 shell32 - [04/14/2008 05:42 AM | 08,461,312 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
>Control_RunDLL "sysdm.cpl" - [04/14/2008 05:42 AM | 00,300,544 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\sysdm.cpl

========== User's Winlogon Settings ==========

========== Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
"DllName" = C:\WINDOWS\system32\igfxdev.dll [08/09/2007 09:31 AM | 00,204,800 | ---- | M] (Intel Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tpfnf2]
"DllName" = C:\Program Files\Lenovo\HOTKEY\notifyf2.dll [09/06/2006 04:37 PM | 00,034,344 | ---- | M] ()

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tphotkey]
"DllName" = C:\Program Files\Lenovo\HOTKEY\tphklock.dll [12/14/2006 11:06 AM | 00,028,672 | ---- | M] ()

========== Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername" = 0
"legalnoticecaption" =
"legalnoticetext" =
"shutdownwithoutlogon" = 1
"undockwithoutlogon" = 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
Unable to open key or key not present!


[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
Unable to open key or key not present!


[HKEY_USERS\S-1-5-21-299502267-854245398-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\S-1-5-21-299502267-854245398-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]

[HKEY_USERS\S-1-5-21-299502267-854245398-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\S-1-5-21-299502267-854245398-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]

[HKEY_USERS\S-1-5-21-299502267-854245398-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\S-1-5-21-299502267-854245398-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]

========== Lsa Authentication Packages ==========

========== Lsa Security Packages ==========

========== Desktop Components ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"FriendlyName" = "My Current Home Page"
"Source" = "About:Home"
"SubscribedURL" = "About:Home"

========== Safeboot Options ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell" = cmd.exe

========== Disabled MsConfig Items ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT [PATH=%PATH%;C:\PROGRA~1\COMMON~1\MUVEET~1\030625 | ]
[06/05/2008 06:39 PM | 00,000,050 | ---- | M] () C:\AUTOEXEC.BAT [ NTFS ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2e902dc5-6e0e-11dd-b56e-00197e932f9e}\Shell]
"" = Open

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8e6764b3-6f27-11dd-b58a-00197e932f9e}\Shell]
"" = None

========== DNS Name Servers ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{0DC826C6-E6C1-48F8-A5FE-86C3607AAF88}]
Servers: | Description: 11a/b/g Wireless LAN Mini PCI Express Adapter

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{93008F3B-85B5-41D8-B1FB-9225D9F2B837}]
Servers: 208.201.224.11,208.201.224.33 | Description: Intel® 82566MM Gigabit Network Connection

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{F5168545-344F-41AE-9BEA-3ED6BBA5E9C0}]
Servers: | Description: 1394 Net Adapter

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{F7F324DC-68C4-4FC4-B6DC-603D52C928CE}]
Servers: | Description:

========== Hosts File ==========

HOSTS File = (686 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost



========== Files/Folders - Created Within 30 days ==========

[08/20/2008 01:57 AM | ---D | C] - C:\SDFix
[08/20/2008 07:16 PM | 10,467,86048 | -HS- | C] () - C:\hiberfil.sys
[08/20/2008 04:57 PM | 00,000,717 | ---- | C] () - C:\WINDOWS\System32\dllcache\cloapp.gif
[08/20/2008 04:57 PM | 00,000,760 | ---- | C] () - C:\WINDOWS\System32\dllcache\cloapph.gif
[08/20/2008 04:57 PM | 00,000,772 | ---- | C] () - C:\WINDOWS\System32\dllcache\cntd.gif
[08/20/2008 04:57 PM | 00,000,773 | ---- | C] () - C:\WINDOWS\System32\dllcache\cnt.gif
[08/20/2008 04:57 PM | 00,000,773 | ---- | C] () - C:\WINDOWS\System32\dllcache\cnth.gif
[08/20/2008 04:57 PM | 00,000,999 | ---- | C] () - C:\WINDOWS\System32\dllcache\bktrh.gif
[08/20/2008 04:57 PM | 00,001,885 | ---- | C] () - C:\WINDOWS\System32\dllcache\mplayer2.cnt
[08/20/2008 04:57 PM | 00,002,545 | ---- | C] () - C:\WINDOWS\System32\dllcache\mplogo.gif
[08/20/2008 04:57 PM | 00,002,778 | ---- | C] () - C:\WINDOWS\System32\dllcache\mplogoh.gif
[08/20/2008 04:57 PM | 00,005,971 | ---- | C] () - C:\WINDOWS\System32\dllcache\events.js
[08/20/2008 04:57 PM | 00,006,878 | ---- | C] () - C:\WINDOWS\System32\dllcache\controls.js
[08/20/2008 04:57 PM | 00,008,298 | ---- | C] () - C:\WINDOWS\System32\dllcache\contents.htm
[08/20/2008 04:57 PM | 00,009,585 | ---- | C] () - C:\WINDOWS\System32\dllcache\controls.css
[08/20/2008 04:57 PM | 00,018,286 | ---- | C] () - C:\WINDOWS\System32\dllcache\mplayer2.inf
[08/20/2008 04:57 PM | 00,097,117 | ---- | C] () - C:\WINDOWS\System32\dllcache\mplayer2.hlp
[08/20/2008 04:57 PM | 00,184,959 | ---- | C] () - C:\WINDOWS\System32\dllcache\compact.wmz
[08/20/2008 04:57 PM | 00,290,816 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) - C:\WINDOWS\System32\dllcache\l3codeca.acm
[08/20/2008 04:57 PM | 00,381,425 | ---- | C] () - C:\WINDOWS\System32\dllcache\copycd.wmv
[08/20/2008 04:57 PM | 00,457,607 | ---- | C] () - C:\WINDOWS\System32\dllcache\mdlib.wmv
[08/20/2008 04:58 PM | 00,000,403 | ---- | C] () - C:\WINDOWS\System32\dllcache\npdrmv2.zip
[08/20/2008 04:58 PM | 00,000,420 | ---- | C] () - C:\WINDOWS\System32\dllcache\wmploc.js
[08/20/2008 04:58 PM | 00,000,733 | ---- | C] () - C:\WINDOWS\System32\dllcache\plylst15.wpl
[08/20/2008 04:58 PM | 00,000,775 | ---- | C] () - C:\WINDOWS\System32\dllcache\plylst14.wpl
[08/20/2008 04:58 PM | 00,000,783 | ---- | C] () - C:\WINDOWS\System32\dllcache\plylst13.wpl
[08/20/2008 04:58 PM | 00,000,784 | ---- | C] () - C:\WINDOWS\System32\dllcache\plylst9.wpl
[08/20/2008 04:58 PM | 00,000,787 | ---- | C] () - C:\WINDOWS\System32\dllcache\plylst10.wpl
[08/20/2008 04:58 PM | 00,000,789 | ---- | C] () - C:\WINDOWS\System32\dllcache\plylst11.wpl
[08/20/2008 04:58 PM | 00,000,855 | ---- | C] () - C:\WINDOWS\System32\dllcache\wmpocm.inf
[08/20/2008 04:58 PM | 00,000,908 | ---- | C] () - C:\WINDOWS\System32\dllcache\skins.inf
[08/20/2008 04:58 PM | 00,001,036 | ---- | C] () - C:\WINDOWS\System32\dllcache\plylst8.wpl
[08/20/2008 04:58 PM | 00,001,046 | ---- | C] () - C:\WINDOWS\System32\dllcache\plylst7.wpl
[08/20/2008 04:58 PM | 00,001,049 | ---- | C] () - C:\WINDOWS\System32\dllcache\plylst2.wpl
[08/20/2008 04:58 PM | 00,001,148 | ---- | C] () - C:\WINDOWS\System32\dllcache\snd.htm
[08/20/2008 04:58 PM | 00,001,250 | ---- | C] () - C:\WINDOWS\System32\dllcache\plylst1.wpl
[08/20/2008 04:58 PM | 00,001,367 | ---- | C] () - C:\WINDOWS\System32\dllcache\taoffh.gif
[08/20/2008 04:58 PM | 00,001,380 | ---- | C] () - C:\WINDOWS\System32\dllcache\taoff.gif
[08/20/2008 04:58 PM | 00,001,380 | ---- | C] () - C:\WINDOWS\System32\dllcache\taonh.gif
[08/20/2008 04:58 PM | 00,001,398 | ---- | C] () - C:\WINDOWS\System32\dllcache\taon.gif
[08/20/2008 04:58 PM | 00,001,448 | ---- | C] () - C:\WINDOWS\System32\dllcache\plylst4.wpl
[08/20/2008 04:58 PM | 00,001,451 | ---- | C] () - C:\WINDOWS\System32\dllcache\plylst12.wpl
[08/20/2008 04:58 PM | 00,001,474 | ---- | C] () - C:\WINDOWS\System32\dllcache\plylst3.wpl
[08/20/2008 04:58 PM | 00,001,477 | ---- | C] () - C:\WINDOWS\System32\dllcache\plylst5.wpl
[08/20/2008 04:58 PM | 00,001,477 | ---- | C] () - C:\WINDOWS\System32\dllcache\plylst6.wpl
[08/20/2008 04:58 PM | 00,001,771 | ---- | C] () - C:\WINDOWS\System32\dllcache\wmptour.css
[08/20/2008 04:58 PM | 00,002,371 | ---- | C] () - C:\WINDOWS\System32\dllcache\tpauseh.gif
[08/20/2008 04:58 PM | 00,002,375 | ---- | C] () - C:\WINDOWS\System32\dllcache\tplayh.gif
[08/20/2008 04:58 PM | 00,002,450 | ---- | C] () - C:\WINDOWS\System32\dllcache\tpause.gif
[08/20/2008 04:58 PM | 00,002,469 | ---- | C] () - C:\WINDOWS\System32\dllcache\tplay.gif
[08/20/2008 04:58 PM | 00,002,477 | ---- | C] () - C:\WINDOWS\System32\dllcache\wm5.gif
[08/20/2008 04:58 PM | 00,003,187 | ---- | C] () - C:\WINDOWS\System32\dllcache\tour.js
[08/20/2008 04:58 PM | 00,004,193 | ---- | C] () - C:\WINDOWS\System32\dllcache\wm8.gif
[08/20/2008 04:58 PM | 00,005,290 | ---- | C] () - C:\WINDOWS\System32\dllcache\vidsamp.gif
[08/20/2008 04:58 PM | 00,005,789 | ---- | C] () - C:\WINDOWS\System32\dllcache\wm1.gif
[08/20/2008 04:58 PM | 00,006,060 | ---- | C] () - C:\WINDOWS\System32\dllcache\wm6.gif
[08/20/2008 04:58 PM | 00,006,241 | ---- | C] () - C:\WINDOWS\System32\dllcache\wm3.gif
[08/20/2008 04:58 PM | 00,006,769 | ---- | C] () - C:\WINDOWS\System32\dllcache\wmfsdk.inf
[08/20/2008 04:58 PM | 00,007,369 | ---- | C] () - C:\WINDOWS\System32\dllcache\wm4.gif
[08/20/2008 04:58 PM | 00,007,636 | ---- | C] () - C:\WINDOWS\System32\dllcache\wm2.gif
[08/20/2008 04:58 PM | 00,007,892 | ---- | C] () - C:\WINDOWS\System32\dllcache\wm9.gif
[08/20/2008 04:58 PM | 00,008,677 | ---- | C] () - C:\WINDOWS\System32\dllcache\wm7.gif
[08/20/2008 04:58 PM | 00,010,457 | ---- | C] () - C:\WINDOWS\System32\dllcache\wmptour.hta
[08/20/2008 04:58 PM | 00,017,272 | ---- | C] () - C:\WINDOWS\System32\dllcache\wmdm.inf
[08/20/2008 04:58 PM | 00,017,489 | ---- | C] () - C:\WINDOWS\System32\dllcache\videobg.gif
[08/20/2008 04:58 PM | 00,022,060 | ---- | C] () - C:\WINDOWS\System32\dllcache\npds.zip
[08/20/2008 04:58 PM | 00,023,195 | ---- | C] () - C:\WINDOWS\System32\dllcache\wmplay.chm
[08/20/2008 04:58 PM | 00,023,829 | ---- | C] () - C:\WINDOWS\System32\dllcache\tourbg.gif
[08/20/2008 04:58 PM | 00,029,070 | ---- | C] () - C:\WINDOWS\System32\dllcache\wmp.inf
[08/20/2008 04:58 PM | 00,066,725 | ---- | C] () - C:\WINDOWS\System32\dllcache\revert.wmz
[08/20/2008 04:58 PM | 00,067,374 | ---- | C] () - C:\WINDOWS\System32\dllcache\wmplayer.adm
[08/20/2008 04:58 PM | 00,077,307 | ---- | C] () - C:\WINDOWS\System32\dllcache\plyr_err.chm
[08/20/2008 04:58 PM | 00,086,016 | ---- | C] (Sipro Lab Telecom Inc.) - C:\WINDOWS\System32\dllcache\sl_anet.acm
[08/20/2008 04:58 PM | 00,086,180 | ---- | C] () - C:\WINDOWS\System32\dllcache\wmpaud2.wav
[08/20/2008 04:58 PM | 00,086,180 | ---- | C] () - C:\WINDOWS\System32\dllcache\wmpaud4.wav
[08/20/2008 04:58 PM | 00,086,196 | ---- | C] () - C:\WINDOWS\System32\dllcache\wmpaud5.wav
[08/20/2008 04:58 PM | 00,172,196 | ---- | C] () - C:\WINDOWS\System32\dllcache\wmpaud3.wav
[08/20/2008 04:58 PM | 00,172,196 | ---- | C] () - C:\WINDOWS\System32\dllcache\wmpaud8.wav
[08/20/2008 04:58 PM | 00,172,196 | ---- | C] () - C:\WINDOWS\System32\dllcache\wmpaud9.wav
[08/20/2008 04:58 PM | 00,300,969 | ---- | C] () - C:\WINDOWS\System32\dllcache\viz.wmv
[08/20/2008 04:58 PM | 00,343,204 | ---- | C] () - C:\WINDOWS\System32\dllcache\wmpaud6.wav
[08/20/2008 04:58 PM | 00,343,204 | ---- | C] () - C:\WINDOWS\System32\dllcache\wmpaud7.wav
[08/20/2008 04:58 PM | 00,354,468 | ---- | C] () - C:\WINDOWS\System32\dllcache\wmpaud1.wav
[08/20/2008 04:58 PM | 00,375,519 | ---- | C] () - C:\WINDOWS\System32\dllcache\nuskin.wmv
[08/20/2008 04:58 PM | 00,572,557 | ---- | C] () - C:\WINDOWS\System32\dllcache\rtuner.wmv
[08/20/2008 04:58 PM | 00,613,334 | ---- | C] () - C:\WINDOWS\System32\dllcache\wmplayer.chm
[08/20/2008 04:52 PM | 00,064,352 | ---- | C] () - C:\WINDOWS\System32\drivers\ativmc20.cod
[08/20/2008 04:52 PM | 00,067,866 | ---- | C] () - C:\WINDOWS\System32\drivers\netwlan5.img
[08/20/2008 04:52 PM | 00,129,045 | ---- | C] () - C:\WINDOWS\System32\drivers\cxthsfs2.cty
[08/21/2008 12:57 PM | 00,014,568 | ---- | C] (Sygate Technologies, Inc.) - C:\WINDOWS\System32\drivers\wg3n.sys
[08/21/2008 12:57 PM | 00,014,568 | ---- | C] (Sygate Technologies, Inc.) - C:\WINDOWS\System32\drivers\wg4n.sys
[08/21/2008 12:57 PM | 00,014,568 | ---- | C] (Sygate Technologies, Inc.) - C:\WINDOWS\System32\drivers\wg5n.sys
[08/21/2008 12:57 PM | 00,014,568 | ---- | C] (Sygate Technologies, Inc.) - C:\WINDOWS\System32\drivers\wg6n.sys
[08/21/2008 12:57 PM | 00,021,075 | ---- | C] (Sygate Technologies, Inc.) - C:\WINDOWS\System32\drivers\wpsdrvnt.sys
[08/21/2008 12:57 PM | 00,060,496 | ---- | C] (Sygate Technologies, Inc.) - C:\WINDOWS\System32\drivers\Teefer.sys
[2 C:\WINDOWS\System32\*.tmp files]
[08/20/2008 01:13 AM | -H-D | C] - C:\WINDOWS\System32\GroupPolicy
[08/20/2008 04:57 PM | ---D | C] - C:\WINDOWS\System32\bits
[08/20/2008 04:57 PM | ---D | C] - C:\WINDOWS\System32\en
[08/20/2008 04:57 PM | ---D | C] - C:\WINDOWS\System32\en-us
[08/20/2008 04:57 PM | ---D | C] - C:\WINDOWS\System32\scripting
[08/20/2008 11:15 AM | 00,013,646 | ---- | C] () - C:\WINDOWS\System32\wpa.dbl
[08/20/2008 11:15 AM | 00,204,120 | ---- | C] () - C:\WINDOWS\System32\FNTCACHE.DAT
[08/21/2008 12:56 PM | 00,083,096 | ---- | C] (Sygate Technologies, Inc.) - C:\WINDOWS\System32\SSSensor.dll
[5 C:\WINDOWS\*.tmp files]
[08/10/2008 11:47 PM | 00,001,409 | ---- | C] () - C:\WINDOWS\QTFont.for
[08/10/2008 11:47 PM | 00,054,156 | -H-- | C] () - C:\WINDOWS\QTFont.qfn
[08/20/2008 01:12 AM | ---D | C] - C:\WINDOWS\pss
[08/20/2008 02:01 AM | ---D | C] - C:\WINDOWS\ERUNT
[08/20/2008 04:49 PM | -H-D | C] - C:\WINDOWS\$NtServicePackUninstall$
[08/20/2008 04:52 PM | ---D | C] - C:\WINDOWS\network diagnostic
[08/20/2008 04:55 PM | ---D | C] - C:\WINDOWS\ServicePackFiles
[08/20/2008 04:57 PM | ---D | C] - C:\WINDOWS\l2schemas
[08/20/2008 05:03 PM | ---D | C] - C:\WINDOWS\Prefetch
[08/20/2008 01:36 AM | ---D | C] - C:\Documents and Settings\dcarwin\Application Data\Sun
[08/20/2008 02:53 AM | 00,000,907 | ---- | C] () - C:\Documents and Settings\dcarwin\My Documents\My Sharing Folders.lnk
[08/21/2008 11:10 AM | 00,000,793 | ---- | C] () - C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[08/21/2008 11:10 AM | 00,000,793 | ---- | C] () - C:\Documents and Settings\All Users\Desktop\Ad-Watch.lnk
[08/20/2008 01:22 AM | 00,001,601 | ---- | C] () - C:\Documents and Settings\dcarwin\Desktop\HijackThis.lnk
[08/20/2008 01:32 AM | 03,520,552 | ---- | C] (Sysinternals - www.sysinternals.com) - C:\Documents and Settings\dcarwin\Desktop\procexp.exe
[08/20/2008 01:55 AM | 01,463,521 | ---- | C] () - C:\Documents and Settings\dcarwin\Desktop\SDFix.exe
[08/20/2008 01:22 AM | ---D | C] - C:\Program Files\test55
[08/20/2008 05:38 PM | ---D | C] - C:\Program Files\Microsoft CAPICOM 2.1.0.2
[08/21/2008 01:03 PM | ---D | C] - C:\Program Files\Trend Micro
[08/21/2008 12:56 PM | ---D | C] - C:\Program Files\Sygate

========== Files - Modified Within 30 days ==========

[08/18/2008 09:44 PM | 00,000,232 | -H-- | M] () - C:\sqmdata17.sqm
[08/18/2008 09:44 PM | 00,000,244 | -H-- | M] () - C:\sqmnoopt17.sqm
[08/18/2008 10:24 PM | 00,000,232 | -H-- | M] () - C:\sqmdata18.sqm
[08/18/2008 10:24 PM | 00,000,244 | -H-- | M] () - C:\sqmnoopt18.sqm
[08/19/2008 01:16 PM | 00,000,232 | -H-- | M] () - C:\sqmdata04.sqm
[08/19/2008 01:16 PM | 00,000,244 | -H-- | M] () - C:\sqmnoopt04.sqm
[08/19/2008 02:00 PM | 00,000,232 | -H-- | M] () - C:\sqmdata05.sqm
[08/19/2008 02:00 PM | 00,000,244 | -H-- | M] () - C:\sqmnoopt05.sqm
[08/19/2008 02:44 PM | 00,000,232 | -H-- | M] () - C:\sqmdata06.sqm
[08/19/2008 02:44 PM | 00,000,244 | -H-- | M] () - C:\sqmnoopt06.sqm
[08/19/2008 03:28 PM | 00,000,232 | -H-- | M] () - C:\sqmdata07.sqm
[08/19/2008 03:28 PM | 00,000,244 | -H-- | M] () - C:\sqmnoopt07.sqm
[08/19/2008 04:12 PM | 00,000,232 | -H-- | M] () - C:\sqmdata08.sqm
[08/19/2008 04:12 PM | 00,000,244 | -H-- | M] () - C:\sqmnoopt08.sqm
[08/19/2008 04:56 PM | 00,000,232 | -H-- | M] () - C:\sqmdata09.sqm
[08/19/2008 04:56 PM | 00,000,244 | -H-- | M] () - C:\sqmnoopt09.sqm
[08/19/2008 05:40 PM | 00,000,232 | -H-- | M] () - C:\sqmdata10.sqm
[08/19/2008 05:40 PM | 00,000,244 | -H-- | M] () - C:\sqmnoopt10.sqm
[08/19/2008 06:24 PM | 00,000,232 | -H-- | M] () - C:\sqmdata11.sqm
[08/19/2008 06:24 PM | 00,000,244 | -H-- | M] () - C:\sqmnoopt11.sqm
[08/19/2008 09:36 AM | 00,000,232 | -H-- | M] () - C:\sqmdata19.sqm
[08/19/2008 09:36 AM | 00,000,244 | -H-- | M] () - C:\sqmnoopt19.sqm
[08/19/2008 10:20 AM | 00,000,232 | -H-- | M] () - C:\sqmdata00.sqm
[08/19/2008 10:20 AM | 00,000,244 | -H-- | M] () - C:\sqmnoopt00.sqm
[08/19/2008 11:04 AM | 00,000,232 | -H-- | M] () - C:\sqmdata01.sqm
[08/19/2008 11:04 AM | 00,000,244 | -H-- | M] () - C:\sqmnoopt01.sqm
[08/19/2008 11:48 AM | 00,000,232 | -H-- | M] () - C:\sqmdata02.sqm
[08/19/2008 11:48 AM | 00,000,244 | -H-- | M] () - C:\sqmnoopt02.sqm
[08/19/2008 12:32 PM | 00,000,232 | -H-- | M] () - C:\sqmdata03.sqm
[08/19/2008 12:32 PM | 00,000,244 | -H-- | M] () - C:\sqmnoopt03.sqm
[08/20/2008 01:11 AM | 00,000,244 | -H-- | M] () - C:\sqmnoopt12.sqm
[08/20/2008 01:11 AM | 00,000,268 | -H-- | M] () - C:\sqmdata12.sqm
[08/20/2008 01:53 AM | 00,000,232 | -H-- | M] () - C:\sqmdata13.sqm
[08/20/2008 01:53 AM | 00,000,244 | -H-- | M] () - C:\sqmnoopt13.sqm
[08/20/2008 02:12 AM | 00,000,244 | -H-- | M] () - C:\sqmnoopt14.sqm
[08/20/2008 02:12 AM | 00,000,268 | -H-- | M] () - C:\sqmdata14.sqm
[08/20/2008 02:15 AM | 00,000,244 | -H-- | M] () - C:\sqmnoopt15.sqm
[08/20/2008 02:15 AM | 00,000,268 | -H-- | M] () - C:\sqmdata15.sqm
[08/20/2008 02:53 AM | 00,000,244 | -H-- | M] () - C:\sqmnoopt16.sqm
[08/20/2008 02:53 AM | 00,000,268 | -H-- | M] () - C:\sqmdata16.sqm
[08/20/2008 04:52 PM | 00,250,048 | RHS- | M] () - C:\ntldr
[08/21/2008 12:58 PM | 10,467,86048 | -HS- | M] () - C:\hiberfil.sys
[08/20/2008 06:20 PM | 00,000,686 | ---- | M] () - C:\WINDOWS\System32\drivers\etc\HOSTS
[2 C:\WINDOWS\System32\*.tmp files]
[08/20/2008 05:42 PM | 00,204,120 | ---- | M] () - C:\WINDOWS\System32\FNTCACHE.DAT
[08/20/2008 11:23 AM | 00,013,588 | ---- | M] () - C:\WINDOWS\System32\wpa.bak
[09/07/2008 09:10 PM | 00,013,646 | ---- | M] () - C:\WINDOWS\System32\wpa.dbl
[5 C:\WINDOWS\*.tmp files]
[08/10/2008 11:47 PM | 00,001,409 | ---- | M] () - C:\WINDOWS\QTFont.for
[08/10/2008 11:47 PM | 00,054,156 | -H-- | M] () - C:\WINDOWS\QTFont.qfn
[08/20/2008 05:04 PM | 00,316,640 | ---- | M] () - C:\WINDOWS\WMSysPr9.prx
[08/20/2008 05:37 PM | 00,000,756 | ---- | M] () - C:\WINDOWS\win.ini
[08/20/2008 05:40 PM | 00,001,374 | ---- | M] () - C:\WINDOWS\imsins.BAK
[08/21/2008 12:22 PM | 00,000,376 | ---- | M] () - C:\WINDOWS\ODBC.INI
[08/21/2008 12:58 PM | 00,002,048 | --S- | M] () - C:\WINDOWS\bootstat.dat
[08/21/2008 12:58 PM | 00,000,006 | -H-- | M] () - C:\WINDOWS\tasks\SA.DAT
[09/08/2008 11:47 AM | 00,000,302 | ---- | M] () - C:\WINDOWS\tasks\PMTask.job
[08/20/2008 03:12 AM | 03,236,044 | -H-- | M] () - C:\Documents and Settings\dcarwin\Local Settings\Application Data\IconCache.db
[08/20/2008 02:53 AM | 00,000,907 | ---- | M] () - C:\Documents and Settings\dcarwin\My Documents\My Sharing Folders.lnk
[09/07/2008 09:10 PM | 00,000,078 | -HS- | M] () - C:\Documents and Settings\dcarwin\My Documents\desktop.ini
[08/18/2008 06:52 PM | 00,002,257 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\Skype.lnk
[08/20/2008 04:06 AM | 00,001,781 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\Logitech QuickCam.lnk
[08/21/2008 11:10 AM | 00,000,793 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[08/21/2008 11:10 AM | 00,000,793 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\Ad-Watch.lnk
[08/20/2008 01:30 AM | 03,520,552 | ---- | M] (Sysinternals - www.sysinternals.com) - C:\Documents and Settings\dcarwin\Desktop\procexp.exe
[08/20/2008 01:53 AM | 01,463,521 | ---- | M] () - C:\Documents and Settings\dcarwin\Desktop\SDFix.exe
[08/20/2008 02:14 AM | 00,001,601 | ---- | M] () - C:\Documents and Settings\dcarwin\Desktop\HijackThis.lnk

< End of report >



EXTRAS.txt
===
OTViewIt Extras logfile created on: 9/8/2008 11:48:59 AM - Run 1
OTViewIt by OldTimer - Version 1.0.1.8 Folder = C:\Documents and Settings\dcarwin\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

998.22 Mb Total Physical Memory | 558.23 Mb Available Physical Memory | 55.92% Memory free
2.35 Gb Paging File | 1.86 Gb Available in Paging File | 79.15% Paging File free
Paging file location(s): C:\pagefile.sys 1500 3000;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.16 Gb Total Space | 68.78 Gb Free Space | 73.84% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 1.97 Gb Total Space | 1.57 Gb Free Space | 79.63% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[04/14/2008 12:23 AM | 00,558,080 | ---- | M] (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger
[08/30/2007 05:43 PM | 04,670,704 | ---- | M] (Yahoo! Inc.)

"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server
[08/30/2007 05:43 PM | 00,091,376 | ---- | M] (Yahoo! Inc.)

"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype
[06/08/2007 03:18 PM | 23,233,576 | R--- | M] (Skype Technologies S.A.)

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[04/14/2008 12:23 AM | 00,558,080 | ---- | M] (Microsoft Corporation)

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] - "%1" %*
.cmd [@ = cmdfile] - "%1" %*
.com [@ = comfile] - "%1" %*
.exe [@ = exefile] - "%1" %*
.html [@ = FirefoxHTML] - [07/16/2008 10:13 PM | 07,667,312 | ---- | M] (Mozilla Corporation) - C:\Program Files\Mozilla Firefox\firefox.exe
.pif [@ = piffile] - "%1" %*
.scr [@ = scrfile] - "%1" /S

========== Winsock2 Catalogs ==========

========== HKEY_LOCAL_MACHINE Protocol Defaults ==========


========== HKEY_CURRENT_USER Protocol Defaults ==========


========== HKEY_USERS Protocol Defaults ==========


========== HKEY_USERS Protocol Defaults ==========


========== HKEY_USERS Protocol Defaults ==========


========== HKEY_USERS Protocol Defaults ==========


========== HKEY_USERS Protocol Defaults ==========


========== HKEY_USERS Protocol Defaults ==========


========== HKEY_USERS Protocol Defaults ==========


========== Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]
msdaipp: [HKLM - No CLSID value]

skype4com:{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} [HKLM - IEProtocolHandler Class]
[06/08/2007 03:18 PM | 01,828,440 | R--- | M] (Skype Technologies) C:\Program Files\Common Files\Skype\Skype4COM.dll

========== Protocol Filters ==========

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{03F1CC67-5BD8-4C36-8394-76311B2AE69A}" = ArcSoft PhotoStudio 5
"{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}" = Security Update for CAPICOM (KB931906)
"{1297C681-92D7-40EF-93BF-03F66EC5105C}" = ThinkPad EasyEject Utility
"{17CBC505-D1AE-459D-B445-3D2000A85842}" = ThinkPad UltraNav Utility
"{2111B23F-7FDA-4A41-8309-E5A1663CA296}" = ThinkPad Keyboard Customizer Utility
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35725FBC-A136-4A46-9F29-091759D9BB93}" = MVision
"{37E1EB56-C59B-4C5C-B0B3-B5076046EF8A}" = BlackBerry Desktop Software 4.2
"{46A84694-59EC-48F0-964C-7E76E9F8A2ED}" = ThinkVantage Active Protection System
"{5058B085-AA79-41E5-A726-681B4C4B846E}" = ACDSee 5.0 PowerPack
"{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.2
"{6249C22D-E6A8-407B-BA8B-40298848ED94}" = OmniPage SE
"{65706020-7B6F-41F2-8047-FC69579E386A}" = Presentation Director
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{70D9854A-CEF5-4BCF-B37A-0AA1AB0A83CF}" = Internet Chess
"{82CA0A0C-A3EC-4167-B694-909205B2EDEC}" = muvee Plugin 1.0
"{89E2A724-0E1C-4A43-93E3-47704C03EF38}" = Learn to Play Chess with Fritz and Chesster 2
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}" = Logitech QuickCam
"{9FAC9E5C-0D20-4DBF-AFE5-2E09C52A95A2}" = ThinkPad Wireless LAN Adapters Software (11a/b, 11b/g, 11a/b/g)
"{A0E64EBA-8BF0-49FB-90C0-BB3D781A2016}" = ThinkPad Power Manager
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{BCE46757-7674-4416-BEDB-68205A60409E}" = Canon CanoScan Toolbox 4.1
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F34D9A5F-484A-4E31-A9D3-908CB265B289}" = Sygate Personal Firewall
"{F5D32134-EAEB-4C6C-9CB8-51299CD2C5FC}" = Manual CanoScan 5000,5000F,8000F
"3ivx MPEG-4 5.0.1 Decoder" = 3ivx MPEG-4 5.0.1 Decoder (remove only)
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Adobe Shockwave Player" = Adobe Shockwave Player
"BlackBerry_{37E1EB56-C59B-4C5C-B0B3-B5076046EF8A}" = BlackBerry Desktop Software 4.2
"Brutal Chess" = Brutal Chess
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10140588" = ThinkPad Modem
"Foxit Reader" = Foxit Reader
"Google Calendar Sync" = Google Calendar Sync
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"KB888111WXPSP2" = High Definition Audio Driver Package - KB888111
"KB892130" = Windows Genuine Advantage Validation Tool (KB892130)
"KB923689" = Security Update for Windows XP (KB923689)
"KB923789" = Security Update for Windows XP (KB923789)
"KB931906" = Security Update for CAPICOM (KB931906)
"KB950762" = Security Update for Windows XP (KB950762)
"KB950974" = Security Update for Windows XP (KB950974)
"KB951066" = Security Update for Windows XP (KB951066)
"KB951072-v2" = Update for Windows XP (KB951072-v2)
"KB951376-v2" = Security Update for Windows XP (KB951376-v2)
"KB951698" = Security Update for Windows XP (KB951698)
"KB951748" = Security Update for Windows XP (KB951748)
"KB952287" = Hotfix for Windows XP (KB952287)
"KB952954" = Security Update for Windows XP (KB952954)
"KB953838" = Security Update for Windows XP (KB953838)
"KB953839" = Security Update for Windows XP (KB953839)
"legacyqcam_11.10" = Logitech Legacy USB Camera Driver Package
"lvdrivers_11.50" = Logitech QuickCam Driver Package
"Mozilla Firefox (2.0.0.16)" = Mozilla Firefox (2.0.0.16)
"OnScreenDisplay" = On Screen Display
"PeaZip_is1" = PeaZip 1.9.2
"Picasa2" = Picasa 2
"Power Management Driver" = ThinkPad Power Management Driver
"PROSet" = Intel® PRO Network Connections Drivers
"QuicktimeAlt_is1" = QuickTime Alternative 1.77
"RealAlt_is1" = Real Alternative 1.51
"RealVNC_is1" = VNC Free Edition 4.1.2
"Scholastic's I SPY Treasure Hunt" = Scholastic's I SPY Treasure Hunt
"SynTPDeinstKey" = ThinkPad UltraNav Driver
"ThinkPad FullScreen Magnifier" = ThinkPad FullScreen Magnifier
"WGA" = Windows Genuine Advantage Validation Tool (KB892130)
"Windows XP Service Pack" = Windows XP Service Pack 3
"Yahoo! Messenger" = Yahoo! Messenger

========== HKEY_CURRENT_USER Uninstall List ==========


========== HKEY_USERS Uninstall List ==========


========== HKEY_USERS Uninstall List ==========


========== HKEY_USERS Uninstall List ==========


========== HKEY_USERS Uninstall List ==========


========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-299502267-854245398-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Softsqueeze 3.4" = Softsqueeze 3.4

========== HKEY_USERS Uninstall List ==========


========== HKEY_USERS Uninstall List ==========


========== Last 10 Event Log Errors ==========


[ Application Events ]
Error - 8/21/2008 12:08:12 AM - Computer Name = ANNA-T61 - User Name = User SID not found - Source = LoadPerf
Description = Unable to read the performance counter strings of the 009 language
ID. The Win32 status returned by the call is the first DWORD in Data section.

Error - 8/21/2008 12:47:48 AM - Computer Name = ANNA-T61 - User Name = User SID not found - Source = LoadPerf
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The Error code is the first DWORD in Data section.

Error - 8/21/2008 12:47:51 AM - Computer Name = ANNA-T61 - User Name = User SID not found - Source = LoadPerf
Description = Unable to read the performance counter strings of the 009 language
ID. The Win32 status returned by the call is the first DWORD in Data section.

Error - 8/21/2008 1:18:15 AM - Computer Name = ANNA-T61 - User Name = User SID not found - Source = Application Error
Description = Faulting application jirfes.exe, version 0.0.0.0, faulting module
jirfes.exe, version 0.0.0.0, fault address 0x0000684a.

Error - 8/21/2008 1:21:31 AM - Computer Name = ANNA-T61 - User Name = User SID not found - Source = LoadPerf
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The Error code is the first DWORD in Data section.

Error - 8/21/2008 1:21:34 AM - Computer Name = ANNA-T61 - User Name = User SID not found - Source = LoadPerf
Description = Unable to read the performance counter strings of the 009 language
ID. The Win32 status returned by the call is the first DWORD in Data section.

Error - 8/21/2008 1:27:30 AM - Computer Name = ANNA-T61 - User Name = User SID not found - Source = LoadPerf
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The Error code is the first DWORD in Data section.

Error - 8/21/2008 1:27:33 AM - Computer Name = ANNA-T61 - User Name = User SID not found - Source = LoadPerf
Description = Unable to read the performance counter strings of the 009 language
ID. The Win32 status returned by the call is the first DWORD in Data section.

Error - 8/21/2008 1:31:16 AM - Computer Name = ANNA-T61 - User Name = User SID not found - Source = LoadPerf
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The Error code is the first DWORD in Data section.

Error - 8/21/2008 1:31:19 AM - Computer Name = ANNA-T61 - User Name = User SID not found - Source = LoadPerf
Description = Unable to read the performance counter strings of the 009 language
ID. The Win32 status returned by the call is the first DWORD in Data section.


[ Security Events ]

[ System Events ]
Error - 8/21/2008 2:14:44 AM - Computer Name = ANNA-T61 - User Name = User SID not found - Source = Service Control Manager
Description = The DHCP Client service depends on the NetBios over Tcpip service
which failed to start because of the following error: %%31

Error - 8/21/2008 2:14:44 AM - Computer Name = ANNA-T61 - User Name = User SID not found - Source = Service Control Manager
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 8/21/2008 2:14:44 AM - Computer Name = ANNA-T61 - User Name = User SID not found - Source = Service Control Manager
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error: %%31

Error - 8/21/2008 2:14:44 AM - Computer Name = ANNA-T61 - User Name = User SID not found - Source = Service Control Manager
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 8/21/2008 2:14:44 AM - Computer Name = ANNA-T61 - User Name = User SID not found - Source = Service Control Manager
Description = The following boot-start or system-start driver(s) failed to load:
AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip TPHKDRV TPPWRIF TSMAPIP

Error - 8/21/2008 2:15:26 AM - Computer Name = ANNA-T61 - User Name = NT AUTHORITY\SYSTEM - Source = DCOM
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 8/21/2008 7:57:03 PM - Computer Name = ANNA-T61 - User Name = User SID not found - Source = Service Control Manager
Description = The Microsoft TV/Video Connection service failed to start due to the
following error: %%1058

Error - 8/23/2008 7:29:39 PM - Computer Name = ANNA-T61 - User Name = User SID not found - Source = Windows Update Agent
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 8/28/2008 12:31:34 AM - Computer Name = ANNA-T61 - User Name = User SID not found - Source = Windows Update Agent
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 9/8/2008 4:09:41 AM - Computer Name = ANNA-T61 - User Name = User SID not found - Source = Windows Update Agent
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.


< End of report >


NOTE:
You said: Please do an online scan with Kaspersky WebScanner.
1. Please visit the Kaspersky Online Scanner website.

I cannot plug in the network cable as doing so will activate the systempre deployer. We need to work offline.

Regards,
Dan

#6 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:09:02 AM

Posted 08 September 2008 - 10:34 PM

Hello, Dan.
Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.
Can you please elaborate on the problem with connecting this machine to the internet?

We need to move some files
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\sqmdata17.sqm
    C:\sqmnoopt17.sqm
    C:\sqmdata18.sqm
    C:\sqmnoopt18.sqm
    C:\sqmdata04.sqm
    C:\sqmnoopt04.sqm
    C:\sqmdata05.sqm
    C:\sqmnoopt05.sqm
    C:\sqmdata06.sqm
    C:\sqmnoopt06.sqm
    C:\sqmdata07.sqm
    C:\sqmnoopt07.sqm
    C:\sqmdata08.sqm
    C:\sqmnoopt08.sqm
    C:\sqmdata09.sqm
    C:\sqmnoopt09.sqm
    C:\sqmdata10.sqm
    C:\sqmnoopt10.sqm
    C:\sqmdata11.sqm
    C:\sqmnoopt11.sqm
    C:\sqmdata19.sqm
    C:\sqmnoopt19.sqm
    C:\sqmdata00.sqm
    C:\sqmnoopt00.sqm
    C:\sqmdata01.sqm
    C:\sqmnoopt01.sqm
    C:\sqmdata02.sqm
    C:\sqmnoopt02.sqm
    C:\sqmdata03.sqm
    C:\sqmnoopt03.sqm
    C:\sqmnoopt12.sqm
    C:\sqmdata12.sqm
    C:\sqmdata13.sqm
    C:\sqmnoopt13.sqm
    C:\sqmnoopt14.sqm
    C:\sqmdata14.sqm
    C:\sqmnoopt15.sqm
    C:\sqmdata15.sqm
    C:\sqmnoopt16.sqm
    C:\sqmdata16.sqm
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

We need to run a system scan with Dr. Web CureIt
  • Please download DrWeb-CureIt & save it to your desktop.
    DO NOT perform a scan yet.
  • Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". Do not select "Safe Mode with Networking" or "Safe Mode with Command Prompt".
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Custom Scan", then Select drives (a red dot will show which drives have been chosen).
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
In your next reply, please include the following:
  • OTMoveIt2's Log
  • Dr.Web's Log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#7 dcarwin (Topic Starter, Members, 16 posts)

Posted 08 September 2008 - 10:46 PM

Hi Billy,

Can you please elaborate on the problem with connecting this machine to the internet?

I manually removed the systempre infection, using SDFix and HJT (please see first post). Right now the system "seems" normal. It is not connected to the LAN/internet. The wireless card is turned off and the network cable is unplugged.

If I were to plug the network cable into the box, then after a few seconds the systempre.exe infection would return. Systempre.exe would be placed in WINDOWS\system32, along with other randomly named executables. The registry entries to autorun these executables would also be created and so on. Task manager would close and be disabled, msconfig would close and be disabled. Certain websites would be blocked (including bleepingcomputer). I would be unable to run HijackThis. [Note you can see I had to rename HijackThis to get it to run initially. I renamed it to C:\Program Files\test55\ht\jojo.exe because it would not run while systempre.exe was present.]

All these things happen as soon as I plug in the network cable. The infection "blossoms" at that point. It is truly disheartening to see, when you think you have the infection cleared...

-Dan

[working on your requests. will have results in 15 min]

#8 dcarwin (Topic Starter, Members, 16 posts)

Posted 09 September 2008 - 12:30 AM

OTMoveit2 Log
=========
C:\sqmdata17.sqm moved successfully.
C:\sqmnoopt17.sqm moved successfully.
C:\sqmdata18.sqm moved successfully.
C:\sqmnoopt18.sqm moved successfully.
C:\sqmdata04.sqm moved successfully.
C:\sqmnoopt04.sqm moved successfully.
C:\sqmdata05.sqm moved successfully.
C:\sqmnoopt05.sqm moved successfully.
C:\sqmdata06.sqm moved successfully.
C:\sqmnoopt06.sqm moved successfully.
C:\sqmdata07.sqm moved successfully.
C:\sqmnoopt07.sqm moved successfully.
C:\sqmdata08.sqm moved successfully.
C:\sqmnoopt08.sqm moved successfully.
C:\sqmdata09.sqm moved successfully.
C:\sqmnoopt09.sqm moved successfully.
C:\sqmdata10.sqm moved successfully.
C:\sqmnoopt10.sqm moved successfully.
C:\sqmdata11.sqm moved successfully.
C:\sqmnoopt11.sqm moved successfully.
C:\sqmdata19.sqm moved successfully.
C:\sqmnoopt19.sqm moved successfully.
C:\sqmdata00.sqm moved successfully.
C:\sqmnoopt00.sqm moved successfully.
C:\sqmdata01.sqm moved successfully.
C:\sqmnoopt01.sqm moved successfully.
C:\sqmdata02.sqm moved successfully.
C:\sqmnoopt02.sqm moved successfully.
C:\sqmdata03.sqm moved successfully.
C:\sqmnoopt03.sqm moved successfully.
C:\sqmnoopt12.sqm moved successfully.
C:\sqmdata12.sqm moved successfully.
C:\sqmdata13.sqm moved successfully.
C:\sqmnoopt13.sqm moved successfully.
C:\sqmnoopt14.sqm moved successfully.
C:\sqmdata14.sqm moved successfully.
C:\sqmnoopt15.sqm moved successfully.
C:\sqmdata15.sqm moved successfully.
C:\sqmnoopt16.sqm moved successfully.
C:\sqmdata16.sqm moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09082008_205446


DRWEB.csv
=======
SDFix.exe;C:\Documents and Settings\dcarwin\Desktop;Archive contains infected objects;Moved.;
SDFix.exe;C:\sourcefiles\dcsfx;Archive contains infected objects;Moved.;
omniformat.exe;C:\sourcefiles\PDF Suite;Archive contains infected objects;Moved.;
vnc-4_1_2-x86_win32.exe;C:\sourcefiles\vnc;Archive contains infected objects;Moved.;
A0014254.exe;C:\System Volume Information\_restore{A289681D-C4AD-45E4-957E-0BAF1723EDCF}\RP287;Archive contains infected objects;Moved.;
A0014255.exe;C:\System Volume Information\_restore{A289681D-C4AD-45E4-957E-0BAF1723EDCF}\RP287;Archive contains infected objects;Moved.;
A0014256.exe;C:\System Volume Information\_restore{A289681D-C4AD-45E4-957E-0BAF1723EDCF}\RP287;Archive contains infected objects;Moved.;
A0014257.exe;C:\System Volume Information\_restore{A289681D-C4AD-45E4-957E-0BAF1723EDCF}\RP287;Archive contains infected objects;Moved.;
Dc14.jpeg;C:\RECYCLER\S-1-5-21-299502267-854245398-725345543-1003;BackDoor.IRC.Suicide;Deleted.;
zzz-was-ESaudio.exe;C:\WINDOWS\system32;BackDoor.IRC.Suicide;Deleted.;
vncviewer.exe;C:\Program Files\RealVNC\VNC4;Program.RemoteAdmin.51;Moved.;
vnc-4_1_2-x86_win32.exe\data005;C:\sourcefiles\vnc\vnc-4_1_2-x86_win32.exe;Program.RemoteAdmin.51;;
A0014257.exe\data005;C:\System Volume Information\_restore{A289681D-C4AD-45E4-957E-0BAF1723EDCF}\RP287\A0014257.exe;Program.RemoteAdmin.51;;
SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\dcarwin\Desktop\SDFix.exe;Tool.Prockill;;
Process.exe;C:\SDFix\apps;Tool.Prockill;Moved.;
SDFix.exe\SDFix\apps\Process.exe;C:\sourcefiles\dcsfx\SDFix.exe;Tool.Prockill;;
A0014254.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{A289681D-C4AD-45E4-957E-0BAF1723EDCF}\RP287\A0014254.exe;Tool.Prockill;;
A0014255.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{A289681D-C4AD-45E4-957E-0BAF1723EDCF}\RP287\A0014255.exe;Tool.Prockill;;
client-p[1].exe;C:\Documents and Settings\dcarwin\Local Settings\Temporary Internet Files\Content.IE5\Y6KPAWWW;Trojan.LydraSpy.1411;Deleted.;
A0008753.exe;C:\System Volume Information\_restore{A289681D-C4AD-45E4-957E-0BAF1723EDCF}\RP282;Trojan.LydraSpy.1411;Deleted.;
A0008760.exe;C:\System Volume Information\_restore{A289681D-C4AD-45E4-957E-0BAF1723EDCF}\RP282;Trojan.LydraSpy.1411;Deleted.;
A0008819.exe;C:\System Volume Information\_restore{A289681D-C4AD-45E4-957E-0BAF1723EDCF}\RP282;Trojan.MulDrop.17841;Deleted.;
A0008820.exe;C:\System Volume Information\_restore{A289681D-C4AD-45E4-957E-0BAF1723EDCF}\RP282;Trojan.MulDrop.17841;Deleted.;
omniformat.exe\OmniFormat/NTService.exe;C:\sourcefiles\PDF Suite\omniformat.exe;Trojan.MulDrop.origin;;
A0014256.exe\OmniFormat/NTService.exe;C:\System Volume Information\_restore{A289681D-C4AD-45E4-957E-0BAF1723EDCF}\RP287\A0014256.exe;Trojan.MulDrop.origin;;
A0009035.exe;C:\System Volume Information\_restore{A289681D-C4AD-45E4-957E-0BAF1723EDCF}\RP282;Trojan.Virtumod.based.18;Deleted.;
A0009037.exe;C:\System Volume Information\_restore{A289681D-C4AD-45E4-957E-0BAF1723EDCF}\RP282;Trojan.Virtumod.based.18;Deleted.;
A0009188.exe;C:\System Volume Information\_restore{A289681D-C4AD-45E4-957E-0BAF1723EDCF}\RP282;Trojan.Virtumod.based.18;Deleted.;
A0009189.exe;C:\System Volume Information\_restore{A289681D-C4AD-45E4-957E-0BAF1723EDCF}\RP282;Trojan.Virtumod.based.18;Deleted.;
A0009237.exe;C:\System Volume Information\_restore{A289681D-C4AD-45E4-957E-0BAF1723EDCF}\RP283;Trojan.Virtumod.based.18;Deleted.;
A0009241.exe;C:\System Volume Information\_restore{A289681D-C4AD-45E4-957E-0BAF1723EDCF}\RP283;Trojan.Virtumod.based.18;Deleted.;
A0009299.exe;C:\System Volume Information\_restore{A289681D-C4AD-45E4-957E-0BAF1723EDCF}\RP283;Trojan.Virtumod.based.18;Deleted.;
A0009302.exe;C:\System Volume Information\_restore{A289681D-C4AD-45E4-957E-0BAF1723EDCF}\RP283;Trojan.Virtumod.based.18;Deleted.;
A0014087.exe;C:\System Volume Information\_restore{A289681D-C4AD-45E4-957E-0BAF1723EDCF}\RP285;Trojan.Virtumod.based.18;Deleted.;
A0014091.exe;C:\System Volume Information\_restore{A289681D-C4AD-45E4-957E-0BAF1723EDCF}\RP285;Trojan.Virtumod.based.18;Deleted.;

#9 Billy O'Neal (Visual C++ STL Maintainer, Malware Response Team, 12,301 posts, Redmond, Washington)

Posted 09 September 2008 - 06:41 PM

Hello, Dan.
Looks clean to me.

Connect and run this one scan to be sure.

All the files detected by Dr. Web were deactivated. They simply appeared in Windows' System Restore feature.

I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use; tick the check-box in front of "YES, I accept the Terms of Use"
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista users: ESET is compatible, but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • ESET OnlineScan's Log

Billy3
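Added here as a worked example by the editor; it is not part of the thread and not Dr.Web's own code. Billy's point above is that a hit inside a System Restore point, a quarantine folder or a tool's backup archive is already harmless, and that riskware verdicts (Program.RemoteAdmin on RealVNC, Tool.Prockill on SDFix's helper) are not infections. The script below applies that triage to CureIt's semicolon-separated report layout. The path-marker lists, the riskware prefixes and the sample report lines are assumptions modelled on the report Dan posted, not something Dr.Web ships.

```python
"""Triage Dr.Web CureIt detections by where the hit actually lives.

A detection inside a System Restore point, an AV quarantine folder, a
cleanup tool's backup archive or the browser cache is already inert; a
detection under WINDOWS or Program Files means the code was live on the
box. Verdicts beginning Program./Tool./not-a-virus are riskware
(remote-admin tools, process killers), usually installed on purpose.
"""

# Case-insensitive path fragments (assumed list). Anything under these is
# not executable by the running system, so the hit is historical.
INERT_MARKERS = (
    "system volume information\\_restore",   # System Restore snapshots
    "\\doctorweb\\quarantine",               # Dr.Web's own quarantine
    "\\sdfix\\backups",                      # SDFix backup copies
    "\\temporary internet files\\",          # browser cache
    "\\recycler\\",                          # Recycle Bin
)

# Hits here mean the file sat somewhere it could run from.
LIVE_MARKERS = (
    "\\windows\\",
    "\\program files\\",
    "\\documents and settings\\",
)

# Verdict prefixes Dr.Web uses for riskware rather than malware (assumed).
RISKWARE_PREFIXES = ("program.", "tool.", "not-a-virus", "adware.")


def parse_drweb_csv(text):
    """Yield (name, directory, verdict, action) from CureIt's report.

    Each line is 'file;directory;verdict;action;'. For a file inside an
    archive, 'file' is 'archive.exe\\member' and the action is empty.
    """
    for line in text.splitlines():
        parts = line.strip().split(";")
        if len(parts) < 4 or not parts[0]:
            continue
        name, directory, verdict, action = parts[:4]
        yield name, directory, verdict, action


def classify(directory):
    """'inert', 'live' or 'other' for a directory from the report."""
    d = directory.lower()
    if any(m in d for m in INERT_MARKERS):
        return "inert"
    if any(m in d for m in LIVE_MARKERS):
        return "live"
    return "other"


def is_riskware(verdict):
    return verdict.lower().startswith(RISKWARE_PREFIXES)


def triage(text):
    """Return one dict per detection with the triage decision attached."""
    rows = []
    for name, directory, verdict, action in parse_drweb_csv(text):
        location = classify(directory)
        riskware = is_riskware(verdict)
        rows.append({
            "name": name,
            "dir": directory,
            "verdict": verdict,
            "action": action or "(member of the archive above)",
            "location": location,
            "riskware": riskware,
            # Only a non-riskware hit in a live location says the box was
            # still infected at scan time and deserves a closer look.
            "needs_attention": location == "live" and not riskware,
        })
    return rows


# Constructed sample in CureIt's CSV layout, modelled on the report above.
SAMPLE_REPORT = r"""
zzz-was-ESaudio.exe;C:\WINDOWS\system32;BackDoor.IRC.Suicide;Deleted.;
A0014254.exe;C:\System Volume Information\_restore{A289681D-C4AD-45E4-957E-0BAF1723EDCF}\RP287;Archive contains infected objects;Moved.;
vncviewer.exe;C:\Program Files\RealVNC\VNC4;Program.RemoteAdmin.51;Moved.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Moved.;
client-p[1].exe;C:\Documents and Settings\dcarwin\Local Settings\Temporary Internet Files\Content.IE5\Y6KPAWWW;Trojan.LydraSpy.1411;Deleted.;
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT):
        flag = "CHECK" if row["needs_attention"] else "ok"
        print(f"{flag:5} {row['location']:5} {row['verdict']:32} {row['name']}")
```

Run it against a saved DrWeb.csv by passing the file's contents to triage(); on the sample only the system32 backdoor comes out as needing attention, which is the same call Billy made by eye. The marker lists are deliberately short; add your own AV's quarantine path and any imaging/backup folders before trusting the "inert" column.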

#10 dcarwin (Topic Starter, Members, 16 posts)

Posted 09 September 2008 - 10:59 PM

OK I am gonna reconnect to the network.
Cross your fingers.

#11 dcarwin (Topic Starter, Members, 16 posts)

Posted 10 September 2008 - 01:19 AM

Happy to report the virus did not reactivate on connection. I ran the ESET scan and went back and ran the Kaspersky scan since I was connected.
Both reports are below.

Should I remove {nuke} the quarantined files?


ESET LOG
======
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3430 (20080910)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=85631dcb24e6384991db519ac8a317d7
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-09-10 04:50:05
# local_time=2008-09-09 09:50:05 (-0800, Pacific Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=265830
# found=21
# scan_time=1674
C:\Documents and Settings\dcarwin\Local Settings\Temporary Internet Files\Content.IE5\WXQHINYP\new[1].exe Win32/AutoRun.UB worm (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-299502267-854245398-725345543-1003\Dc322.zip Win32/IRCBot trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\SDFix\backups\backups.zip Win32/AutoRun.UB worm (deleted) 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/systempre.exe Win32/AutoRun.UB worm (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\SDFix\backups\HOSTS Win32/Qhost trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\SDFix\backups_old\HOSTS Win32/Qhost trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\SDFix\backups_old1\HOSTS Win32/Qhost trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\SDFix\backups_old2\backups.zip Win32/AutoRun.UB worm (deleted) 00000000000000000000000000000000
C:\SDFix\backups_old2\backups.zip »ZIP »backups/systempre.exe Win32/AutoRun.UB worm (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\SDFix\backups_old2\HOSTS Win32/Qhost trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\SDFix\backups_old3\backups.zip Win32/AutoRun.UB worm (deleted) 00000000000000000000000000000000
C:\SDFix\backups_old3\backups.zip »ZIP »backups/systempre.exe Win32/AutoRun.UB worm (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\SDFix\backups_old3\HOSTS Win32/Qhost trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\sourcefiles\Ahead.Nero.7.xx.All.Editions.and.Some.Plug-Ins_KEYGEN-FFF\Ahead.Nero.7.xx.All.Editions.and.Some.Plug-Ins_KEYGEN-FFF.zip Win32/Toolbar.AskSBar application (deleted) 00000000000000000000000000000000
C:\sourcefiles\Ahead.Nero.7.xx.All.Editions.and.Some.Plug-Ins_KEYGEN-FFF\Ahead.Nero.7.xx.All.Editions.and.Some.Plug-Ins_KEYGEN-FFF.zip »ZIP »Nero-7.8.5.0_eng_update.exe Win32/Toolbar.AskSBar application (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\sourcefiles\Ahead.Nero.7.xx.All.Editions.and.Some.Plug-Ins_KEYGEN-FFF\Ahead.Nero.7.xx.All.Editions.and.Some.Plug-Ins_KEYGEN-FFF.zip »ZIP »Nero-7.8.5.0_eng_update.exe »RAR »Toolbar.exe Win32/Toolbar.AskSBar application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\sourcefiles\Ahead.Nero.7.xx.All.Editions.and.Some.Plug-Ins_KEYGEN-FFF\Nero-7.8.5.0_eng_update.exe Win32/Toolbar.AskSBar application (deleted) 00000000000000000000000000000000
C:\sourcefiles\Ahead.Nero.7.xx.All.Editions.and.Some.Plug-Ins_KEYGEN-FFF\Nero-7.8.5.0_eng_update.exe »RAR »Toolbar.exe Win32/Toolbar.AskSBar application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\sourcefiles\PDF Suite\Able2Extract with keygen\Able2Extract[1].3.0-Patch_CiM.zip probably a variant of Win32/Obfuscated trojan (deleted) 00000000000000000000000000000000
C:\sourcefiles\PDF Suite\Able2Extract with keygen\Able2Extract[1].3.0-Patch_CiM.zip »ZIP »Crack.exe probably a variant of Win32/Obfuscated trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\sourcefiles\PDF Suite\Able2Extract with keygen\Able2Extract[1].3.0-Patch_CiM\Crack.exe probably a variant of Win32/Obfuscated trojan (unable to clean - deleted) 00000000000000000000000000000000



Kaspersky Log
=========
Tuesday, September 9, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, September 10, 2008 04:53:48
Records in database: 1205860
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
Scan statistics
Files scanned 49493
Threat name 1
Infected objects 12
Suspicious objects 0
Duration of the scan 01:06:36

File name Threat name Threats count
C:\Documents and Settings\dcarwin\DoctorWeb\Quarantine\A0014257.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
C:\Documents and Settings\dcarwin\DoctorWeb\Quarantine\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
C:\Documents and Settings\dcarwin\DoctorWeb\Quarantine\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
The selected area was scanned.
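Worked example added by the editor, not part of the thread. ESET flagged every HOSTS copy SDFix had backed up as Win32/Qhost, which matches the "many websites blocked" symptom: that family appends entries to %SystemRoot%\system32\drivers\etc\hosts so that help and update sites resolve to 127.0.0.1 or to an attacker's server. The parser below lists every non-default mapping and marks hits on security or update domains. The watchlist and the sample hosts content are assumptions constructed for the example.

```python
"""Audit a Windows hosts file for Qhost-style hijacks.

The hosts file is consulted before DNS, so one extra line silently blocks
a site (127.0.0.1 / 0.0.0.0 / ::1) or sends it to an attacker's server
(any other address). This lists every non-default mapping and marks the
ones that hit security or update hosts.
"""
import ipaddress

# The only mapping a stock Windows XP hosts file carries.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}

# Assumed watchlist: help sites and AV/update domains hijackers go after.
WATCHLIST = (
    "bleepingcomputer.com", "microsoft.com", "windowsupdate.com",
    "drweb.com", "eset.com", "kaspersky.com", "symantec.com",
    "mcafee.com", "avast.com", "free-av.com", "trendmicro.com",
)


def parse_hosts(text):
    """Return [(line_no, address, hostname)] for every mapping in the file.

    Comments start with '#'; a line may map several names to one address.
    Lines that are not 'address name...' are skipped, as Windows skips them.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue
        for name in names:
            entries.append((line_no, address, name.lower()))
    return entries


def is_watched(name):
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)


def audit_hosts(text):
    """Return one finding per mapping that is not the stock localhost line."""
    findings = []
    for line_no, address, name in parse_hosts(text):
        if (address, name) in DEFAULT_ENTRIES:
            continue
        ip = ipaddress.ip_address(address)
        # Loopback/unspecified targets are a block; anything else is a
        # redirect to a host the attacker controls (or a deliberate override).
        kind = "sinkholed" if ip.is_loopback or ip.is_unspecified else "redirected"
        findings.append({
            "line": line_no,
            "host": name,
            "address": address,
            "kind": kind,
            "security_site": is_watched(name),
        })
    return findings


# Constructed sample: the stock entry, a Qhost-style block of the help site
# and Windows Update, a redirect of an AV vendor, and one legitimate override.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
127.0.0.1       www.bleepingcomputer.com
127.0.0.1       bleepingcomputer.com
0.0.0.0         update.microsoft.com
192.0.2.10      www.drweb.com
10.0.0.5        intranet.example.corp   # deliberate local override
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        tag = "SECURITY SITE" if f["security_site"] else ""
        print(f"line {f['line']:3} {f['kind']:10} {f['host']:28} -> {f['address']:12} {tag}")
```

Feed it the whole file rather than eyeballing the top in Notepad: Qhost variants routinely pad the file with a few hundred blank lines before their entries, so a quick look shows only the stock localhost line. Restoring the file means deleting the flagged lines, not the file, and clearing the read-only/hidden attributes the dropper often sets on it.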

#12 Billy O'Neal (Visual C++ STL Maintainer, Malware Response Team, 12,301 posts, Redmond, Washington)

Posted 11 September 2008 - 02:27 PM

Hello, Dan.
Go ahead and delete this manually:
C:\Documents and Settings\dcarwin\DoctorWeb <-- This Folder

You can also delete cureit from your desktop.

We need to clear out some temporary data.
Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only.)
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use the Firefox browser: click Firefox at the top and choose: Select All, then click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser: click Opera at the top and choose: Select All, then click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Download and install an antivirus program, and make sure that you keep it updated.
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
Two good antivirus programs free for non-commercial home use are Avast! and Antivir.
Two good paid-for antivirus programs are NOD32 and Bitdefender.
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection level. It may also impair the performance of your PC.

In your next reply, please include the following:
  • A New HiJack This log

Billy3

#13 dcarwin (Topic Starter, Members, 16 posts)

Posted 11 September 2008 - 03:23 PM

Thanks Billy,
Used the ATF cleaner.

Below is the HJT log.


=====

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:19:32 PM, on 9/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\test55\ht\jojo.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192779822406
O17 - HKLM\System\CCS\Services\Tcpip\..\{93008F3B-85B5-41D8-B1FB-9225D9F2B837}: NameServer = 208.201.224.11,208.201.224.33
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 5987 bytes
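Added by the editor as a worked example; it is not HijackThis code and not something either poster ran. Dan's log above is clean, but the infection he described earlier registered systempre.exe under WINDOWS\system32 and randomly named executables in the user's profile as Run-key autostarts. The script pulls the O4 (Run keys), O17 (DNS servers) and O23 (services) lines out of a HijackThis log and flags those shapes, plus two generic ones: a bare filename with no path, and a service whose binary carries no vendor information. The known-bad name set, the user-writable path list and the sample log lines (two of them made up to look like the described infection, with a stand-in random name) are assumptions.

```python
"""Flag the autostart shapes this infection used in a HijackThis log.

O4 lines are Run-key entries, O17 the TCP/IP DNS servers, O23 installed
services. Checked here: a dropper name known from this case, a Run entry
that executes from a user-writable folder, a bare filename resolved
through the search path, a service with no vendor information, and DNS
servers that are not the ones you expect for the network.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section name target reason")

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*?NameServer = (?P<servers>.+)$")
O23_PREFIX = "O23 - Service: "
# First executable/DLL in a command line, quoted or not, spaces allowed.
BINARY_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|com|scr|bat|cmd|pif))"?', re.IGNORECASE)

KNOWN_BAD = {"systempre.exe"}            # name identified in this thread; extend per case
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\recycler\\")   # assumed


def extract_binary(cmd):
    """Pull the program path out of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32 "):      # the DLL is the real payload
        cmd = cmd[len("rundll32 "):]
    m = BINARY_RE.match(cmd)
    if m:
        return m.group("path")
    return cmd.split()[0] if cmd else ""


def path_reasons(path):
    """Generic reasons a start-up binary deserves a look."""
    reasons = []
    if path.rsplit("\\", 1)[-1].lower() in KNOWN_BAD:
        reasons.append("known dropper name")
    if "\\" not in path:
        reasons.append("bare filename, resolved through the search path")
    if any(p in path.lower() for p in USER_WRITABLE):
        reasons.append("runs from a user-writable location")
    return reasons


def audit_hjt(log_text, expected_dns=None):
    """Return Findings for the O4/O17/O23 lines worth a second look.

    expected_dns: the resolver addresses you know are right for this
    network; when None the O17 line is always reported for manual checking.
    """
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            target = extract_binary(m.group("cmd"))
            for reason in path_reasons(target):
                findings.append(Finding("O4", m.group("name"), target, reason))
            continue
        m = O17_RE.match(line)
        if m:
            servers = set(re.split(r"[,\s]+", m.group("servers").strip()))
            if expected_dns is None:
                findings.append(Finding("O17", "NameServer", ",".join(sorted(servers)),
                                        "verify these resolvers belong to your ISP/network"))
            elif not servers <= set(expected_dns):
                findings.append(Finding("O17", "NameServer", ",".join(sorted(servers - set(expected_dns))),
                                        "unexpected DNS server"))
            continue
        if line.startswith(O23_PREFIX):
            parts = line[len(O23_PREFIX):].rsplit(" - ", 2)   # display - owner - path
            if len(parts) != 3:
                continue
            display, owner, path = parts
            reasons = path_reasons(path)
            if owner.strip().lower() == "unknown owner":
                reasons.append("service binary has no vendor information")
            for reason in reasons:
                findings.append(Finding("O23", display, path, reason))
    return findings


# Constructed sample: benign ThinkPad entries plus two lines in the shape Dan
# described (systempre.exe in system32, a random-name exe in the profile).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [systempre] C:\WINDOWS\system32\systempre.exe
O4 - HKCU\..\Run: [qzvbtxe] C:\Documents and Settings\dcarwin\qzvbtxe.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{93008F3B-85B5-41D8-B1FB-9225D9F2B837}: NameServer = 208.201.224.11,208.201.224.33
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
"""

if __name__ == "__main__":
    for f in audit_hjt(SAMPLE_LOG, expected_dns={"208.201.224.11", "208.201.224.33"}):
        print(f"{f.section:3} [{f.name}] {f.target}: {f.reason}")
```

Every hit is a prompt, not a verdict: the TpShocks entry and the "Unknown owner" ThinkPad service are both legitimate Lenovo components, which is exactly why this kind of check only narrows what a human still has to confirm against the vendor's file list or a hash lookup.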

#14 Billy O'Neal (Visual C++ STL Maintainer, Malware Response Team, 12,301 posts, Redmond, Washington)

Posted 11 September 2008 - 05:45 PM

Hmm.. you don't seem to have installed an A/V yet.....

Any reason or did you just overlook that part?

Billy3

#15 dcarwin (Topic Starter, Members, 16 posts)

Posted 12 September 2008 - 02:27 PM

Hi Billy,

I needed to compare and choose between Avast! and Antivir.

-Dan



