
Continuous Pop ups


14 replies to this topic

#1 EddiePinz

  • Members
  • 8 posts

Posted 06 December 2008 - 08:01 PM

Hi,

This pop-up problem just started today. It does not matter what site I am browsing on, the pop-ups still come. I have run an anti-virus scan and a scan using Ad-Aware, but the problem is still there. The pop-ups are for various sites. I'm not sure what to do from here. So if you could help me out, it would be greatly appreciated. Thank you.

Here are the logs:

Logfile of random's system information tool 1.04 (written by random/random)
Run by QUINNE1 at 2008-12-06 19:47:17
Microsoft Windows XP Professional Service Pack 2
System drive C: has 67 GB (88%) free of 76 GB
Total RAM: 998 MB (30% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:47:24 PM, on 12/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\EPHDManager.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Verint\Bin\LoggerServer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verint\Screens\Bin\RFBAgent.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe
C:\Program Files\Verint\ila\ilaloginapp.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\GetModule\GetModule31.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Documents and Settings\quinne1\My Documents\nj051b_en\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\QUINNE1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lfd.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lfd.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Lincoln Financial Group
O2 - BHO: {3af17858-5a95-0f3b-7d34-33b7aa152021} - {120251aa-7b33-43d7-b3f0-59a585871fa3} - C:\WINDOWS\system32\mavmal.dll
O2 - BHO: (no name) - {14A40973-DF0A-41C3-A70E-74FDF14DC75E} - C:\WINDOWS\system32\pmnomKcD.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [EPHD User] "C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ILA] C:\Program Files\Verint\ila\ilaloginapp.exe
O4 - HKLM\..\Run: [RFBAgent] "C:\Program Files\Verint\Screens\Bin\RFBAgent.exe" -servicehelper
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [c0541618] rundll32.exe "C:\WINDOWS\system32\qtyhiica.dll",b
O4 - HKCU\..\Run: [GetModule31] C:\Program Files\GetModule\GetModule31.exe
O4 - Global Startup: Live Meeting Add-in for Microsoft Outlook.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.lfd.com
O15 - Trusted Zone: *.amgusa.com
O15 - Trusted Zone: *.ascendix.com
O15 - Trusted Zone: *.delgroup.com
O15 - Trusted Zone: http://*.delpwsymweb1
O15 - Trusted Zone: *.emanywhere.com
O15 - Trusted Zone: *.ermonline.net
O15 - Trusted Zone: *.guar.com
O15 - Trusted Zone: http://*.itradeiis
O15 - Trusted Zone: *.jp.corp
O15 - Trusted Zone: *.jpfinancial.com
O15 - Trusted Zone: *.jpfnet.com
O15 - Trusted Zone: *.lfacrm.com
O15 - Trusted Zone: *.lfd.com
O15 - Trusted Zone: *.lfdanywhere.com
O15 - Trusted Zone: http://*.lfdpwportal1
O15 - Trusted Zone: *.delinvest.ad.lfg.com
O15 - Trusted Zone: *.us.ad.lfg.com
O15 - Trusted Zone: *.lfg.com
O15 - Trusted Zone: *.lfgmfin.com
O15 - Trusted Zone: *.lnc.com
O15 - Trusted Zone: *.oasyson-line.com
O15 - Trusted Zone: *.placeware.com
O15 - Trusted Zone: *.salesforce.com
O15 - Trusted Zone: *.transitbenefit.com
O15 - Trusted Zone: *.amgusa.com (HKLM)
O15 - Trusted Zone: *.ascendix.com (HKLM)
O15 - Trusted Zone: *.delgroup.com (HKLM)
O15 - Trusted Zone: http://*.delpwsymweb1 (HKLM)
O15 - Trusted Zone: *.emanywhere.com (HKLM)
O15 - Trusted Zone: *.ermonline.net (HKLM)
O15 - Trusted Zone: *.guar.com (HKLM)
O15 - Trusted Zone: http://*.itradeiis (HKLM)
O15 - Trusted Zone: *.jp.corp (HKLM)
O15 - Trusted Zone: *.jpfinancial.com (HKLM)
O15 - Trusted Zone: *.jpfnet.com (HKLM)
O15 - Trusted Zone: *.lfacrm.com (HKLM)
O15 - Trusted Zone: *.lfd.com (HKLM)
O15 - Trusted Zone: *.lfdanywhere.com (HKLM)
O15 - Trusted Zone: http://*.lfdpwportal1 (HKLM)
O15 - Trusted Zone: *.delinvest.ad.lfg.com (HKLM)
O15 - Trusted Zone: *.us.ad.lfg.com (HKLM)
O15 - Trusted Zone: *.lfg.com (HKLM)
O15 - Trusted Zone: *.lfgmfin.com (HKLM)
O15 - Trusted Zone: *.lnc.com (HKLM)
O15 - Trusted Zone: *.oasyson-line.com (HKLM)
O15 - Trusted Zone: *.placeware.com (HKLM)
O15 - Trusted Zone: *.salesforce.com (HKLM)
O15 - Trusted Zone: *.transitbenefit.com (HKLM)
O16 - DPF: {52e54c77-cced-4b72-8e29-bb7206ca5a8f} (Oracle JInitiator 1.1.8.27) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192204329089
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192453858325
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} (Crystal ActiveX Report Viewer Control 10.0) - http://crystalprod.jp.corp/crystalreportvi...tiveXViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = delinvest.ad.lfg.com
O17 - HKLM\Software\..\Telephony: DomainName = delinvest.ad.lfg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = delinvest.ad.lfg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = delinvest.ad.lfg.com,us.ad.lfg.com,ad.lfg.com,lfg.com,lnc.com,jp.corp,amgusa.com,delgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = delinvest.ad.lfg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = delinvest.ad.lfg.com,us.ad.lfg.com,ad.lfg.com,lfg.com,lnc.com,jp.corp,amgusa.com,delgroup.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = delinvest.ad.lfg.com,us.ad.lfg.com,ad.lfg.com,lfg.com,lnc.com,jp.corp,amgusa.com,delgroup.com
O20 - AppInit_DLLs: mavmal.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: fcccbbyV - C:\WINDOWS\SYSTEM32\fcccbbyV.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPHDManager - GuardianEdge Technologies, Inc. - C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\EPHDManager.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LoggerServer - Verint - C:\Program Files\Common Files\Verint\Bin\LoggerServer.exe
O23 - Service: RFB Agent (RFBAgent) - Verint - C:\Program Files\Verint\Screens\Bin\RFBAgent.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 11335 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{120251aa-7b33-43d7-b3f0-59a585871fa3}]
C:\WINDOWS\system32\mavmal.dll [2008-12-06 129024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{14A40973-DF0A-41C3-A70E-74FDF14DC75E}]
C:\WINDOWS\system32\pmnomKcD.dll [2008-12-06 302592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll [2007-09-25 501136]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2007-05-11 40048]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2006-11-21 52840]
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe [2007-03-14 125632]
"StorageGuard"=C:\Program Files\VERITAS Software\Update Manager\sgtray.exe [2002-06-18 155648]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2007-08-15 141848]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2007-08-15 162328]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2007-08-15 137752]
"ACTray"=C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe [2007-07-05 413696]
"ACWLIcon"=C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe [2007-07-05 126976]
"EPHD User"=C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe [2008-03-11 98304]
"Synchronization Manager"=C:\WINDOWS\system32\mobsync.exe [2004-08-04 143360]
"ILA"=C:\Program Files\Verint\ila\ilaloginapp.exe [2005-01-26 57344]
"RFBAgent"=C:\Program Files\Verint\Screens\Bin\RFBAgent.exe [2004-08-18 352256]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2008-02-18 1044480]
"c0541618"=C:\WINDOWS\system32\qtyhiica.dll [2008-12-06 72704]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"GetModule31"=C:\Program Files\GetModule\GetModule31.exe [2008-12-05 367616]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Live Meeting Add-in for Microsoft Outlook.lnk - C:\WINDOWS\Installer\{A3BA5420-0C00-47B7-8450-02C99A20F832}\_294823.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="mavmal.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ACNotify]
C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll [2007-07-05 32768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2004-08-25 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ckpNotify]
C:\WINDOWS\system32\ckpNotify.dll [2008-01-29 24669]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fcccbbyV]
C:\WINDOWS\system32\fcccbbyV.dll [2008-12-06 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2007-08-09 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\system32\NavLogon.dll [2007-03-14 43712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-04-10 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=C:\WINDOWS\system32\fcccbbyV.dll [2008-12-06 34816]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\pmnomKcD
"notification packages"=scecli
ACGina
ephdssol

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispScrSavPage"=1
"HideLegacyLogonScripts"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=1
"legalnoticecaption"=Lincoln Financial Group
"legalnoticetext"=Do not attempt to log on unless you are an authorized user.
.
.
*********************************************************************************************
By logging on to this computer, you agree to abide by the LFG Information
Security Policy and Information Handling Policy, including appropriate use of
e-mail and the Internet. The primary use of this PC and the LFG network is to
conduct company business. You are responsible for protecting the Company's
confidential or proprietary information from unauthorized disclosures.
*********************************************************************************************
"shutdownwithoutlogon"=0
"undockwithoutlogon"=1
"HideStartupScripts"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoSMHelp"=1
"Intellimenus"=1
"NoSMMyDocs"=1
"DisablePersonalDirChange"=1
"ForceClassicControlPanel"=1
"NoSharedDocuments"=1
"NoSMMyPictures"=1
"NoStartMenuMyMusic"=1
"ForceStartMenuLogOff"=1
"NoSMConfigurePrograms"=1
"NoRecentDocsNetHood"=1
"NoDesktopCleanupWizard"=1
"NoWelcomeScreen"=1
"NoSMBalloonTip"=1
"DisallowRun"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe:*:Enabled:VPN-1 SecuRemote/SecureClient service"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe:*:Enabled:VPN-1 SecuRemote/SecureClient application"
"C:\Program Files\CheckPoint\SecuRemote\bin\scc.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\scc.exe:*:Enabled:VPN-1 SecuRemote/SecureClient command line"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_SDS.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_SDS.exe:*:Enabled:VPN-1 SecuRemote/SecureClient SDS agent"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_Diagnostics.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_Diagnostics.exe:*:Enabled:VPN-1 SecuRemote/SecureClient diagnostics"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe:*:Enabled:VPN-1 SecuRemote/SecureClient service"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe:*:Enabled:VPN-1 SecuRemote/SecureClient application"
"C:\Program Files\CheckPoint\SecuRemote\bin\scc.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\scc.exe:*:Enabled:VPN-1 SecuRemote/SecureClient command line"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_SDS.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_SDS.exe:*:Enabled:VPN-1 SecuRemote/SecureClient SDS agent"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_Diagnostics.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_Diagnostics.exe:*:Enabled:VPN-1 SecuRemote/SecureClient diagnostics"

======List of files/folders created in the last 1 months======

2008-12-06 19:47:17 ----D---- C:\rsit
2008-12-06 19:02:08 ----D---- C:\Program Files\Lavasoft
2008-12-06 19:02:06 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-12-06 19:01:25 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-12-06 18:39:35 ----D---- C:\Program Files\Trend Micro
2008-12-06 17:18:56 ----SH---- C:\WINDOWS\system32\aciihytq.ini
2008-12-06 17:18:52 ----A---- C:\WINDOWS\system32\qtyhiica.dll
2008-12-06 17:16:38 ----A---- C:\WINDOWS\system32\mavmal.dll
2008-12-06 17:16:37 ----A---- C:\WINDOWS\system32\bwhdqwyn.dll
2008-12-06 17:16:09 ----A---- C:\WINDOWS\system32\cb77d266-.txt
2008-12-06 17:15:51 ----ASH---- C:\WINDOWS\system32\DcKmonmp.ini2
2008-12-06 17:15:51 ----ASH---- C:\WINDOWS\system32\DcKmonmp.ini
2008-12-06 17:15:46 ----A---- C:\WINDOWS\system32\pmnomKcD.dll
2008-12-06 17:10:44 ----D---- C:\Documents and Settings\quinne1\Application Data\GetModule
2008-12-06 17:10:39 ----D---- C:\Program Files\GetModule
2008-12-06 17:10:38 ----D---- C:\Program Files\iCheck
2008-12-06 17:10:31 ----A---- C:\WINDOWS\system32\fcccbbyV.dll
2008-12-06 17:10:24 ----A---- C:\WINDOWS\system32\~.exe
2008-12-05 17:20:17 ----D---- C:\Documents and Settings\quinne1\Application Data\PlaceWare
2008-12-02 17:30:50 ----D---- C:\Program Files\Project64 1.6
2008-11-28 07:59:43 ----D---- C:\WINDOWS\system32\symbols
2008-11-28 07:59:43 ----D---- C:\Program Files\Verint
2008-11-28 07:59:27 ----D---- C:\WINDOWS\Symbols
2008-11-28 07:59:15 ----D---- C:\Program Files\Common Files\Verint
2008-11-25 12:38:27 ----D---- C:\Documents and Settings\quinne1\Application Data\iWin
2008-11-25 12:38:23 ----D---- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-11-25 10:09:51 ----D---- C:\Program Files\Common Files\Wintertree
2008-11-25 10:09:19 ----D---- C:\Program Files\Common Files\Business Objects
2008-11-25 10:09:19 ----D---- C:\Program Files\Business Objects
2008-11-22 07:29:53 ----D---- C:\Program Files\Full Tilt Poker
2008-11-20 16:42:00 ----D---- C:\Documents and Settings\quinne1\Application Data\Mozilla
2008-11-20 16:41:49 ----D---- C:\Program Files\Mozilla Firefox
2008-11-20 15:22:10 ----D---- C:\Program Files\Common Files\Crystal Decisions
2008-11-20 11:17:53 ----D---- C:\Documents and Settings\quinne1\Application Data\HEAT
2008-11-20 11:15:26 ----D---- C:\Program Files\HEAT
2008-11-20 11:12:54 ----D---- C:\Program Files\orl
2008-11-20 10:59:16 ----A---- C:\WINDOWS\system32\msxbse35.dll
2008-11-20 10:59:16 ----A---- C:\WINDOWS\system32\mstext35.dll
2008-11-20 10:59:16 ----A---- C:\WINDOWS\system32\mspdox35.dll
2008-11-20 10:59:16 ----A---- C:\WINDOWS\system32\msltus35.dll
2008-11-20 10:59:16 ----A---- C:\WINDOWS\system32\msexch35.dll
2008-11-20 10:59:15 ----A---- C:\WINDOWS\system32\msrpfs35.dll
2008-11-20 10:59:15 ----A---- C:\WINDOWS\system32\msrepl35.dll
2008-11-20 10:59:15 ----A---- C:\WINDOWS\system32\msjt4jlt.dll
2008-11-20 10:59:15 ----A---- C:\WINDOWS\system32\msexcl35.dll
2008-11-20 10:59:14 ----A---- C:\WINDOWS\system32\JETCOMP.exe
2008-11-20 10:59:13 ----A---- C:\WINDOWS\HyperlinkHelper.exe
2008-11-20 10:44:45 ----D---- C:\Program Files\Oracle
2008-11-20 10:44:08 ----D---- C:\Program Files\MS07-OCT
2008-11-20 10:43:04 ----HDC---- C:\WINDOWS\$NtUninstallKB937143$
2008-11-20 10:42:24 ----D---- C:\Program Files\MSXML 4.0
2008-11-20 10:42:16 ----D---- C:\Program Files\MS07-AUG
2008-11-20 10:39:14 ----A---- C:\WINDOWS\system32\VBAR332.DLL
2008-11-20 10:39:14 ----A---- C:\WINDOWS\system32\odbctl32.dll
2008-11-20 10:39:14 ----A---- C:\WINDOWS\system32\Odbcstf.dll
2008-11-20 10:39:13 ----A---- C:\WINDOWS\system32\msrd2x35.dll
2008-11-20 10:39:13 ----A---- C:\WINDOWS\system32\msjter35.dll
2008-11-20 10:39:13 ----A---- C:\WINDOWS\system32\msjint35.dll
2008-11-20 10:39:13 ----A---- C:\WINDOWS\system32\msjet35.dll
2008-11-20 10:39:12 ----A---- C:\WINDOWS\system32\Convdsn.exe
2008-11-20 10:38:04 ----D---- C:\Program Files\Common Files\Actuate
2008-11-20 10:38:00 ----A---- C:\WINDOWS\system32\winrpc32.dll
2008-11-20 10:38:00 ----A---- C:\WINDOWS\system32\oc30.dll
2008-11-20 10:38:00 ----A---- C:\WINDOWS\system32\mfcans32.dll
2008-11-20 10:38:00 ----A---- C:\WINDOWS\system32\LTWND10N.DLL
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\ltkrn10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\ltfil10N.DLL
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\ltdlg10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\LTDIS10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\lfwmf10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\lftif10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\lftga10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\lfpcx10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\lffax10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\LFCMP10N.DLL
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\lfbmp10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\hdk3ct32.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\gswdll32.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\gswag32.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\gsw32.exe
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\GSJPG32.DLL
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\ezrpcw32.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\acxerces-c_1_4_71.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\AcUnInstall.exe
2008-11-20 10:37:58 ----A---- C:\WINDOWS\system32\acicudt18_71.dll
2008-11-20 10:37:51 ----A---- C:\WINDOWS\system32\acrq8071.dll
2008-11-20 10:36:26 ----A---- C:\WINDOWS\system32\acrs8071.dll
2008-11-20 10:36:26 ----A---- C:\WINDOWS\system32\acr7771.dll
2008-11-20 10:36:22 ----D---- C:\Program Files\Actuate8
2008-11-20 09:39:05 ----D---- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\hpzpnp.dll
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPZISN12.DLL
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPZIPT12.DLL
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPZIPR12.DLL
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPZIPM12.DLL
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPZINW12.DLL
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPZIDR12.DLL
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPNRA.EXE
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPJIPX1U.DLL
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPJCMN2U.DLL
2008-11-20 09:38:39 ----A---- C:\WINDOWS\system32\HPBPROPS.DLL
2008-11-20 09:38:39 ----A---- C:\WINDOWS\system32\HPBPRO.DLL
2008-11-20 09:38:39 ----A---- C:\WINDOWS\system32\HPBOIDPS.DLL
2008-11-20 09:38:39 ----A---- C:\WINDOWS\system32\HPBOID.DLL
2008-11-20 09:38:39 ----A---- C:\WINDOWS\system32\HPBNRAC2.DLL
2008-11-20 09:38:39 ----A---- C:\WINDOWS\system32\HPBMINI.DLL
2008-11-20 09:38:39 ----A---- C:\WINDOWS\system32\HPBMIAPI.DLL
2008-11-20 09:36:42 ----D---- C:\HP CLJ4600
2008-11-20 09:36:12 ----D---- C:\HP_CLJ_4700_32bit_2000_XP_S2003_PS_HPDIU
2008-11-20 09:04:33 ----D---- C:\Documents and Settings\quinne1\Application Data\ICAClient
2008-11-20 08:59:27 ----D---- C:\Program Files\SQLXML 4.0
2008-11-20 08:53:09 ----D---- C:\Program Files\Microsoft Visual Studio 8
2008-11-20 08:53:09 ----D---- C:\Program Files\Common Files\Merge Modules
2008-11-20 08:53:07 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-11-20 08:51:57 ----D---- C:\Program Files\Microsoft Analysis Services
2008-11-20 08:44:43 ----D---- C:\Program Files\Microsoft SQL Server
2008-11-20 07:19:13 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-11-20 07:18:29 ----D---- C:\Program Files\MSECache
2008-11-20 07:16:14 ----N---- C:\WINDOWS\system32\spmsg.dll
2008-11-20 07:16:04 ----D---- C:\Program Files\MS07-APR
2008-11-20 07:16:04 ----D---- C:\Program Files\GuardianEdge Technologies
2008-11-20 07:11:07 ----D---- C:\Program Files\RCenter
2008-11-20 07:10:57 ----D---- C:\Program Files\iTrade
2008-11-20 07:10:47 ----D---- C:\Program Files\Delaware Research Analysis
2008-11-19 18:55:35 ----D---- C:\Program Files\CheckPoint
2008-11-19 18:55:24 ----D---- C:\Program Files\Drive Mapper
2008-11-19 18:55:06 ----D---- C:\Program Files\triCerat
2008-11-19 18:54:43 ----D---- C:\Program Files\Citrix
2008-11-19 18:53:27 ----D---- C:\Program Files\PlaceWare
2008-11-19 18:49:54 ----D---- C:\TRIGGER_FILES
2008-11-19 18:49:50 ----D---- C:\Program Files\Robocopy
2008-11-19 18:49:48 ----A---- C:\WINDOWS\robocopy.exe
2008-11-19 18:49:47 ----A---- C:\WINDOWS\IFMEMBER.EXE
2008-11-19 18:49:37 ----ASH---- C:\Documents and Settings\quinne1\Application Data\desktop.ini
2008-11-19 18:49:36 ----D---- C:\Documents and Settings\quinne1\Application Data\Identities
2008-11-19 18:49:36 ----D---- C:\Documents and Settings\quinne1\Application Data\Adobe
2008-11-19 18:49:35 ----SD---- C:\Documents and Settings\quinne1\Application Data\Microsoft
2008-11-19 18:49:35 ----D---- C:\Documents and Settings\quinne1\Application Data\VERITAS
2008-11-19 18:49:35 ----D---- C:\Documents and Settings\quinne1\Application Data\Sun
2008-11-19 18:49:35 ----D---- C:\Documents and Settings\quinne1\Application Data\Macromedia
2008-11-19 18:46:35 ----D---- C:\WINDOWS\SchCache
2008-11-19 18:41:29 ----RA---- C:\WINDOWS\system32\uci32103.dll
2008-11-19 18:35:58 ----D---- C:\Program Files\Analog Devices
2008-11-19 18:35:52 ----HDC---- C:\WINDOWS\$NtUninstallKB888111WXPSP2$
2008-11-19 18:34:37 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-11-19 18:34:34 ----D---- C:\Program Files\Intel
2008-11-19 18:34:31 ----D---- C:\Intel
2008-11-19 18:34:01 ----D---- C:\WINDOWS\system32\CCM
2008-11-19 18:34:01 ----D---- C:\WINDOWS\ms
2008-11-19 18:33:50 ----A---- C:\WINDOWS\system32\tvt_gina_api.dll
2008-11-19 18:33:50 ----A---- C:\WINDOWS\system32\tvt_gina.dll
2008-11-19 18:33:43 ----D---- C:\Program Files\ThinkPad
2008-11-19 18:33:40 ----A---- C:\WINDOWS\IsUninst.exe
2008-11-19 18:33:34 ----D---- C:\WINDOWS\system32\ccmsetup
2008-11-19 18:33:32 ----A---- C:\postsys2.bat
2008-11-19 18:32:38 ----RD---- C:\LFG_Apps
2008-11-19 18:31:44 ----A---- C:\WINDOWS\system32\igfxres.dll
2008-11-19 17:28:58 ----A---- C:\WINDOWS\system32\TPMDDL.dll
2008-11-19 17:27:47 ----D---- C:\WINDOWS\system32\x64
2008-11-19 17:27:47 ----D---- C:\WINDOWS\system32\Lang
2008-11-19 17:27:47 ----A---- C:\WINDOWS\system32\igxpun.exe
2008-11-19 17:27:23 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-11-19 17:27:23 ----A---- C:\WINDOWS\system32\difxapi.dll

======List of files/folders modified in the last 1 months======

2008-12-06 19:04:29 ----D---- C:\WINDOWS\Temp
2008-12-06 19:02:56 ----SHD---- C:\WINDOWS\Installer
2008-12-06 19:02:56 ----D---- C:\WINDOWS
2008-12-06 19:02:37 ----D---- C:\WINDOWS\Prefetch
2008-12-06 19:02:08 ----RD---- C:\Program Files
2008-12-06 19:02:08 ----D---- C:\WINDOWS\system32\drivers
2008-12-06 19:02:08 ----D---- C:\WINDOWS\system32
2008-12-06 19:01:25 ----D---- C:\Program Files\Common Files
2008-12-06 17:13:44 ----D---- C:\Program Files\Symantec AntiVirus
2008-12-05 20:54:50 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-12-05 20:51:45 ----A---- C:\WINDOWS\smscfg.ini
2008-12-05 18:02:06 ----D---- C:\WINDOWS\security
2008-12-05 18:01:57 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-05 11:51:14 ----HD---- C:\WINDOWS\inf
2008-12-05 11:51:14 ----D---- C:\WINDOWS\system32\CatRoot
2008-12-05 10:02:25 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-28 08:00:02 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-11-28 07:59:34 ----D---- C:\WINDOWS\system32\config
2008-11-25 15:29:39 ----AC---- C:\WINDOWS\ODBC.INI
2008-11-25 10:18:15 ----HD---- C:\Program Files\InstallShield Installation Information
2008-11-21 18:17:02 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-11-21 14:02:27 ----D---- C:\WINDOWS\Help
2008-11-20 14:00:37 ----SHD---- C:\RECYCLER
2008-11-20 13:39:38 ----D---- C:\WINDOWS\Microsoft.NET
2008-11-20 13:39:37 ----RSD---- C:\WINDOWS\assembly
2008-11-20 11:15:38 ----D---- C:\WINDOWS\WinSxS
2008-11-20 10:59:27 ----AC---- C:\WINDOWS\ODBCINST.INI
2008-11-20 10:43:01 ----HD---- C:\WINDOWS\$hf_mig$
2008-11-20 10:35:37 ----D---- C:\Program Files\Common Files\InstallShield
2008-11-20 09:09:35 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-11-20 09:07:51 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-11-20 08:59:18 ----D---- C:\WINDOWS\Registration
2008-11-20 08:58:23 ----D---- C:\Program Files\Microsoft.NET
2008-11-20 08:53:20 ----D---- C:\WINDOWS\system32\1033
2008-11-20 08:31:50 ----SHD---- C:\WINDOWS\CSC
2008-11-20 07:19:24 ----A---- C:\WINDOWS\imsins.BAK
2008-11-19 18:58:02 ----SHD---- C:\System Volume Information
2008-11-19 18:58:02 ----D---- C:\WINDOWS\system32\Restore
2008-11-19 18:53:41 ----D---- C:\WINDOWS\system32\wbem
2008-11-19 18:52:56 ----D---- C:\Program Files\Microsoft Office
2008-11-19 18:49:43 ----D---- C:\WINDOWS\system32\appmgmt
2008-11-19 18:49:33 ----D---- C:\Documents and Settings
2008-11-19 18:45:22 ----A---- C:\WINDOWS\setuplog.txt
2008-11-19 18:43:56 ----RASH---- C:\boot.ini
2008-11-19 18:43:22 ----A---- C:\WINDOWS\system.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ANC;ANC; C:\WINDOWS\System32\drivers\ANC.SYS [2005-11-08 11520]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 FW1;SecuRemote Miniport; C:\WINDOWS\system32\DRIVERS\fw.sys [2008-01-29 2235760]
R1 IBMTPCHK;IBMTPCHK; \??\C:\WINDOWS\system32\Drivers\IBMBLDID.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys []
R1 Smapint;Smapint; C:\WINDOWS\System32\drivers\Smapint.sys [2003-07-03 14848]
R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2007-02-12 196752]
R1 TDSMAPI;TDSMAPI; C:\WINDOWS\System32\drivers\TDSMAPI.SYS [2003-07-03 8830]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2004-08-03 8832]
R2 CP_OMDRV;Check Point Office Mode Module; C:\WINDOWS\System32\drivers\omdrv.sys [2008-01-29 47504]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2005-10-05 12544]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient; C:\WINDOWS\system32\DRIVERS\vnasc.sys [2008-01-29 121136]
R2 VPN-1;VPN-1 Module; C:\WINDOWS\System32\drivers\vpn.sys [2008-01-29 673872]
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2008-02-18 334848]
R3 aeaudio;AE Audio Service; C:\WINDOWS\system32\drivers\aeaudio.sys [2008-02-18 94976]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
R3 atmeltpm;atmeltpm; C:\WINDOWS\system32\DRIVERS\atmeltpm.sys [2005-05-17 15872]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2007-05-11 252312]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2005-12-06 996736]
R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2005-12-06 202624]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-08-09 5765056]
R3 IBMPMDRV;IBMPMDRV; C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys [2007-05-31 21424]
R3 idisw2km;idisw2km; C:\WINDOWS\system32\DRIVERS\idisw2km.sys [2006-02-09 8992]
R3 kbstuff;SMS Virtual Keyboard; C:\WINDOWS\system32\DRIVERS\kbstuff5.sys [2006-02-09 11744]
R3 LenovoRd;LenovoRd; C:\WINDOWS\System32\Drivers\LenovoRd.sys [2007-06-08 81280]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081204.003\naveng.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081204.003\navex15.sys []
R3 NETw4x32;Intel® Wireless WiFi Link Adapter Driver for Windows XP 32 Bit; C:\WINDOWS\system32\DRIVERS\NETw4x32.sys [2007-11-26 2236544]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
R3 prepdrvr;SMS Process Event Driver; \??\C:\WINDOWS\system32\CCM\prepdrv.sys []
R3 SAVRT;SAVRT; \??\C:\Program Files\Symantec AntiVirus\savrt.sys []
R3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
R3 TcUsb;TC USB Kernel Driver; C:\WINDOWS\System32\Drivers\tcusb.sys [2007-03-08 40848]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-12-06 724224]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
S3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2004-08-25 787456]
S3 E1000;Intel® PRO/1000 Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1000325.sys [2007-03-25 171416]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 HSFHWICH;HSFHWICH; C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys []
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 NSCIRDA;NSC Infrared Device Driver; C:\WINDOWS\system32\DRIVERS\nscirda.sys [2004-08-03 28672]
S3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
S3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-05-27 578304]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2004-08-04 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
R2 AcPrfMgrSvc;Ac Profile Manager Service; C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe [2007-07-05 65536]
R2 AcSvc;Access Connections Main Service; C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe [2007-07-05 184320]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2006-11-21 192104]
R2 CcmExec;SMS Agent Host; C:\WINDOWS\system32\CCM\CcmExec.exe [2006-02-09 578784]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2006-11-21 169576]
R2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec AntiVirus\DefWatch.exe [2007-03-14 31424]
R2 EPHDManager;EPHDManager; C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\EPHDManager.exe [2008-03-11 155648]
R2 IBMPMSVC;ThinkPad PM Service; C:\WINDOWS\system32\ibmpmsvc.exe [2007-05-31 36400]
R2 LoggerServer;LoggerServer; C:\Program Files\Common Files\Verint\Bin\LoggerServer.exe [2005-01-03 155648]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 MsDtsServer;SQL Server Integration Services; C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [2005-10-14 199384]
R2 msftesql;SQL Server FullText Search (MSSQLSERVER); C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [2005-08-26 92880]
R2 MSSQLSERVER;SQL Server (MSSQLSERVER); C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2005-10-14 28768528]
R2 MSSQLServerOLAPService;SQL Server Analysis Services (MSSQLSERVER); C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe [2005-10-14 14557912]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R2 RFBAgent;RFB Agent; C:\Program Files\Verint\Screens\Bin\RFBAgent.exe [2004-08-18 352256]
R2 SavRoam;SAVRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [2007-03-14 116416]
R2 SPBBCSvc;Symantec SPBBCSvc; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe [2007-01-10 1160792]
R2 SQLSERVERAGENT;SQL Server Agent (MSSQLSERVER); C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE [2005-10-14 318680]
R2 SR_Service;Check Point VPN-1 Securemote service; C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe [2008-01-29 106590]
R2 SR_Watchdog;Check Point VPN-1 Securemote watchdog; C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe [2008-01-29 36959]
R2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2007-03-14 1816768]
R2 Wuser32;SMS Remote Control Agent; C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe [2006-02-09 248544]
S2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2004-08-25 389120]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-09-02 2528960]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2007-02-12 214672]
S3 SQLWriter;SQL Server VSS Writer; C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2005-10-14 87768]
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2005-10-14 45272]
S4 msvsmon80;Visual Studio 2005 Remote Debugger; C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]
S4 SQLBrowser;SQL Server Browser; C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2005-10-14 239320]

-----------------EOF-----------------


info.txt logfile of random's system information tool 1.04 2008-12-06 19:47:29

======Uninstall list======

-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {09DA4F91-2A09-4232-AB8C-6BC740096DE3}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {8214CC02-6271-4DC8-B8DD-779933450264}
-->MsiExec.exe /I{9B38E514-F7BD-11D6-BD75-00105A5F3811}
-->MsiExec.exe /I{9DBEAE1C-15E1-4F38-89AD-A6FA4E044A23}
-->MsiExec.exe /I{B1ECA60D-C4C3-450A-8790-1DBEF69F4D86}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Actuate e.Report Designer Professional 8-->C:\WINDOWS\system32\ACUNIN~1.EXE -p "C:\Program Files\Actuate8\eRDPro\AcUninst.txt"
Actuate e.Spreadsheet Designer 8-->C:\WINDOWS\system32\ACUNIN~1.EXE -p "C:\Program Files\Actuate8\espreadsheet\AcUninst.txt"
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player 9 ActiveX-->MsiExec.exe /X{58BAA8D0-404E-4585-9FD3-ED1BB72AC2EE}
Adobe Reader 8.1.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Check Point VPN-1 SecuRemote/SecureClient NGX R60 HFA2-->MsiExec.exe /X{c5ae39ac-ff79-47e1-b69c-c05ac7de9cf2}
Citrix Presentation Server Client-->MsiExec.exe /I{B2AE44CB-2AAB-4C08-A54B-D264BD604DA8}
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Delaware Research Analysis-->MsiExec.exe /I{528D308A-9B11-4849-A3A1-335BE516A218}
Drive Mapper-->MsiExec.exe /I{F6C586D8-E5E8-4699-BE31-3DCCC7321408}
Encryption Plus Hard Disk-->MsiExec.exe /X{FD1BFE79-D8DA-4F6B-AD94-51CCF4F71F0D}
Full Tilt Poker-->"C:\Program Files\InstallShield Installation Information\{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}\setup.exe" -runfromtemp -l0x0009 -removeonly
HEAT-->MsiExec.exe /I{2E69CA8D-516C-42D5-A8A4-E9A254CDBF4A}
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.0 (KB932471)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {ECD292A0-0347-4244-8C24-5DBCE990FB40} /package {BAF78226-3200-4DB4-BE33-4D922A799840}
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
IBM RecordNow Update Manager-->MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
IBM RecordNow-->MsiExec.exe /I{8214CC02-6271-4DC8-B8DD-779933450264}
IBM ThinkPad Configuration-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ThinkPad\Utilities\UNTPUW.ISU" -c"C:\Program Files\ThinkPad\Utilities\Tpinswin.dll"
Intel® Graphics Media Accelerator Driver-->C:\WINDOWS\system32\igxpun.exe -uninstall
Intel® PRO Network Connections Drivers-->Prounstl.exe
Internet Speed Monitor-->C:\Program Files\iCheck\Uninstall.exe
InterVideo WinDVD-->"C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
iTrade-->MsiExec.exe /I{26FDCCAF-6326-48DF-A757-6B8B410420CB}
Java™ 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
LincolnPDF-->C:\WINDOWS\system32\uninstpw.exe C:\LincolnPDF
LiveUpdate 3.1 (Symantec Corporation)-->"C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft .NET Framework 3.0 Service Pack 1-->MsiExec.exe /I{2BA00471-0328-3743-93BD-FA813353A783}
Microsoft Office 2003 Web Components-->MsiExec.exe /I{90A40409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Live Meeting Add-in for Microsoft Outlook-->MsiExec.exe /X{A3BA5420-0C00-47B7-8450-02C99A20F832}
Microsoft Office Standard Edition 2003-->MsiExec.exe /I{90120409-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server 2005 Analysis Services-->MsiExec.exe /I{8ABF8FEB-ABB0-40DC-9945-85AF36EF30A9}
Microsoft SQL Server 2005 Backward compatibility-->MsiExec.exe /I{96327C3C-96BE-4C7A-A6F7-A71635E5949A}
Microsoft SQL Server 2005 Books Online (English)-->MsiExec.exe /I{0B43A744-B1B8-4089-9BD1-9D41C7EC0AA3}
Microsoft SQL Server 2005 Integration Services-->MsiExec.exe /I{EE8CFFD9-6E29-4DC3-A967-7348D5F41F44}
Microsoft SQL Server 2005 Notification Services-->MsiExec.exe /I{37E9AD9F-3217-4229-B5A5-7A0C82364C6C}
Microsoft SQL Server 2005 Tools-->MsiExec.exe /I{1DD463C0-A50A-4394-B7E4-5895C02F9E0D}
Microsoft SQL Server 2005-->"C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server 2005-->MsiExec.exe /I{130A3BE1-85CC-4135-8EA7-5A724EE6CE2C}
Microsoft SQL Server Native Client-->MsiExec.exe /I{BF251EAF-8697-4E89-BF09-C998F97BBC40}
Microsoft SQL Server Setup Support Files (English)-->MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer-->MsiExec.exe /I{1CBE3804-20DF-48DA-B048-895C206E80A5}
Microsoft Visual Studio 2005 Premier Partner Edition - ENU-->MsiExec.exe /I{C25EF637-BE7A-4761-9B45-9069989C319F}
Mozilla Firefox (3.0.4)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MS07-APR-->"C:\Program Files\MS07-APR\UNINSTAL.EXE" "C:\Program Files\MS07-APR\INSTALL.LOG" "MS07-APR Uninstall"
MS07-AUG-->"C:\Program Files\MS07-AUG\UNINSTAL.EXE" "C:\Program Files\MS07-AUG\INSTALL.LOG" "MS07-AUG Uninstall"
MS07-OCT-->"C:\Program Files\MS07-OCT\UNINSTAL.EXE" "C:\Program Files\MS07-OCT\INSTALL.LOG" "MS07-OCT Uninstall"
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Oracle Client 9.0.1-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{714B233D-0C5A-4EBF-B695-962CE45945DF}\setup.exe" -l0x9 -uninst -removeonly
Oracle JInitiator 1.1.8.16-->MsiExec.exe /I{71E73A05-FEA9-4E35-9AF8-4FF6BFEEE39E}
Oracle JInitiator 1.1.8.27-->MsiExec.exe /I{3E991AB9-758F-40AF-8158-E2354FC7A193}
Project64 1.6-->MsiExec.exe /X{9559F7CA-5E34-4237-A2D9-D856464AD727}
RCenter-->MsiExec.exe /I{D8682D1B-E352-4E89-8534-DD86405C182D}
ScrewDrivers Client v4-->MsiExec.exe /I{665ECEFC-F101-43AC-B750-2C17BF03CF4F}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Windows Media Player (KB911564)-->"C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB904706)-->"C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917344)-->"C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917953)-->"C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918439)-->"C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Security Update for Windows XP (KB919007)-->"C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920685)-->"C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921503)-->"C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922819)-->"C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923191)-->"C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923414)-->"C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924496)-->"C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924667)-->"C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925902)-->"C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927779)-->"C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928843)-->"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Security Update for Windows XP (KB930178)-->"C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931261)-->"C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931784)-->"C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Security Update for Windows XP (KB932168)-->"C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933729)-->"C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Security Update for Windows XP (KB936021)-->"C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Security Update for Windows XP (KB937143)-->"C:\WINDOWS\$NtUninstallKB937143$\spuninst\spuninst.exe"
Security Update for Windows XP (KB937894)-->"C:\WINDOWS\$NtUninstallKB937894$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938127)-->"C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938829)-->"C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Security Update for Windows XP (KB939653)-->"C:\WINDOWS\$NtUninstallKB939653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941202)-->"C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941568)-->"C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941644)-->"C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941693)-->"C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943055)-->"C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943460)-->"C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943485)-->"C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944338)-->"C:\WINDOWS\$NtUninstallKB944338$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944653)-->"C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB945553)-->"C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946026)-->"C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB947864)-->"C:\WINDOWS\$NtUninstallKB947864$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948590)-->"C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948881)-->"C:\WINDOWS\$NtUninstallKB948881$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950749)-->"C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
SQLXML4-->MsiExec.exe /I{8C62A94B-4AB6-485F-A111-93056684D340}
Symantec AntiVirus-->MsiExec.exe /I{50E125D1-88E5-48CE-80AE-98EC9698E639}
ThinkPad Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10140588\HXFSETUP.EXE -U -ITkp0588k.inf
ThinkPad Power Management Driver-->RunDll32.exe tpinspm.dll,Uninstall
ThinkVantage Access Connections-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7EB114D8-207F-45AE-BABD-1669715F2630}\Setup.exe" -l0x9 anything
Time Zone Data Update Tool for Microsoft Office Outlook-->MsiExec.exe /X{95120000-0038-0409-0000-0000000FF1CE}
ULTRA 9.3 Desktop-->MsiExec.exe /X{982AF7AB-9939-11D6-817D-00105AB492EA}
Update for Windows XP (KB894391)-->"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Update for Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update for Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Update for Windows XP (KB916595)-->"C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update for Windows XP (KB920872)-->"C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update for Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update for Windows XP (KB925720)-->"C:\WINDOWS\$NtUninstallKB925720$\spuninst\spuninst.exe"
Update for Windows XP (KB927891)-->"C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Update for Windows XP (KB930916)-->"C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Update for Windows XP (KB933360)-->"C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Update for Windows XP (KB936357)-->"C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Update for Windows XP (KB938828)-->"C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
VNC HDRA-->MsiExec.exe /I{22151A28-9C1C-46E5-A54E-8B062FCFCD05}
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122-->"C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887472-->C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe

======Security center information======

AV: Symantec AntiVirus Corporate Edition

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Desktop"=No
"FP_NO_HOST_CHECK"=NO
"ICU_DATA"=C:\WINDOWS\system32\
"Laptop"=XP
"LegacyDomain"=DELAWARE
"lib"=C:\Program Files\SQLXML 4.0\bin\
"Location"=PA1
"NUMBER_OF_PROCESSORS"=2
"OS"=Windows_NT
"Path"=C:\PROGRAM FILES\THINKPAD\UTILITIES;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ThinkPad\ConnectUtilities;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Microsoft SQL Server\90\DTS\Binn\;C:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\Microsoft SQL Server\90\Tools\Binn\VSShell\Common7\IDE\;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\;C:\Program Files\HEAT\;\\delinvest.ad.lfg.com\dfs-apps-shared\jpapps\plib1\Ora901\Bin;\\delinvest.ad.lfg.com\dfs-apps-shared\jpapps\plib1\Ora901\Bin;\\delinvest.ad.lfg.com\dfs-apps-shared\jpapps\plib1\Ora901\Bin;\\delinvest.ad.lfg.com\dfs-apps-shared\jpapps\plib1\Ora901\Bin;\\delinvest.ad.lfg.com\dfs-apps-shared\jpapps\plib1\Ora901\Bin;C:\Program Files\Common Files\Verint\Bin
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PCTYPE"=T61
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 11, GenuineIntel
"PROCESSOR_LEVEL"=6
"PROCESSOR_REVISION"=0f0b
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"windir"=%SystemRoot%

-----------------EOF-----------------

#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:26 PM

Posted 06 December 2008 - 09:54 PM

Hello EddiePinz,

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
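The ComboFix log this post asks for contains a "Reg Loading Points" section that lists every autostart entry ComboFix found, followed by an "ORPHANS REMOVED" list and the R0..S4 driver/service lines. The quickest way to read such a log is to ask which files are reached through more than one autostart mechanism: a legitimate component is usually registered in one place, whereas a DLL that is a Browser Helper Object, a ShellExecuteHook and a Winlogon Notify package at the same time is worth a close look, as is a log where the Security Center notifications and the Windows Firewall have been switched off. The Python script below is an added example for this thread, not a ComboFix or BleepingComputer tool. The mechanism labels (BHO, ShellExecuteHook, WinlogonNotify, AppInit_DLLs, Run, Service, Orphan:*) are the script's own, and SAMPLE_LOG is a constructed excerpt written in the format of that log section.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.
Added example for this thread (not a ComboFix or BleepingComputer tool): groups
autostart entries by the file they load, flags files reached through several
mechanisms, and lists protection settings that have been switched off."""
import re
from collections import defaultdict

# Substring of the bracketed registry key -> mechanism label (labels are ours).
KEY_MECHANISMS = [
    ("browser helper objects", "BHO"),
    ("shellexecutehooks", "ShellExecuteHook"),
    ("winlogon\\notify", "WinlogonNotify"),
    ("windows nt\\currentversion\\windows", "AppInit_DLLs"),
    ("currentversion\\run", "Run"),
]
ORPHAN_RE = re.compile(r"^(BHO|HKCU-Run|HKLM-Run)-", re.I)   # 'ORPHANS REMOVED' lines
SERVICE_RE = re.compile(r"^[RS][0-4]\s+\S")                  # R0..S4 driver/service lines
POSTURE_OFF = {                 # value name -> setting that means protection is off
    "antivirusdisablenotify": "dword:00000001",
    "updatesdisablenotify": "dword:00000001",
    "disablemonitoring": "dword:00000001",
    "enablefirewall": "0 (0x0)",
}
VALUE_RE = re.compile(r'"([^"]+)"\s*=\s*(.*)')
PATH_RE = re.compile(r'[a-z]:\\[^"\[\]]+?\.(?:dll|exe|sys)\b', re.I)
APPINIT_RE = re.compile(r'"appinit_dlls"\s*=\s*([^\s,]+\.dll)', re.I)


def parse_loading_points(text):
    """Return (loads, posture): loads maps a lower-cased file basename to
    {mechanism: set(paths)}; posture lists disabled-protection findings."""
    loads = defaultdict(lambda: defaultdict(set))
    posture = []
    key, key_mech = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):        # registry key header
            key = line[1:-1].lower()
            key_mech = next((m for n, m in KEY_MECHANISMS if n in key), None)
            continue
        if line.endswith("\\"):                                  # startup-folder header
            key, key_mech = line.lower(), "StartupFolder"
            continue
        v = VALUE_RE.match(line)
        if v and v.group(1).lower() in POSTURE_OFF:
            if v.group(2).strip() == POSTURE_OFF[v.group(1).lower()]:
                posture.append(f"{key}: {v.group(1)} = {v.group(2).strip()}")
            continue
        o = ORPHAN_RE.match(line)
        mech = f"Orphan:{o.group(1)}" if o else ("Service" if SERVICE_RE.match(line) else key_mech)
        if mech is None:
            continue
        for path in PATH_RE.findall(line):
            loads[path.rsplit("\\", 1)[-1].lower()][mech].add(path.lower())
        a = APPINIT_RE.match(line)                    # AppInit_DLLs holds bare names
        if a:
            loads[a.group(1).lower()][mech].add(a.group(1).lower())
    return loads, posture


def multi_hooked(loads, min_mechanisms=2):
    """Files wired into at least `min_mechanisms` distinct autostart mechanisms."""
    return {name: sorted(mechs) for name, mechs in loads.items()
            if len(mechs) >= min_mechanisms}


# Constructed excerpt in the format of the thread's ComboFix log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
2008-12-06 17:10 34816 --a------ c:\windows\system32\fcccbbyV.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\fcccbbyV.dll" [2008-12-06 34816]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcccbbyV]
2008-12-06 17:10 34816 c:\windows\system32\fcccbbyV.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=mavmal.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R2 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2007-03-14 116416]
- - - - ORPHANS REMOVED - - - -
BHO-{120251aa-7b33-43d7-b3f0-59a585871fa3} - c:\windows\system32\mavmal.dll
HKCU-Run-GetModule31 - c:\program files\GetModule\GetModule31.exe
"""

if __name__ == "__main__":
    loads, posture = parse_loading_points(SAMPLE_LOG)
    for name, mechs in multi_hooked(loads).items():
        print(f"{name}: loaded via {', '.join(mechs)}")
    for finding in posture:
        print("protection off:", finding)
```

Run against the sample, the script reports one DLL reached through three mechanisms (BHO, ShellExecuteHook, WinlogonNotify), one DLL reached through AppInit_DLLs that ComboFix also removed as an orphaned BHO, and three protection settings switched off; the antivirus tray process, the service line and the single orphaned Run entry are listed once each and not flagged. The multi-mechanism rule is a triage aid, not a verdict: confirm any hit with the file's date, signer and the "DLLs Loaded Under Running Processes" section (a DLL sitting inside winlogon.exe survives ordinary deletion attempts) before deciding how to remove it.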

#3 EddiePinz

EddiePinz
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:01:26 PM

Posted 07 December 2008 - 02:24 PM

Here are the logs:

ComboFix 08-12-06.06 - QUINNE1 2008-12-07 13:51:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.313 [GMT -5:00]
Running from: c:\documents and settings\quinne1\My Documents\nj051b_en\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\quinne1\Application Data\GetModule
c:\documents and settings\quinne1\Application Data\GetModule\dicik.gz
c:\documents and settings\quinne1\Application Data\GetModule\kwdik.gz
c:\documents and settings\quinne1\Application Data\GetModule\ofadik.gz
c:\program files\GetModule
c:\program files\GetModule\GetModule31.exe
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\windows\system32\~.exe
c:\windows\system32\aciihytq.ini
c:\windows\system32\bwhdqwyn.dll
c:\windows\system32\DcKmonmp.ini
c:\windows\system32\DcKmonmp.ini2
c:\windows\system32\LFGBUILD20080908.exe
c:\windows\system32\mavmal.dll
c:\windows\system32\pmnomKcD.dll
c:\windows\system32\qtyhiica.dll
c:\windows\system32\wpv741228549885.cpx
c:\windows\system32\x64
c:\windows\wiaserviv.log

----- BITS: Possible infected sites -----

hxxp://PA1PWSMS01:80
.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-06 19:47 . 2008-12-06 19:47 <DIR> d-------- C:\rsit
2008-12-06 19:02 . 2008-12-06 19:02 <DIR> d-------- c:\program files\Lavasoft
2008-12-06 19:02 . 2008-12-06 19:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-06 19:01 . 2008-12-06 19:01 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-06 18:39 . 2008-12-06 18:39 <DIR> d-------- c:\program files\Trend Micro
2008-12-06 17:10 . 2008-12-06 17:10 34,816 --a------ c:\windows\system32\fcccbbyV.dll
2008-12-05 17:20 . 2008-12-05 17:20 <DIR> d-------- c:\documents and settings\quinne1\Application Data\PlaceWare
2008-12-02 17:30 . 2008-12-02 17:44 <DIR> d-------- c:\program files\Project64 1.6
2008-11-28 07:59 . 2008-11-28 07:59 <DIR> d-------- c:\windows\system32\symbols
2008-11-28 07:59 . 2008-11-28 07:59 <DIR> d-------- c:\windows\Symbols
2008-11-28 07:59 . 2008-11-28 08:00 <DIR> d-------- c:\program files\Verint
2008-11-28 07:59 . 2008-11-28 07:59 <DIR> d-------- c:\program files\Common Files\Verint
2008-11-25 12:38 . 2008-11-25 12:38 <DIR> d-------- c:\documents and settings\quinne1\Application Data\iWin
2008-11-25 12:38 . 2008-11-25 12:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trymedia
2008-11-25 10:09 . 2008-11-25 10:09 <DIR> d-------- c:\program files\Common Files\Wintertree
2008-11-25 10:09 . 2008-11-25 10:09 <DIR> d-------- c:\program files\Common Files\Business Objects
2008-11-25 10:09 . 2008-11-25 10:09 <DIR> d-------- c:\program files\Business Objects
2008-11-22 07:29 . 2008-11-28 21:41 <DIR> d-------- c:\program files\Full Tilt Poker
2008-11-20 16:42 . 2008-11-20 16:42 0 --a------ c:\windows\nsreg.dat
2008-11-20 15:22 . 2008-11-20 15:22 <DIR> d-------- c:\program files\Common Files\Crystal Decisions
2008-11-20 11:17 . 2008-11-20 11:17 <DIR> d-------- c:\documents and settings\quinne1\Application Data\HEAT
2008-11-20 11:15 . 2008-11-26 10:23 <DIR> d-------- c:\program files\HEAT
2008-11-20 11:12 . 2008-11-20 11:12 <DIR> d-------- c:\program files\orl
2008-11-20 11:05 . 2008-11-20 11:08 <DIR> d-------- c:\documents and settings\quinne1\.f1j
2008-11-20 10:59 . 1999-09-29 21:04 1,238,288 --a------ c:\windows\system32\msjt4jlt.dll
2008-11-20 10:59 . 1999-08-25 15:57 415,504 --a------ c:\windows\system32\msrepl35.dll
2008-11-20 10:59 . 1998-06-01 15:37 344,064 --a------ c:\windows\system32\msexch35.dll
2008-11-20 10:59 . 1998-06-01 15:37 294,912 --a------ c:\windows\system32\msxbse35.dll
2008-11-20 10:59 . 1999-09-09 23:06 252,688 --a------ c:\windows\system32\msexcl35.dll
2008-11-20 10:59 . 1999-06-07 19:59 250,128 --a------ c:\windows\system32\mspdox35.dll
2008-11-20 10:59 . 1999-09-09 23:06 168,720 --a------ c:\windows\system32\msltus35.dll
2008-11-20 10:59 . 1999-09-30 20:21 166,672 --a------ c:\windows\system32\mstext35.dll
2008-11-20 10:59 . 1999-04-26 21:08 44,304 --a------ c:\windows\system32\msrpfs35.dll
2008-11-20 10:59 . 2005-06-24 17:16 40,960 --a------ c:\windows\HyperlinkHelper.exe
2008-11-20 10:59 . 1998-05-05 12:36 39,424 --a------ c:\windows\system32\JETCOMP.exe
2008-11-20 10:44 . 2008-11-20 14:42 <DIR> d-------- c:\program files\Oracle
2008-11-20 10:44 . 2008-11-20 10:44 <DIR> d-------- c:\program files\MS07-OCT
2008-11-20 10:42 . 2008-11-20 10:42 <DIR> d-------- c:\program files\MSXML 4.0
2008-11-20 10:42 . 2008-11-20 10:43 <DIR> d-------- c:\program files\MS07-AUG
2008-11-20 10:38 . 2008-11-20 10:38 <DIR> d-------- c:\program files\Common Files\Actuate
2008-11-20 10:38 . 2004-10-21 14:13 638,464 --a------ c:\windows\system32\oc30.dll
2008-11-20 10:38 . 2004-10-21 14:13 139,363 --a------ c:\windows\system32\winrpc32.dll
2008-11-20 10:38 . 2004-10-21 14:13 133,904 --a------ c:\windows\system32\mfcans32.dll
2008-11-20 10:38 . 2005-06-24 16:24 36,864 --a------ c:\windows\system32\LTWND10N.DLL
2008-11-20 10:38 . 2005-06-24 16:27 2,495 --a------ c:\windows\system32\Comctl32.dep
2008-11-20 10:36 . 2008-11-20 10:57 <DIR> d-------- c:\program files\Actuate8
2008-11-20 10:36 . 2005-06-24 21:01 1,519,616 --a------ c:\windows\system32\acrs8071.dll
2008-11-20 10:36 . 2005-06-24 21:01 724,992 --a------ c:\windows\system32\acr7771.dll
2008-11-20 09:39 . 2008-11-20 09:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2008-11-20 09:36 . 2008-11-20 09:36 <DIR> d-------- C:\HP_CLJ_4700_32bit_2000_XP_S2003_PS_HPDIU
2008-11-20 09:36 . 2008-11-20 09:36 <DIR> d-------- C:\HP CLJ4600
2008-11-20 09:04 . 2008-11-20 09:04 <DIR> d-------- c:\documents and settings\quinne1\Application Data\ICAClient
2008-11-20 08:59 . 2008-11-20 08:59 <DIR> d-------- c:\program files\SQLXML 4.0
2008-11-20 08:53 . 2008-11-20 08:53 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2008-11-20 08:53 . 2008-11-20 08:53 <DIR> d-------- c:\program files\Common Files\Merge Modules
2008-11-20 08:53 . 2008-11-20 09:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-20 08:51 . 2008-11-20 08:51 <DIR> d-------- c:\program files\Microsoft Analysis Services
2008-11-20 08:44 . 2008-11-20 09:31 <DIR> d-------- c:\program files\Microsoft SQL Server
2008-11-20 08:32 . 2004-08-03 22:58 14,848 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-11-20 08:32 . 2004-08-03 22:58 14,848 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2008-11-20 08:31 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-11-20 08:31 . 2001-08-17 13:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2008-11-20 08:31 . 2001-08-17 14:02 9,600 --a------ c:\windows\system32\drivers\hidusb.sys
2008-11-20 08:31 . 2001-08-17 14:02 9,600 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2008-11-20 07:19 . 2008-11-20 07:19 2,359,296 --ahs---- C:\EP1.vol
2008-11-20 07:19 . 2008-11-20 07:19 1,048,576 --ahs---- C:\EP5.vol
2008-11-20 07:19 . 2008-11-20 07:19 1,048,576 --ahs---- C:\EP4.vol
2008-11-20 07:19 . 2008-11-20 07:19 1,048,576 --ahs---- C:\EP0.vol
2008-11-20 07:19 . 2008-11-20 07:19 262,144 --ahs---- C:\EP3.vol
2008-11-20 07:19 . 2008-11-20 07:19 262,144 --ahs---- C:\EP2.vol
2008-11-20 07:18 . 2008-11-20 07:18 <DIR> d-------- c:\program files\MSECache
2008-11-20 07:16 . 2008-11-20 07:16 <DIR> d-------- c:\program files\MS07-APR
2008-11-20 07:16 . 2008-11-20 07:16 <DIR> d-------- c:\program files\GuardianEdge Technologies
2008-11-20 07:11 . 2008-11-20 07:11 <DIR> d-------- c:\program files\RCenter
2008-11-20 07:10 . 2008-11-20 07:10 <DIR> d-------- c:\program files\iTrade
2008-11-20 07:10 . 2008-11-20 07:10 <DIR> d-------- c:\program files\Delaware Research Analysis
2008-11-19 18:56 . 2008-01-29 16:15 2,516 --a------ c:\windows\system32\drivers\default.bin
2008-11-19 18:56 . 2008-01-29 16:15 2,516 --a------ c:\windows\system32\default.bin
2008-11-19 18:55 . 2008-11-19 18:55 <DIR> d-------- c:\program files\triCerat
2008-11-19 18:55 . 2008-11-19 18:55 <DIR> d-------- c:\program files\Drive Mapper
2008-11-19 18:55 . 2008-11-19 18:55 <DIR> d-------- c:\program files\CheckPoint
2008-11-19 18:54 . 2008-11-19 18:54 <DIR> d-------- c:\program files\Citrix
2008-11-19 18:53 . 2008-11-19 18:53 <DIR> d-------- c:\program files\PlaceWare
2008-11-19 18:49 . 2008-11-28 08:00 <DIR> d-------- C:\TRIGGER_FILES
2008-11-19 18:49 . 2008-11-19 18:49 <DIR> d-------- c:\program files\Robocopy
2008-11-19 18:49 . 2008-11-19 18:33 <DIR> d-------- c:\documents and settings\quinne1\WINDOWS
2008-11-19 18:49 . 2007-10-12 10:51 <DIR> d---s---- c:\documents and settings\quinne1\UserData
2008-11-19 18:49 . 2007-12-11 14:53 <DIR> d-------- c:\documents and settings\quinne1\Application Data\VERITAS
2008-11-19 18:49 . 2008-12-03 09:03 <DIR> d-------- c:\documents and settings\quinne1
2008-11-19 18:49 . 1999-12-02 13:54 97,280 --a------ c:\windows\robocopy.exe
2008-11-19 18:49 . 2003-06-19 11:05 5,392 --a------ c:\windows\IFMEMBER.EXE
2008-11-19 18:46 . 2008-11-19 18:46 <DIR> d-------- c:\windows\SchCache
2008-11-19 18:45 . 2008-11-19 18:33 <DIR> d-------- c:\documents and settings\Default User\WINDOWS
2008-11-19 18:41 . 2005-12-06 09:57 202,624 -ra------ c:\windows\system32\drivers\HSFHWAZL.sys
2008-11-19 18:41 . 2005-11-16 14:41 114,688 -ra------ c:\windows\system32\uci32103.dll
2008-11-19 18:35 . 2008-12-05 11:51 <DIR> d-------- c:\program files\Analog Devices
2008-11-19 18:34 . 2008-11-19 18:34 <DIR> d-------- c:\windows\system32\CCM
2008-11-19 18:34 . 2008-11-19 18:34 <DIR> d-------- c:\windows\ms
2008-11-19 18:34 . 2008-11-19 18:34 <DIR> d-------- c:\program files\Intel
2008-11-19 18:34 . 2008-11-19 18:34 <DIR> d-------- C:\Intel
2008-11-19 18:33 . 2008-11-19 18:34 <DIR> d-------- c:\windows\system32\ccmsetup
2008-11-19 18:33 . 2008-11-19 18:33 <DIR> d-------- c:\program files\ThinkPad
2008-11-19 18:33 . 2008-11-19 18:33 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2008-11-19 18:33 . 2007-02-05 17:45 583,232 --a------ c:\windows\system32\tvt_gina.dll
2008-11-19 18:33 . 1998-10-30 05:15 306,688 --a------ c:\windows\IsUninst.exe
2008-11-19 18:33 . 2007-02-05 17:45 292,416 --a------ c:\windows\system32\tvt_gina_api.dll
2008-11-19 18:33 . 2003-07-03 00:34 34,816 --a------ c:\windows\system32\TP98.CPL
2008-11-19 18:33 . 2003-07-03 00:34 14,848 --a------ c:\windows\system32\drivers\SMAPINT.SYS
2008-11-19 18:33 . 2005-11-08 09:27 11,520 --a------ c:\windows\system32\drivers\ANC.sys
2008-11-19 18:33 . 2003-07-03 00:34 8,830 --a------ c:\windows\system32\drivers\TDSMAPI.SYS
2008-11-19 18:33 . 2008-11-19 18:33 4,429 --a------ C:\postsys2.bat
2008-11-19 18:33 . 2007-04-02 11:24 4,224 --a------ c:\windows\system32\drivers\IBMBLDID.sys
2008-11-19 18:33 . 2008-11-19 18:33 0 --a------ c:\windows\system32\AccConnAdvanced.html
2008-11-19 18:32 . 2008-11-19 18:33 <DIR> dr------- C:\LFG_Apps
2008-11-19 18:31 . 2007-08-09 08:31 172,032 --a------ c:\windows\system32\igfxres.dll
2008-11-19 17:28 . 2005-05-17 08:56 98,304 --a------ c:\windows\system32\TPMDDL.dll
2008-11-19 17:28 . 2004-08-03 23:10 61,056 --a------ c:\windows\system32\drivers\ohci1394.sys
2008-11-19 17:28 . 2004-08-03 23:10 53,248 --a------ c:\windows\system32\drivers\1394bus.sys
2008-11-19 17:28 . 2005-05-17 09:20 15,872 --a------ c:\windows\system32\drivers\atmeltpm.sys
2008-11-19 17:28 . 2001-08-17 13:46 6,400 --a------ c:\windows\system32\drivers\enum1394.sys
2008-11-19 17:27 . 2008-11-19 17:27 <DIR> d-------- c:\windows\system32\Lang
2008-11-19 17:27 . 2008-11-19 18:34 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-11-19 17:27 . 2007-08-15 14:07 399,896 --a------ c:\windows\system32\igxpun.exe
2008-11-19 17:27 . 2006-11-10 08:25 319,456 --a------ c:\windows\system32\difxapi.dll
2008-11-19 17:27 . 2006-01-23 10:29 121,232 --a------ c:\windows\system32\IScrNBR.bmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 19:00 --------- d-----w c:\program files\Symantec AntiVirus
2008-11-25 15:18 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-20 15:35 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-20 13:58 --------- d-----w c:\program files\Microsoft.NET
2007-10-03 13:07 493 -c--a-w c:\windows\system32\config\systemprofile\kick.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
2008-12-06 17:10 34816 --a------ c:\windows\system32\fcccbbyV.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-14 125632]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-15 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-15 137752]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 413696]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 126976]
"EPHD User"="c:\program files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe" [2008-03-11 98304]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"ILA"="c:\program files\Verint\ila\ilaloginapp.exe" [2005-01-26 57344]
"RFBAgent"="c:\program files\Verint\Screens\Bin\RFBAgent.exe" [2004-08-18 352256]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-02-18 1044480]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Live Meeting Add-in for Microsoft Outlook.lnk - c:\windows\Installer\{A3BA5420-0C00-47B7-8450-02C99A20F832}\_294823.exe [2008-11-19 3638]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= aim.exe
"2"= icq.exe
"3"= Kazaa.exe
"4"= klrun.exe
"5"= msmsgs.exe
"6"= napster.exe
"7"= skype.exe
"8"= trillian.exe
"9"= ypager.exe
"10"= yupdater.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\fcccbbyV.dll" [2008-12-06 34816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-07-05 14:52 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2008-01-29 16:14 24669 c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcccbbyV]
2008-12-06 17:10 34816 c:\windows\system32\fcccbbyV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=mavmal.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina ephdssol

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\delinvest.ad.lfg.com\SYSVOL\delinvest.ad.lfg.com\scripts\DNS\DNS_Suffix_Search.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=installOS.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=AddUserToLocalAdmin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2133283647-335812911-648689268-112050\Scripts\Logon\0\0]
"Script"=START2000.BAT

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=

R0 EAFSPROT;EAFSPROT;c:\windows\system32\drivers\eafsprot.sys [2007-06-14 13696]
R0 EPHDXLAT;PC Guardian Encryption Filter;c:\windows\system32\drivers\EPHDXLAT.sys [2007-06-14 98816]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2008-11-19 11520]
R1 FW1;SecuRemote Miniport;c:\windows\system32\DRIVERS\fw.sys [2008-01-29 2235760]
R1 IBMTPCHK;IBMTPCHK;\??\c:\windows\system32\Drivers\IBMBLDID.sys [2008-11-19 4224]
R2 CcmExec;SMS Agent Host;c:\windows\system32\CCM\CcmExec.exe [2006-02-09 578784]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2008-01-29 47504]
R2 EPHDManager;EPHDManager;"c:\program files\GuardianEdge Technologies\EP Hard Disk\User\EPHDManager.exe" [2008-03-11 155648]
R2 LoggerServer;LoggerServer;c:\program files\Common Files\Verint\Bin\LoggerServer.exe -LSRS []
R2 MsDtsServer;SQL Server Integration Services;"c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe" [2005-10-14 199384]
R2 RFBAgent;RFB Agent;"c:\program files\Verint\Screens\Bin\RFBAgent.exe" -service [2004-08-18 352256]
R2 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2007-03-14 116416]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\DRIVERS\vnasc.sys [2008-01-29 121136]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2008-01-29 673872]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-11-20 99376]
R3 LenovoRd;LenovoRd;c:\windows\system32\Drivers\LenovoRd.sys [2007-10-15 81280]
R3 prepdrvr;SMS Process Event Driver;\??\c:\windows\system32\CCM\prepdrv.sys [2006-02-09 20704]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
- - - - ORPHANS REMOVED - - - -

BHO-{120251aa-7b33-43d7-b3f0-59a585871fa3} - c:\windows\system32\mavmal.dll
BHO-{A9E3F777-9971-493B-A23E-0E4620EFF80D} - c:\windows\system32\pmnomKcD.dll
HKCU-Run-GetModule31 - c:\program files\GetModule\GetModule31.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.lfd.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: *.amgusa.com
Trusted Zone: *.ascendix.com
Trusted Zone: *.delgroup.com
Trusted Zone: *.emanywhere.com
Trusted Zone: *.ermonline.net
Trusted Zone: *.guar.com
Trusted Zone: *.jp.corp
Trusted Zone: *.jpfinancial.com
Trusted Zone: *.jpfnet.com
Trusted Zone: *.lfacrm.com
Trusted Zone: *.lfd.com
Trusted Zone: *.lfdanywhere.com
Trusted Zone: *.lfg.com
Trusted Zone: *.delinvest.ad.lfg.com
Trusted Zone: *.us.ad.lfg.com
Trusted Zone: *.lfgmfin.com
Trusted Zone: *.lnc.com
Trusted Zone: *.oasyson-line.com
Trusted Zone: *.placeware.com
Trusted Zone: *.salesforce.com
Trusted Zone: *.transitbenefit.com
Trusted Zone: *.amgusa.com
Trusted Zone: *.ascendix.com
Trusted Zone: *.delgroup.com
Trusted Zone: *.emanywhere.com
Trusted Zone: *.ermonline.net
Trusted Zone: *.guar.com
Trusted Zone: *.jp.corp
Trusted Zone: *.jpfinancial.com
Trusted Zone: *.jpfnet.com
Trusted Zone: *.lfacrm.com
Trusted Zone: *.lfd.com
Trusted Zone: *.lfdanywhere.com
Trusted Zone: *.lfg.com
Trusted Zone: *.delinvest.ad.lfg.com
Trusted Zone: *.us.ad.lfg.com
Trusted Zone: *.lfgmfin.com
Trusted Zone: *.lnc.com
Trusted Zone: *.oasyson-line.com
Trusted Zone: *.placeware.com
Trusted Zone: *.salesforce.com
Trusted Zone: *.transitbenefit.com

O16 -: {52e54c77-cced-4b72-8e29-bb7206ca5a8f}

O16 -: {9b935470-ad4a-11d5-b63e-00c04faedb18}

c:\windows\system32\atl.dll - c:\windows\system32\mfc42.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\olepro32.dll
c:\windows\Downloaded Program Files\mfc42u.dll
c:\windows\Downloaded Program Files\cselexpt.ocx
c:\windows\Downloaded Program Files\reportparameterdialog.dll
c:\windows\Downloaded Program Files\CRViewer.dll
c:\windows\Downloaded Program Files\sviewhlp.dll
c:\windows\Downloaded Program Files\swebrs.dll
O16 -: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011}
hxxp://crystalprod.jp.corp/crystalreportviewers10/ActiveXControls/ActiveXViewer.cab
c:\windows\Downloaded Program Files\crviewer.inf
FireFox -: Profile - c:\documents and settings\quinne1\Application Data\Mozilla\Firefox\Profiles\ynfklun6.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.lfd.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 14:02:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1004)
c:\windows\system32\ephdgina.dll
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\fcccbbyV.dll

- - - - - - - > 'lsass.exe'(1060)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
c:\windows\system32\ephdssol.dll
c:\windows\system32\ephdsson.dll
c:\windows\system32\RegistryAccess.dll
c:\windows\system32\AccessEPFS.dll
c:\windows\system32\EPcrypto.dll
c:\windows\system32\EPCL32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_Service.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\scardsvr.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\Verint\Bin\LoggerServer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\CCM\clicomp\RemCtrl\Wuser32.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
c:\windows\system32\msiexec.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_GUI.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Symantec AntiVirus\DoScan.exe
.
**************************************************************************
.
Completion time: 2008-12-07 14:05:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-07 19:05:37

Pre-Run: 70,177,312,768 bytes free
Post-Run: 70,176,690,176 bytes free

410


Logfile of random's system information tool 1.04 (written by random/random)
Run by QUINNE1 at 2008-12-07 14:19:53
Microsoft Windows XP Professional Service Pack 2
System drive C: has 67 GB (88%) free of 76 GB
Total RAM: 998 MB (42% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:19, on 2008-12-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\EPHDManager.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Verint\Bin\LoggerServer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verint\Screens\Bin\RFBAgent.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe
C:\Program Files\Verint\ila\ilaloginapp.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\quinne1\My Documents\nj051b_en\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\QUINNE1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lfd.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\fcccbbyV.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [EPHD User] "C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ILA] C:\Program Files\Verint\ila\ilaloginapp.exe
O4 - HKLM\..\Run: [RFBAgent] "C:\Program Files\Verint\Screens\Bin\RFBAgent.exe" -servicehelper
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - Global Startup: Live Meeting Add-in for Microsoft Outlook.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.lfd.com
O15 - Trusted Zone: *.amgusa.com
O15 - Trusted Zone: *.ascendix.com
O15 - Trusted Zone: *.delgroup.com
O15 - Trusted Zone: http://*.delpwsymweb1
O15 - Trusted Zone: *.emanywhere.com
O15 - Trusted Zone: *.ermonline.net
O15 - Trusted Zone: *.guar.com
O15 - Trusted Zone: http://*.itradeiis
O15 - Trusted Zone: *.jp.corp
O15 - Trusted Zone: *.jpfinancial.com
O15 - Trusted Zone: *.jpfnet.com
O15 - Trusted Zone: *.lfacrm.com
O15 - Trusted Zone: *.lfd.com
O15 - Trusted Zone: *.lfdanywhere.com
O15 - Trusted Zone: http://*.lfdpwportal1
O15 - Trusted Zone: *.delinvest.ad.lfg.com
O15 - Trusted Zone: *.us.ad.lfg.com
O15 - Trusted Zone: *.lfg.com
O15 - Trusted Zone: *.lfgmfin.com
O15 - Trusted Zone: *.lnc.com
O15 - Trusted Zone: *.oasyson-line.com
O15 - Trusted Zone: *.placeware.com
O15 - Trusted Zone: *.salesforce.com
O15 - Trusted Zone: *.transitbenefit.com
O15 - Trusted Zone: *.amgusa.com (HKLM)
O15 - Trusted Zone: *.ascendix.com (HKLM)
O15 - Trusted Zone: *.delgroup.com (HKLM)
O15 - Trusted Zone: http://*.delpwsymweb1 (HKLM)
O15 - Trusted Zone: *.emanywhere.com (HKLM)
O15 - Trusted Zone: *.ermonline.net (HKLM)
O15 - Trusted Zone: *.guar.com (HKLM)
O15 - Trusted Zone: http://*.itradeiis (HKLM)
O15 - Trusted Zone: *.jp.corp (HKLM)
O15 - Trusted Zone: *.jpfinancial.com (HKLM)
O15 - Trusted Zone: *.jpfnet.com (HKLM)
O15 - Trusted Zone: *.lfacrm.com (HKLM)
O15 - Trusted Zone: *.lfd.com (HKLM)
O15 - Trusted Zone: *.lfdanywhere.com (HKLM)
O15 - Trusted Zone: http://*.lfdpwportal1 (HKLM)
O15 - Trusted Zone: *.delinvest.ad.lfg.com (HKLM)
O15 - Trusted Zone: *.us.ad.lfg.com (HKLM)
O15 - Trusted Zone: *.lfg.com (HKLM)
O15 - Trusted Zone: *.lfgmfin.com (HKLM)
O15 - Trusted Zone: *.lnc.com (HKLM)
O15 - Trusted Zone: *.oasyson-line.com (HKLM)
O15 - Trusted Zone: *.placeware.com (HKLM)
O15 - Trusted Zone: *.salesforce.com (HKLM)
O15 - Trusted Zone: *.transitbenefit.com (HKLM)
O16 - DPF: {52e54c77-cced-4b72-8e29-bb7206ca5a8f} (Oracle JInitiator 1.1.8.27) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192204329089
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192453858325
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} (Crystal ActiveX Report Viewer Control 10.0) - http://crystalprod.jp.corp/crystalreportvi...tiveXViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = delinvest.ad.lfg.com
O17 - HKLM\Software\..\Telephony: DomainName = delinvest.ad.lfg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = delinvest.ad.lfg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = delinvest.ad.lfg.com,us.ad.lfg.com,ad.lfg.com,lfg.com,lnc.com,jp.corp,amgusa.com,delgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = delinvest.ad.lfg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = delinvest.ad.lfg.com,us.ad.lfg.com,ad.lfg.com,lfg.com,lnc.com,jp.corp,amgusa.com,delgroup.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = delinvest.ad.lfg.com,us.ad.lfg.com,ad.lfg.com,lfg.com,lnc.com,jp.corp,amgusa.com,delgroup.com
O20 - AppInit_DLLs: mavmal.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: fcccbbyV - C:\WINDOWS\SYSTEM32\fcccbbyV.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPHDManager - GuardianEdge Technologies, Inc. - C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\EPHDManager.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LoggerServer - Verint - C:\Program Files\Common Files\Verint\Bin\LoggerServer.exe
O23 - Service: RFB Agent (RFBAgent) - Verint - C:\Program Files\Verint\Screens\Bin\RFBAgent.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 10923 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
C:\WINDOWS\system32\fcccbbyV.dll [2008-12-06 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll [2007-09-25 501136]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2007-05-11 40048]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2006-11-21 52840]
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe [2007-03-14 125632]
"StorageGuard"=C:\Program Files\VERITAS Software\Update Manager\sgtray.exe [2002-06-18 155648]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2007-08-15 141848]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2007-08-15 162328]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2007-08-15 137752]
"ACTray"=C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe [2007-07-05 413696]
"ACWLIcon"=C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe [2007-07-05 126976]
"EPHD User"=C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe [2008-03-11 98304]
"Synchronization Manager"=C:\WINDOWS\system32\mobsync.exe [2004-08-04 143360]
"ILA"=C:\Program Files\Verint\ila\ilaloginapp.exe [2005-01-26 57344]
"RFBAgent"=C:\Program Files\Verint\Screens\Bin\RFBAgent.exe [2004-08-18 352256]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2008-02-18 1044480]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Live Meeting Add-in for Microsoft Outlook.lnk - C:\WINDOWS\Installer\{A3BA5420-0C00-47B7-8450-02C99A20F832}\_294823.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="mavmal.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ACNotify]
C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll [2007-07-05 32768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2004-08-25 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ckpNotify]
C:\WINDOWS\system32\ckpNotify.dll [2008-01-29 24669]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fcccbbyV]
C:\WINDOWS\system32\fcccbbyV.dll [2008-12-06 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2007-08-09 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\system32\NavLogon.dll [2007-03-14 43712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-04-10 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=C:\WINDOWS\system32\fcccbbyV.dll [2008-12-06 34816]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
ACGina
ephdssol

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=1
"legalnoticecaption"=Lincoln Financial Group
"legalnoticetext"=Do not attempt to log on unless you are an authorized user.
.
.
*********************************************************************************************
By logging on to this computer, you agree to abide by the LFG Information
Security Policy and Information Handling Policy, including appropriate use of
e-mail and the Internet. The primary use of this PC and the LFG network is to
conduct company business. You are responsible for protecting the Company's
confidential or proprietary information from unauthorized disclosures.
*********************************************************************************************
"shutdownwithoutlogon"=0
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoSMHelp"=1
"Intellimenus"=1
"NoSMMyDocs"=1
"DisablePersonalDirChange"=1
"ForceClassicControlPanel"=1
"NoSharedDocuments"=1
"NoSMMyPictures"=1
"NoStartMenuMyMusic"=1
"ForceStartMenuLogOff"=1
"NoSMConfigurePrograms"=1
"NoRecentDocsNetHood"=1
"NoDesktopCleanupWizard"=1
"NoWelcomeScreen"=1
"NoSMBalloonTip"=1
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe:*:Enabled:VPN-1 SecuRemote/SecureClient service"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe:*:Enabled:VPN-1 SecuRemote/SecureClient application"
"C:\Program Files\CheckPoint\SecuRemote\bin\scc.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\scc.exe:*:Enabled:VPN-1 SecuRemote/SecureClient command line"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_SDS.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_SDS.exe:*:Enabled:VPN-1 SecuRemote/SecureClient SDS agent"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_Diagnostics.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_Diagnostics.exe:*:Enabled:VPN-1 SecuRemote/SecureClient diagnostics"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe:*:Enabled:VPN-1 SecuRemote/SecureClient service"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe:*:Enabled:VPN-1 SecuRemote/SecureClient application"
"C:\Program Files\CheckPoint\SecuRemote\bin\scc.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\scc.exe:*:Enabled:VPN-1 SecuRemote/SecureClient command line"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_SDS.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_SDS.exe:*:Enabled:VPN-1 SecuRemote/SecureClient SDS agent"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_Diagnostics.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_Diagnostics.exe:*:Enabled:VPN-1 SecuRemote/SecureClient diagnostics"

======List of files/folders created in the last 1 months======

2008-12-07 14:05:44 ----A---- C:\ComboFix.txt
2008-12-07 13:49:17 ----A---- C:\WINDOWS\zip.exe
2008-12-07 13:49:17 ----A---- C:\WINDOWS\VFIND.exe
2008-12-07 13:49:17 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-12-07 13:49:17 ----A---- C:\WINDOWS\SWSC.exe
2008-12-07 13:49:17 ----A---- C:\WINDOWS\SWREG.exe
2008-12-07 13:49:17 ----A---- C:\WINDOWS\sed.exe
2008-12-07 13:49:17 ----A---- C:\WINDOWS\NIRCMD.exe
2008-12-07 13:49:17 ----A---- C:\WINDOWS\grep.exe
2008-12-07 13:49:17 ----A---- C:\WINDOWS\fdsv.exe
2008-12-07 13:48:54 ----D---- C:\WINDOWS\ERDNT
2008-12-07 13:48:54 ----D---- C:\Qoobox
2008-12-06 19:47:17 ----D---- C:\rsit
2008-12-06 19:02:08 ----D---- C:\Program Files\Lavasoft
2008-12-06 19:02:06 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-12-06 19:01:25 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-12-06 18:39:35 ----D---- C:\Program Files\Trend Micro
2008-12-06 17:16:09 ----A---- C:\WINDOWS\system32\cb77d266-.txt
2008-12-06 17:10:31 ----A---- C:\WINDOWS\system32\fcccbbyV.dll
2008-12-05 17:20:17 ----D---- C:\Documents and Settings\quinne1\Application Data\PlaceWare
2008-12-02 17:30:50 ----D---- C:\Program Files\Project64 1.6
2008-11-28 07:59:43 ----D---- C:\WINDOWS\system32\symbols
2008-11-28 07:59:43 ----D---- C:\Program Files\Verint
2008-11-28 07:59:27 ----D---- C:\WINDOWS\Symbols
2008-11-28 07:59:15 ----D---- C:\Program Files\Common Files\Verint
2008-11-25 12:38:27 ----D---- C:\Documents and Settings\quinne1\Application Data\iWin
2008-11-25 12:38:23 ----D---- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-11-25 10:09:51 ----D---- C:\Program Files\Common Files\Wintertree
2008-11-25 10:09:19 ----D---- C:\Program Files\Common Files\Business Objects
2008-11-25 10:09:19 ----D---- C:\Program Files\Business Objects
2008-11-22 07:29:53 ----D---- C:\Program Files\Full Tilt Poker
2008-11-20 16:42:00 ----D---- C:\Documents and Settings\quinne1\Application Data\Mozilla
2008-11-20 16:41:49 ----D---- C:\Program Files\Mozilla Firefox
2008-11-20 15:22:10 ----D---- C:\Program Files\Common Files\Crystal Decisions
2008-11-20 11:17:53 ----D---- C:\Documents and Settings\quinne1\Application Data\HEAT
2008-11-20 11:15:26 ----D---- C:\Program Files\HEAT
2008-11-20 11:12:54 ----D---- C:\Program Files\orl
2008-11-20 10:59:16 ----A---- C:\WINDOWS\system32\msxbse35.dll
2008-11-20 10:59:16 ----A---- C:\WINDOWS\system32\mstext35.dll
2008-11-20 10:59:16 ----A---- C:\WINDOWS\system32\mspdox35.dll
2008-11-20 10:59:16 ----A---- C:\WINDOWS\system32\msltus35.dll
2008-11-20 10:59:16 ----A---- C:\WINDOWS\system32\msexch35.dll
2008-11-20 10:59:15 ----A---- C:\WINDOWS\system32\msrpfs35.dll
2008-11-20 10:59:15 ----A---- C:\WINDOWS\system32\msrepl35.dll
2008-11-20 10:59:15 ----A---- C:\WINDOWS\system32\msjt4jlt.dll
2008-11-20 10:59:15 ----A---- C:\WINDOWS\system32\msexcl35.dll
2008-11-20 10:59:14 ----A---- C:\WINDOWS\system32\JETCOMP.exe
2008-11-20 10:59:13 ----A---- C:\WINDOWS\HyperlinkHelper.exe
2008-11-20 10:44:45 ----D---- C:\Program Files\Oracle
2008-11-20 10:44:08 ----D---- C:\Program Files\MS07-OCT
2008-11-20 10:43:04 ----HDC---- C:\WINDOWS\$NtUninstallKB937143$
2008-11-20 10:42:24 ----D---- C:\Program Files\MSXML 4.0
2008-11-20 10:42:16 ----D---- C:\Program Files\MS07-AUG
2008-11-20 10:39:14 ----A---- C:\WINDOWS\system32\VBAR332.DLL
2008-11-20 10:39:14 ----A---- C:\WINDOWS\system32\odbctl32.dll
2008-11-20 10:39:14 ----A---- C:\WINDOWS\system32\Odbcstf.dll
2008-11-20 10:39:13 ----A---- C:\WINDOWS\system32\msrd2x35.dll
2008-11-20 10:39:13 ----A---- C:\WINDOWS\system32\msjter35.dll
2008-11-20 10:39:13 ----A---- C:\WINDOWS\system32\msjint35.dll
2008-11-20 10:39:13 ----A---- C:\WINDOWS\system32\msjet35.dll
2008-11-20 10:39:12 ----A---- C:\WINDOWS\system32\Convdsn.exe
2008-11-20 10:38:04 ----D---- C:\Program Files\Common Files\Actuate
2008-11-20 10:38:00 ----A---- C:\WINDOWS\system32\winrpc32.dll
2008-11-20 10:38:00 ----A---- C:\WINDOWS\system32\oc30.dll
2008-11-20 10:38:00 ----A---- C:\WINDOWS\system32\mfcans32.dll
2008-11-20 10:38:00 ----A---- C:\WINDOWS\system32\LTWND10N.DLL
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\ltkrn10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\ltfil10N.DLL
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\ltdlg10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\LTDIS10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\lfwmf10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\lftif10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\lftga10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\lfpcx10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\lffax10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\LFCMP10N.DLL
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\lfbmp10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\hdk3ct32.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\gswdll32.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\gswag32.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\gsw32.exe
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\GSJPG32.DLL
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\ezrpcw32.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\acxerces-c_1_4_71.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\AcUnInstall.exe
2008-11-20 10:37:58 ----A---- C:\WINDOWS\system32\acicudt18_71.dll
2008-11-20 10:37:51 ----A---- C:\WINDOWS\system32\acrq8071.dll
2008-11-20 10:36:26 ----A---- C:\WINDOWS\system32\acrs8071.dll
2008-11-20 10:36:26 ----A---- C:\WINDOWS\system32\acr7771.dll
2008-11-20 10:36:22 ----D---- C:\Program Files\Actuate8
2008-11-20 09:39:05 ----D---- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\hpzpnp.dll
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPZISN12.DLL
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPZIPT12.DLL
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPZIPR12.DLL
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPZIPM12.DLL
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPZINW12.DLL
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPZIDR12.DLL
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPNRA.EXE
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPJIPX1U.DLL
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPJCMN2U.DLL
2008-11-20 09:38:39 ----A---- C:\WINDOWS\system32\HPBPROPS.DLL
2008-11-20 09:38:39 ----A---- C:\WINDOWS\system32\HPBPRO.DLL
2008-11-20 09:38:39 ----A---- C:\WINDOWS\system32\HPBOIDPS.DLL
2008-11-20 09:38:39 ----A---- C:\WINDOWS\system32\HPBOID.DLL
2008-11-20 09:38:39 ----A---- C:\WINDOWS\system32\HPBNRAC2.DLL
2008-11-20 09:38:39 ----A---- C:\WINDOWS\system32\HPBMINI.DLL
2008-11-20 09:38:39 ----A---- C:\WINDOWS\system32\HPBMIAPI.DLL
2008-11-20 09:36:42 ----D---- C:\HP CLJ4600
2008-11-20 09:36:12 ----D---- C:\HP_CLJ_4700_32bit_2000_XP_S2003_PS_HPDIU
2008-11-20 09:04:33 ----D---- C:\Documents and Settings\quinne1\Application Data\ICAClient
2008-11-20 08:59:27 ----D---- C:\Program Files\SQLXML 4.0
2008-11-20 08:53:09 ----D---- C:\Program Files\Microsoft Visual Studio 8
2008-11-20 08:53:09 ----D---- C:\Program Files\Common Files\Merge Modules
2008-11-20 08:53:07 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-11-20 08:51:57 ----D---- C:\Program Files\Microsoft Analysis Services
2008-11-20 08:44:43 ----D---- C:\Program Files\Microsoft SQL Server
2008-11-20 07:19:13 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-11-20 07:18:29 ----D---- C:\Program Files\MSECache
2008-11-20 07:16:14 ----A---- C:\WINDOWS\system32\spmsg.dll
2008-11-20 07:16:04 ----D---- C:\Program Files\MS07-APR
2008-11-20 07:16:04 ----D---- C:\Program Files\GuardianEdge Technologies
2008-11-20 07:11:07 ----D---- C:\Program Files\RCenter
2008-11-20 07:10:57 ----D---- C:\Program Files\iTrade
2008-11-20 07:10:47 ----D---- C:\Program Files\Delaware Research Analysis
2008-11-19 18:55:35 ----D---- C:\Program Files\CheckPoint
2008-11-19 18:55:24 ----D---- C:\Program Files\Drive Mapper
2008-11-19 18:55:06 ----D---- C:\Program Files\triCerat
2008-11-19 18:54:43 ----D---- C:\Program Files\Citrix
2008-11-19 18:53:27 ----D---- C:\Program Files\PlaceWare
2008-11-19 18:49:54 ----D---- C:\TRIGGER_FILES
2008-11-19 18:49:50 ----D---- C:\Program Files\Robocopy
2008-11-19 18:49:48 ----A---- C:\WINDOWS\robocopy.exe
2008-11-19 18:49:47 ----A---- C:\WINDOWS\IFMEMBER.EXE
2008-11-19 18:49:37 ----ASH---- C:\Documents and Settings\quinne1\Application Data\desktop.ini
2008-11-19 18:49:36 ----D---- C:\Documents and Settings\quinne1\Application Data\Identities
2008-11-19 18:49:36 ----D---- C:\Documents and Settings\quinne1\Application Data\Adobe
2008-11-19 18:49:35 ----SD---- C:\Documents and Settings\quinne1\Application Data\Microsoft
2008-11-19 18:49:35 ----D---- C:\Documents and Settings\quinne1\Application Data\VERITAS
2008-11-19 18:49:35 ----D---- C:\Documents and Settings\quinne1\Application Data\Sun
2008-11-19 18:49:35 ----D---- C:\Documents and Settings\quinne1\Application Data\Macromedia
2008-11-19 18:46:35 ----D---- C:\WINDOWS\SchCache
2008-11-19 18:41:29 ----RA---- C:\WINDOWS\system32\uci32103.dll
2008-11-19 18:35:58 ----D---- C:\Program Files\Analog Devices
2008-11-19 18:35:52 ----HDC---- C:\WINDOWS\$NtUninstallKB888111WXPSP2$
2008-11-19 18:34:37 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-11-19 18:34:34 ----D---- C:\Program Files\Intel
2008-11-19 18:34:31 ----D---- C:\Intel
2008-11-19 18:34:01 ----D---- C:\WINDOWS\system32\CCM
2008-11-19 18:34:01 ----D---- C:\WINDOWS\ms
2008-11-19 18:33:50 ----A---- C:\WINDOWS\system32\tvt_gina_api.dll
2008-11-19 18:33:50 ----A---- C:\WINDOWS\system32\tvt_gina.dll
2008-11-19 18:33:43 ----D---- C:\Program Files\ThinkPad
2008-11-19 18:33:40 ----A---- C:\WINDOWS\IsUninst.exe
2008-11-19 18:33:34 ----D---- C:\WINDOWS\system32\ccmsetup
2008-11-19 18:33:32 ----A---- C:\postsys2.bat
2008-11-19 18:32:38 ----RD---- C:\LFG_Apps
2008-11-19 18:31:44 ----A---- C:\WINDOWS\system32\igfxres.dll
2008-11-19 17:28:58 ----A---- C:\WINDOWS\system32\TPMDDL.dll
2008-11-19 17:27:47 ----D---- C:\WINDOWS\system32\Lang
2008-11-19 17:27:47 ----A---- C:\WINDOWS\system32\igxpun.exe
2008-11-19 17:27:23 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-11-19 17:27:23 ----A---- C:\WINDOWS\system32\difxapi.dll

======List of files/folders modified in the last 1 months======

2008-12-07 14:05:54 ----D---- C:\WINDOWS\system32\drivers
2008-12-07 14:05:54 ----D---- C:\WINDOWS\system32
2008-12-07 14:05:48 ----D---- C:\WINDOWS
2008-12-07 14:05:46 ----D---- C:\WINDOWS\Temp
2008-12-07 14:04:45 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-07 14:04:00 ----D---- C:\WINDOWS\Prefetch
2008-12-07 14:03:50 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-12-07 14:03:04 ----A---- C:\WINDOWS\system.ini
2008-12-07 14:01:01 ----A---- C:\WINDOWS\smscfg.ini
2008-12-07 14:00:54 ----D---- C:\Program Files\Symantec AntiVirus
2008-12-07 13:55:49 ----D---- C:\WINDOWS\system32\config
2008-12-07 13:52:59 ----D---- C:\WINDOWS\AppPatch
2008-12-07 13:52:59 ----D---- C:\Program Files\Common Files
2008-12-07 13:51:43 ----RD---- C:\Program Files
2008-12-07 13:49:55 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-07 13:49:13 ----D---- C:\WINDOWS\system32\Restore
2008-12-06 19:02:56 ----SHD---- C:\WINDOWS\Installer
2008-12-05 18:02:06 ----D---- C:\WINDOWS\security
2008-12-05 11:51:14 ----HD---- C:\WINDOWS\inf
2008-12-05 11:51:14 ----D---- C:\WINDOWS\system32\CatRoot
2008-11-28 08:00:02 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-11-25 15:29:39 ----AC---- C:\WINDOWS\ODBC.INI
2008-11-25 10:18:15 ----HD---- C:\Program Files\InstallShield Installation Information
2008-11-21 18:17:02 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-11-21 14:02:27 ----D---- C:\WINDOWS\Help
2008-11-20 13:39:38 ----D---- C:\WINDOWS\Microsoft.NET
2008-11-20 13:39:37 ----RSD---- C:\WINDOWS\assembly
2008-11-20 11:15:38 ----D---- C:\WINDOWS\WinSxS
2008-11-20 10:59:27 ----AC---- C:\WINDOWS\ODBCINST.INI
2008-11-20 10:43:01 ----HD---- C:\WINDOWS\$hf_mig$
2008-11-20 10:35:37 ----D---- C:\Program Files\Common Files\InstallShield
2008-11-20 09:09:35 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-11-20 09:07:51 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-11-20 08:59:18 ----D---- C:\WINDOWS\Registration
2008-11-20 08:58:23 ----D---- C:\Program Files\Microsoft.NET
2008-11-20 08:53:20 ----D---- C:\WINDOWS\system32\1033
2008-11-20 08:31:50 ----SHD---- C:\WINDOWS\CSC
2008-11-20 07:19:24 ----A---- C:\WINDOWS\imsins.BAK
2008-11-19 18:58:02 ----SHD---- C:\System Volume Information
2008-11-19 18:53:41 ----D---- C:\WINDOWS\system32\wbem
2008-11-19 18:52:56 ----D---- C:\Program Files\Microsoft Office
2008-11-19 18:49:43 ----D---- C:\WINDOWS\system32\appmgmt
2008-11-19 18:49:33 ----D---- C:\Documents and Settings
2008-11-19 18:45:22 ----A---- C:\WINDOWS\setuplog.txt
2008-11-19 18:43:56 ----RASH---- C:\boot.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ANC;ANC; C:\WINDOWS\System32\drivers\ANC.SYS [2005-11-08 11520]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 FW1;SecuRemote Miniport; C:\WINDOWS\system32\DRIVERS\fw.sys [2008-01-29 2235760]
R1 IBMTPCHK;IBMTPCHK; \??\C:\WINDOWS\system32\Drivers\IBMBLDID.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys []
R1 Smapint;Smapint; C:\WINDOWS\System32\drivers\Smapint.sys [2003-07-03 14848]
R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2007-02-12 196752]
R1 TDSMAPI;TDSMAPI; C:\WINDOWS\System32\drivers\TDSMAPI.SYS [2003-07-03 8830]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2004-08-03 8832]
R2 CP_OMDRV;Check Point Office Mode Module; C:\WINDOWS\System32\drivers\omdrv.sys [2008-01-29 47504]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2005-10-05 12544]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient; C:\WINDOWS\system32\DRIVERS\vnasc.sys [2008-01-29 121136]
R2 VPN-1;VPN-1 Module; C:\WINDOWS\System32\drivers\vpn.sys [2008-01-29 673872]
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2008-02-18 334848]
R3 aeaudio;AE Audio Service; C:\WINDOWS\system32\drivers\aeaudio.sys [2008-02-18 94976]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
R3 atmeltpm;atmeltpm; C:\WINDOWS\system32\DRIVERS\atmeltpm.sys [2005-05-17 15872]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2007-05-11 252312]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2005-12-06 996736]
R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2005-12-06 202624]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-08-09 5765056]
R3 IBMPMDRV;IBMPMDRV; C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys [2007-05-31 21424]
R3 idisw2km;idisw2km; C:\WINDOWS\system32\DRIVERS\idisw2km.sys [2006-02-09 8992]
R3 kbstuff;SMS Virtual Keyboard; C:\WINDOWS\system32\DRIVERS\kbstuff5.sys [2006-02-09 11744]
R3 LenovoRd;LenovoRd; C:\WINDOWS\System32\Drivers\LenovoRd.sys [2007-06-08 81280]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081204.003\naveng.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081204.003\navex15.sys []
R3 NETw4x32;Intel® Wireless WiFi Link Adapter Driver for Windows XP 32 Bit; C:\WINDOWS\system32\DRIVERS\NETw4x32.sys [2007-11-26 2236544]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
R3 prepdrvr;SMS Process Event Driver; \??\C:\WINDOWS\system32\CCM\prepdrv.sys []
R3 SAVRT;SAVRT; \??\C:\Program Files\Symantec AntiVirus\savrt.sys []
R3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
R3 TcUsb;TC USB Kernel Driver; C:\WINDOWS\System32\Drivers\tcusb.sys [2007-03-08 40848]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-12-06 724224]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
S3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2004-08-25 787456]
S3 E1000;Intel® PRO/1000 Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1000325.sys [2007-03-25 171416]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 HSFHWICH;HSFHWICH; C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys []
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 NSCIRDA;NSC Infrared Device Driver; C:\WINDOWS\system32\DRIVERS\nscirda.sys [2004-08-03 28672]
S3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
S3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-05-27 578304]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2004-08-04 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
R2 AcPrfMgrSvc;Ac Profile Manager Service; C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe [2007-07-05 65536]
R2 AcSvc;Access Connections Main Service; C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe [2007-07-05 184320]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2006-11-21 192104]
R2 CcmExec;SMS Agent Host; C:\WINDOWS\system32\CCM\CcmExec.exe [2006-02-09 578784]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2006-11-21 169576]
R2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec AntiVirus\DefWatch.exe [2007-03-14 31424]
R2 EPHDManager;EPHDManager; C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\EPHDManager.exe [2008-03-11 155648]
R2 IBMPMSVC;ThinkPad PM Service; C:\WINDOWS\system32\ibmpmsvc.exe [2007-05-31 36400]
R2 LoggerServer;LoggerServer; C:\Program Files\Common Files\Verint\Bin\LoggerServer.exe [2005-01-03 155648]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 MsDtsServer;SQL Server Integration Services; C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [2005-10-14 199384]
R2 msftesql;SQL Server FullText Search (MSSQLSERVER); C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [2005-08-26 92880]
R2 MSSQLSERVER;SQL Server (MSSQLSERVER); C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2005-10-14 28768528]
R2 MSSQLServerOLAPService;SQL Server Analysis Services (MSSQLSERVER); C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe [2005-10-14 14557912]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R2 RFBAgent;RFB Agent; C:\Program Files\Verint\Screens\Bin\RFBAgent.exe [2004-08-18 352256]
R2 SavRoam;SAVRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [2007-03-14 116416]
R2 SPBBCSvc;Symantec SPBBCSvc; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe [2007-01-10 1160792]
R2 SR_Service;Check Point VPN-1 Securemote service; C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe [2008-01-29 106590]
R2 SR_Watchdog;Check Point VPN-1 Securemote watchdog; C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe [2008-01-29 36959]
R2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2007-03-14 1816768]
R2 Wuser32;SMS Remote Control Agent; C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe [2006-02-09 248544]
S2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2004-08-25 389120]
S2 SQLSERVERAGENT;SQL Server Agent (MSSQLSERVER); C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE [2005-10-14 318680]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-09-02 2528960]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2007-02-12 214672]
S3 SQLWriter;SQL Server VSS Writer; C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2005-10-14 87768]
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2005-10-14 45272]
S4 msvsmon80;Visual Studio 2005 Remote Debugger; C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]
S4 SQLBrowser;SQL Server Browser; C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2005-10-14 239320]

-----------------EOF-----------------

#4 teacup61
Bleepin' Texan! | Malware Response Team | 17,075 posts | Wills Point, Texas

Posted 08 December 2008 - 04:52 AM

Hello,

Can you please tell me if you set all those O15s and O17s yourself? :thumbsup:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 EddiePinz
Topic Starter | Members | 8 posts

Posted 08 December 2008 - 11:31 AM

I don't recognize these. The others look alright.

O15 - Trusted Zone: *.guar.com
O15 - Trusted Zone: *.oasyson-line.com
O15 - Trusted Zone: *.transitbenefit.com
O15 - Trusted Zone: *.guar.com (HKLM)
O15 - Trusted Zone: *.oasyson-line.com (HKLM)
O15 - Trusted Zone: *.transitbenefit.com (HKLM)

#6 teacup61
Bleepin' Texan! | Malware Response Team | 17,075 posts | Wills Point, Texas

Posted 08 December 2008 - 01:11 PM

Hello,

Thanks. :thumbsup:

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\fcccbbyV.dll
O20 - AppInit_DLLs: mavmal.dll
O20 - Winlogon Notify: fcccbbyV - C:\WINDOWS\SYSTEM32\fcccbbyV.dll


*Also add in those O15s you don't recognize.

Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
c:\windows\system32\fcccbbyV.dll

Folder::
c:\documents and settings\All Users\Application Data\Trymedia

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcccbbyV]


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Posted Image: screenshot of CFScript being dragged onto ComboFix.exe]

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. Please also let me know how it's running now. :)

Thanks,
tea
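The fix list above leans on a few HijackThis entry types (an unnamed O2 BHO in system32, an O20 AppInit_DLLs value, an O20 Winlogon Notify DLL that is the same file as the BHO, and O15 Trusted Zone domains the owner does not recognise). The ComboFix log posted later in this thread adds two more things worth checking by hand: a DLL whose companion .ini is named with the DLL's base name spelled backwards (vtUommLE.dll next to ELmmoUtv.ini, vahwpwpr.dll next to rpwpwhav.ini), and an LSA "Authentication Packages" value that lists a second DLL after the stock msv1_0, which gets that DLL loaded into lsass.exe. The script below is an added example of mine, not a BleepingComputer, HijackThis or ComboFix tool; it scans pasted log lines for exactly those patterns. The sample lines are copied from this thread, except that the O4 line for vahwpwpr.dll, the O20 line for ckpNotify.dll and the expected Trusted Zone allowlist are constructed for the example.

```python
"""Triage helper for HijackThis and ComboFix log lines (added example, not a
BleepingComputer, HijackThis or ComboFix tool)."""
import re
from pathlib import PureWindowsPath

# Constructed sample of HijackThis lines from this thread. The O4 line for
# vahwpwpr.dll and the O20 line for ckpNotify.dll are assumptions about how
# HijackThis would print the values ComboFix lists later in the thread.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\fcccbbyV.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [c0541618] C:\WINDOWS\system32\vahwpwpr.dll
O15 - Trusted Zone: *.lfg.com
O15 - Trusted Zone: *.guar.com (HKLM)
O20 - AppInit_DLLs: mavmal.dll
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\system32\ckpNotify.dll
O20 - Winlogon Notify: fcccbbyV - C:\WINDOWS\SYSTEM32\fcccbbyV.dll
"""

# Constructed sample in ComboFix "Files Created" format, copied from this thread.
SAMPLE_CF_FILES = r"""
2008-12-07 14:25 . 2008-12-08 14:25 1,598,743 ---hs---- c:\windows\system32\rpwpwhav.ini
2008-12-07 14:25 . 2008-12-07 14:25 72,704 --a------ c:\windows\system32\vahwpwpr.dll
2008-12-07 14:24 . 2008-12-08 20:42 864,726 --ahs---- c:\windows\system32\ELmmoUtv.ini2
2008-12-07 14:24 . 2008-12-08 20:42 864,726 --ahs---- c:\windows\system32\ELmmoUtv.ini
2008-12-07 14:24 . 2008-12-07 14:24 302,592 --a------ c:\windows\system32\vtUommLE.dll
2008-12-06 19:47 . 2008-12-06 19:47 <DIR> d-------- C:\rsit
"""

# LSA line as ComboFix prints it in this thread.
SAMPLE_LSA_LINE = r"Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\vtUommLE"

# Constructed allowlist: domains the machine's owner expects in IE's Trusted Zone.
EXPECTED_TRUSTED = {"*.lfg.com", "*.lfd.com", "*.salesforce.com"}

HJT_LINE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
# date time . date time size attrs path
CF_FILE_LINE = re.compile(r"^\S+ \S+ \. \S+ \S+ \S+ \S+ (.+)$")
DEFAULT_AUTH_PACKAGES = {"msv1_0"}  # the only package present on a stock XP install


def parse_hjt(text):
    """Yield (code, body) for each HijackThis entry, e.g. ('O2', 'BHO: ...')."""
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def _target_path(body):
    """Return the file path an entry points at: a quoted path if present, else
    everything from the first drive letter to the end of the line."""
    q = re.search(r'"([A-Za-z]:\\[^"]+)"', body)
    if q:
        return q.group(1)
    u = re.search(r"[A-Za-z]:\\.*$", body)
    return u.group(0).strip() if u else ""


def triage_hjt(text, expected_trusted):
    """Return (rule, detail) findings for the entry types fixed in this thread."""
    entries = list(parse_hjt(text))
    bho_dlls = {PureWindowsPath(_target_path(b)).name.lower() for c, b in entries if c == "O2"}
    findings = []
    for code, body in entries:
        path = _target_path(body)
        name = PureWindowsPath(path).name.lower()
        if code == "O2" and "(no name)" in body and "\\system32\\" in path.lower():
            findings.append(("unnamed-bho", path))  # nameless BHO living in system32
        elif code == "O4" and name.endswith(".dll"):
            findings.append(("run-dll", path))  # Run value is a DLL, not a program
        elif code == "O15":
            zone = body.split(":", 1)[1].strip().replace(" (HKLM)", "")
            if zone not in expected_trusted:
                findings.append(("trusted-zone", zone))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            findings.append(("appinit-dlls", body.split(":", 1)[1].strip()))
        elif code == "O20" and body.startswith("Winlogon Notify:") and name in bho_dlls:
            # Notify DLLs are used legitimately (ACNotify, ckpNotify in this thread),
            # so only flag one that is also registered as a BHO.
            findings.append(("winlogon-notify", path))
    return findings


def reversed_name_pairs(text):
    """Pair each .dll with any .ini/.ini2 whose base name is the DLL's name reversed."""
    dlls, inis = {}, []
    for raw in text.splitlines():
        m = CF_FILE_LINE.match(raw.strip())
        if not m:
            continue
        p = PureWindowsPath(m.group(1))
        if p.suffix.lower() == ".dll":
            dlls[p.stem.lower()] = str(p)
        elif p.suffix.lower() in (".ini", ".ini2"):
            inis.append(p)
    return [(dlls[i.stem[::-1].lower()], str(i)) for i in inis if i.stem[::-1].lower() in dlls]


def extra_auth_packages(line):
    """Return LSA Authentication Packages beyond msv1_0. Each one is loaded into
    lsass.exe at boot and sees logon credentials; some VPN/SSO products register
    one legitimately, so treat this as a review list, not a verdict."""
    if "REG_MULTI_SZ" not in line:
        return []
    values = line.split("REG_MULTI_SZ", 1)[1].split()
    return [v for v in values if v.lower() not in DEFAULT_AUTH_PACKAGES]


if __name__ == "__main__":
    for rule, detail in triage_hjt(SAMPLE_HJT, EXPECTED_TRUSTED):
        print(f"{rule:16} {detail}")
    for dll, ini in reversed_name_pairs(SAMPLE_CF_FILES):
        print(f"reversed-pair    {dll} <-> {ini}")
    for pkg in extra_auth_packages(SAMPLE_LSA_LINE):
        print(f"lsa-auth-package {pkg}")
```

Run as-is to see the five HijackThis findings, the three reversed-name pairs and the extra LSA package; replace the sample strings with pasted log text to triage another machine. The Winlogon Notify rule deliberately cross-references the BHO list rather than flagging every Notify DLL, because this very log shows legitimate ones from Check Point and ThinkPad software.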

#7 EddiePinz
Topic Starter | Members | 8 posts

Posted 08 December 2008 - 08:54 PM

The computer has been running a lot better. The pop-ups were very few; it seemed like they would only pop up when I did a Google search. Shut down and start up were rather slow, but the last restart went much faster.


Here are the log files:


ComboFix 08-12-06.06 - QUINNE1 2008-12-08 20:42:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.329 [GMT -5:00]
Running from: c:\documents and settings\quinne1\My Documents\nj051b_en\ComboFix.exe
Command switches used :: c:\documents and settings\quinne1\My Documents\nj051b_en\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\fcccbbyV.dll
.
/wow section - STAGE 32A


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Trymedia
c:\documents and settings\All Users\Application Data\Trymedia\data\{567A3B7C-9AA7-0012-DF72-F7AF20EE3694}
c:\documents and settings\All Users\Application Data\Trymedia\data\{DA224176-0FEF-88A4-6AE3-336FA20E7D48}
c:\documents and settings\All Users\Application Data\Trymedia\data\{EC646EA7-CD65-49BF-B7FD-386EC96E54DA}
c:\documents and settings\All Users\Application Data\Trymedia\data\{EE64CF88-72BD-3C19-3BE3-05CC159203DB}
c:\windows\system32\tabwhtpn.dll
c:\windows\system32\tndiem.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-07 14:25 . 2008-12-08 14:25 1,598,743 ---hs---- c:\windows\system32\rpwpwhav.ini
2008-12-07 14:25 . 2008-12-07 14:25 72,704 --a------ c:\windows\system32\vahwpwpr.dll
2008-12-07 14:24 . 2008-12-08 20:42 864,726 --ahs---- c:\windows\system32\ELmmoUtv.ini2
2008-12-07 14:24 . 2008-12-08 20:42 864,726 --ahs---- c:\windows\system32\ELmmoUtv.ini
2008-12-07 14:24 . 2008-12-07 14:24 302,592 --a------ c:\windows\system32\vtUommLE.dll
2008-12-06 19:47 . 2008-12-06 19:47 <DIR> d-------- C:\rsit
2008-12-06 19:02 . 2008-12-06 19:02 <DIR> d-------- c:\program files\Lavasoft
2008-12-06 19:02 . 2008-12-06 19:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-06 19:01 . 2008-12-06 19:01 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-06 18:39 . 2008-12-06 18:39 <DIR> d-------- c:\program files\Trend Micro
2008-12-05 17:20 . 2008-12-05 17:20 <DIR> d-------- c:\documents and settings\quinne1\Application Data\PlaceWare
2008-12-02 17:30 . 2008-12-02 17:44 <DIR> d-------- c:\program files\Project64 1.6
2008-11-28 07:59 . 2008-11-28 07:59 <DIR> d-------- c:\windows\system32\symbols
2008-11-28 07:59 . 2008-11-28 07:59 <DIR> d-------- c:\windows\Symbols
2008-11-28 07:59 . 2008-11-28 08:00 <DIR> d-------- c:\program files\Verint
2008-11-28 07:59 . 2008-11-28 07:59 <DIR> d-------- c:\program files\Common Files\Verint
2008-11-25 12:38 . 2008-11-25 12:38 <DIR> d-------- c:\documents and settings\quinne1\Application Data\iWin
2008-11-25 10:09 . 2008-11-25 10:09 <DIR> d-------- c:\program files\Common Files\Wintertree
2008-11-25 10:09 . 2008-11-25 10:09 <DIR> d-------- c:\program files\Common Files\Business Objects
2008-11-25 10:09 . 2008-11-25 10:09 <DIR> d-------- c:\program files\Business Objects
2008-11-22 07:29 . 2008-11-28 21:41 <DIR> d-------- c:\program files\Full Tilt Poker
2008-11-20 16:42 . 2008-11-20 16:42 0 --a------ c:\windows\nsreg.dat
2008-11-20 15:22 . 2008-11-20 15:22 <DIR> d-------- c:\program files\Common Files\Crystal Decisions
2008-11-20 11:17 . 2008-11-20 11:17 <DIR> d-------- c:\documents and settings\quinne1\Application Data\HEAT
2008-11-20 11:15 . 2008-11-26 10:23 <DIR> d-------- c:\program files\HEAT
2008-11-20 11:12 . 2008-11-20 11:12 <DIR> d-------- c:\program files\orl
2008-11-20 11:05 . 2008-11-20 11:08 <DIR> d-------- c:\documents and settings\quinne1\.f1j
2008-11-20 10:59 . 1999-09-29 21:04 1,238,288 --a------ c:\windows\system32\msjt4jlt.dll
2008-11-20 10:59 . 1999-08-25 15:57 415,504 --a------ c:\windows\system32\msrepl35.dll
2008-11-20 10:59 . 1998-06-01 15:37 344,064 --a------ c:\windows\system32\msexch35.dll
2008-11-20 10:59 . 1998-06-01 15:37 294,912 --a------ c:\windows\system32\msxbse35.dll
2008-11-20 10:59 . 1999-09-09 23:06 252,688 --a------ c:\windows\system32\msexcl35.dll
2008-11-20 10:59 . 1999-06-07 19:59 250,128 --a------ c:\windows\system32\mspdox35.dll
2008-11-20 10:59 . 1999-09-09 23:06 168,720 --a------ c:\windows\system32\msltus35.dll
2008-11-20 10:59 . 1999-09-30 20:21 166,672 --a------ c:\windows\system32\mstext35.dll
2008-11-20 10:59 . 1999-04-26 21:08 44,304 --a------ c:\windows\system32\msrpfs35.dll
2008-11-20 10:59 . 2005-06-24 17:16 40,960 --a------ c:\windows\HyperlinkHelper.exe
2008-11-20 10:59 . 1998-05-05 12:36 39,424 --a------ c:\windows\system32\JETCOMP.exe
2008-11-20 10:44 . 2008-11-20 14:42 <DIR> d-------- c:\program files\Oracle
2008-11-20 10:44 . 2008-11-20 10:44 <DIR> d-------- c:\program files\MS07-OCT
2008-11-20 10:42 . 2008-11-20 10:42 <DIR> d-------- c:\program files\MSXML 4.0
2008-11-20 10:42 . 2008-11-20 10:43 <DIR> d-------- c:\program files\MS07-AUG
2008-11-20 10:38 . 2008-11-20 10:38 <DIR> d-------- c:\program files\Common Files\Actuate
2008-11-20 10:38 . 2004-10-21 14:13 638,464 --a------ c:\windows\system32\oc30.dll
2008-11-20 10:38 . 2004-10-21 14:13 139,363 --a------ c:\windows\system32\winrpc32.dll
2008-11-20 10:38 . 2004-10-21 14:13 133,904 --a------ c:\windows\system32\mfcans32.dll
2008-11-20 10:38 . 2005-06-24 16:24 36,864 --a------ c:\windows\system32\LTWND10N.DLL
2008-11-20 10:38 . 2005-06-24 16:27 2,495 --a------ c:\windows\system32\Comctl32.dep
2008-11-20 10:36 . 2008-11-20 10:57 <DIR> d-------- c:\program files\Actuate8
2008-11-20 10:36 . 2005-06-24 21:01 1,519,616 --a------ c:\windows\system32\acrs8071.dll
2008-11-20 10:36 . 2005-06-24 21:01 724,992 --a------ c:\windows\system32\acr7771.dll
2008-11-20 09:39 . 2008-11-20 09:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2008-11-20 09:36 . 2008-11-20 09:36 <DIR> d-------- C:\HP_CLJ_4700_32bit_2000_XP_S2003_PS_HPDIU
2008-11-20 09:36 . 2008-11-20 09:36 <DIR> d-------- C:\HP CLJ4600
2008-11-20 09:04 . 2008-11-20 09:04 <DIR> d-------- c:\documents and settings\quinne1\Application Data\ICAClient
2008-11-20 08:59 . 2008-11-20 08:59 <DIR> d-------- c:\program files\SQLXML 4.0
2008-11-20 08:53 . 2008-11-20 08:53 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2008-11-20 08:53 . 2008-11-20 08:53 <DIR> d-------- c:\program files\Common Files\Merge Modules
2008-11-20 08:53 . 2008-11-20 09:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-20 08:51 . 2008-11-20 08:51 <DIR> d-------- c:\program files\Microsoft Analysis Services
2008-11-20 08:44 . 2008-11-20 09:31 <DIR> d-------- c:\program files\Microsoft SQL Server
2008-11-20 08:32 . 2004-08-03 22:58 14,848 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-11-20 08:32 . 2004-08-03 22:58 14,848 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2008-11-20 08:31 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-11-20 08:31 . 2001-08-17 13:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2008-11-20 08:31 . 2001-08-17 14:02 9,600 --a------ c:\windows\system32\drivers\hidusb.sys
2008-11-20 08:31 . 2001-08-17 14:02 9,600 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2008-11-20 07:19 . 2008-11-20 07:19 2,359,296 --ahs---- C:\EP1.vol
2008-11-20 07:19 . 2008-11-20 07:19 1,048,576 --ahs---- C:\EP5.vol
2008-11-20 07:19 . 2008-11-20 07:19 1,048,576 --ahs---- C:\EP4.vol
2008-11-20 07:19 . 2008-11-20 07:19 1,048,576 --ahs---- C:\EP0.vol
2008-11-20 07:19 . 2008-11-20 07:19 262,144 --ahs---- C:\EP3.vol
2008-11-20 07:19 . 2008-11-20 07:19 262,144 --ahs---- C:\EP2.vol
2008-11-20 07:18 . 2008-11-20 07:18 <DIR> d-------- c:\program files\MSECache
2008-11-20 07:16 . 2008-11-20 07:16 <DIR> d-------- c:\program files\MS07-APR
2008-11-20 07:16 . 2008-11-20 07:16 <DIR> d-------- c:\program files\GuardianEdge Technologies
2008-11-20 07:11 . 2008-11-20 07:11 <DIR> d-------- c:\program files\RCenter
2008-11-20 07:10 . 2008-11-20 07:10 <DIR> d-------- c:\program files\iTrade
2008-11-20 07:10 . 2008-11-20 07:10 <DIR> d-------- c:\program files\Delaware Research Analysis
2008-11-19 18:56 . 2008-01-29 16:15 2,516 --a------ c:\windows\system32\drivers\default.bin
2008-11-19 18:56 . 2008-01-29 16:15 2,516 --a------ c:\windows\system32\default.bin
2008-11-19 18:55 . 2008-11-19 18:55 <DIR> d-------- c:\program files\triCerat
2008-11-19 18:55 . 2008-11-19 18:55 <DIR> d-------- c:\program files\Drive Mapper
2008-11-19 18:55 . 2008-11-19 18:55 <DIR> d-------- c:\program files\CheckPoint
2008-11-19 18:54 . 2008-11-19 18:54 <DIR> d-------- c:\program files\Citrix
2008-11-19 18:53 . 2008-11-19 18:53 <DIR> d-------- c:\program files\PlaceWare
2008-11-19 18:49 . 2008-11-28 08:00 <DIR> d-------- C:\TRIGGER_FILES
2008-11-19 18:49 . 2008-11-19 18:49 <DIR> d-------- c:\program files\Robocopy
2008-11-19 18:49 . 2008-11-19 18:33 <DIR> d-------- c:\documents and settings\quinne1\WINDOWS
2008-11-19 18:49 . 2007-10-12 10:51 <DIR> d---s---- c:\documents and settings\quinne1\UserData
2008-11-19 18:49 . 2007-12-11 14:53 <DIR> d-------- c:\documents and settings\quinne1\Application Data\VERITAS
2008-11-19 18:49 . 2008-12-03 09:03 <DIR> d-------- c:\documents and settings\quinne1
2008-11-19 18:49 . 1999-12-02 13:54 97,280 --a------ c:\windows\robocopy.exe
2008-11-19 18:49 . 2003-06-19 11:05 5,392 --a------ c:\windows\IFMEMBER.EXE
2008-11-19 18:46 . 2008-11-19 18:46 <DIR> d-------- c:\windows\SchCache
2008-11-19 18:45 . 2008-11-19 18:33 <DIR> d-------- c:\documents and settings\Default User\WINDOWS
2008-11-19 18:41 . 2005-12-06 09:57 202,624 -ra------ c:\windows\system32\drivers\HSFHWAZL.sys
2008-11-19 18:41 . 2005-11-16 14:41 114,688 -ra------ c:\windows\system32\uci32103.dll
2008-11-19 18:35 . 2008-12-05 11:51 <DIR> d-------- c:\program files\Analog Devices
2008-11-19 18:34 . 2008-11-19 18:34 <DIR> d-------- c:\windows\system32\CCM
2008-11-19 18:34 . 2008-11-19 18:34 <DIR> d-------- c:\windows\ms
2008-11-19 18:34 . 2008-11-19 18:34 <DIR> d-------- c:\program files\Intel
2008-11-19 18:34 . 2008-11-19 18:34 <DIR> d-------- C:\Intel
2008-11-19 18:33 . 2008-11-19 18:34 <DIR> d-------- c:\windows\system32\ccmsetup
2008-11-19 18:33 . 2008-11-19 18:33 <DIR> d-------- c:\program files\ThinkPad
2008-11-19 18:33 . 2008-11-19 18:33 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2008-11-19 18:33 . 2007-02-05 17:45 583,232 --a------ c:\windows\system32\tvt_gina.dll
2008-11-19 18:33 . 1998-10-30 05:15 306,688 --a------ c:\windows\IsUninst.exe
2008-11-19 18:33 . 2007-02-05 17:45 292,416 --a------ c:\windows\system32\tvt_gina_api.dll
2008-11-19 18:33 . 2003-07-03 00:34 34,816 --a------ c:\windows\system32\TP98.CPL
2008-11-19 18:33 . 2003-07-03 00:34 14,848 --a------ c:\windows\system32\drivers\SMAPINT.SYS
2008-11-19 18:33 . 2005-11-08 09:27 11,520 --a------ c:\windows\system32\drivers\ANC.sys
2008-11-19 18:33 . 2003-07-03 00:34 8,830 --a------ c:\windows\system32\drivers\TDSMAPI.SYS
2008-11-19 18:33 . 2008-11-19 18:33 4,429 --a------ C:\postsys2.bat
2008-11-19 18:33 . 2007-04-02 11:24 4,224 --a------ c:\windows\system32\drivers\IBMBLDID.sys
2008-11-19 18:33 . 2008-11-19 18:33 0 --a------ c:\windows\system32\AccConnAdvanced.html
2008-11-19 18:32 . 2008-11-19 18:33 <DIR> dr------- C:\LFG_Apps
2008-11-19 18:31 . 2007-08-09 08:31 172,032 --a------ c:\windows\system32\igfxres.dll
2008-11-19 17:28 . 2005-05-17 08:56 98,304 --a------ c:\windows\system32\TPMDDL.dll
2008-11-19 17:28 . 2004-08-03 23:10 61,056 --a------ c:\windows\system32\drivers\ohci1394.sys
2008-11-19 17:28 . 2004-08-03 23:10 53,248 --a------ c:\windows\system32\drivers\1394bus.sys
2008-11-19 17:28 . 2005-05-17 09:20 15,872 --a------ c:\windows\system32\drivers\atmeltpm.sys
2008-11-19 17:28 . 2001-08-17 13:46 6,400 --a------ c:\windows\system32\drivers\enum1394.sys
2008-11-19 17:27 . 2008-11-19 17:27 <DIR> d-------- c:\windows\system32\Lang
2008-11-19 17:27 . 2008-11-19 18:34 <DIR> d----c--- c:\windows\system32\DRVSTORE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 01:33 --------- d-----w c:\program files\Symantec AntiVirus
2008-11-25 15:18 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-20 15:35 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-20 13:58 --------- d-----w c:\program files\Microsoft.NET
2007-10-03 13:07 493 -c--a-w c:\windows\system32\config\systemprofile\kick.bat
.

((((((((((((((((((((((((((((( snapshot@2008-12-07_14.05.01.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-07 18:37:18 111,330 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-09 01:36:18 111,330 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-07 18:37:18 552,588 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-09 01:36:18 552,588 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-09 01:30:13 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_3b4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{351FFEF2-883E-428B-84BF-FDDF47571999}]
2008-12-07 14:24 302592 --a------ c:\windows\system32\vtUommLE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-14 125632]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-15 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-15 137752]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 413696]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 126976]
"EPHD User"="c:\program files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe" [2008-03-11 98304]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"ILA"="c:\program files\Verint\ila\ilaloginapp.exe" [2005-01-26 57344]
"RFBAgent"="c:\program files\Verint\Screens\Bin\RFBAgent.exe" [2004-08-18 352256]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-02-18 1044480]
"c0541618"="c:\windows\system32\vahwpwpr.dll" [2008-12-07 72704]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Live Meeting Add-in for Microsoft Outlook.lnk - c:\windows\Installer\{A3BA5420-0C00-47B7-8450-02C99A20F832}\_294823.exe [2008-11-19 3638]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= aim.exe
"2"= icq.exe
"3"= Kazaa.exe
"4"= klrun.exe
"5"= msmsgs.exe
"6"= napster.exe
"7"= skype.exe
"8"= trillian.exe
"9"= ypager.exe
"10"= yupdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-07-05 14:52 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2008-01-29 16:14 24669 c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\vtUommLE
Notification Packages REG_MULTI_SZ scecli ACGina ephdssol

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\delinvest.ad.lfg.com\SYSVOL\delinvest.ad.lfg.com\scripts\DNS\DNS_Suffix_Search.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=installOS.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=AddUserToLocalAdmin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2133283647-335812911-648689268-112050\Scripts\Logon\0\0]
"Script"=START2000.BAT

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=

R0 EAFSPROT;EAFSPROT;c:\windows\system32\drivers\eafsprot.sys [2007-06-14 13696]
R0 EPHDXLAT;PC Guardian Encryption Filter;c:\windows\system32\drivers\EPHDXLAT.sys [2007-06-14 98816]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2008-11-19 11520]
R1 FW1;SecuRemote Miniport;c:\windows\system32\DRIVERS\fw.sys [2008-01-29 2235760]
R1 IBMTPCHK;IBMTPCHK;\??\c:\windows\system32\Drivers\IBMBLDID.sys [2008-11-19 4224]
R2 CcmExec;SMS Agent Host;c:\windows\system32\CCM\CcmExec.exe [2006-02-09 578784]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2008-01-29 47504]
R2 EPHDManager;EPHDManager;"c:\program files\GuardianEdge Technologies\EP Hard Disk\User\EPHDManager.exe" [2008-03-11 155648]
R2 LoggerServer;LoggerServer;c:\program files\Common Files\Verint\Bin\LoggerServer.exe -LSRS []
R2 MsDtsServer;SQL Server Integration Services;"c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe" [2005-10-14 199384]
R2 RFBAgent;RFB Agent;"c:\program files\Verint\Screens\Bin\RFBAgent.exe" -service [2004-08-18 352256]
R2 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2007-03-14 116416]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\DRIVERS\vnasc.sys [2008-01-29 121136]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2008-01-29 673872]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-11-20 99376]
R3 LenovoRd;LenovoRd;c:\windows\system32\Drivers\LenovoRd.sys [2007-10-15 81280]
R3 prepdrvr;SMS Process Event Driver;\??\c:\windows\system32\CCM\prepdrv.sys [2006-02-09 20704]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

*Newly Created Service* - CATCHME
.
- - - - ORPHANS REMOVED - - - -

BHO-{f03e5c37-f637-4d7e-84e3-301a0ec34d28} - c:\windows\system32\tndiem.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.lfd.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: *.amgusa.com
Trusted Zone: *.ascendix.com
Trusted Zone: *.delgroup.com
Trusted Zone: *.emanywhere.com
Trusted Zone: *.ermonline.net
Trusted Zone: *.jp.corp
Trusted Zone: *.jpfinancial.com
Trusted Zone: *.jpfnet.com
Trusted Zone: *.lfacrm.com
Trusted Zone: *.lfd.com
Trusted Zone: *.lfdanywhere.com
Trusted Zone: *.lfg.com
Trusted Zone: *.delinvest.ad.lfg.com
Trusted Zone: *.us.ad.lfg.com
Trusted Zone: *.lfgmfin.com
Trusted Zone: *.lnc.com
Trusted Zone: *.placeware.com
Trusted Zone: *.salesforce.com
Trusted Zone: *.amgusa.com
Trusted Zone: *.ascendix.com
Trusted Zone: *.delgroup.com
Trusted Zone: *.emanywhere.com
Trusted Zone: *.ermonline.net
Trusted Zone: *.jp.corp
Trusted Zone: *.jpfinancial.com
Trusted Zone: *.jpfnet.com
Trusted Zone: *.lfacrm.com
Trusted Zone: *.lfd.com
Trusted Zone: *.lfdanywhere.com
Trusted Zone: *.lfg.com
Trusted Zone: *.delinvest.ad.lfg.com
Trusted Zone: *.us.ad.lfg.com
Trusted Zone: *.lfgmfin.com
Trusted Zone: *.lnc.com
Trusted Zone: *.placeware.com
Trusted Zone: *.salesforce.com

O16 -: {52e54c77-cced-4b72-8e29-bb7206ca5a8f}

O16 -: {9b935470-ad4a-11d5-b63e-00c04faedb18}

c:\windows\system32\atl.dll - c:\windows\system32\mfc42.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\olepro32.dll
c:\windows\Downloaded Program Files\mfc42u.dll
c:\windows\Downloaded Program Files\cselexpt.ocx
c:\windows\Downloaded Program Files\reportparameterdialog.dll
c:\windows\Downloaded Program Files\CRViewer.dll
c:\windows\Downloaded Program Files\sviewhlp.dll
c:\windows\Downloaded Program Files\swebrs.dll
O16 -: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011}
hxxp://crystalprod.jp.corp/crystalreportviewers10/ActiveXControls/ActiveXViewer.cab
c:\windows\Downloaded Program Files\crviewer.inf
FireFox -: Profile - c:\documents and settings\quinne1\Application Data\Mozilla\Firefox\Profiles\ynfklun6.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.lfd.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-08 20:45:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(992)
c:\windows\system32\ephdgina.dll
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1048)
c:\windows\system32\vtUommLE.dll
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
c:\windows\system32\ephdssol.dll
c:\windows\system32\ephdsson.dll
c:\windows\system32\RegistryAccess.dll
c:\windows\system32\AccessEPFS.dll
c:\windows\system32\EPcrypto.dll
c:\windows\system32\EPCL32.dll
.
Completion time: 2008-12-08 20:46:46
ComboFix-quarantined-files.txt 2008-12-09 01:46:41
ComboFix2.txt 2008-12-07 19:05:44

Pre-Run: 70,085,722,112 bytes free
Post-Run: 70,083,796,992 bytes free

368

Logfile of random's system information tool 1.04 (written by random/random)
Run by QUINNE1 at 2008-12-08 20:49:41
Microsoft Windows XP Professional Service Pack 2
System drive C: has 67 GB (88%) free of 76 GB
Total RAM: 998 MB (40% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:49, on 2008-12-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\EPHDManager.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Verint\Bin\LoggerServer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verint\Screens\Bin\RFBAgent.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Verint\ila\ilaloginapp.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\quinne1\My Documents\nj051b_en\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\QUINNE1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lfd.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {351FFEF2-883E-428B-84BF-FDDF47571999} - C:\WINDOWS\system32\vtUommLE.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [EPHD User] "C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ILA] C:\Program Files\Verint\ila\ilaloginapp.exe
O4 - HKLM\..\Run: [RFBAgent] "C:\Program Files\Verint\Screens\Bin\RFBAgent.exe" -servicehelper
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [c0541618] rundll32.exe "C:\WINDOWS\system32\vahwpwpr.dll",b
O4 - Global Startup: Live Meeting Add-in for Microsoft Outlook.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.lfd.com
O15 - Trusted Zone: *.amgusa.com
O15 - Trusted Zone: *.ascendix.com
O15 - Trusted Zone: *.delgroup.com
O15 - Trusted Zone: http://*.delpwsymweb1
O15 - Trusted Zone: *.emanywhere.com
O15 - Trusted Zone: *.ermonline.net
O15 - Trusted Zone: http://*.itradeiis
O15 - Trusted Zone: *.jp.corp
O15 - Trusted Zone: *.jpfinancial.com
O15 - Trusted Zone: *.jpfnet.com
O15 - Trusted Zone: *.lfacrm.com
O15 - Trusted Zone: *.lfd.com
O15 - Trusted Zone: *.lfdanywhere.com
O15 - Trusted Zone: http://*.lfdpwportal1
O15 - Trusted Zone: *.delinvest.ad.lfg.com
O15 - Trusted Zone: *.us.ad.lfg.com
O15 - Trusted Zone: *.lfg.com
O15 - Trusted Zone: *.lfgmfin.com
O15 - Trusted Zone: *.lnc.com
O15 - Trusted Zone: *.placeware.com
O15 - Trusted Zone: *.salesforce.com
O15 - Trusted Zone: *.amgusa.com (HKLM)
O15 - Trusted Zone: *.ascendix.com (HKLM)
O15 - Trusted Zone: *.delgroup.com (HKLM)
O15 - Trusted Zone: http://*.delpwsymweb1 (HKLM)
O15 - Trusted Zone: *.emanywhere.com (HKLM)
O15 - Trusted Zone: *.ermonline.net (HKLM)
O15 - Trusted Zone: http://*.itradeiis (HKLM)
O15 - Trusted Zone: *.jp.corp (HKLM)
O15 - Trusted Zone: *.jpfinancial.com (HKLM)
O15 - Trusted Zone: *.jpfnet.com (HKLM)
O15 - Trusted Zone: *.lfacrm.com (HKLM)
O15 - Trusted Zone: *.lfd.com (HKLM)
O15 - Trusted Zone: *.lfdanywhere.com (HKLM)
O15 - Trusted Zone: http://*.lfdpwportal1 (HKLM)
O15 - Trusted Zone: *.delinvest.ad.lfg.com (HKLM)
O15 - Trusted Zone: *.us.ad.lfg.com (HKLM)
O15 - Trusted Zone: *.lfg.com (HKLM)
O15 - Trusted Zone: *.lfgmfin.com (HKLM)
O15 - Trusted Zone: *.lnc.com (HKLM)
O15 - Trusted Zone: *.placeware.com (HKLM)
O15 - Trusted Zone: *.salesforce.com (HKLM)
O16 - DPF: {52e54c77-cced-4b72-8e29-bb7206ca5a8f} (Oracle JInitiator 1.1.8.27) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192204329089
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192453858325
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} (Crystal ActiveX Report Viewer Control 10.0) - http://crystalprod.jp.corp/crystalreportvi...tiveXViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = delinvest.ad.lfg.com
O17 - HKLM\Software\..\Telephony: DomainName = delinvest.ad.lfg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = delinvest.ad.lfg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = delinvest.ad.lfg.com,us.ad.lfg.com,ad.lfg.com,lfg.com,lnc.com,jp.corp,amgusa.com,delgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = delinvest.ad.lfg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = delinvest.ad.lfg.com,us.ad.lfg.com,ad.lfg.com,lfg.com,lnc.com,jp.corp,amgusa.com,delgroup.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = delinvest.ad.lfg.com,us.ad.lfg.com,ad.lfg.com,lfg.com,lnc.com,jp.corp,amgusa.com,delgroup.com
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPHDManager - GuardianEdge Technologies, Inc. - C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\EPHDManager.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LoggerServer - Verint - C:\Program Files\Common Files\Verint\Bin\LoggerServer.exe
O23 - Service: RFB Agent (RFBAgent) - Verint - C:\Program Files\Verint\Screens\Bin\RFBAgent.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 10577 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{351FFEF2-883E-428B-84BF-FDDF47571999}]
C:\WINDOWS\system32\vtUommLE.dll [2008-12-07 302592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll [2007-09-25 501136]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2007-05-11 40048]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2006-11-21 52840]
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe [2007-03-14 125632]
"StorageGuard"=C:\Program Files\VERITAS Software\Update Manager\sgtray.exe [2002-06-18 155648]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2007-08-15 141848]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2007-08-15 162328]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2007-08-15 137752]
"ACTray"=C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe [2007-07-05 413696]
"ACWLIcon"=C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe [2007-07-05 126976]
"EPHD User"=C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe [2008-03-11 98304]
"Synchronization Manager"=C:\WINDOWS\system32\mobsync.exe [2004-08-04 143360]
"ILA"=C:\Program Files\Verint\ila\ilaloginapp.exe [2005-01-26 57344]
"RFBAgent"=C:\Program Files\Verint\Screens\Bin\RFBAgent.exe [2004-08-18 352256]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2008-02-18 1044480]
"c0541618"=C:\WINDOWS\system32\vahwpwpr.dll [2008-12-07 72704]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Live Meeting Add-in for Microsoft Outlook.lnk - C:\WINDOWS\Installer\{A3BA5420-0C00-47B7-8450-02C99A20F832}\_294823.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ACNotify]
C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll [2007-07-05 32768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2004-08-25 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ckpNotify]
C:\WINDOWS\system32\ckpNotify.dll [2008-01-29 24669]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2007-08-09 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\system32\NavLogon.dll [2007-03-14 43712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-04-10 236928]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\vtUommLE
"notification packages"=scecli
ACGina
ephdssol

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=1
"legalnoticecaption"=Lincoln Financial Group
"legalnoticetext"=Do not attempt to log on unless you are an authorized user.
.
.
*********************************************************************************************
By logging on to this computer, you agree to abide by the LFG Information
Security Policy and Information Handling Policy, including appropriate use of
e-mail and the Internet. The primary use of this PC and the LFG network is to
conduct company business. You are responsible for protecting the Company's
confidential or proprietary information from unauthorized disclosures.
*********************************************************************************************
"shutdownwithoutlogon"=0
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoSMHelp"=1
"Intellimenus"=1
"NoSMMyDocs"=1
"DisablePersonalDirChange"=1
"ForceClassicControlPanel"=1
"NoSharedDocuments"=1
"NoSMMyPictures"=1
"NoStartMenuMyMusic"=1
"ForceStartMenuLogOff"=1
"NoSMConfigurePrograms"=1
"NoRecentDocsNetHood"=1
"NoDesktopCleanupWizard"=1
"NoWelcomeScreen"=1
"NoSMBalloonTip"=1
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe:*:Enabled:VPN-1 SecuRemote/SecureClient service"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe:*:Enabled:VPN-1 SecuRemote/SecureClient application"
"C:\Program Files\CheckPoint\SecuRemote\bin\scc.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\scc.exe:*:Enabled:VPN-1 SecuRemote/SecureClient command line"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_SDS.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_SDS.exe:*:Enabled:VPN-1 SecuRemote/SecureClient SDS agent"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_Diagnostics.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_Diagnostics.exe:*:Enabled:VPN-1 SecuRemote/SecureClient diagnostics"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe:*:Enabled:VPN-1 SecuRemote/SecureClient service"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe:*:Enabled:VPN-1 SecuRemote/SecureClient application"
"C:\Program Files\CheckPoint\SecuRemote\bin\scc.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\scc.exe:*:Enabled:VPN-1 SecuRemote/SecureClient command line"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_SDS.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_SDS.exe:*:Enabled:VPN-1 SecuRemote/SecureClient SDS agent"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_Diagnostics.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_Diagnostics.exe:*:Enabled:VPN-1 SecuRemote/SecureClient diagnostics"

======List of files/folders created in the last 1 months======

2008-12-08 20:46:50 ----A---- C:\ComboFix.txt
2008-12-07 14:25:07 ----SH---- C:\WINDOWS\system32\rpwpwhav.ini
2008-12-07 14:25:04 ----A---- C:\WINDOWS\system32\vahwpwpr.dll
2008-12-07 14:24:19 ----ASH---- C:\WINDOWS\system32\ELmmoUtv.ini2
2008-12-07 14:24:19 ----ASH---- C:\WINDOWS\system32\ELmmoUtv.ini
2008-12-07 14:24:14 ----A---- C:\WINDOWS\system32\vtUommLE.dll
2008-12-07 13:49:17 ----A---- C:\WINDOWS\zip.exe
2008-12-07 13:49:17 ----A---- C:\WINDOWS\VFIND.exe
2008-12-07 13:49:17 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-12-07 13:49:17 ----A---- C:\WINDOWS\SWSC.exe
2008-12-07 13:49:17 ----A---- C:\WINDOWS\SWREG.exe
2008-12-07 13:49:17 ----A---- C:\WINDOWS\sed.exe
2008-12-07 13:49:17 ----A---- C:\WINDOWS\NIRCMD.exe
2008-12-07 13:49:17 ----A---- C:\WINDOWS\grep.exe
2008-12-07 13:49:17 ----A---- C:\WINDOWS\fdsv.exe
2008-12-07 13:48:54 ----D---- C:\WINDOWS\ERDNT
2008-12-07 13:48:54 ----D---- C:\Qoobox
2008-12-06 19:47:17 ----D---- C:\rsit
2008-12-06 19:02:08 ----D---- C:\Program Files\Lavasoft
2008-12-06 19:02:06 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-12-06 19:01:25 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-12-06 18:39:35 ----D---- C:\Program Files\Trend Micro
2008-12-06 17:16:09 ----A---- C:\WINDOWS\system32\cb77d266-.txt
2008-12-05 17:20:17 ----D---- C:\Documents and Settings\quinne1\Application Data\PlaceWare
2008-12-02 17:30:50 ----D---- C:\Program Files\Project64 1.6
2008-11-28 07:59:43 ----D---- C:\WINDOWS\system32\symbols
2008-11-28 07:59:43 ----D---- C:\Program Files\Verint
2008-11-28 07:59:27 ----D---- C:\WINDOWS\Symbols
2008-11-28 07:59:15 ----D---- C:\Program Files\Common Files\Verint
2008-11-25 12:38:27 ----D---- C:\Documents and Settings\quinne1\Application Data\iWin
2008-11-25 10:09:51 ----D---- C:\Program Files\Common Files\Wintertree
2008-11-25 10:09:19 ----D---- C:\Program Files\Common Files\Business Objects
2008-11-25 10:09:19 ----D---- C:\Program Files\Business Objects
2008-11-22 07:29:53 ----D---- C:\Program Files\Full Tilt Poker
2008-11-20 16:42:00 ----D---- C:\Documents and Settings\quinne1\Application Data\Mozilla
2008-11-20 16:41:49 ----D---- C:\Program Files\Mozilla Firefox
2008-11-20 15:22:10 ----D---- C:\Program Files\Common Files\Crystal Decisions
2008-11-20 11:17:53 ----D---- C:\Documents and Settings\quinne1\Application Data\HEAT
2008-11-20 11:15:26 ----D---- C:\Program Files\HEAT
2008-11-20 11:12:54 ----D---- C:\Program Files\orl
2008-11-20 10:59:16 ----A---- C:\WINDOWS\system32\msxbse35.dll
2008-11-20 10:59:16 ----A---- C:\WINDOWS\system32\mstext35.dll
2008-11-20 10:59:16 ----A---- C:\WINDOWS\system32\mspdox35.dll
2008-11-20 10:59:16 ----A---- C:\WINDOWS\system32\msltus35.dll
2008-11-20 10:59:16 ----A---- C:\WINDOWS\system32\msexch35.dll
2008-11-20 10:59:15 ----A---- C:\WINDOWS\system32\msrpfs35.dll
2008-11-20 10:59:15 ----A---- C:\WINDOWS\system32\msrepl35.dll
2008-11-20 10:59:15 ----A---- C:\WINDOWS\system32\msjt4jlt.dll
2008-11-20 10:59:15 ----A---- C:\WINDOWS\system32\msexcl35.dll
2008-11-20 10:59:14 ----A---- C:\WINDOWS\system32\JETCOMP.exe
2008-11-20 10:59:13 ----A---- C:\WINDOWS\HyperlinkHelper.exe
2008-11-20 10:44:45 ----D---- C:\Program Files\Oracle
2008-11-20 10:44:08 ----D---- C:\Program Files\MS07-OCT
2008-11-20 10:43:04 ----HDC---- C:\WINDOWS\$NtUninstallKB937143$
2008-11-20 10:42:24 ----D---- C:\Program Files\MSXML 4.0
2008-11-20 10:42:16 ----D---- C:\Program Files\MS07-AUG
2008-11-20 10:39:14 ----A---- C:\WINDOWS\system32\VBAR332.DLL
2008-11-20 10:39:14 ----A---- C:\WINDOWS\system32\odbctl32.dll
2008-11-20 10:39:14 ----A---- C:\WINDOWS\system32\Odbcstf.dll
2008-11-20 10:39:13 ----A---- C:\WINDOWS\system32\msrd2x35.dll
2008-11-20 10:39:13 ----A---- C:\WINDOWS\system32\msjter35.dll
2008-11-20 10:39:13 ----A---- C:\WINDOWS\system32\msjint35.dll
2008-11-20 10:39:13 ----A---- C:\WINDOWS\system32\msjet35.dll
2008-11-20 10:39:12 ----A---- C:\WINDOWS\system32\Convdsn.exe
2008-11-20 10:38:04 ----D---- C:\Program Files\Common Files\Actuate
2008-11-20 10:38:00 ----A---- C:\WINDOWS\system32\winrpc32.dll
2008-11-20 10:38:00 ----A---- C:\WINDOWS\system32\oc30.dll
2008-11-20 10:38:00 ----A---- C:\WINDOWS\system32\mfcans32.dll
2008-11-20 10:38:00 ----A---- C:\WINDOWS\system32\LTWND10N.DLL
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\ltkrn10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\ltfil10N.DLL
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\ltdlg10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\LTDIS10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\lfwmf10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\lftif10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\lftga10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\lfpcx10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\lffax10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\LFCMP10N.DLL
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\lfbmp10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\hdk3ct32.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\gswdll32.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\gswag32.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\gsw32.exe
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\GSJPG32.DLL
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\ezrpcw32.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\acxerces-c_1_4_71.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\AcUnInstall.exe
2008-11-20 10:37:58 ----A---- C:\WINDOWS\system32\acicudt18_71.dll
2008-11-20 10:37:51 ----A---- C:\WINDOWS\system32\acrq8071.dll
2008-11-20 10:36:26 ----A---- C:\WINDOWS\system32\acrs8071.dll
2008-11-20 10:36:26 ----A---- C:\WINDOWS\system32\acr7771.dll
2008-11-20 10:36:22 ----D---- C:\Program Files\Actuate8
2008-11-20 09:39:05 ----D---- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\hpzpnp.dll
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPZISN12.DLL
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPZIPT12.DLL
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPZIPR12.DLL
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPZIPM12.DLL
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPZINW12.DLL
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPZIDR12.DLL
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPNRA.EXE
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPJIPX1U.DLL
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPJCMN2U.DLL
2008-11-20 09:38:39 ----A---- C:\WINDOWS\system32\HPBPROPS.DLL
2008-11-20 09:38:39 ----A---- C:\WINDOWS\system32\HPBPRO.DLL
2008-11-20 09:38:39 ----A---- C:\WINDOWS\system32\HPBOIDPS.DLL
2008-11-20 09:38:39 ----A---- C:\WINDOWS\system32\HPBOID.DLL
2008-11-20 09:38:39 ----A---- C:\WINDOWS\system32\HPBNRAC2.DLL
2008-11-20 09:38:39 ----A---- C:\WINDOWS\system32\HPBMINI.DLL
2008-11-20 09:38:39 ----A---- C:\WINDOWS\system32\HPBMIAPI.DLL
2008-11-20 09:36:42 ----D---- C:\HP CLJ4600
2008-11-20 09:36:12 ----D---- C:\HP_CLJ_4700_32bit_2000_XP_S2003_PS_HPDIU
2008-11-20 09:04:33 ----D---- C:\Documents and Settings\quinne1\Application Data\ICAClient
2008-11-20 08:59:27 ----D---- C:\Program Files\SQLXML 4.0
2008-11-20 08:53:09 ----D---- C:\Program Files\Microsoft Visual Studio 8
2008-11-20 08:53:09 ----D---- C:\Program Files\Common Files\Merge Modules
2008-11-20 08:53:07 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-11-20 08:51:57 ----D---- C:\Program Files\Microsoft Analysis Services
2008-11-20 08:44:43 ----D---- C:\Program Files\Microsoft SQL Server
2008-11-20 07:19:13 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-11-20 07:18:29 ----D---- C:\Program Files\MSECache
2008-11-20 07:16:14 ----A---- C:\WINDOWS\system32\spmsg.dll
2008-11-20 07:16:04 ----D---- C:\Program Files\MS07-APR
2008-11-20 07:16:04 ----D---- C:\Program Files\GuardianEdge Technologies
2008-11-20 07:11:07 ----D---- C:\Program Files\RCenter
2008-11-20 07:10:57 ----D---- C:\Program Files\iTrade
2008-11-20 07:10:47 ----D---- C:\Program Files\Delaware Research Analysis
2008-11-19 18:55:35 ----D---- C:\Program Files\CheckPoint
2008-11-19 18:55:24 ----D---- C:\Program Files\Drive Mapper
2008-11-19 18:55:06 ----D---- C:\Program Files\triCerat
2008-11-19 18:54:43 ----D---- C:\Program Files\Citrix
2008-11-19 18:53:27 ----D---- C:\Program Files\PlaceWare
2008-11-19 18:49:54 ----D---- C:\TRIGGER_FILES
2008-11-19 18:49:50 ----D---- C:\Program Files\Robocopy
2008-11-19 18:49:48 ----A---- C:\WINDOWS\robocopy.exe
2008-11-19 18:49:47 ----A---- C:\WINDOWS\IFMEMBER.EXE
2008-11-19 18:49:37 ----ASH---- C:\Documents and Settings\quinne1\Application Data\desktop.ini
2008-11-19 18:49:36 ----D---- C:\Documents and Settings\quinne1\Application Data\Identities
2008-11-19 18:49:36 ----D---- C:\Documents and Settings\quinne1\Application Data\Adobe
2008-11-19 18:49:35 ----SD---- C:\Documents and Settings\quinne1\Application Data\Microsoft
2008-11-19 18:49:35 ----D---- C:\Documents and Settings\quinne1\Application Data\VERITAS
2008-11-19 18:49:35 ----D---- C:\Documents and Settings\quinne1\Application Data\Sun
2008-11-19 18:49:35 ----D---- C:\Documents and Settings\quinne1\Application Data\Macromedia
2008-11-19 18:46:35 ----D---- C:\WINDOWS\SchCache
2008-11-19 18:41:29 ----RA---- C:\WINDOWS\system32\uci32103.dll
2008-11-19 18:35:58 ----D---- C:\Program Files\Analog Devices
2008-11-19 18:35:52 ----HDC---- C:\WINDOWS\$NtUninstallKB888111WXPSP2$
2008-11-19 18:34:37 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-11-19 18:34:34 ----D---- C:\Program Files\Intel
2008-11-19 18:34:31 ----D---- C:\Intel
2008-11-19 18:34:01 ----D---- C:\WINDOWS\system32\CCM
2008-11-19 18:34:01 ----D---- C:\WINDOWS\ms
2008-11-19 18:33:50 ----A---- C:\WINDOWS\system32\tvt_gina_api.dll
2008-11-19 18:33:50 ----A---- C:\WINDOWS\system32\tvt_gina.dll
2008-11-19 18:33:43 ----D---- C:\Program Files\ThinkPad
2008-11-19 18:33:40 ----A---- C:\WINDOWS\IsUninst.exe
2008-11-19 18:33:34 ----D---- C:\WINDOWS\system32\ccmsetup
2008-11-19 18:33:32 ----A---- C:\postsys2.bat
2008-11-19 18:32:38 ----RD---- C:\LFG_Apps
2008-11-19 18:31:44 ----A---- C:\WINDOWS\system32\igfxres.dll
2008-11-19 17:28:58 ----A---- C:\WINDOWS\system32\TPMDDL.dll
2008-11-19 17:27:47 ----D---- C:\WINDOWS\system32\Lang
2008-11-19 17:27:47 ----A---- C:\WINDOWS\system32\igxpun.exe
2008-11-19 17:27:23 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-11-19 17:27:23 ----A---- C:\WINDOWS\system32\difxapi.dll

======List of files/folders modified in the last 1 months======

2008-12-08 20:47:07 ----D---- C:\WINDOWS\Temp
2008-12-08 20:47:04 ----D---- C:\WINDOWS\system32
2008-12-08 20:46:56 ----D---- C:\WINDOWS
2008-12-08 20:45:10 ----A---- C:\WINDOWS\system.ini
2008-12-08 20:43:34 ----D---- C:\WINDOWS\system32\drivers
2008-12-08 20:43:34 ----D---- C:\Program Files\Common Files
2008-12-08 20:43:33 ----D---- C:\WINDOWS\AppPatch
2008-12-08 20:42:15 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-08 20:41:04 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-08 20:39:49 ----SHD---- C:\System Volume Information
2008-12-08 20:39:49 ----D---- C:\WINDOWS\system32\Restore
2008-12-08 20:36:18 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-12-08 20:33:42 ----D---- C:\Program Files\Symantec AntiVirus
2008-12-08 20:33:02 ----A---- C:\WINDOWS\smscfg.ini
2008-12-08 20:00:06 ----D---- C:\WINDOWS\security
2008-12-08 09:02:14 ----D---- C:\WINDOWS\Prefetch
2008-12-07 13:55:49 ----D---- C:\WINDOWS\system32\config
2008-12-07 13:51:43 ----RD---- C:\Program Files
2008-12-06 19:02:56 ----SHD---- C:\WINDOWS\Installer
2008-12-05 11:51:14 ----HD---- C:\WINDOWS\inf
2008-12-05 11:51:14 ----D---- C:\WINDOWS\system32\CatRoot
2008-11-28 08:00:02 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-11-25 15:29:39 ----AC---- C:\WINDOWS\ODBC.INI
2008-11-25 10:18:15 ----HD---- C:\Program Files\InstallShield Installation Information
2008-11-21 18:17:02 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-11-21 14:02:27 ----D---- C:\WINDOWS\Help
2008-11-20 13:39:38 ----D---- C:\WINDOWS\Microsoft.NET
2008-11-20 13:39:37 ----RSD---- C:\WINDOWS\assembly
2008-11-20 11:15:38 ----D---- C:\WINDOWS\WinSxS
2008-11-20 10:59:27 ----AC---- C:\WINDOWS\ODBCINST.INI
2008-11-20 10:43:01 ----HD---- C:\WINDOWS\$hf_mig$
2008-11-20 10:35:37 ----D---- C:\Program Files\Common Files\InstallShield
2008-11-20 09:09:35 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-11-20 09:07:51 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-11-20 08:59:18 ----D---- C:\WINDOWS\Registration
2008-11-20 08:58:23 ----D---- C:\Program Files\Microsoft.NET
2008-11-20 08:53:20 ----D---- C:\WINDOWS\system32\1033
2008-11-20 08:31:50 ----SHD---- C:\WINDOWS\CSC
2008-11-20 07:19:24 ----A---- C:\WINDOWS\imsins.BAK
2008-11-19 18:53:41 ----D---- C:\WINDOWS\system32\wbem
2008-11-19 18:52:56 ----D---- C:\Program Files\Microsoft Office
2008-11-19 18:49:43 ----D---- C:\WINDOWS\system32\appmgmt
2008-11-19 18:49:33 ----D---- C:\Documents and Settings
2008-11-19 18:45:22 ----A---- C:\WINDOWS\setuplog.txt
2008-11-19 18:43:56 ----RASH---- C:\boot.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ANC;ANC; C:\WINDOWS\System32\drivers\ANC.SYS [2005-11-08 11520]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 FW1;SecuRemote Miniport; C:\WINDOWS\system32\DRIVERS\fw.sys [2008-01-29 2235760]
R1 IBMTPCHK;IBMTPCHK; \??\C:\WINDOWS\system32\Drivers\IBMBLDID.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys []
R1 Smapint;Smapint; C:\WINDOWS\System32\drivers\Smapint.sys [2003-07-03 14848]
R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2007-02-12 196752]
R1 TDSMAPI;TDSMAPI; C:\WINDOWS\System32\drivers\TDSMAPI.SYS [2003-07-03 8830]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2004-08-03 8832]
R2 CP_OMDRV;Check Point Office Mode Module; C:\WINDOWS\System32\drivers\omdrv.sys [2008-01-29 47504]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2005-10-05 12544]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient; C:\WINDOWS\system32\DRIVERS\vnasc.sys [2008-01-29 121136]
R2 VPN-1;VPN-1 Module; C:\WINDOWS\System32\drivers\vpn.sys [2008-01-29 673872]
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2008-02-18 334848]
R3 aeaudio;AE Audio Service; C:\WINDOWS\system32\drivers\aeaudio.sys [2008-02-18 94976]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
R3 atmeltpm;atmeltpm; C:\WINDOWS\system32\DRIVERS\atmeltpm.sys [2005-05-17 15872]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2007-05-11 252312]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2005-12-06 996736]
R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2005-12-06 202624]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-08-09 5765056]
R3 IBMPMDRV;IBMPMDRV; C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys [2007-05-31 21424]
R3 idisw2km;idisw2km; C:\WINDOWS\system32\DRIVERS\idisw2km.sys [2006-02-09 8992]
R3 kbstuff;SMS Virtual Keyboard; C:\WINDOWS\system32\DRIVERS\kbstuff5.sys [2006-02-09 11744]
R3 LenovoRd;LenovoRd; C:\WINDOWS\System32\Drivers\LenovoRd.sys [2007-06-08 81280]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081207.005\naveng.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081207.005\navex15.sys []
R3 NETw4x32;Intel® Wireless WiFi Link Adapter Driver for Windows XP 32 Bit; C:\WINDOWS\system32\DRIVERS\NETw4x32.sys [2007-11-26 2236544]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
R3 prepdrvr;SMS Process Event Driver; \??\C:\WINDOWS\system32\CCM\prepdrv.sys []
R3 SAVRT;SAVRT; \??\C:\Program Files\Symantec AntiVirus\savrt.sys []
R3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
R3 TcUsb;TC USB Kernel Driver; C:\WINDOWS\System32\Drivers\tcusb.sys [2007-03-08 40848]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-12-06 724224]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
S3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2004-08-25 787456]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 E1000;Intel® PRO/1000 Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1000325.sys [2007-03-25 171416]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 HSFHWICH;HSFHWICH; C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys []
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 NSCIRDA;NSC Infrared Device Driver; C:\WINDOWS\system32\DRIVERS\nscirda.sys [2004-08-03 28672]
S3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
S3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-05-27 578304]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
R2 AcPrfMgrSvc;Ac Profile Manager Service; C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe [2007-07-05 65536]
R2 AcSvc;Access Connections Main Service; C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe [2007-07-05 184320]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2006-11-21 192104]
R2 CcmExec;SMS Agent Host; C:\WINDOWS\system32\CCM\CcmExec.exe [2006-02-09 578784]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2006-11-21 169576]
R2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec AntiVirus\DefWatch.exe [2007-03-14 31424]
R2 EPHDManager;EPHDManager; C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\EPHDManager.exe [2008-03-11 155648]
R2 IBMPMSVC;ThinkPad PM Service; C:\WINDOWS\system32\ibmpmsvc.exe [2007-05-31 36400]
R2 LoggerServer;LoggerServer; C:\Program Files\Common Files\Verint\Bin\LoggerServer.exe [2005-01-03 155648]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 MsDtsServer;SQL Server Integration Services; C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [2005-10-14 199384]
R2 msftesql;SQL Server FullText Search (MSSQLSERVER); C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [2005-08-26 92880]
R2 MSSQLSERVER;SQL Server (MSSQLSERVER); C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2005-10-14 28768528]
R2 MSSQLServerOLAPService;SQL Server Analysis Services (MSSQLSERVER); C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe [2005-10-14 14557912]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R2 RFBAgent;RFB Agent; C:\Program Files\Verint\Screens\Bin\RFBAgent.exe [2004-08-18 352256]
R2 SavRoam;SAVRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [2007-03-14 116416]
R2 SPBBCSvc;Symantec SPBBCSvc; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe [2007-01-10 1160792]
R2 SR_Service;Check Point VPN-1 Securemote service; C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe [2008-01-29 106590]
R2 SR_Watchdog;Check Point VPN-1 Securemote watchdog; C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe [2008-01-29 36959]
R2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2007-03-14 1816768]
R2 Wuser32;SMS Remote Control Agent; C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe [2006-02-09 248544]
S2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2004-08-25 389120]
S2 SQLSERVERAGENT;SQL Server Agent (MSSQLSERVER); C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE [2005-10-14 318680]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-09-02 2528960]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2007-02-12 214672]
S3 SQLWriter;SQL Server VSS Writer; C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2005-10-14 87768]
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2005-10-14 45272]
S4 msvsmon80;Visual Studio 2005 Remote Debugger; C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]
S4 SQLBrowser;SQL Server Browser; C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2005-10-14 239320]

-----------------EOF-----------------

#8 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 09 December 2008 - 06:19 AM

Hello,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
c:\windows\system32\rpwpwhav.ini
c:\windows\system32\vahwpwpr.dll
c:\windows\system32\ELmmoUtv.ini2
c:\windows\system32\ELmmoUtv.ini
c:\windows\system32\vtUommLE.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{351FFEF2-883E-428B-84BF-FDDF47571999}]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again.

After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#9 EddiePinz
  • Topic Starter

  • Members
  • 8 posts

Posted 09 December 2008 - 09:59 AM

Here are the logs:

ComboFix 08-12-06.06 - QUINNE1 2008-12-09 8:02:29.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.318 [GMT -5:00]
Running from: c:\documents and settings\quinne1\My Documents\nj051b_en\ComboFix.exe
Command switches used :: c:\documents and settings\quinne1\My Documents\nj051b_en\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\ELmmoUtv.ini
c:\windows\system32\ELmmoUtv.ini2
c:\windows\system32\rpwpwhav.ini
c:\windows\system32\vahwpwpr.dll
c:\windows\system32\vtUommLE.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ELmmoUtv.ini
c:\windows\system32\ELmmoUtv.ini2
c:\windows\system32\ihcddrry.dll
c:\windows\system32\rpwpwhav.ini
c:\windows\system32\swumjvxy.dll
c:\windows\system32\tfrief.dll
c:\windows\system32\vahwpwpr.dll
c:\windows\system32\vtUommLE.dll
c:\windows\system32\yxvjmuws.ini

.
((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-06 19:47 . 2008-12-06 19:47 <DIR> d-------- C:\rsit
2008-12-06 19:02 . 2008-12-06 19:02 <DIR> d-------- c:\program files\Lavasoft
2008-12-06 19:02 . 2008-12-06 19:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-06 19:01 . 2008-12-06 19:01 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-06 18:39 . 2008-12-06 18:39 <DIR> d-------- c:\program files\Trend Micro
2008-12-05 17:20 . 2008-12-05 17:20 <DIR> d-------- c:\documents and settings\quinne1\Application Data\PlaceWare
2008-12-02 17:30 . 2008-12-02 17:44 <DIR> d-------- c:\program files\Project64 1.6
2008-11-28 07:59 . 2008-11-28 07:59 <DIR> d-------- c:\windows\system32\symbols
2008-11-28 07:59 . 2008-11-28 07:59 <DIR> d-------- c:\windows\Symbols
2008-11-28 07:59 . 2008-11-28 08:00 <DIR> d-------- c:\program files\Verint
2008-11-28 07:59 . 2008-11-28 07:59 <DIR> d-------- c:\program files\Common Files\Verint
2008-11-25 12:38 . 2008-11-25 12:38 <DIR> d-------- c:\documents and settings\quinne1\Application Data\iWin
2008-11-25 10:09 . 2008-11-25 10:09 <DIR> d-------- c:\program files\Common Files\Wintertree
2008-11-25 10:09 . 2008-11-25 10:09 <DIR> d-------- c:\program files\Common Files\Business Objects
2008-11-25 10:09 . 2008-11-25 10:09 <DIR> d-------- c:\program files\Business Objects
2008-11-22 07:29 . 2008-11-28 21:41 <DIR> d-------- c:\program files\Full Tilt Poker
2008-11-20 16:42 . 2008-11-20 16:42 0 --a------ c:\windows\nsreg.dat
2008-11-20 15:22 . 2008-11-20 15:22 <DIR> d-------- c:\program files\Common Files\Crystal Decisions
2008-11-20 11:17 . 2008-11-20 11:17 <DIR> d-------- c:\documents and settings\quinne1\Application Data\HEAT
2008-11-20 11:15 . 2008-11-26 10:23 <DIR> d-------- c:\program files\HEAT
2008-11-20 11:12 . 2008-11-20 11:12 <DIR> d-------- c:\program files\orl
2008-11-20 11:05 . 2008-11-20 11:08 <DIR> d-------- c:\documents and settings\quinne1\.f1j
2008-11-20 10:59 . 1999-09-29 21:04 1,238,288 --a------ c:\windows\system32\msjt4jlt.dll
2008-11-20 10:59 . 1999-08-25 15:57 415,504 --a------ c:\windows\system32\msrepl35.dll
2008-11-20 10:59 . 1998-06-01 15:37 344,064 --a------ c:\windows\system32\msexch35.dll
2008-11-20 10:59 . 1998-06-01 15:37 294,912 --a------ c:\windows\system32\msxbse35.dll
2008-11-20 10:59 . 1999-09-09 23:06 252,688 --a------ c:\windows\system32\msexcl35.dll
2008-11-20 10:59 . 1999-06-07 19:59 250,128 --a------ c:\windows\system32\mspdox35.dll
2008-11-20 10:59 . 1999-09-09 23:06 168,720 --a------ c:\windows\system32\msltus35.dll
2008-11-20 10:59 . 1999-09-30 20:21 166,672 --a------ c:\windows\system32\mstext35.dll
2008-11-20 10:59 . 1999-04-26 21:08 44,304 --a------ c:\windows\system32\msrpfs35.dll
2008-11-20 10:59 . 2005-06-24 17:16 40,960 --a------ c:\windows\HyperlinkHelper.exe
2008-11-20 10:59 . 1998-05-05 12:36 39,424 --a------ c:\windows\system32\JETCOMP.exe
2008-11-20 10:44 . 2008-11-20 14:42 <DIR> d-------- c:\program files\Oracle
2008-11-20 10:44 . 2008-11-20 10:44 <DIR> d-------- c:\program files\MS07-OCT
2008-11-20 10:42 . 2008-11-20 10:42 <DIR> d-------- c:\program files\MSXML 4.0
2008-11-20 10:42 . 2008-11-20 10:43 <DIR> d-------- c:\program files\MS07-AUG
2008-11-20 10:38 . 2008-11-20 10:38 <DIR> d-------- c:\program files\Common Files\Actuate
2008-11-20 10:38 . 2004-10-21 14:13 638,464 --a------ c:\windows\system32\oc30.dll
2008-11-20 10:38 . 2004-10-21 14:13 139,363 --a------ c:\windows\system32\winrpc32.dll
2008-11-20 10:38 . 2004-10-21 14:13 133,904 --a------ c:\windows\system32\mfcans32.dll
2008-11-20 10:38 . 2005-06-24 16:24 36,864 --a------ c:\windows\system32\LTWND10N.DLL
2008-11-20 10:38 . 2005-06-24 16:27 2,495 --a------ c:\windows\system32\Comctl32.dep
2008-11-20 10:36 . 2008-11-20 10:57 <DIR> d-------- c:\program files\Actuate8
2008-11-20 10:36 . 2005-06-24 21:01 1,519,616 --a------ c:\windows\system32\acrs8071.dll
2008-11-20 10:36 . 2005-06-24 21:01 724,992 --a------ c:\windows\system32\acr7771.dll
2008-11-20 09:39 . 2008-11-20 09:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2008-11-20 09:36 . 2008-11-20 09:36 <DIR> d-------- C:\HP_CLJ_4700_32bit_2000_XP_S2003_PS_HPDIU
2008-11-20 09:36 . 2008-11-20 09:36 <DIR> d-------- C:\HP CLJ4600
2008-11-20 09:04 . 2008-11-20 09:04 <DIR> d-------- c:\documents and settings\quinne1\Application Data\ICAClient
2008-11-20 08:59 . 2008-11-20 08:59 <DIR> d-------- c:\program files\SQLXML 4.0
2008-11-20 08:53 . 2008-11-20 08:53 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2008-11-20 08:53 . 2008-11-20 08:53 <DIR> d-------- c:\program files\Common Files\Merge Modules
2008-11-20 08:53 . 2008-11-20 09:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-20 08:51 . 2008-11-20 08:51 <DIR> d-------- c:\program files\Microsoft Analysis Services
2008-11-20 08:44 . 2008-11-20 09:31 <DIR> d-------- c:\program files\Microsoft SQL Server
2008-11-20 08:32 . 2004-08-03 22:58 14,848 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-11-20 08:32 . 2004-08-03 22:58 14,848 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2008-11-20 08:31 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-11-20 08:31 . 2001-08-17 13:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2008-11-20 08:31 . 2001-08-17 14:02 9,600 --a------ c:\windows\system32\drivers\hidusb.sys
2008-11-20 08:31 . 2001-08-17 14:02 9,600 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2008-11-20 07:19 . 2008-11-20 07:19 2,359,296 --ahs---- C:\EP1.vol
2008-11-20 07:19 . 2008-11-20 07:19 1,048,576 --ahs---- C:\EP5.vol
2008-11-20 07:19 . 2008-11-20 07:19 1,048,576 --ahs---- C:\EP4.vol
2008-11-20 07:19 . 2008-11-20 07:19 1,048,576 --ahs---- C:\EP0.vol
2008-11-20 07:19 . 2008-11-20 07:19 262,144 --ahs---- C:\EP3.vol
2008-11-20 07:19 . 2008-11-20 07:19 262,144 --ahs---- C:\EP2.vol
2008-11-20 07:18 . 2008-11-20 07:18 <DIR> d-------- c:\program files\MSECache
2008-11-20 07:16 . 2008-11-20 07:16 <DIR> d-------- c:\program files\MS07-APR
2008-11-20 07:16 . 2008-11-20 07:16 <DIR> d-------- c:\program files\GuardianEdge Technologies
2008-11-20 07:11 . 2008-11-20 07:11 <DIR> d-------- c:\program files\RCenter
2008-11-20 07:10 . 2008-11-20 07:10 <DIR> d-------- c:\program files\iTrade
2008-11-20 07:10 . 2008-11-20 07:10 <DIR> d-------- c:\program files\Delaware Research Analysis
2008-11-19 18:56 . 2008-01-29 16:15 2,516 --a------ c:\windows\system32\drivers\default.bin
2008-11-19 18:56 . 2008-01-29 16:15 2,516 --a------ c:\windows\system32\default.bin
2008-11-19 18:55 . 2008-11-19 18:55 <DIR> d-------- c:\program files\triCerat
2008-11-19 18:55 . 2008-11-19 18:55 <DIR> d-------- c:\program files\Drive Mapper
2008-11-19 18:55 . 2008-11-19 18:55 <DIR> d-------- c:\program files\CheckPoint
2008-11-19 18:54 . 2008-11-19 18:54 <DIR> d-------- c:\program files\Citrix
2008-11-19 18:53 . 2008-11-19 18:53 <DIR> d-------- c:\program files\PlaceWare
2008-11-19 18:49 . 2008-11-28 08:00 <DIR> d-------- C:\TRIGGER_FILES
2008-11-19 18:49 . 2008-11-19 18:49 <DIR> d-------- c:\program files\Robocopy
2008-11-19 18:49 . 2008-11-19 18:33 <DIR> d-------- c:\documents and settings\quinne1\WINDOWS
2008-11-19 18:49 . 2007-10-12 10:51 <DIR> d---s---- c:\documents and settings\quinne1\UserData
2008-11-19 18:49 . 2007-12-11 14:53 <DIR> d-------- c:\documents and settings\quinne1\Application Data\VERITAS
2008-11-19 18:49 . 2008-12-03 09:03 <DIR> d-------- c:\documents and settings\quinne1
2008-11-19 18:49 . 1999-12-02 13:54 97,280 --a------ c:\windows\robocopy.exe
2008-11-19 18:49 . 2003-06-19 11:05 5,392 --a------ c:\windows\IFMEMBER.EXE
2008-11-19 18:46 . 2008-11-19 18:46 <DIR> d-------- c:\windows\SchCache
2008-11-19 18:45 . 2008-11-19 18:33 <DIR> d-------- c:\documents and settings\Default User\WINDOWS
2008-11-19 18:41 . 2005-12-06 09:57 202,624 -ra------ c:\windows\system32\drivers\HSFHWAZL.sys
2008-11-19 18:41 . 2005-11-16 14:41 114,688 -ra------ c:\windows\system32\uci32103.dll
2008-11-19 18:35 . 2008-12-05 11:51 <DIR> d-------- c:\program files\Analog Devices
2008-11-19 18:34 . 2008-11-19 18:34 <DIR> d-------- c:\windows\system32\CCM
2008-11-19 18:34 . 2008-11-19 18:34 <DIR> d-------- c:\windows\ms
2008-11-19 18:34 . 2008-11-19 18:34 <DIR> d-------- c:\program files\Intel
2008-11-19 18:34 . 2008-11-19 18:34 <DIR> d-------- C:\Intel
2008-11-19 18:33 . 2008-11-19 18:34 <DIR> d-------- c:\windows\system32\ccmsetup
2008-11-19 18:33 . 2008-11-19 18:33 <DIR> d-------- c:\program files\ThinkPad
2008-11-19 18:33 . 2008-11-19 18:33 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2008-11-19 18:33 . 2007-02-05 17:45 583,232 --a------ c:\windows\system32\tvt_gina.dll
2008-11-19 18:33 . 1998-10-30 05:15 306,688 --a------ c:\windows\IsUninst.exe
2008-11-19 18:33 . 2007-02-05 17:45 292,416 --a------ c:\windows\system32\tvt_gina_api.dll
2008-11-19 18:33 . 2003-07-03 00:34 34,816 --a------ c:\windows\system32\TP98.CPL
2008-11-19 18:33 . 2003-07-03 00:34 14,848 --a------ c:\windows\system32\drivers\SMAPINT.SYS
2008-11-19 18:33 . 2005-11-08 09:27 11,520 --a------ c:\windows\system32\drivers\ANC.sys
2008-11-19 18:33 . 2003-07-03 00:34 8,830 --a------ c:\windows\system32\drivers\TDSMAPI.SYS
2008-11-19 18:33 . 2008-11-19 18:33 4,429 --a------ C:\postsys2.bat
2008-11-19 18:33 . 2007-04-02 11:24 4,224 --a------ c:\windows\system32\drivers\IBMBLDID.sys
2008-11-19 18:33 . 2008-11-19 18:33 0 --a------ c:\windows\system32\AccConnAdvanced.html
2008-11-19 18:32 . 2008-11-19 18:33 <DIR> dr------- C:\LFG_Apps
2008-11-19 18:31 . 2007-08-09 08:31 172,032 --a------ c:\windows\system32\igfxres.dll
2008-11-19 17:28 . 2005-05-17 08:56 98,304 --a------ c:\windows\system32\TPMDDL.dll
2008-11-19 17:28 . 2004-08-03 23:10 61,056 --a------ c:\windows\system32\drivers\ohci1394.sys
2008-11-19 17:28 . 2004-08-03 23:10 53,248 --a------ c:\windows\system32\drivers\1394bus.sys
2008-11-19 17:28 . 2005-05-17 09:20 15,872 --a------ c:\windows\system32\drivers\atmeltpm.sys
2008-11-19 17:28 . 2001-08-17 13:46 6,400 --a------ c:\windows\system32\drivers\enum1394.sys
2008-11-19 17:27 . 2008-11-19 17:27 <DIR> d-------- c:\windows\system32\Lang
2008-11-19 17:27 . 2008-11-19 18:34 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-11-19 17:27 . 2007-08-15 14:07 399,896 --a------ c:\windows\system32\igxpun.exe
2008-11-19 17:27 . 2006-11-10 08:25 319,456 --a------ c:\windows\system32\difxapi.dll
2008-11-19 17:27 . 2006-01-23 10:29 121,232 --a------ c:\windows\system32\IScrNBR.bmp
2008-11-19 17:27 . 2006-01-23 10:29 121,232 --a------ c:\windows\system32\IScrNB.bmp
2008-11-19 17:26 . 2004-08-03 23:07 8,832 --a------ c:\windows\system32\drivers\wmiacpi.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 13:10 --------- d-----w c:\program files\Symantec AntiVirus
2008-11-25 15:18 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-20 15:35 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-20 13:58 --------- d-----w c:\program files\Microsoft.NET
2007-10-03 13:07 493 -c--a-w c:\windows\system32\config\systemprofile\kick.bat
.

((((((((((((((((((((((((((((( snapshot@2008-12-07_14.05.01.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-07 18:37:18 111,330 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-09 01:36:18 111,330 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-07 18:37:18 552,588 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-09 01:36:18 552,588 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-09 13:09:46 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_190.dat
+ 2008-12-09 13:10:28 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_9b4.dat
+ 2008-12-09 13:11:16 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_ee8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-14 125632]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-15 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-15 137752]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 413696]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 126976]
"EPHD User"="c:\program files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe" [2008-03-11 98304]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"ILA"="c:\program files\Verint\ila\ilaloginapp.exe" [2005-01-26 57344]
"RFBAgent"="c:\program files\Verint\Screens\Bin\RFBAgent.exe" [2004-08-18 352256]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-02-18 1044480]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Live Meeting Add-in for Microsoft Outlook.lnk - c:\windows\Installer\{A3BA5420-0C00-47B7-8450-02C99A20F832}\_294823.exe [2008-11-19 3638]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= aim.exe
"2"= icq.exe
"3"= Kazaa.exe
"4"= klrun.exe
"5"= msmsgs.exe
"6"= napster.exe
"7"= skype.exe
"8"= trillian.exe
"9"= ypager.exe
"10"= yupdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-07-05 14:52 32768 c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2008-01-29 16:14 24669 c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=tfrief.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina ephdssol

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\delinvest.ad.lfg.com\SYSVOL\delinvest.ad.lfg.com\scripts\DNS\DNS_Suffix_Search.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=installOS.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=AddUserToLocalAdmin.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2133283647-335812911-648689268-112050\Scripts\Logon\0\0]
"Script"=START2000.BAT

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=

R0 EAFSPROT;EAFSPROT;c:\windows\system32\drivers\eafsprot.sys [2007-06-14 13696]
R0 EPHDXLAT;PC Guardian Encryption Filter;c:\windows\system32\drivers\EPHDXLAT.sys [2007-06-14 98816]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.SYS [2008-11-19 11520]
R1 FW1;SecuRemote Miniport;c:\windows\system32\DRIVERS\fw.sys [2008-01-29 2235760]
R1 IBMTPCHK;IBMTPCHK;\??\c:\windows\system32\Drivers\IBMBLDID.sys [2008-11-19 4224]
R2 CcmExec;SMS Agent Host;c:\windows\system32\CCM\CcmExec.exe [2006-02-09 578784]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2008-01-29 47504]
R2 EPHDManager;EPHDManager;"c:\program files\GuardianEdge Technologies\EP Hard Disk\User\EPHDManager.exe" [2008-03-11 155648]
R2 LoggerServer;LoggerServer;c:\program files\Common Files\Verint\Bin\LoggerServer.exe -LSRS []
R2 MsDtsServer;SQL Server Integration Services;"c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe" [2005-10-14 199384]
R2 RFBAgent;RFB Agent;"c:\program files\Verint\Screens\Bin\RFBAgent.exe" -service [2004-08-18 352256]
R2 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2007-03-14 116416]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\DRIVERS\vnasc.sys [2008-01-29 121136]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2008-01-29 673872]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-11-20 99376]
R3 LenovoRd;LenovoRd;c:\windows\system32\Drivers\LenovoRd.sys [2007-10-15 81280]
R3 prepdrvr;SMS Process Event Driver;\??\c:\windows\system32\CCM\prepdrv.sys [2006-02-09 20704]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
- - - - ORPHANS REMOVED - - - -

BHO-{6c77a39c-4346-400d-9f73-e4f384e38b5e} - c:\windows\system32\tfrief.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.lfd.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: *.amgusa.com
Trusted Zone: *.ascendix.com
Trusted Zone: *.delgroup.com
Trusted Zone: *.emanywhere.com
Trusted Zone: *.ermonline.net
Trusted Zone: *.jp.corp
Trusted Zone: *.jpfinancial.com
Trusted Zone: *.jpfnet.com
Trusted Zone: *.lfacrm.com
Trusted Zone: *.lfd.com
Trusted Zone: *.lfdanywhere.com
Trusted Zone: *.lfg.com
Trusted Zone: *.delinvest.ad.lfg.com
Trusted Zone: *.us.ad.lfg.com
Trusted Zone: *.lfgmfin.com
Trusted Zone: *.lnc.com
Trusted Zone: *.placeware.com
Trusted Zone: *.salesforce.com
Trusted Zone: *.amgusa.com
Trusted Zone: *.ascendix.com
Trusted Zone: *.delgroup.com
Trusted Zone: *.emanywhere.com
Trusted Zone: *.ermonline.net
Trusted Zone: *.jp.corp
Trusted Zone: *.jpfinancial.com
Trusted Zone: *.jpfnet.com
Trusted Zone: *.lfacrm.com
Trusted Zone: *.lfd.com
Trusted Zone: *.lfdanywhere.com
Trusted Zone: *.lfg.com
Trusted Zone: *.delinvest.ad.lfg.com
Trusted Zone: *.us.ad.lfg.com
Trusted Zone: *.lfgmfin.com
Trusted Zone: *.lnc.com
Trusted Zone: *.placeware.com
Trusted Zone: *.salesforce.com

O16 -: {52e54c77-cced-4b72-8e29-bb7206ca5a8f}

O16 -: {9b935470-ad4a-11d5-b63e-00c04faedb18}

c:\windows\system32\atl.dll - c:\windows\system32\mfc42.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\olepro32.dll
c:\windows\Downloaded Program Files\mfc42u.dll
c:\windows\Downloaded Program Files\cselexpt.ocx
c:\windows\Downloaded Program Files\reportparameterdialog.dll
c:\windows\Downloaded Program Files\CRViewer.dll
c:\windows\Downloaded Program Files\sviewhlp.dll
c:\windows\Downloaded Program Files\swebrs.dll
O16 -: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011}
hxxp://crystalprod.jp.corp/crystalreportviewers10/ActiveXControls/ActiveXViewer.cab
c:\windows\Downloaded Program Files\crviewer.inf
FireFox -: Profile - c:\documents and settings\quinne1\Application Data\Mozilla\Firefox\Profiles\ynfklun6.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.lfd.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 08:12:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(996)
c:\windows\system32\ephdgina.dll
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1052)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
c:\windows\system32\ephdssol.dll
c:\windows\system32\ephdsson.dll
c:\windows\system32\RegistryAccess.dll
c:\windows\system32\AccessEPFS.dll
c:\windows\system32\EPcrypto.dll
c:\windows\system32\EPCL32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_Service.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\scardsvr.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\Verint\Bin\LoggerServer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\CCM\clicomp\RemCtrl\Wuser32.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE
c:\windows\system32\msiexec.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_GUI.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Symantec AntiVirus\DoScan.exe
.
**************************************************************************
.
Completion time: 2008-12-09 8:15:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-09 13:15:22
ComboFix2.txt 2008-12-09 01:46:50
ComboFix3.txt 2008-12-07 19:05:44

Pre-Run: 70,090,981,376 bytes free
Post-Run: 70,076,473,344 bytes free

401



Logfile of random's system information tool 1.04 (written by random/random)
Run by QUINNE1 at 2008-12-09 09:59:01
Microsoft Windows XP Professional Service Pack 2
System drive C: has 67 GB (88%) free of 76 GB
Total RAM: 998 MB (23% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:59, on 2008-12-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\EPHDManager.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verint\Screens\Bin\RFBAgent.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe
C:\Program Files\Verint\ila\ilaloginapp.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft SQL Server\90\Tools\Binn\VSShell\Common7\IDE\sqlwb.exe
C:\Program Files\HEAT\Alert32.exe
C:\Program Files\HEAT\CallLog32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\quinne1\My Documents\nj051b_en\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\QUINNE1.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lfd.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lfd.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Lincoln Financial Group
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [EPHD User] "C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ILA] C:\Program Files\Verint\ila\ilaloginapp.exe
O4 - HKLM\..\Run: [RFBAgent] "C:\Program Files\Verint\Screens\Bin\RFBAgent.exe" -servicehelper
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - Global Startup: Live Meeting Add-in for Microsoft Outlook.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.lfd.com
O15 - Trusted Zone: *.amgusa.com
O15 - Trusted Zone: *.ascendix.com
O15 - Trusted Zone: *.delgroup.com
O15 - Trusted Zone: http://*.delpwsymweb1
O15 - Trusted Zone: *.emanywhere.com
O15 - Trusted Zone: *.ermonline.net
O15 - Trusted Zone: *.guar.com
O15 - Trusted Zone: http://*.itradeiis
O15 - Trusted Zone: *.jp.corp
O15 - Trusted Zone: *.jpfinancial.com
O15 - Trusted Zone: *.jpfnet.com
O15 - Trusted Zone: *.lfacrm.com
O15 - Trusted Zone: *.lfd.com
O15 - Trusted Zone: *.lfdanywhere.com
O15 - Trusted Zone: http://*.lfdpwportal1
O15 - Trusted Zone: *.delinvest.ad.lfg.com
O15 - Trusted Zone: *.us.ad.lfg.com
O15 - Trusted Zone: *.lfg.com
O15 - Trusted Zone: *.lfgmfin.com
O15 - Trusted Zone: *.lnc.com
O15 - Trusted Zone: *.oasyson-line.com
O15 - Trusted Zone: *.placeware.com
O15 - Trusted Zone: *.salesforce.com
O15 - Trusted Zone: *.transitbenefit.com
O15 - Trusted Zone: *.amgusa.com (HKLM)
O15 - Trusted Zone: *.ascendix.com (HKLM)
O15 - Trusted Zone: *.delgroup.com (HKLM)
O15 - Trusted Zone: http://*.delpwsymweb1 (HKLM)
O15 - Trusted Zone: *.emanywhere.com (HKLM)
O15 - Trusted Zone: *.ermonline.net (HKLM)
O15 - Trusted Zone: *.guar.com (HKLM)
O15 - Trusted Zone: http://*.itradeiis (HKLM)
O15 - Trusted Zone: *.jp.corp (HKLM)
O15 - Trusted Zone: *.jpfinancial.com (HKLM)
O15 - Trusted Zone: *.jpfnet.com (HKLM)
O15 - Trusted Zone: *.lfacrm.com (HKLM)
O15 - Trusted Zone: *.lfd.com (HKLM)
O15 - Trusted Zone: *.lfdanywhere.com (HKLM)
O15 - Trusted Zone: http://*.lfdpwportal1 (HKLM)
O15 - Trusted Zone: *.delinvest.ad.lfg.com (HKLM)
O15 - Trusted Zone: *.us.ad.lfg.com (HKLM)
O15 - Trusted Zone: *.lfg.com (HKLM)
O15 - Trusted Zone: *.lfgmfin.com (HKLM)
O15 - Trusted Zone: *.lnc.com (HKLM)
O15 - Trusted Zone: *.oasyson-line.com (HKLM)
O15 - Trusted Zone: *.placeware.com (HKLM)
O15 - Trusted Zone: *.salesforce.com (HKLM)
O15 - Trusted Zone: *.transitbenefit.com (HKLM)
O16 - DPF: {52e54c77-cced-4b72-8e29-bb7206ca5a8f} (Oracle JInitiator 1.1.8.27) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192204329089
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192453858325
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} (Crystal ActiveX Report Viewer Control 10.0) - http://crystalprod.jp.corp/crystalreportvi...tiveXViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = delinvest.ad.lfg.com
O17 - HKLM\Software\..\Telephony: DomainName = delinvest.ad.lfg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = delinvest.ad.lfg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = delinvest.ad.lfg.com,us.ad.lfg.com,ad.lfg.com,lfg.com,lnc.com,jp.corp,amgusa.com,delgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = delinvest.ad.lfg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = delinvest.ad.lfg.com,us.ad.lfg.com,ad.lfg.com,lfg.com,lnc.com,jp.corp,amgusa.com,delgroup.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = delinvest.ad.lfg.com,us.ad.lfg.com,ad.lfg.com,lfg.com,lnc.com,jp.corp,amgusa.com,delgroup.com
O20 - AppInit_DLLs: tfrief.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPHDManager - GuardianEdge Technologies, Inc. - C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\EPHDManager.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LoggerServer - Verint - C:\Program Files\Common Files\Verint\Bin\LoggerServer.exe
O23 - Service: RFB Agent (RFBAgent) - Verint - C:\Program Files\Verint\Screens\Bin\RFBAgent.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 10947 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll [2007-09-25 501136]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2007-05-11 40048]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2006-11-21 52840]
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe [2007-03-14 125632]
"StorageGuard"=C:\Program Files\VERITAS Software\Update Manager\sgtray.exe [2002-06-18 155648]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2007-08-15 141848]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2007-08-15 162328]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2007-08-15 137752]
"ACTray"=C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe [2007-07-05 413696]
"ACWLIcon"=C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe [2007-07-05 126976]
"EPHD User"=C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe [2008-03-11 98304]
"Synchronization Manager"=C:\WINDOWS\system32\mobsync.exe [2004-08-04 143360]
"ILA"=C:\Program Files\Verint\ila\ilaloginapp.exe [2005-01-26 57344]
"RFBAgent"=C:\Program Files\Verint\Screens\Bin\RFBAgent.exe [2004-08-18 352256]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2008-02-18 1044480]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Live Meeting Add-in for Microsoft Outlook.lnk - C:\WINDOWS\Installer\{A3BA5420-0C00-47B7-8450-02C99A20F832}\_294823.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="tfrief.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ACNotify]
C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll [2007-07-05 32768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2004-08-25 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ckpNotify]
C:\WINDOWS\system32\ckpNotify.dll [2008-01-29 24669]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2007-08-09 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\system32\NavLogon.dll [2007-03-14 43712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-04-10 236928]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
ACGina
ephdssol

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=1
"legalnoticecaption"=Lincoln Financial Group
"legalnoticetext"=Do not attempt to log on unless you are an authorized user.
.
.
*********************************************************************************************
By logging on to this computer, you agree to abide by the LFG Information
Security Policy and Information Handling Policy, including appropriate use of
e-mail and the Internet. The primary use of this PC and the LFG network is to
conduct company business. You are responsible for protecting the Company's
confidential or proprietary information from unauthorized disclosures.
*********************************************************************************************
"shutdownwithoutlogon"=0
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoSMHelp"=1
"Intellimenus"=1
"NoSMMyDocs"=1
"DisablePersonalDirChange"=1
"ForceClassicControlPanel"=1
"NoSharedDocuments"=1
"NoSMMyPictures"=1
"NoStartMenuMyMusic"=1
"ForceStartMenuLogOff"=1
"NoSMConfigurePrograms"=1
"NoRecentDocsNetHood"=1
"NoDesktopCleanupWizard"=1
"NoWelcomeScreen"=1
"NoSMBalloonTip"=1
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe:*:Enabled:VPN-1 SecuRemote/SecureClient service"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe:*:Enabled:VPN-1 SecuRemote/SecureClient application"
"C:\Program Files\CheckPoint\SecuRemote\bin\scc.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\scc.exe:*:Enabled:VPN-1 SecuRemote/SecureClient command line"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_SDS.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_SDS.exe:*:Enabled:VPN-1 SecuRemote/SecureClient SDS agent"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_Diagnostics.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_Diagnostics.exe:*:Enabled:VPN-1 SecuRemote/SecureClient diagnostics"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe:*:Enabled:VPN-1 SecuRemote/SecureClient service"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe:*:Enabled:VPN-1 SecuRemote/SecureClient application"
"C:\Program Files\CheckPoint\SecuRemote\bin\scc.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\scc.exe:*:Enabled:VPN-1 SecuRemote/SecureClient command line"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_SDS.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_SDS.exe:*:Enabled:VPN-1 SecuRemote/SecureClient SDS agent"
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_Diagnostics.exe"="C:\Program Files\CheckPoint\SecuRemote\bin\SR_Diagnostics.exe:*:Enabled:VPN-1 SecuRemote/SecureClient diagnostics"

======List of files/folders created in the last 1 months======

2008-12-09 08:15:27 ----A---- C:\ComboFix.txt
2008-12-09 08:05:54 ----A---- C:\WINDOWS\PSEXESVC.EXE
2008-12-07 13:49:17 ----A---- C:\WINDOWS\zip.exe
2008-12-07 13:49:17 ----A---- C:\WINDOWS\VFIND.exe
2008-12-07 13:49:17 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-12-07 13:49:17 ----A---- C:\WINDOWS\SWSC.exe
2008-12-07 13:49:17 ----A---- C:\WINDOWS\SWREG.exe
2008-12-07 13:49:17 ----A---- C:\WINDOWS\sed.exe
2008-12-07 13:49:17 ----A---- C:\WINDOWS\NIRCMD.exe
2008-12-07 13:49:17 ----A---- C:\WINDOWS\grep.exe
2008-12-07 13:49:17 ----A---- C:\WINDOWS\fdsv.exe
2008-12-07 13:48:54 ----D---- C:\WINDOWS\ERDNT
2008-12-07 13:48:54 ----D---- C:\Qoobox
2008-12-06 19:47:17 ----D---- C:\rsit
2008-12-06 19:02:08 ----D---- C:\Program Files\Lavasoft
2008-12-06 19:02:06 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-12-06 19:01:25 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-12-06 18:39:35 ----D---- C:\Program Files\Trend Micro
2008-12-06 17:16:09 ----A---- C:\WINDOWS\system32\cb77d266-.txt
2008-12-05 17:20:17 ----D---- C:\Documents and Settings\quinne1\Application Data\PlaceWare
2008-12-02 17:30:50 ----D---- C:\Program Files\Project64 1.6
2008-11-28 07:59:43 ----D---- C:\WINDOWS\system32\symbols
2008-11-28 07:59:43 ----D---- C:\Program Files\Verint
2008-11-28 07:59:27 ----D---- C:\WINDOWS\Symbols
2008-11-28 07:59:15 ----D---- C:\Program Files\Common Files\Verint
2008-11-25 12:38:27 ----D---- C:\Documents and Settings\quinne1\Application Data\iWin
2008-11-25 10:09:51 ----D---- C:\Program Files\Common Files\Wintertree
2008-11-25 10:09:19 ----D---- C:\Program Files\Common Files\Business Objects
2008-11-25 10:09:19 ----D---- C:\Program Files\Business Objects
2008-11-22 07:29:53 ----D---- C:\Program Files\Full Tilt Poker
2008-11-20 16:42:00 ----D---- C:\Documents and Settings\quinne1\Application Data\Mozilla
2008-11-20 16:41:49 ----D---- C:\Program Files\Mozilla Firefox
2008-11-20 15:22:10 ----D---- C:\Program Files\Common Files\Crystal Decisions
2008-11-20 11:17:53 ----D---- C:\Documents and Settings\quinne1\Application Data\HEAT
2008-11-20 11:15:26 ----D---- C:\Program Files\HEAT
2008-11-20 11:12:54 ----D---- C:\Program Files\orl
2008-11-20 10:59:16 ----A---- C:\WINDOWS\system32\msxbse35.dll
2008-11-20 10:59:16 ----A---- C:\WINDOWS\system32\mstext35.dll
2008-11-20 10:59:16 ----A---- C:\WINDOWS\system32\mspdox35.dll
2008-11-20 10:59:16 ----A---- C:\WINDOWS\system32\msltus35.dll
2008-11-20 10:59:16 ----A---- C:\WINDOWS\system32\msexch35.dll
2008-11-20 10:59:15 ----A---- C:\WINDOWS\system32\msrpfs35.dll
2008-11-20 10:59:15 ----A---- C:\WINDOWS\system32\msrepl35.dll
2008-11-20 10:59:15 ----A---- C:\WINDOWS\system32\msjt4jlt.dll
2008-11-20 10:59:15 ----A---- C:\WINDOWS\system32\msexcl35.dll
2008-11-20 10:59:14 ----A---- C:\WINDOWS\system32\JETCOMP.exe
2008-11-20 10:59:13 ----A---- C:\WINDOWS\HyperlinkHelper.exe
2008-11-20 10:44:45 ----D---- C:\Program Files\Oracle
2008-11-20 10:44:08 ----D---- C:\Program Files\MS07-OCT
2008-11-20 10:43:04 ----HDC---- C:\WINDOWS\$NtUninstallKB937143$
2008-11-20 10:42:24 ----D---- C:\Program Files\MSXML 4.0
2008-11-20 10:42:16 ----D---- C:\Program Files\MS07-AUG
2008-11-20 10:39:14 ----A---- C:\WINDOWS\system32\VBAR332.DLL
2008-11-20 10:39:14 ----A---- C:\WINDOWS\system32\odbctl32.dll
2008-11-20 10:39:14 ----A---- C:\WINDOWS\system32\Odbcstf.dll
2008-11-20 10:39:13 ----A---- C:\WINDOWS\system32\msrd2x35.dll
2008-11-20 10:39:13 ----A---- C:\WINDOWS\system32\msjter35.dll
2008-11-20 10:39:13 ----A---- C:\WINDOWS\system32\msjint35.dll
2008-11-20 10:39:13 ----A---- C:\WINDOWS\system32\msjet35.dll
2008-11-20 10:39:12 ----A---- C:\WINDOWS\system32\Convdsn.exe
2008-11-20 10:38:04 ----D---- C:\Program Files\Common Files\Actuate
2008-11-20 10:38:00 ----A---- C:\WINDOWS\system32\winrpc32.dll
2008-11-20 10:38:00 ----A---- C:\WINDOWS\system32\oc30.dll
2008-11-20 10:38:00 ----A---- C:\WINDOWS\system32\mfcans32.dll
2008-11-20 10:38:00 ----A---- C:\WINDOWS\system32\LTWND10N.DLL
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\ltkrn10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\ltfil10N.DLL
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\ltdlg10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\LTDIS10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\lfwmf10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\lftif10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\lftga10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\lfpcx10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\lffax10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\LFCMP10N.DLL
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\lfbmp10N.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\hdk3ct32.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\gswdll32.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\gswag32.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\gsw32.exe
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\GSJPG32.DLL
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\ezrpcw32.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\acxerces-c_1_4_71.dll
2008-11-20 10:37:59 ----A---- C:\WINDOWS\system32\AcUnInstall.exe
2008-11-20 10:37:58 ----A---- C:\WINDOWS\system32\acicudt18_71.dll
2008-11-20 10:37:51 ----A---- C:\WINDOWS\system32\acrq8071.dll
2008-11-20 10:36:26 ----A---- C:\WINDOWS\system32\acrs8071.dll
2008-11-20 10:36:26 ----A---- C:\WINDOWS\system32\acr7771.dll
2008-11-20 10:36:22 ----D---- C:\Program Files\Actuate8
2008-11-20 09:39:05 ----D---- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\hpzpnp.dll
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPZISN12.DLL
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPZIPT12.DLL
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPZIPR12.DLL
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPZIPM12.DLL
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPZINW12.DLL
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPZIDR12.DLL
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPNRA.EXE
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPJIPX1U.DLL
2008-11-20 09:38:40 ----A---- C:\WINDOWS\system32\HPJCMN2U.DLL
2008-11-20 09:38:39 ----A---- C:\WINDOWS\system32\HPBPROPS.DLL
2008-11-20 09:38:39 ----A---- C:\WINDOWS\system32\HPBPRO.DLL
2008-11-20 09:38:39 ----A---- C:\WINDOWS\system32\HPBOIDPS.DLL
2008-11-20 09:38:39 ----A---- C:\WINDOWS\system32\HPBOID.DLL
2008-11-20 09:38:39 ----A---- C:\WINDOWS\system32\HPBNRAC2.DLL
2008-11-20 09:38:39 ----A---- C:\WINDOWS\system32\HPBMINI.DLL
2008-11-20 09:38:39 ----A---- C:\WINDOWS\system32\HPBMIAPI.DLL
2008-11-20 09:36:42 ----D---- C:\HP CLJ4600
2008-11-20 09:36:12 ----D---- C:\HP_CLJ_4700_32bit_2000_XP_S2003_PS_HPDIU
2008-11-20 09:04:33 ----D---- C:\Documents and Settings\quinne1\Application Data\ICAClient
2008-11-20 08:59:27 ----D---- C:\Program Files\SQLXML 4.0
2008-11-20 08:53:09 ----D---- C:\Program Files\Microsoft Visual Studio 8
2008-11-20 08:53:09 ----D---- C:\Program Files\Common Files\Merge Modules
2008-11-20 08:53:07 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-11-20 08:51:57 ----D---- C:\Program Files\Microsoft Analysis Services
2008-11-20 08:44:43 ----D---- C:\Program Files\Microsoft SQL Server
2008-11-20 07:19:13 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-11-20 07:18:29 ----D---- C:\Program Files\MSECache
2008-11-20 07:16:14 ----A---- C:\WINDOWS\system32\spmsg.dll
2008-11-20 07:16:04 ----D---- C:\Program Files\MS07-APR
2008-11-20 07:16:04 ----D---- C:\Program Files\GuardianEdge Technologies
2008-11-20 07:11:07 ----D---- C:\Program Files\RCenter
2008-11-20 07:10:57 ----D---- C:\Program Files\iTrade
2008-11-20 07:10:47 ----D---- C:\Program Files\Delaware Research Analysis
2008-11-19 18:55:35 ----D---- C:\Program Files\CheckPoint
2008-11-19 18:55:24 ----D---- C:\Program Files\Drive Mapper
2008-11-19 18:55:06 ----D---- C:\Program Files\triCerat
2008-11-19 18:54:43 ----D---- C:\Program Files\Citrix
2008-11-19 18:53:27 ----D---- C:\Program Files\PlaceWare
2008-11-19 18:49:54 ----D---- C:\TRIGGER_FILES
2008-11-19 18:49:50 ----D---- C:\Program Files\Robocopy
2008-11-19 18:49:48 ----A---- C:\WINDOWS\robocopy.exe
2008-11-19 18:49:47 ----A---- C:\WINDOWS\IFMEMBER.EXE
2008-11-19 18:49:37 ----ASH---- C:\Documents and Settings\quinne1\Application Data\desktop.ini
2008-11-19 18:49:36 ----D---- C:\Documents and Settings\quinne1\Application Data\Identities
2008-11-19 18:49:36 ----D---- C:\Documents and Settings\quinne1\Application Data\Adobe
2008-11-19 18:49:35 ----SD---- C:\Documents and Settings\quinne1\Application Data\Microsoft
2008-11-19 18:49:35 ----D---- C:\Documents and Settings\quinne1\Application Data\VERITAS
2008-11-19 18:49:35 ----D---- C:\Documents and Settings\quinne1\Application Data\Sun
2008-11-19 18:49:35 ----D---- C:\Documents and Settings\quinne1\Application Data\Macromedia
2008-11-19 18:46:35 ----D---- C:\WINDOWS\SchCache
2008-11-19 18:41:29 ----RA---- C:\WINDOWS\system32\uci32103.dll
2008-11-19 18:35:58 ----D---- C:\Program Files\Analog Devices
2008-11-19 18:35:52 ----HDC---- C:\WINDOWS\$NtUninstallKB888111WXPSP2$
2008-11-19 18:34:37 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-11-19 18:34:34 ----D---- C:\Program Files\Intel
2008-11-19 18:34:31 ----D---- C:\Intel
2008-11-19 18:34:01 ----D---- C:\WINDOWS\system32\CCM
2008-11-19 18:34:01 ----D---- C:\WINDOWS\ms
2008-11-19 18:33:50 ----A---- C:\WINDOWS\system32\tvt_gina_api.dll
2008-11-19 18:33:50 ----A---- C:\WINDOWS\system32\tvt_gina.dll
2008-11-19 18:33:43 ----D---- C:\Program Files\ThinkPad
2008-11-19 18:33:40 ----A---- C:\WINDOWS\IsUninst.exe
2008-11-19 18:33:34 ----D---- C:\WINDOWS\system32\ccmsetup
2008-11-19 18:33:32 ----A---- C:\postsys2.bat
2008-11-19 18:32:38 ----RD---- C:\LFG_Apps
2008-11-19 18:31:44 ----A---- C:\WINDOWS\system32\igfxres.dll
2008-11-19 17:28:58 ----A---- C:\WINDOWS\system32\TPMDDL.dll
2008-11-19 17:27:47 ----D---- C:\WINDOWS\system32\Lang
2008-11-19 17:27:47 ----A---- C:\WINDOWS\system32\igxpun.exe
2008-11-19 17:27:23 ----DC---- C:\WINDOWS\system32\DRVSTORE
2008-11-19 17:27:23 ----A---- C:\WINDOWS\system32\difxapi.dll

======List of files/folders modified in the last 1 months======

2008-12-09 09:47:22 ----D---- C:\WINDOWS\Prefetch
2008-12-09 09:04:59 ----D---- C:\WINDOWS\system32
2008-12-09 09:04:59 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-12-09 09:03:07 ----D---- C:\WINDOWS\Temp
2008-12-09 09:01:47 ----D---- C:\Program Files\Symantec AntiVirus
2008-12-09 09:01:35 ----A---- C:\WINDOWS\smscfg.ini
2008-12-09 09:01:24 ----D---- C:\WINDOWS\security
2008-12-09 08:17:07 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-09 08:15:30 ----D---- C:\WINDOWS\system32\drivers
2008-12-09 08:14:35 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-09 08:13:08 ----D---- C:\WINDOWS
2008-12-09 08:13:08 ----A---- C:\WINDOWS\system.ini
2008-12-09 08:06:39 ----D---- C:\WINDOWS\system32\config
2008-12-09 08:04:07 ----D---- C:\WINDOWS\AppPatch
2008-12-09 08:04:07 ----D---- C:\Program Files\Common Files
2008-12-08 20:39:49 ----SHD---- C:\System Volume Information
2008-12-08 20:39:49 ----D---- C:\WINDOWS\system32\Restore
2008-12-07 13:51:43 ----RD---- C:\Program Files
2008-12-06 19:02:56 ----SHD---- C:\WINDOWS\Installer
2008-12-05 11:51:14 ----HD---- C:\WINDOWS\inf
2008-12-05 11:51:14 ----D---- C:\WINDOWS\system32\CatRoot
2008-11-28 08:00:02 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-11-25 15:29:39 ----AC---- C:\WINDOWS\ODBC.INI
2008-11-25 10:18:15 ----HD---- C:\Program Files\InstallShield Installation Information
2008-11-21 18:17:02 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-11-21 14:02:27 ----D---- C:\WINDOWS\Help
2008-11-20 13:39:38 ----D---- C:\WINDOWS\Microsoft.NET
2008-11-20 13:39:37 ----RSD---- C:\WINDOWS\assembly
2008-11-20 11:15:38 ----D---- C:\WINDOWS\WinSxS
2008-11-20 10:59:27 ----AC---- C:\WINDOWS\ODBCINST.INI
2008-11-20 10:43:01 ----HD---- C:\WINDOWS\$hf_mig$
2008-11-20 10:35:37 ----D---- C:\Program Files\Common Files\InstallShield
2008-11-20 09:09:35 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-11-20 09:07:51 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-11-20 08:59:18 ----D---- C:\WINDOWS\Registration
2008-11-20 08:58:23 ----D---- C:\Program Files\Microsoft.NET
2008-11-20 08:53:20 ----D---- C:\WINDOWS\system32\1033
2008-11-20 08:31:50 ----SHD---- C:\WINDOWS\CSC
2008-11-20 07:19:24 ----A---- C:\WINDOWS\imsins.BAK
2008-11-19 18:53:41 ----D---- C:\WINDOWS\system32\wbem
2008-11-19 18:52:56 ----D---- C:\Program Files\Microsoft Office
2008-11-19 18:49:43 ----D---- C:\WINDOWS\system32\appmgmt
2008-11-19 18:49:33 ----D---- C:\Documents and Settings
2008-11-19 18:45:22 ----A---- C:\WINDOWS\setuplog.txt
2008-11-19 18:43:56 ----RASH---- C:\boot.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ANC;ANC; C:\WINDOWS\System32\drivers\ANC.SYS [2005-11-08 11520]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 FW1;SecuRemote Miniport; C:\WINDOWS\system32\DRIVERS\fw.sys [2008-01-29 2235760]
R1 IBMTPCHK;IBMTPCHK; \??\C:\WINDOWS\system32\Drivers\IBMBLDID.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
R1 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys []
R1 Smapint;Smapint; C:\WINDOWS\System32\drivers\Smapint.sys [2003-07-03 14848]
R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2007-02-12 196752]
R1 TDSMAPI;TDSMAPI; C:\WINDOWS\System32\drivers\TDSMAPI.SYS [2003-07-03 8830]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2004-08-03 8832]
R2 CP_OMDRV;Check Point Office Mode Module; C:\WINDOWS\System32\drivers\omdrv.sys [2008-01-29 47504]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2005-10-05 12544]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient; C:\WINDOWS\system32\DRIVERS\vnasc.sys [2008-01-29 121136]
R2 VPN-1;VPN-1 Module; C:\WINDOWS\System32\drivers\vpn.sys [2008-01-29 673872]
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2008-02-18 334848]
R3 aeaudio;AE Audio Service; C:\WINDOWS\system32\drivers\aeaudio.sys [2008-02-18 94976]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
R3 atmeltpm;atmeltpm; C:\WINDOWS\system32\DRIVERS\atmeltpm.sys [2005-05-17 15872]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2007-05-11 252312]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2005-12-06 996736]
R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2005-12-06 202624]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2007-08-09 5765056]
R3 IBMPMDRV;IBMPMDRV; C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys [2007-05-31 21424]
R3 idisw2km;idisw2km; C:\WINDOWS\system32\DRIVERS\idisw2km.sys [2006-02-09 8992]
R3 kbstuff;SMS Virtual Keyboard; C:\WINDOWS\system32\DRIVERS\kbstuff5.sys [2006-02-09 11744]
R3 LenovoRd;LenovoRd; C:\WINDOWS\System32\Drivers\LenovoRd.sys [2007-06-08 81280]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081208.003\naveng.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081208.003\navex15.sys []
R3 NETw4x32;Intel® Wireless WiFi Link Adapter Driver for Windows XP 32 Bit; C:\WINDOWS\system32\DRIVERS\NETw4x32.sys [2007-11-26 2236544]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
R3 prepdrvr;SMS Process Event Driver; \??\C:\WINDOWS\system32\CCM\prepdrv.sys []
R3 SAVRT;SAVRT; \??\C:\Program Files\Symantec AntiVirus\savrt.sys []
R3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
R3 TcUsb;TC USB Kernel Driver; C:\WINDOWS\System32\Drivers\tcusb.sys [2007-03-08 40848]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-12-06 724224]
S3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2004-08-25 787456]
S3 E1000;Intel® PRO/1000 Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1000325.sys [2007-03-25 171416]
S3 HSFHWICH;HSFHWICH; C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys []
S3 NSCIRDA;NSC Infrared Device Driver; C:\WINDOWS\system32\DRIVERS\nscirda.sys [2004-08-03 28672]
S3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
S3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-05-27 578304]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
R2 AcSvc;Access Connections Main Service; C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe [2007-07-05 184320]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2006-11-21 192104]
R2 CcmExec;SMS Agent Host; C:\WINDOWS\system32\CCM\CcmExec.exe [2006-02-09 578784]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2006-11-21 169576]
R2 EPHDManager;EPHDManager; C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\EPHDManager.exe [2008-03-11 155648]
R2 IBMPMSVC;ThinkPad PM Service; C:\WINDOWS\system32\ibmpmsvc.exe [2007-05-31 36400]
R2 MsDtsServer;SQL Server Integration Services; C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [2005-10-14 199384]
R2 msftesql;SQL Server FullText Search (MSSQLSERVER); C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [2005-08-26 92880]
R2 MSSQLSERVER;SQL Server (MSSQLSERVER); C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2005-10-14 28768528]
R2 MSSQLServerOLAPService;SQL Server Analysis Services (MSSQLSERVER); C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe [2005-10-14 14557912]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R2 RFBAgent;RFB Agent; C:\Program Files\Verint\Screens\Bin\RFBAgent.exe [2004-08-18 352256]
R2 SavRoam;SAVRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [2007-03-14 116416]
R2 SPBBCSvc;Symantec SPBBCSvc; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe [2007-01-10 1160792]
R2 SQLSERVERAGENT;SQL Server Agent (MSSQLSERVER); C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE [2005-10-14 318680]
R2 SR_Service;Check Point VPN-1 Securemote service; C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe [2008-01-29 106590]
R2 SR_Watchdog;Check Point VPN-1 Securemote watchdog; C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe [2008-01-29 36959]
R2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2007-03-14 1816768]
R2 Wuser32;SMS Remote Control Agent; C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe [2006-02-09 248544]
S2 AcPrfMgrSvc;Ac Profile Manager Service; C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe [2007-07-05 65536]
S2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2004-08-25 389120]
S2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec AntiVirus\DefWatch.exe [2007-03-14 31424]
S2 LoggerServer;LoggerServer; C:\Program Files\Common Files\Verint\Bin\LoggerServer.exe [2005-01-03 155648]
S2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-09-02 2528960]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2007-02-12 214672]
S3 SQLWriter;SQL Server VSS Writer; C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2005-10-14 87768]
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2005-10-14 45272]
S4 msvsmon80;Visual Studio 2005 Remote Debugger; C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]
S4 SQLBrowser;SQL Server Browser; C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2005-10-14 239320]

-----------------EOF-----------------

#10 teacup61
    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 09 December 2008 - 10:14 AM

Are you on a network?
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#11 EddiePinz
  • Topic Starter
  • Members
  • 8 posts

Posted 09 December 2008 - 02:00 PM

Typically, I am not on a network. But I was when I ran the last HijackThis log. I guess I wasn't thinking that it would change the results.

#12 teacup61
    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 09 December 2008 - 03:25 PM

Hello,

You're not, but you are? :thumbsup: I don't understand. Stay off the network, if you're on one.

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

PLEASE, for the love of heaven, please only post the HijackThis part of that RSIT garbage. I don't need to see all that mess, and it's hard on the eyes to wade through it. Please also let me know how it's running. :)

Thanks,
tea

#13 EddiePinz
  • Topic Starter
  • Members
  • 8 posts

Posted 09 December 2008 - 09:23 PM

It has been improving with every step of this process. Sorry about posting that extra stuff, didn't mean to be so hard on your eyes.


Here are the logs:

Malwarebytes' Anti-Malware 1.31
Database version: 1479
Windows 5.1.2600 Service Pack 2

2008-12-09 21:02:57
mbam-log-2008-12-09 (21-02-57).txt

Scan type: Quick Scan
Objects scanned: 55615
Time elapsed: 13 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:19, on 2008-12-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\EPHDManager.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe
C:\Program Files\Verint\ila\ilaloginapp.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lfd.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lfd.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Lincoln Financial Group
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [EPHD User] "C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\LaunchEPHD.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ILA] C:\Program Files\Verint\ila\ilaloginapp.exe
O4 - HKLM\..\Run: [RFBAgent] "C:\Program Files\Verint\Screens\Bin\RFBAgent.exe" -servicehelper
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - Global Startup: Live Meeting Add-in for Microsoft Outlook.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.lfd.com
O15 - Trusted Zone: *.amgusa.com
O15 - Trusted Zone: *.ascendix.com
O15 - Trusted Zone: *.delgroup.com
O15 - Trusted Zone: http://*.delpwsymweb1
O15 - Trusted Zone: *.emanywhere.com
O15 - Trusted Zone: *.ermonline.net
O15 - Trusted Zone: *.guar.com
O15 - Trusted Zone: http://*.itradeiis
O15 - Trusted Zone: *.jp.corp
O15 - Trusted Zone: *.jpfinancial.com
O15 - Trusted Zone: *.jpfnet.com
O15 - Trusted Zone: *.lfacrm.com
O15 - Trusted Zone: *.lfd.com
O15 - Trusted Zone: *.lfdanywhere.com
O15 - Trusted Zone: http://*.lfdpwportal1
O15 - Trusted Zone: *.delinvest.ad.lfg.com
O15 - Trusted Zone: *.us.ad.lfg.com
O15 - Trusted Zone: *.lfg.com
O15 - Trusted Zone: *.lfgmfin.com
O15 - Trusted Zone: *.lnc.com
O15 - Trusted Zone: *.oasyson-line.com
O15 - Trusted Zone: *.placeware.com
O15 - Trusted Zone: *.salesforce.com
O15 - Trusted Zone: *.transitbenefit.com
O15 - Trusted Zone: *.amgusa.com (HKLM)
O15 - Trusted Zone: *.ascendix.com (HKLM)
O15 - Trusted Zone: *.delgroup.com (HKLM)
O15 - Trusted Zone: http://*.delpwsymweb1 (HKLM)
O15 - Trusted Zone: *.emanywhere.com (HKLM)
O15 - Trusted Zone: *.ermonline.net (HKLM)
O15 - Trusted Zone: *.guar.com (HKLM)
O15 - Trusted Zone: http://*.itradeiis (HKLM)
O15 - Trusted Zone: *.jp.corp (HKLM)
O15 - Trusted Zone: *.jpfinancial.com (HKLM)
O15 - Trusted Zone: *.jpfnet.com (HKLM)
O15 - Trusted Zone: *.lfacrm.com (HKLM)
O15 - Trusted Zone: *.lfd.com (HKLM)
O15 - Trusted Zone: *.lfdanywhere.com (HKLM)
O15 - Trusted Zone: http://*.lfdpwportal1 (HKLM)
O15 - Trusted Zone: *.delinvest.ad.lfg.com (HKLM)
O15 - Trusted Zone: *.us.ad.lfg.com (HKLM)
O15 - Trusted Zone: *.lfg.com (HKLM)
O15 - Trusted Zone: *.lfgmfin.com (HKLM)
O15 - Trusted Zone: *.lnc.com (HKLM)
O15 - Trusted Zone: *.oasyson-line.com (HKLM)
O15 - Trusted Zone: *.placeware.com (HKLM)
O15 - Trusted Zone: *.salesforce.com (HKLM)
O15 - Trusted Zone: *.transitbenefit.com (HKLM)
O16 - DPF: {52e54c77-cced-4b72-8e29-bb7206ca5a8f} (Oracle JInitiator 1.1.8.27) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192204329089
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192453858325
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} (Crystal ActiveX Report Viewer Control 10.0) - http://crystalprod.jp.corp/crystalreportvi...tiveXViewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = delinvest.ad.lfg.com
O17 - HKLM\Software\..\Telephony: DomainName = delinvest.ad.lfg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = delinvest.ad.lfg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = delinvest.ad.lfg.com,us.ad.lfg.com,ad.lfg.com,lfg.com,lnc.com,jp.corp,amgusa.com,delgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = delinvest.ad.lfg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = delinvest.ad.lfg.com,us.ad.lfg.com,ad.lfg.com,lfg.com,lnc.com,jp.corp,amgusa.com,delgroup.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = delinvest.ad.lfg.com,us.ad.lfg.com,ad.lfg.com,lfg.com,lnc.com,jp.corp,amgusa.com,delgroup.com
O20 - AppInit_DLLs: tfrief.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPHDManager - GuardianEdge Technologies, Inc. - C:\Program Files\GuardianEdge Technologies\EP Hard Disk\User\EPHDManager.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LoggerServer - Verint - C:\Program Files\Common Files\Verint\Bin\LoggerServer.exe
O23 - Service: RFB Agent (RFBAgent) - Verint - C:\Program Files\Verint\Screens\Bin\RFBAgent.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 10135 bytes

#14 teacup61
    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 10 December 2008 - 08:11 AM

Hello,

No need for you to apologize at all. Not your fault, and I know you were following the instructions for posting here. :) I thank you for being so nice about it. :) As for the network thing... try to clarify for me, please. For a time it was looking like you were either getting reinfected by hooking into the network, or we had a file that was morphing with every reboot. I was trying to figure out which one it is. If there is a network involved here, then it would be prudent to check all the machines involved for infection.

Not much left in the log to worry about :

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O20 - AppInit_DLLs: tfrief.dll

Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Navigate to and delete the following file, if present :

tfrief.dll <----It *should* be in system32. If not, then do a Windows search for it. If it still isn't there, then it was just an orphan to begin with. :)

Reboot your computer.

In your reply, please let me know if that last entry went away, and let me know about the things I asked. :thumbsup:

Thanks,
tea
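The O20 AppInit_DLLs step above, as an added example that is not part of this thread and not code from any of its participants. On Windows XP every DLL named in the AppInit_DLLs value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows is loaded into each process that loads user32.dll, so a bare filename such as tfrief.dll in that value is a persistence hook worth chasing even when nothing else in the log looks wrong. The script parses HijackThis-style entry lines (the sample lines are copied from the log posted above), extracts the DLL names from the O20 AppInit_DLLs entry, and then looks for each name in a list of directories you pass in, which is the "is it really in system32 or just an orphaned value" check the reply describes. Because the infected laptop's %SystemRoot%\system32 is not available here, demo() runs the lookup against a constructed temporary directory, once empty and once with a placeholder tfrief.dll dropped in; on a live machine you would pass [r"C:\WINDOWS\system32"] instead. The function names and the directory list are assumptions of the example.

```python
"""Triage helper for HijackThis O20 AppInit_DLLs entries.

Added example, not part of the BleepingComputer thread. The sample log
lines are copied from the log posted in the thread; the on-disk lookup
runs against whatever directories the caller supplies, and demo() uses
a constructed temporary directory because the real system32 of the
infected laptop is not available here.
"""
import os
import re
import tempfile

# Constructed sample: a handful of entry lines copied from the posted log.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - AppInit_DLLs: tfrief.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 10135 bytes
"""

# HijackThis entry lines look like "O20 - <body>" or "R1 - <body>".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return a list of (section, body) tuples for every entry line.

    Lines that are not HijackThis entries (headers, the trailing
    'End of file' marker, blank lines) are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def appinit_dlls(entries):
    """Return the DLL names listed in O20 AppInit_DLLs entries.

    The registry value is a space- or comma-separated list of file
    names, so split on both. Other O20 entries (Winlogon Notify) are
    a different mechanism and are ignored here.
    """
    prefix = "AppInit_DLLs:"
    dlls = []
    for section, body in entries:
        if section == "O20" and body.startswith(prefix):
            value = body[len(prefix):].strip()
            dlls.extend(name for name in re.split(r"[ ,]+", value) if name)
    return dlls


def locate_dll(name, search_dirs):
    """Return the first path under search_dirs where name exists, else None.

    AppInit_DLLs entries are usually bare file names resolved from
    system32, which is why the reply says to look there first.
    """
    for directory in search_dirs:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def triage(log_text, search_dirs):
    """Map each AppInit_DLLs name to its on-disk path, or None if orphaned."""
    names = appinit_dlls(parse_hjt(log_text))
    return {name: locate_dll(name, search_dirs) for name in names}


def demo():
    """Run the triage against a constructed directory, empty and then populated.

    Returns (result_before, result_after, dll_path) so the two outcomes
    (orphaned value vs. file actually present) can be compared.
    """
    workdir = tempfile.mkdtemp(prefix="hjt_demo_")
    before = triage(SAMPLE_LOG, [workdir])
    dll_path = os.path.join(workdir, "tfrief.dll")
    with open(dll_path, "wb") as fh:
        fh.write(b"MZ")  # placeholder bytes, not a real PE image
    after = triage(SAMPLE_LOG, [workdir])
    return before, after, dll_path


if __name__ == "__main__":
    before, after, path = demo()
    print("with no file on disk:", before)   # {'tfrief.dll': None}
    print("with file present:  ", after)     # {'tfrief.dll': '<path>'}
```

Fixing the O20 line in HijackThis only clears the registry value; the DLL stays on disk until you delete it, and because AppInit_DLLs modules are already mapped into running processes, the file may be locked until the reboot the reply asks for.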

#15 EddiePinz
  • Topic Starter
  • Members
  • 8 posts

Posted 10 December 2008 - 08:35 PM

To clarify about the network, it would be my school's network. Sometimes I would take my laptop to the computer lab and use the network there. I only did that once since this problem started, and that was after several of the scans were done. I didn't really think about my computer being infected until after I was done. I did let the IT department at my University know.

The last entry did go away. Everything seems to be running great now. Really no problems to report over the last couple days.