
Agonizingly slow, not able to run System Restore


28 replies to this topic

#1 bsgranpa (Members, 181 posts)

Posted 18 October 2009 - 06:45 PM

Not sure what's the problem. Just real, real slow and I can't go back via System Restore.


DDS (Ver_09-10-13.01) - NTFSx86
Run by Sherrie at 16:17:01.10 on Sun 10/18/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.129 [GMT -7:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Sherrie.LENOVO-224392D9\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [amsg] c:\program files\thinkvantage\amsg\Amsg.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [TrackPointSrv] c:\program files\lenovo\trackpoint\tp4serv.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [cssauthe] "c:\program files\ibm thinkvantage\client security solution\cssauthe.exe" silent
mRun: [PDService.exe] "c:\program files\ibm thinkvantage\safeguard privatedisk\pdservice.exe"
mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - c:\program files\hewlett-packard\aio\hp officejet g series\bin\hpoavn07.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227640738343
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Notify: AtiExtEvent - Ati2evxx.dll
Notify: QConGina - QConGina.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli csspwntfye

============= SERVICES / DRIVERS ===============

R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2005-12-19 11520]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-10-24 34824]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2005-12-19 2432]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2005-12-19 4442]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2007-12-21 468224]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-8-2 13184]
R2 PrivateDisk;PrivateDisk;c:\program files\ibm thinkvantage\safeguard privatedisk\privatediskm.sys [2005-6-28 46142]
R2 smi2;smi2;c:\program files\smi2\smi2.sys [2005-8-2 3968]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [1980-1-1 200576]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1980-1-1 22568]
S3 apusbsnt;AirPrime USB Modem Device Driver;c:\windows\system32\drivers\apusbsnt.sys [2006-7-14 40064]
S3 BulkUsb;Usbscan.Sys;c:\windows\system32\drivers\usbscan.sys [2007-1-13 15104]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-12-19 12288]

=============== Created Last 30 ================

2009-10-18 15:12 <DIR> --dsh--- c:\documents and settings\sherrie.lenovo-224392d9\PrivacIE
2009-10-18 15:11 <DIR> --d----- c:\docume~1\sherri~1.len\applic~1\Malwarebytes
2009-10-18 15:09 <DIR> --dsh--- c:\documents and settings\sherrie.lenovo-224392d9\IETldCache
2009-10-18 15:09 <DIR> --d----- c:\docume~1\sherri~1.len\applic~1\IBM
2009-10-18 15:09 <DIR> --d----- c:\docume~1\sherri~1.len\applic~1\ThinkVantage
2009-10-18 15:09 <DIR> --d----- c:\docume~1\sherri~1.len\applic~1\Symantec
2009-10-18 15:09 <DIR> --d----- c:\documents and settings\Sherrie.LENOVO-224392D9
2009-10-14 22:04 <DIR> --d----- c:\program files\VideoLAN
2009-10-14 19:00 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-14 19:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-14 19:00 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-14 19:00 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-14 18:12 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-10-12 16:12 <DIR> --d----- c:\program files\GRETECH
2009-09-25 14:51 2,722 a------- c:\windows\DevMgr.ini
2009-09-25 14:47 12,928 a------- c:\windows\system32\drivers\Dot4Prt.sys
2009-09-25 14:47 12,928 a------- c:\windows\system32\dllcache\dot4prt.sys
2009-09-25 14:46 324,608 a------- c:\windows\system32\hpojwia.dll
2009-09-25 14:46 324,608 a------- c:\windows\system32\dllcache\hpojwia.dll
2009-09-25 14:46 18,411 a------- c:\windows\system32\hpo5500a.aio
2009-09-25 14:46 18,411 a------- c:\windows\system32\hpo5400a.aio
2009-09-25 14:46 18,411 a------- c:\windows\system32\hpo5300a.aio
2009-09-25 14:46 8,704 a------- c:\windows\system32\drivers\Dot4scan.sys
2009-09-25 14:46 8,704 a------- c:\windows\system32\dllcache\dot4scan.sys
2009-09-25 14:46 23,808 a------- c:\windows\system32\drivers\Dot4usb.sys
2009-09-25 14:46 23,808 a------- c:\windows\system32\dllcache\dot4usb.sys
2009-09-25 14:46 206,976 a------- c:\windows\system32\drivers\Dot4.sys
2009-09-25 14:46 206,976 a------- c:\windows\system32\dllcache\dot4.sys
2009-09-25 14:38 90,112 a------- c:\windows\system32\hpocon09.exe
2009-09-25 14:38 22,139 a------- c:\windows\system32\hpocoi08.dll
2009-09-25 14:38 20 a------- c:\windows\Hposcv07.INI
2009-09-25 14:32 <DIR> --d----- c:\windows\system32\NtmsData
2009-09-25 14:31 <DIR> --d----- c:\windows\AiOTemp
2009-09-25 14:30 38,912 a------- c:\windows\system32\hh.exe

==================== Find3M ====================

2009-09-11 07:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-11 07:18 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-09-06 20:46 24,044 a------- c:\windows\system32\mlfcache.dat
2009-09-04 14:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-09-04 14:03 58,880 -------- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 03:35 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 01:00 247,326 a------- c:\windows\system32\dllcache\strmdll.dll
2009-08-26 01:00 247,326 -------- c:\windows\system32\strmdll.dll
2009-08-05 02:01 204,800 a------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-05 02:01 204,800 -------- c:\windows\system32\mswebdvd.dll
2009-08-04 20:44 2,189,184 -------- c:\windows\system32\ntoskrnl.exe
2009-08-04 20:44 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 08:13 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 07:20 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 07:20 2,066,048 -------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 07:20 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-07-28 21:37 119,808 a------- c:\windows\system32\dllcache\t2embed.dll
2009-07-28 21:37 81,920 a------- c:\windows\system32\dllcache\fontsub.dll
2009-07-28 21:37 119,808 -------- c:\windows\system32\t2embed.dll
2009-07-28 21:37 81,920 -------- c:\windows\system32\fontsub.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2008-07-17 14:07 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071720080718\index.dat

============= FINISH: 16:17:52.96 ===============


RR report

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/18 16:23
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF203C000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79F4000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEE4A1000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\RRbackups
Status: Locked to the Windows API!

Path: \\?\C:\RRbackups\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Lindsay Scott\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\LocalService\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\LocalService\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Sherrie\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Sherrie\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\C\0\dats\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: \\?\C:\RRbackups\C\1\dats\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: \\?\C:\RRbackups\C\2\dats\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: \\?\C:\RRbackups\C\3\dats\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: \\?\C:\RRbackups\C\4\dats\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: \\?\C:\RRbackups\C\5\dats\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\ThinkVantage
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\LocalService\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Sherrie\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Sherrie\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\ThinkVantage\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\ThinkVantage\Client Security
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Sherrie\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Sherrie\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Sherrie\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Sherrie\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\CREDHIST
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3602314410-1122598404-2943149515-500
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\CREDHIST
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3602314410-1122598404-2943149515-500
Status: Invisible to==EOF==


#2 schrauber (Mr.Mechanic, Malware Response Team, Munich, Germany)

Posted 29 October 2009 - 05:45 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 bsgranpa (Topic Starter, Members)

Posted 30 October 2009 - 10:38 AM

Follows the DDS Notepad. I understand the workload and appreciate your help. Thanks


DDS (Ver_09-10-26.01) - NTFSx86
Run by Sherrie at 8:30:48.60 on Fri 10/30/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.129 [GMT -7:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
svchost.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Sherrie.LENOVO-224392D9\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\acrobat\activex\AcroIEHelper.ocx
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [amsg] c:\program files\thinkvantage\amsg\Amsg.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [TrackPointSrv] c:\program files\lenovo\trackpoint\tp4serv.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [cssauthe] "c:\program files\ibm thinkvantage\client security solution\cssauthe.exe" silent
mRun: [PDService.exe] "c:\program files\ibm thinkvantage\safeguard privatedisk\pdservice.exe"
mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - c:\program files\hewlett-packard\aio\hp officejet g series\bin\hpoavn07.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227640738343
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Notify: AtiExtEvent - Ati2evxx.dll
Notify: QConGina - QConGina.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli csspwntfye

============= SERVICES / DRIVERS ===============

R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2005-12-19 11520]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-10-24 34824]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2005-12-19 2432]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2005-12-19 4442]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2007-12-21 468224]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-8-2 13184]
R2 PrivateDisk;PrivateDisk;c:\program files\ibm thinkvantage\safeguard privatedisk\privatediskm.sys [2005-6-28 46142]
R2 smi2;smi2;c:\program files\smi2\smi2.sys [2005-8-2 3968]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [1980-1-1 200576]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1980-1-1 22568]
S3 apusbsnt;AirPrime USB Modem Device Driver;c:\windows\system32\drivers\apusbsnt.sys [2006-7-14 40064]
S3 BulkUsb;Usbscan.Sys;c:\windows\system32\drivers\usbscan.sys [2007-1-13 15104]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2005-12-19 12288]

=============== Created Last 30 ================

2009-10-29 05:45:02 0 d-----w- c:\program files\iPod
2009-10-29 05:44:19 0 d-----w- c:\program files\iTunes
2009-10-29 05:44:19 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-25 02:04:11 77824 ----a-w- c:\windows\system32\adistres.dll
2009-10-25 02:04:11 20588 ----a-w- c:\windows\system32\PdfPorts.dll
2009-10-25 02:04:00 101200 ------w- c:\windows\system32\pdfshell.dll
2009-10-25 02:03:41 0 d-----w- c:\windows\system32\Adobe
2009-10-18 22:12:22 0 d-sh--w- c:\documents and settings\sherrie.lenovo-224392d9\PrivacIE
2009-10-18 22:11:11 0 d-----w- c:\docume~1\sherri~1.len\applic~1\Malwarebytes
2009-10-18 22:09:11 0 d-----w- c:\docume~1\sherri~1.len\applic~1\IBM
2009-10-18 22:09:10 0 d-----w- c:\docume~1\sherri~1.len\applic~1\ThinkVantage
2009-10-18 22:09:10 0 d-----w- c:\docume~1\sherri~1.len\applic~1\Symantec
2009-10-15 05:04:30 0 d-----w- c:\program files\VideoLAN
2009-10-15 02:00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-15 02:00:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-15 02:00:06 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-15 02:00:05 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-15 01:12:04 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-10-12 23:12:09 0 d-----w- c:\program files\GRETECH

==================== Find3M ====================

2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-07 03:46:42 24044 ----a-w- c:\windows\system32\mlfcache.dat
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:35:52 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\dllcache\strmdll.dll
2009-08-26 08:00:21 247326 ------w- c:\windows\system32\strmdll.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-05 09:01:48 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-08-05 03:44:46 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-05 03:44:46 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 15:13:08 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 14:20:09 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 14:20:08 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-08-04 14:20:08 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-07-17 21:07:59 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071720080718\index.dat

============= FINISH: 8:31:49.21 ===============

#4 schrauber (Mr.Mechanic, Malware Response Team, Munich, Germany)

Posted 30 October 2009 - 04:09 PM

Hello bsgranpa, and again welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Add Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.
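The GMER procedure above ends with the scan results pasted into the thread, and the earlier RootRepeal-style output ran to hundreds of `Path:`/`Status:` pairs that are hard to read one by one. As an added example (not code from this thread, GMER or RootRepeal), here is a small Python triage helper that parses those two line shapes, groups the hits by top-level folder, and checks whether a process known to own that folder appears in the DDS "Running Processes" list; the `KNOWN_OWNERS` table and the sample log lines are constructed for this example, with the single RRbackups entry based on the Rescue and Recovery service (rrservice.exe) shown in the DDS log earlier in the thread.

```python
"""Triage hidden-file listings from RootRepeal-style and GMER logs.
Added example for this thread, not code from BleepingComputer, GMER or RootRepeal.
Parses the two line shapes seen in the posted logs, groups hits by top-level
folder, and notes whether a process known to own that folder is running."""
import re

# GMER "Files" section:   File C:\RRbackups\bt0.dat 32256 bytes
GMER_FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<size>\d+)\s+bytes$")
# RootRepeal-style pairs: Path: C:\RRbackups\C\3\Info
#                         Status: Invisible to the Windows API!
RR_PATH_RE = re.compile(r"^Path:\s+(?P<path>.+?)\s*$")
RR_STATUS_RE = re.compile(r"^Status:\s+(?P<status>.+?)\s*$")

# Hand-made hint table (an assumption, not scanner data): lower-cased top-level
# folder -> process that manages it. Based on rrservice.exe (ThinkVantage
# Rescue and Recovery) appearing in the thread's DDS process list.
KNOWN_OWNERS = {r"c:\rrbackups": "rrservice.exe"}

def normalize(path):
    r"""Drop the \\?\ long-path prefix and a trailing \* wildcard, then lower-case."""
    if path.startswith("\\\\?\\"):
        path = path[4:]
    if path.endswith("\\*"):
        path = path[:-2]
    return path.lower()

def top_level(path):
    r"""Map r'\\?\C:\RRbackups\C\4\*' to r'c:\rrbackups'."""
    parts = normalize(path).split("\\")
    return "\\".join(parts[:2]) if len(parts) > 1 else parts[0]

def parse_gmer_files(text):
    """Return [(path, size_bytes), ...] from GMER 'File ... N bytes' lines."""
    hits = []
    for line in text.splitlines():
        m = GMER_FILE_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), int(m.group("size"))))
    return hits

def parse_rootrepeal(text):
    """Return [(path, status), ...] from 'Path:' lines followed by 'Status:'."""
    hits, pending = [], None
    for line in text.splitlines():
        if m := RR_PATH_RE.match(line.strip()):
            pending = m.group("path")
        elif (m := RR_STATUS_RE.match(line.strip())) and pending is not None:
            hits.append((pending, m.group("status")))
            pending = None
    return hits

def triage(rootrepeal_text, gmer_text, running_processes):
    """Group hits by top-level folder: {root: {hidden, denied, gmer_files,
    gmer_bytes, owner, owner_running}}. 'denied' counts 0x00000005
    (ERROR_ACCESS_DENIED) enumeration failures. A root whose known owner is
    running is a vendor-hidden store to rule out first; one with no running
    owner and many hidden items is what deserves a closer look."""
    procs = {p.rsplit("\\", 1)[-1].lower() for p in running_processes}
    report = {}

    def bucket(root):
        if root not in report:
            owner = KNOWN_OWNERS.get(root)
            report[root] = {"hidden": 0, "denied": 0, "gmer_files": 0,
                            "gmer_bytes": 0, "owner": owner,
                            "owner_running": owner is not None and owner in procs}
        return report[root]

    for path, status in parse_rootrepeal(rootrepeal_text):
        b = bucket(top_level(path))
        if "Invisible" in status:
            b["hidden"] += 1
        elif "0x00000005" in status:
            b["denied"] += 1
    for path, size in parse_gmer_files(gmer_text):
        b = bucket(top_level(path))
        b["gmer_files"] += 1
        b["gmer_bytes"] += size
    return report

# Constructed sample input, shaped like the logs posted in this thread.
SAMPLE_RR = r"""Path: \\?\C:\RRbackups\C\4\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\C\4\Data0
Status: Invisible to the Windows API!

Path: C:\RRbackups\C\4\TOCFile
Status: Invisible to the Windows API!
"""
SAMPLE_GMER = r"""---- Files - GMER 1.0.15 ----

File C:\RRbackups\bt0.dat 32256 bytes
File C:\RRbackups\C 0 bytes
File C:\RRbackups\C\0\Data0 50003968 bytes
"""
SAMPLE_PROCS = [r"C:\WINDOWS\system32\spoolsv.exe",
                r"C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe"]

if __name__ == "__main__":
    for root, info in sorted(triage(SAMPLE_RR, SAMPLE_GMER, SAMPLE_PROCS).items()):
        flag = "owner running" if info["owner_running"] else "NO known owner running"
        print(f"{root}: {info['hidden']} hidden, {info['denied']} access-denied, "
              f"{info['gmer_files']} GMER files ({info['gmer_bytes']} bytes), {flag}")
```

Feed it the full pasted logs instead of the samples and the per-root counts show at a glance whether hundreds of hidden entries all share one vendor folder or are scattered across system directories.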

#5 bsgranpa (Topic Starter, Members)

Posted 31 October 2009 - 05:16 PM

Tom, thanks for the help. Sorry it took so long. This scan took over three hours. Whew!

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-31 15:14:20
Windows 5.1.2600 Service Pack 3
Running: 6317s8b6.exe; Driver: C:\DOCUME~1\SHERRI~1.LEN\LOCALS~1\Temp\kfkyrpoc.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[380] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\WINDOWS\system32\SearchIndexer.exe[2524] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys

Device \FileSystem\Fastfat \Fat ED7B4D20

AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Files - GMER 1.0.15 ----

File C:\RRbackups\bt0.dat 32256 bytes
File C:\RRbackups\bt1.dat 32256 bytes
File C:\RRbackups\bt2.dat 32256 bytes
File C:\RRbackups\bt3.dat 32256 bytes
File C:\RRbackups\bt4.dat 32256 bytes
File C:\RRbackups\bt5.dat 32256 bytes
File C:\RRbackups\C 0 bytes
File C:\RRbackups\C\0 0 bytes
File C:\RRbackups\C\0\Data27 50003968 bytes
File C:\RRbackups\C\0\Data46 50003968 bytes
File C:\RRbackups\C\0\Data65 50003968 bytes
File C:\RRbackups\C\0\Data0 50003968 bytes
File C:\RRbackups\C\0\Data1 50003968 bytes
File C:\RRbackups\C\0\Data10 50003968 bytes
File C:\RRbackups\C\0\Data11 50003968 bytes
File C:\RRbackups\C\0\Data12 50003968 bytes
File C:\RRbackups\C\0\Data13 50003968 bytes
File C:\RRbackups\C\0\Data14 50003968 bytes
File C:\RRbackups\C\0\Data15 50003968 bytes
File C:\RRbackups\C\0\Data16 50003968 bytes
File C:\RRbackups\C\0\Data17 50003968 bytes
File C:\RRbackups\C\0\Data18 50003968 bytes
File C:\RRbackups\C\0\Data19 50003968 bytes
File C:\RRbackups\C\0\Data2 50003968 bytes
File C:\RRbackups\C\0\Data20 50003968 bytes
File C:\RRbackups\C\0\Data21 50003968 bytes
File C:\RRbackups\C\0\Data22 50003968 bytes
File C:\RRbackups\C\0\Data23 50003968 bytes
File C:\RRbackups\C\0\Data24 50003968 bytes
File C:\RRbackups\C\0\Data25 50003968 bytes
File C:\RRbackups\C\0\Data26 50003968 bytes
File C:\RRbackups\C\0\Data28 50003968 bytes
File C:\RRbackups\C\0\Data29 50003968 bytes
File C:\RRbackups\C\0\Data3 50003968 bytes
File C:\RRbackups\C\0\Data30 50003968 bytes
File C:\RRbackups\C\0\Data31 50003968 bytes
File C:\RRbackups\C\0\Data32 50003968 bytes
File C:\RRbackups\C\0\Data33 50003968 bytes
File C:\RRbackups\C\0\Data34 50003968 bytes
File C:\RRbackups\C\0\Data35 50003968 bytes
File C:\RRbackups\C\0\Data36 50003968 bytes
File C:\RRbackups\C\0\Data37 50003968 bytes
File C:\RRbackups\C\0\Data38 50003968 bytes
File C:\RRbackups\C\0\Data39 50003968 bytes
File C:\RRbackups\C\0\Data4 50003968 bytes
File C:\RRbackups\C\0\Data40 50003968 bytes
File C:\RRbackups\C\0\Data41 50003968 bytes
File C:\RRbackups\C\0\Data42 50003968 bytes
File C:\RRbackups\C\0\Data43 50003968 bytes
File C:\RRbackups\C\0\Data44 50003968 bytes
File C:\RRbackups\C\0\Data45 50003968 bytes
File C:\RRbackups\C\0\Data47 50003968 bytes
File C:\RRbackups\C\0\Data48 50003968 bytes
File C:\RRbackups\C\0\Data49 50003968 bytes
File C:\RRbackups\C\0\Data5 50003968 bytes
File C:\RRbackups\C\0\Data50 50003968 bytes
File C:\RRbackups\C\0\Data51 50003968 bytes
File C:\RRbackups\C\0\Data52 50003968 bytes
File C:\RRbackups\C\0\Data53 50003968 bytes
File C:\RRbackups\C\0\Data54 50003968 bytes
File C:\RRbackups\C\0\Data55 50003968 bytes
File C:\RRbackups\C\0\Data56 50003968 bytes
File C:\RRbackups\C\0\Data57 50003968 bytes
File C:\RRbackups\C\0\Data58 50003968 bytes
File C:\RRbackups\C\0\Data59 50003968 bytes
File C:\RRbackups\C\0\Data6 50003968 bytes
File C:\RRbackups\C\0\Data60 50003968 bytes
File C:\RRbackups\C\0\Data61 50003968 bytes
File C:\RRbackups\C\0\Data62 50003968 bytes
File C:\RRbackups\C\0\Data63 50003968 bytes
File C:\RRbackups\C\0\Data64 50003968 bytes
File C:\RRbackups\C\0\Data66 50003968 bytes
File C:\RRbackups\C\0\Data67 50003968 bytes
File C:\RRbackups\C\0\Data68 50003968 bytes
File C:\RRbackups\C\0\Data69 50003968 bytes
File C:\RRbackups\C\0\Data7 50003968 bytes
File C:\RRbackups\C\0\Data70 50003968 bytes
File C:\RRbackups\C\0\Data71 50003968 bytes
File C:\RRbackups\C\0\Data72 50003968 bytes
File C:\RRbackups\C\0\Data73 50003968 bytes
File C:\RRbackups\C\0\Data74 50003968 bytes
File C:\RRbackups\C\0\Data75 50003968 bytes
File C:\RRbackups\C\0\Data76 50003968 bytes
File C:\RRbackups\C\0\Data77 50003968 bytes
File C:\RRbackups\C\0\Data78 50003968 bytes
File C:\RRbackups\C\0\Data79 50003968 bytes
File C:\RRbackups\C\0\Data8 50003968 bytes
File C:\RRbackups\C\0\Data80 50003968 bytes
File C:\RRbackups\C\0\Data81 50003968 bytes
File C:\RRbackups\C\0\Data82 50003968 bytes
File C:\RRbackups\C\0\Data83 50003968 bytes
File C:\RRbackups\C\0\Data84 50003968 bytes
File C:\RRbackups\C\0\Data85 50003968 bytes
File C:\RRbackups\C\0\Data86 50003968 bytes
File C:\RRbackups\C\0\Data87 50003968 bytes
File C:\RRbackups\C\0\Data88 50003968 bytes
File C:\RRbackups\C\0\Data89 50003968 bytes
File C:\RRbackups\C\0\Data9 50003968 bytes
File C:\RRbackups\C\0\Data90 50003968 bytes
File C:\RRbackups\C\0\Data91 50003968 bytes
File C:\RRbackups\C\0\Data92 50003968 bytes
File C:\RRbackups\C\0\Data93 50003968 bytes
File C:\RRbackups\C\0\Data94 50003968 bytes
File C:\RRbackups\C\0\Data95 50003968 bytes
File C:\RRbackups\C\0\Data96 50003968 bytes
File C:\RRbackups\C\0\Data97 16941111 bytes
File C:\RRbackups\C\0\dats 0 bytes
File C:\RRbackups\C\0\EFSFile 610 bytes
File C:\RRbackups\C\0\HashFile 347610 bytes
File C:\RRbackups\C\0\Info 752 bytes
File C:\RRbackups\C\0\TOCFile 35340350 bytes
File C:\RRbackups\C\1 0 bytes
File C:\RRbackups\C\1\Data0 50003968 bytes
File C:\RRbackups\C\1\Data1 50003968 bytes
File C:\RRbackups\C\1\Data10 50003968 bytes
File C:\RRbackups\C\1\Data11 50003968 bytes
File C:\RRbackups\C\1\Data12 50003968 bytes
File C:\RRbackups\C\1\Data13 50003968 bytes
File C:\RRbackups\C\1\Data14 30016219 bytes
File C:\RRbackups\C\1\Data2 50003968 bytes
File C:\RRbackups\C\1\Data3 50003968 bytes
File C:\RRbackups\C\1\Data4 50003968 bytes
File C:\RRbackups\C\1\Data5 50003968 bytes
File C:\RRbackups\C\1\Data6 50003968 bytes
File C:\RRbackups\C\1\Data7 50003968 bytes
File C:\RRbackups\C\1\Data8 50003968 bytes
File C:\RRbackups\C\1\Data9 50003968 bytes
File C:\RRbackups\C\1\dats 0 bytes
File C:\RRbackups\C\1\EFSFile 610 bytes
File C:\RRbackups\C\1\HashFile 448416 bytes
File C:\RRbackups\C\1\Info 752 bytes
File C:\RRbackups\C\1\TOCFile 45588960 bytes
File C:\RRbackups\C\2 0 bytes
File C:\RRbackups\C\2\Data0 50003968 bytes
File C:\RRbackups\C\2\Data1 50003968 bytes
File C:\RRbackups\C\2\Data10 50003968 bytes
File C:\RRbackups\C\2\Data11 50003968 bytes
File C:\RRbackups\C\2\Data12 50003968 bytes
File C:\RRbackups\C\2\Data13 50003968 bytes
File C:\RRbackups\C\2\Data14 50003968 bytes
File C:\RRbackups\C\2\Data15 50003968 bytes
File C:\RRbackups\C\2\Data16 50003968 bytes
File C:\RRbackups\C\2\Data17 50003968 bytes
File C:\RRbackups\C\2\Data18 50003968 bytes
File C:\RRbackups\C\2\Data19 50003968 bytes
File C:\RRbackups\C\2\Data2 50003968 bytes
File C:\RRbackups\C\2\Data20 50003968 bytes
File C:\RRbackups\C\2\Data21 50003968 bytes
File C:\RRbackups\C\2\Data22 50003968 bytes
File C:\RRbackups\C\2\Data23 50003968 bytes
File C:\RRbackups\C\2\Data24 50003968 bytes
File C:\RRbackups\C\2\Data25 50003968 bytes
File C:\RRbackups\C\2\Data26 50003968 bytes
File C:\RRbackups\C\2\Data27 50003968 bytes
File C:\RRbackups\C\2\Data28 50003968 bytes
File C:\RRbackups\C\2\Data29 50003968 bytes
File C:\RRbackups\C\2\Data3 50003968 bytes
File C:\RRbackups\C\2\Data30 16588755 bytes
File C:\RRbackups\C\2\Data4 50003968 bytes
File C:\RRbackups\C\2\Data5 50003968 bytes
File C:\RRbackups\C\2\Data6 50003968 bytes
File C:\RRbackups\C\2\Data7 50003968 bytes
File C:\RRbackups\C\2\Data8 50003968 bytes
File C:\RRbackups\C\2\Data9 50003968 bytes
File C:\RRbackups\C\2\dats 0 bytes
File C:\RRbackups\C\2\EFSFile 610 bytes
File C:\RRbackups\C\2\HashFile 453294 bytes
File C:\RRbackups\C\2\Info 752 bytes
File C:\RRbackups\C\2\TOCFile 46084890 bytes
File C:\RRbackups\C\3 0 bytes
File C:\RRbackups\C\3\Data0 50003968 bytes
File C:\RRbackups\C\3\Data1 50003968 bytes
File C:\RRbackups\C\3\Data10 50003968 bytes
File C:\RRbackups\C\3\Data11 11943384 bytes
File C:\RRbackups\C\3\Data2 50003968 bytes
File C:\RRbackups\C\3\Data3 50003968 bytes
File C:\RRbackups\C\3\Data4 50003968 bytes
File C:\RRbackups\C\3\Data5 50003968 bytes
File C:\RRbackups\C\3\Data6 50003968 bytes
File C:\RRbackups\C\3\Data7 50003968 bytes
File C:\RRbackups\C\3\Data8 50003968 bytes
File C:\RRbackups\C\3\Data9 50003968 bytes
File C:\RRbackups\C\3\dats 0 bytes
File C:\RRbackups\C\3\EFSFile 610 bytes
File C:\RRbackups\C\3\HashFile 454566 bytes
File C:\RRbackups\C\3\Info 752 bytes
File C:\RRbackups\C\3\TOCFile 46214210 bytes
File C:\RRbackups\C\4 0 bytes
File C:\RRbackups\C\4\Data0 50003968 bytes
File C:\RRbackups\C\4\Data1 50003968 bytes
File C:\RRbackups\C\4\Data10 50003968 bytes
File C:\RRbackups\C\4\Data11 50003968 bytes
File C:\RRbackups\C\4\Data12 3129 bytes
File C:\RRbackups\C\4\Data2 50003968 bytes
File C:\RRbackups\C\4\Data3 50003968 bytes
File C:\RRbackups\C\4\Data4 50003968 bytes
File C:\RRbackups\C\4\Data5 50003968 bytes
File C:\RRbackups\C\4\Data6 50003968 bytes
File C:\RRbackups\C\4\Data7 50003968 bytes
File C:\RRbackups\C\4\Data8 50003968 bytes
File C:\RRbackups\C\4\Data9 50003968 bytes
File C:\RRbackups\C\4\dats 0 bytes
File C:\RRbackups\C\4\EFSFile 610 bytes
File C:\RRbackups\C\4\HashFile 462690 bytes
File C:\RRbackups\C\4\Info 752 bytes
File C:\RRbackups\C\4\TOCFile 47040150 bytes
File C:\RRbackups\C\5 0 bytes
File C:\RRbackups\C\5\Data0 50003968 bytes
File C:\RRbackups\C\5\Data1 50003968 bytes
File C:\RRbackups\C\5\Data10 50003968 bytes
File C:\RRbackups\C\5\Data11 50003968 bytes
File C:\RRbackups\C\5\Data12 50003968 bytes
File C:\RRbackups\C\5\Data13 50003968 bytes
File C:\RRbackups\C\5\Data14 50003968 bytes
File C:\RRbackups\C\5\Data15 50003968 bytes
File C:\RRbackups\C\5\Data16 50003968 bytes
File C:\RRbackups\C\5\Data17 50003968 bytes
File C:\RRbackups\C\5\Data18 50003968 bytes
File C:\RRbackups\C\5\Data19 50003968 bytes
File C:\RRbackups\C\5\Data2 50003968 bytes
File C:\RRbackups\C\5\Data20 11398317 bytes
File C:\RRbackups\C\5\Data3 50003968 bytes
File C:\RRbackups\C\5\Data4 50003968 bytes
File C:\RRbackups\C\5\Data5 50003968 bytes
File C:\RRbackups\C\5\Data6 50003968 bytes
File C:\RRbackups\C\5\Data7 50003968 bytes
File C:\RRbackups\C\5\Data8 50003968 bytes
File C:\RRbackups\C\5\Data9 50003968 bytes
File C:\RRbackups\C\5\dats 0 bytes
File C:\RRbackups\C\5\EFSFile 610 bytes
File C:\RRbackups\C\5\HashFile 557850 bytes
File C:\RRbackups\C\5\Info 752 bytes
File C:\RRbackups\C\5\TOCFile 56714750 bytes
File C:\RRbackups\C\MERGE 0 bytes
File C:\RRbackups\C\MERGE\Data0 0 bytes
File C:\RRbackups\C\MERGE\EFSFile 0 bytes
File C:\RRbackups\C\MERGE\HashFile 0 bytes
File C:\RRbackups\C\MERGE\Info 0 bytes
File C:\RRbackups\C\MERGE\TOCFile 0 bytes
File C:\RRbackups\Documents and Settings 0 bytes
File C:\RRbackups\Documents and Settings\Administrator 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3602314410-1122598404-2943149515-500 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3602314410-1122598404-2943149515-500\79e1129e-2a5a-4955-83e6-31513bf2ad03 388 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3602314410-1122598404-2943149515-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\All Users 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fc1e3851f429ea606d6ff1e01a5229f1_64a236c8-b20e-4e8b-b97d-0bbc0c81497d 52 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\d42cc0c3858a58db2db37658219e6400_64a236c8-b20e-4e8b-b97d-0bbc0c81497d 893 bytes
File C:\RRbackups\Documents and Settings\Default User 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3602314410-1122598404-2943149515-500 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3602314410-1122598404-2943149515-500\79e1129e-2a5a-4955-83e6-31513bf2ad03 388 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3602314410-1122598404-2943149515-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott 0 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\Crypto\RSA\S-1-5-21-3065565367-3688125934-2868120403-1005 0 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\Crypto\RSA\S-1-5-21-3065565367-3688125934-2868120403-1005\05d7511ca8718edec064d6fe2763641c_64a236c8-b20e-4e8b-b97d-0bbc0c81497d 54 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\Crypto\RSA\S-1-5-21-3065565367-3688125934-2868120403-1005\6b29ae44e85efac3c72ff4d1865d73f1_64a236c8-b20e-4e8b-b97d-0bbc0c81497d 53 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\Crypto\RSA\S-1-5-21-3065565367-3688125934-2868120403-1005\83aa4cc77f591dfc2374580bbd95f6ba_64a236c8-b20e-4e8b-b97d-0bbc0c81497d 45 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\Crypto\RSA\S-1-5-21-3065565367-3688125934-2868120403-1005\932a2db58c237abd381d22df4c63a04a_64a236c8-b20e-4e8b-b97d-0bbc0c81497d 87 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\Protect\S-1-5-21-3065565367-3688125934-2868120403-1005 0 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\Protect\S-1-5-21-3065565367-3688125934-2868120403-1005\0a260aae-7986-43e4-8ce4-9c46810c47c5 388 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\Protect\S-1-5-21-3065565367-3688125934-2868120403-1005\0b3b6876-6f14-4fd8-b1b2-5b2194c5ac0b 388 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\Protect\S-1-5-21-3065565367-3688125934-2868120403-1005\1e4d4d81-2fea-46c7-a487-740c991b5dc2 388 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\Protect\S-1-5-21-3065565367-3688125934-2868120403-1005\1faab9e0-9dc0-4284-85ba-0eecf4a0439f 388 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\Protect\S-1-5-21-3065565367-3688125934-2868120403-1005\4f88a8a6-a329-4908-83b2-38c5c3d578c8 388 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\Protect\S-1-5-21-3065565367-3688125934-2868120403-1005\5d1ac4d5-80c6-4666-9c01-c4a4251f29c2 388 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\Protect\S-1-5-21-3065565367-3688125934-2868120403-1005\6e638111-8eea-49b6-8326-6eedccf982b8 388 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\Protect\S-1-5-21-3065565367-3688125934-2868120403-1005\742dddbd-9e88-4dca-8f5c-4bb3066aeb7e 388 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\Protect\S-1-5-21-3065565367-3688125934-2868120403-1005\9d9f09b2-0d43-47b4-8dcc-9c217e36d041 388 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\Protect\S-1-5-21-3065565367-3688125934-2868120403-1005\b37b4fd3-63dd-4650-8813-d84826e8f000 388 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\Protect\S-1-5-21-3065565367-3688125934-2868120403-1005\b93d1d6d-72b6-41a4-ae0c-5d552fa5df46 388 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\Protect\S-1-5-21-3065565367-3688125934-2868120403-1005\e15ca602-b0db-49a1-bef3-544a13c5b1fb 388 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\Protect\S-1-5-21-3065565367-3688125934-2868120403-1005\f9b0dc49-991a-4274-aa70-fe7ebc7c70e2 388 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\Protect\S-1-5-21-3065565367-3688125934-2868120403-1005\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\Protect\S-1-5-21-3602314410-1122598404-2943149515-500 0 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\Protect\S-1-5-21-3602314410-1122598404-2943149515-500\79e1129e-2a5a-4955-83e6-31513bf2ad03 388 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\Protect\S-1-5-21-3602314410-1122598404-2943149515-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\ThinkVantage 0 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\ThinkVantage\Client Security 0 bytes
File C:\RRbackups\Documents and Settings\Lindsay Scott\Application Data\ThinkVantage\Client Security\hibernation.dat 4 bytes
File C:\RRbackups\Documents and Settings\LocalService 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie\Application Data\Microsoft\Crypto\RSA\S-1-5-21-3065565367-3688125934-2868120403-1006 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie\Application Data\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie\Application Data\Microsoft\Protect\CREDHIST 160 bytes
File C:\RRbackups\Documents and Settings\Sherrie\Application Data\Microsoft\Protect\S-1-5-21-3065565367-3688125934-2868120403-1006 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie\Application Data\Microsoft\Protect\S-1-5-21-3065565367-3688125934-2868120403-1006\728a3522-1ec1-4db5-b3c3-f30b27e0bc9a 388 bytes
File C:\RRbackups\Documents and Settings\Sherrie\Application Data\Microsoft\Protect\S-1-5-21-3065565367-3688125934-2868120403-1006\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Sherrie\Application Data\Microsoft\Protect\S-1-5-21-3602314410-1122598404-2943149515-500 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie\Application Data\Microsoft\Protect\S-1-5-21-3602314410-1122598404-2943149515-500\79e1129e-2a5a-4955-83e6-31513bf2ad03 388 bytes
File C:\RRbackups\Documents and Settings\Sherrie\Application Data\Microsoft\Protect\S-1-5-21-3602314410-1122598404-2943149515-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Sherrie\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie.LENOVO-224392D9 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\Microsoft\Crypto\RSA\S-1-5-21-3065565367-3688125934-2868120403-1007 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\Microsoft\Crypto\RSA\S-1-5-21-3065565367-3688125934-2868120403-1007\6b29ae44e85efac3c72ff4d1865d73f1_64a236c8-b20e-4e8b-b97d-0bbc0c81497d 53 bytes
File C:\RRbackups\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\Microsoft\Protect\S-1-5-21-3065565367-3688125934-2868120403-1007 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\Microsoft\Protect\S-1-5-21-3065565367-3688125934-2868120403-1007\c16cec49-806c-4acd-b038-a70e6b1c0b06 388 bytes
File C:\RRbackups\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\Microsoft\Protect\S-1-5-21-3065565367-3688125934-2868120403-1007\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\Microsoft\Protect\S-1-5-21-3602314410-1122598404-2943149515-500 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\Microsoft\Protect\S-1-5-21-3602314410-1122598404-2943149515-500\79e1129e-2a5a-4955-83e6-31513bf2ad03 388 bytes
File C:\RRbackups\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\Microsoft\Protect\S-1-5-21-3602314410-1122598404-2943149515-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\ThinkVantage 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\ThinkVantage\Client Security 0 bytes
File C:\RRbackups\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\ThinkVantage\Client Security\hibernation.dat 4 bytes
File C:\RRbackups\hints.dat 8192 bytes
File C:\RRbackups\osfilter.txt 7563 bytes
File C:\RRbackups\rr.log 15809 bytes
File C:\RRbackups\SAM 262144 bytes
File C:\RRbackups\system 7864320 bytes
File C:\RRbackups\system.dat 12288 bytes
File C:\RRbackups\tvt.txt 9118 bytes
File C:\RRbackups\usersids.dat 16640 bytes

---- EOF - GMER 1.0.15 ----

#6 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 31 October 2009 - 05:49 PM

Hi,

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

regards,
schrauber


#7 bsgranpa

  • Topic Starter
  • Members
  • 181 posts

Posted 31 October 2009 - 06:14 PM

Wow, thanks for the quick response. Logs as requested.

Logfile of random's system information tool 1.06 (written by random/random)
Run by Sherrie at 2009-10-31 16:10:26
Microsoft Windows XP Professional Service Pack 3
System drive C: has 6 GB (18%) free of 34 GB
Total RAM: 446 MB (35% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:11:38 PM, on 10/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Sherrie.LENOVO-224392D9\Desktop\RSIT.exe
C:\Program Files\trend micro\Sherrie.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [TrackPointSrv] C:\Program Files\Lenovo\TrackPoint\tp4serv.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [cssauthe] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe" silent
O4 - HKLM\..\Run: [PDService.exe] "C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe"
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [amsg] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-21-3065565367-3688125934-2868120403-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Lindsay Scott')
O4 - HKUS\S-1-5-21-3065565367-3688125934-2868120403-1005\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Lindsay Scott')
O4 - HKUS\S-1-5-21-3065565367-3688125934-2868120403-1005\..\Run: [Google Update] "C:\Documents and Settings\Lindsay Scott\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User 'Lindsay Scott')
O4 - HKUS\S-1-5-21-3065565367-3688125934-2868120403-1005\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe (User 'Lindsay Scott')
O4 - HKUS\S-1-5-21-3065565367-3688125934-2868120403-1005\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'Lindsay Scott')
O4 - HKUS\S-1-5-21-3065565367-3688125934-2868120403-1006\..\Run: [amsg] C:\Program Files\ThinkVantage\AMSG\Amsg.exe (User '?')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [JAVA_IBM] Java (IBM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1227640738343
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Ltd. - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - Lenovo - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

--
End of file - 11242 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3065565367-3688125934-2868120403-1005Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3065565367-3688125934-2868120403-1005UA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx [2001-04-16 37808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-10-17 256112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll [2009-10-31 762864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll [2009-10-17 458736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-25 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-25 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-10-17 256112]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"=C:\Program Files\Lenovo\TrackPoint\tp4serv.exe [2008-03-04 92960]
"TPKMAPHELPER"=C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe [2005-08-11 864256]
"TP4EX"=C:\WINDOWS\system32\tp4ex.exe [2005-08-02 40960]
"EZEJMNAP"=C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe [2005-08-10 237568]
"TPHOTKEY"=C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe [2005-08-29 94208]
"LPManager"=C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe [2005-08-10 98304]
"ISUSPM Startup"=c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup []
"ISUSScheduler"=c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start []
"cssauthe"=C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe [2005-08-02 1979952]
"PDService.exe"=C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe [2005-07-07 49152]
"QCWLICON"=C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE [2005-08-10 86016]
"PWRMGRTR"=rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor []
"BLOG"=rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog []
"Logitech Hardware Abstraction Layer"=C:\WINDOWS\KHALMNPR.EXE [2005-03-10 28160]
"TVT Scheduler Proxy"=C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe [2008-03-04 487424]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2009-08-13 177440]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2008-10-24 1451264]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-09-05 417792]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-09-21 305440]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"amsg"=C:\Program Files\ThinkVantage\AMSG\Amsg.exe []
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-10-17 39408]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
HPAiODevice(hp officejet g series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2007-04-05 114688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\QConGina]
C:\WINDOWS\system32\QConGina.dll [2005-08-10 262144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tpfnf2]
C:\WINDOWS\system32\notifyf2.dll [2005-07-06 28672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tphotkey]
C:\WINDOWS\system32\tphklock.dll [2005-06-16 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
csspwntfye

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\ThinkVantage\SystemUpdate\jre\bin\javaw.exe"="C:\Program Files\ThinkVantage\SystemUpdate\jre\bin\javaw.exe:*:Enabled:ThinkVantage System Update"
"C:\StubInstaller.exe"="C:\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"="C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Disabled:Internet Explorer"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\ThinkVantage\SystemUpdate\jre\bin\javaw.exe"="C:\Program Files\ThinkVantage\SystemUpdate\jre\bin\javaw.exe:*:Enabled:ThinkVantage System Update"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-10-31 16:10:32 ----D---- C:\Program Files\trend micro
2009-10-31 16:10:26 ----D---- C:\rsit
2009-10-28 22:45:02 ----D---- C:\Program Files\iPod
2009-10-28 22:44:19 ----D---- C:\Program Files\iTunes
2009-10-28 22:44:19 ----D---- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-28 22:12:48 ----D---- C:\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\Apple Computer
2009-10-24 19:04:11 ----A---- C:\WINDOWS\system32\PdfPorts.dll
2009-10-24 19:04:11 ----A---- C:\WINDOWS\system32\adistres.dll
2009-10-24 19:04:00 -------- C:\WINDOWS\system32\pdfshell.dll
2009-10-24 19:03:41 ----D---- C:\WINDOWS\system32\Adobe
2009-10-18 18:05:35 ----D---- C:\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\Sun
2009-10-18 16:33:08 ----A---- C:\RootRepeal report 10-18-09 (16-33-08).txt
2009-10-18 15:34:09 ----D---- C:\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\Macromedia
2009-10-18 15:12:30 ----D---- C:\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\Adobe
2009-10-18 15:12:03 ----D---- C:\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\Google
2009-10-18 15:11:11 ----D---- C:\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\Malwarebytes
2009-10-18 15:09:38 ----A---- C:\WINDOWS\OEWABLog.txt
2009-10-18 15:09:15 ----ASH---- C:\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\desktop.ini
2009-10-18 15:09:11 ----D---- C:\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\Identities
2009-10-18 15:09:11 ----D---- C:\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\IBM
2009-10-18 15:09:10 ----SD---- C:\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\Microsoft
2009-10-18 15:09:10 ----D---- C:\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\ThinkVantage
2009-10-18 15:09:10 ----D---- C:\Documents and Settings\Sherrie.LENOVO-224392D9\Application Data\Symantec
2009-10-16 08:27:28 ----HDC---- C:\WINDOWS\$NtUninstallKB958869$
2009-10-16 08:23:08 ----HDC---- C:\WINDOWS\$NtUninstallKB969059$
2009-10-16 08:22:57 ----HDC---- C:\WINDOWS\$NtUninstallKB954155_WM9$
2009-10-16 08:22:47 ----HDC---- C:\WINDOWS\$NtUninstallKB974112$
2009-10-16 08:22:28 ----HDC---- C:\WINDOWS\$NtUninstallKB975025$
2009-10-16 08:21:07 ----HDC---- C:\WINDOWS\$NtUninstallKB974571$
2009-10-16 08:17:34 ----HDC---- C:\WINDOWS\$NtUninstallKB971486$
2009-10-16 08:16:32 ----HDC---- C:\WINDOWS\$NtUninstallKB973525$
2009-10-16 08:14:34 ----HDC---- C:\WINDOWS\$NtUninstallKB975467$
2009-10-14 22:04:30 ----D---- C:\Program Files\VideoLAN
2009-10-14 19:00:07 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-10-14 19:00:05 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-10-14 18:12:04 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-10-12 16:12:09 ----D---- C:\Program Files\GRETECH

======List of files/folders modified in the last 1 months======

2009-10-31 16:11:10 ----D---- C:\WINDOWS\Temp
2009-10-31 16:10:32 ----RD---- C:\Program Files
2009-10-31 15:29:35 ----N---- C:\WINDOWS\win.ini
2009-10-31 13:14:53 ----D---- C:\WINDOWS\Prefetch
2009-10-31 11:13:02 ----D---- C:\WINDOWS\system32\CatRoot2
2009-10-31 08:08:08 ----RSHD---- C:\RRbackups
2009-10-30 12:56:29 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-10-28 22:55:58 ----AD---- C:\WINDOWS
2009-10-28 22:54:32 ----SHD---- C:\Config.Msi
2009-10-28 22:47:37 ----SHD---- C:\WINDOWS\Installer
2009-10-28 22:46:42 ----D---- C:\WINDOWS\system32\drivers
2009-10-28 22:46:42 ----AD---- C:\WINDOWS\system32
2009-10-28 22:46:41 ----HD---- C:\WINDOWS\inf
2009-10-28 22:46:33 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-10-28 22:44:59 ----D---- C:\Program Files\Common Files\Apple
2009-10-28 22:39:12 ----D---- C:\Program Files\QuickTime
2009-10-28 13:55:23 ----AC---- C:\WINDOWS\ODBC.INI
2009-10-24 19:05:23 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-10-24 19:03:39 ----D---- C:\Program Files\Common Files\Adobe
2009-10-19 06:14:49 ----SHD---- C:\RECYCLER
2009-10-18 15:09:06 ----D---- C:\Documents and Settings
2009-10-17 22:58:03 ----D---- C:\Program Files\Google
2009-10-17 22:37:25 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2009-10-16 10:36:59 ----RSD---- C:\WINDOWS\assembly
2009-10-16 10:35:16 ----D---- C:\WINDOWS\Microsoft.NET
2009-10-16 10:00:59 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-16 10:00:32 ----D---- C:\WINDOWS\Debug
2009-10-16 08:40:33 ----D---- C:\Program Files\Internet Explorer
2009-10-16 08:34:22 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-10-16 08:32:55 ----D---- C:\WINDOWS\WinSxS
2009-10-16 08:27:58 ----D---- C:\WINDOWS\ie8updates
2009-10-16 08:27:47 ----HD---- C:\WINDOWS\$hf_mig$
2009-10-02 14:43:41 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-10-02 11:01:57 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ANC;ANC; C:\WINDOWS\System32\drivers\ANC.SYS [2005-08-10 11520]
R1 easdrv;easdrv; C:\WINDOWS\system32\DRIVERS\easdrv.sys [2008-10-24 53256]
R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-10-24 34824]
R1 IBMTPCHK;IBMTPCHK; C:\WINDOWS\System32\drivers\IBMBLDID.SYS [2005-08-10 2432]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 Smapint;Smapint; C:\WINDOWS\System32\drivers\Smapint.sys [2005-08-10 14848]
R1 TDSMAPI;TDSMAPI; C:\WINDOWS\System32\drivers\TDSMAPI.SYS [2005-08-10 9340]
R1 TPHKDRV;TPHKDRV; C:\WINDOWS\system32\drivers\TPHKDRV.sys [2005-07-05 17699]
R1 TPPWRIF;TPPWRIF; C:\WINDOWS\System32\drivers\Tppwrif.sys [2005-08-10 4442]
R1 TSMAPIP;TSMAPIP; C:\WINDOWS\System32\drivers\TSMAPIP.SYS [2005-08-08 7168]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2005-12-19 17801]
R2 eamon;EAMON; C:\WINDOWS\system32\DRIVERS\eamon.sys [2008-10-24 39944]
R2 EGATHDRV;IBM eGatherer; \??\C:\WINDOWS\SYSTEM32\EGATHDRV.SYS []
R2 ibmfilter;ibmfilter; \??\C:\WINDOWS\system32\drivers\ibmfilter.sys []
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R2 pmem;pmem; \??\C:\WINDOWS\System32\drivers\pmemnt.sys []
R2 PrivateDisk;PrivateDisk; \??\C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\PrivateDiskM.sys []
R2 PROCDD;IPS Helper Driver; C:\WINDOWS\system32\DRIVERS\PROCDD.SYS [2005-10-05 5120]
R2 smi2;smi2; \??\C:\Program Files\SMI2\smi2.sys []
R2 symlcbrd;symlcbrd; \??\C:\WINDOWS\system32\drivers\symlcbrd.sys []
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2004-10-21 130432]
R3 AR5211;Dual-band Wi-Fi Wireless Mini PCI Adapter; C:\WINDOWS\system32\DRIVERS\ar5211.sys [2005-07-25 467040]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2007-04-05 1989120]
R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2007-05-02 161792]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2009-05-18 26600]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2005-01-25 1038208]
R3 HSFHWATI;HSFHWATI; C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-01-25 200576]
R3 IBMPMDRV;IBMPMDRV; C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys [2007-06-01 21424]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 psadd;Lenovo Parties Service Access Device Driver; C:\WINDOWS\system32\DRIVERS\psadd.sys [2007-02-18 21376]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2004-10-13 259840]
R3 Tp4Track;PS/2 TrackPoint Driver; C:\WINDOWS\system32\DRIVERS\tp4track.sys [2008-03-04 22568]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 Wdf01000;Kernel Mode Driver Frameworks service; C:\WINDOWS\System32\Drivers\wdf01000.sys [2007-09-15 501800]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-01-25 703616]
S3 ac97intc;Intel® 82801 Audio Driver Install Service (WDM); C:\WINDOWS\system32\drivers\ac97intc.sys [2001-08-17 96256]
S3 apusbsnt;AirPrime USB Modem Device Driver; C:\WINDOWS\system32\DRIVERS\apusbsnt.sys [2004-07-15 40064]
S3 BulkUsb;Usbscan.Sys; C:\WINDOWS\System32\Drivers\usbscan.sys [2008-04-13 15104]
S3 dot4;MS IEEE-1284.4 Driver; C:\WINDOWS\system32\DRIVERS\Dot4.sys [2008-04-13 206976]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
S3 Dot4Scan;Scan Class Driver for IEEE-1284.4; C:\WINDOWS\system32\DRIVERS\Dot4Scan.sys [2001-08-17 8704]
S3 dot4usb;Dot4USB Filter Dot4USB Filter; C:\WINDOWS\system32\DRIVERS\dot4usb.sys [2001-08-17 23808]
S3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 kfkyrpoc;kfkyrpoc; \??\C:\DOCUME~1\SHERRI~1.LEN\LOCALS~1\Temp\kfkyrpoc.sys []
S3 L8042mou;Logitech SetPoint PS/2 Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\L8042mou.Sys [2005-03-10 53632]
S3 LHidKe;Logitech SetPoint HID Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidKE.Sys [2005-03-10 24704]
S3 LHidUsbK;Logitech SetPoint USB Receiver device driver; C:\WINDOWS\System32\Drivers\LHidUsbK.Sys [2005-03-10 36480]
S3 LMouKE;Logitech SetPoint Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouKE.Sys [2005-03-10 69504]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 QCNDISIF;QCNDISIF; C:\WINDOWS\System32\drivers\qcndisif.SYS [2005-08-10 12288]
S3 SMNDIS5;SMNDIS5 NDIS Protocol Driver; \??\C:\PROGRA~1\VERIZO~1\VZACCE~1\SMNDIS5.SYS []
S3 UIUSys;Conexant Setup API; C:\WINDOWS\system32\drivers\UIUSys.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2009-06-05 39424]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-06-05 144712]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 ekrn;Eset Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-12-21 468224]
R2 IBMPMSVC;ThinkPad PM Service; C:\WINDOWS\system32\ibmpmsvc.exe [2007-06-01 36400]
R2 IPSSVC;IPS Core Service; C:\WINDOWS\system32\IPSSVC.EXE [2005-10-05 73728]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-25 153376]
R2 QCONSVC;QCONSVC; C:\WINDOWS\System32\QCONSVC.EXE [2005-08-10 81920]
R2 SUService;System Update; c:\program files\lenovo\system update\suservice.exe [2008-05-16 32768]
R2 Symantec Core LC;Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [2008-07-17 1251720]
R2 ThinkVantage Registry Monitor Service;ThinkVantage Registry Monitor Service; C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe [2007-09-26 644408]
R2 TpKmpSVC;IBM KCU Service; C:\WINDOWS\system32\TpKmpSVC.exe [2005-06-06 32768]
R2 TVT Backup Service;TVT Backup Service; C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe [2005-08-02 1372160]
R2 TVT Scheduler;TVT Scheduler; C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe [2008-03-04 1122304]
R2 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
R2 WSearch;Windows Search; C:\WINDOWS\system32\SearchIndexer.exe [2008-05-26 439808]
R3 ACS;ACU Configuration Service; C:\WINDOWS\system32\acs.exe [2005-07-07 36864]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-09-21 545568]
S2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2007-04-05 454656]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2008-10-24 19200]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-10-17 182768]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 PsaSrv;IBM PSA Access Driver Control; C:\WINDOWS\system32\PsaSrv.exe []
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------


info.txt logfile of random's system information tool 1.06 2009-10-31 16:11:47

======Uninstall list======

-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->MsiExec.exe /X{2642BE09-1F9F-4E18-AAD4-0258B9BCE611}
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\SETUP.EXE" -l0x9 ControlPanelAnyText
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\SETUP.EXE" -l0x9 ControlPanel
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Apple Application Support-->MsiExec.exe /I{0C34B801-6AEC-4667-B053-03A67E2D0415}
Apple Mobile Device Support-->MsiExec.exe /I{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
ESET NOD32 Antivirus-->MsiExec.exe /I{4EAE8F8E-0C2E-4814-9A04-635AFB9050AA}
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_E582EA556D8DE101.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915800-v4)-->"C:\WINDOWS\$NtUninstallKB915800-v4$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
HP Image Zone 4.2-->C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
hp officejet g series-->C:\WINDOWS\system32\hpocon09.exe /u 1253915508 /d "hp officejet g series"
HP PSC & OfficeJet 4.2-->"C:\Program Files\HP\Digital Imaging\{A1062847-0846-427A-92A1-BB8251A91E91}\setup\hpzscr01.exe" -datfile hposcr04.dat
IBM 32-bit Runtime Environment for Java 2, v1.4.2-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{E922961C-6DB6-41DE-9FEA-426DF3E9F81C} /l1033
IE New Window Maximizer 2.4-->"C:\Program Files\IE New Window Maximizer\unins000.exe"
iTunes-->MsiExec.exe /I{DA34FE93-5DC5-48E0-ACC8-A5389E05BB51}
J2SE Runtime Environment 5.0 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
J2SE Runtime Environment 5.0 Update 9-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java™ 6 Update 15-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Logitech SetPoint-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe" -l0x9 -removeonly
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7-->"C:\WINDOWS\$NtUninstallWdf01007$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2000 SR-1 Premium-->MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MobileMe Control Panel-->MsiExec.exe /I{3AC54383-31D1-4907-961B-B12CBB1D0AE8}
MSXML 4.0 SP2 (KB925672)-->MsiExec.exe /I{A9CF9052-F4A0-475D-A00F-A8388C62DD63}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
OpenOffice.org Installer 1.0-->MsiExec.exe /X{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}
Productivity Center Supplement for ThinkPad-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D728E945-256D-4477-B377-6BBA693714AC}\SETUP.EXE" -l0x9 -AddRemove
QuickTime-->MsiExec.exe /I{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}
Remove Multimedia Center-->"C:\ibmtools\apps\recnow\uninstal.bat
Rescue and Recovery - Client Security Solution-->MsiExec.exe /I{BF90215F-2D7B-4C84-8A24-A03BC41B95DD}
Safari-->MsiExec.exe /I{E56D39F8-2A9F-44B4-B068-A72E45A073E6}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB974455)-->"C:\WINDOWS\ie8updates\KB974455-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows Search 4 - KB963093-->"C:\WINDOWS\$NtUninstallKB963093$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371-v2)-->"C:\WINDOWS\$NtUninstallKB961371-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
SequoiaView-->C:\Program Files\SequoiaView\Uninstal.exe
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Symantec KB-DocID:2003093015493306-->MsiExec.exe /I{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}
System Migration Assistant 5.0-->MsiExec.exe /X{9A1E6130-8F5E-4076-899A-D51FF01EDA6C}
System Update-->MsiExec.exe /X{8675339C-128C-44DD-83BF-0A5D6ABD8297}
ThinkPad Configuration-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC081D4D-DF1B-4CF1-B530-027E4118D846}\SETUP.EXE" -l0x9 -AddRemove
ThinkPad EasyEject Utility -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1297C681-92D7-40EF-93BF-03F66EC5105C}\SETUP.EXE" -l0x9 -AddRemove
ThinkPad FullScreen Magnifier-->RunDll32 setupapi.dll,InstallHinfSection DefaultUninstall.NT 132 C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.inf
ThinkPad Integrated 56K Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_1002&DEV_4378&SUBSYS_05871014\HXFSETUP.EXE -U -ITkp0587k.inf -ISFG
ThinkPad Keyboard Customizer Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2111B23F-7FDA-4A41-8309-E5A1663CA296}\SETUP.EXE" -l0x9 anything
ThinkPad PC Card Power Policy-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUnInstall 132 C:\IBMTOOLS\OSFIXES\PCMCIAPW\pcmciapw.inf
ThinkPad Power Management Driver-->RunDll32.exe tpinspm.dll,Uninstall
ThinkPad Power Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A0E64EBA-8BF0-49FB-90C0-BB3D781A2016}\SETUP.EXE" -l0x9 -AddRemove
ThinkPad Presentation Director-->C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\UNNPDR.isu -c"C:\Program Files\ThinkPad\Utilities\Tpinsnpd.dll"
ThinkPad TrackPoint Driver-->C:\Program Files\Lenovo\TrackPoint\tp4unins.exe
ThinkPad Wireless LAN Adapters Software (11a/b, 11b/g, 11a/b/g)-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9FAC9E5C-0D20-4DBF-AFE5-2E09C52A95A2}\SETUP.EXE" -l0x9 UNINSTALLFROMSYS
ThinkVantage Access Connections-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{22B71A00-4DED-11D4-A5E5-0004AC564F43}\SETUP.EXE" -l0x9 anything
ThinkVantage Away Manager-->Rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\AWAYTASK.INF
ThinkVantage Productivity Center-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CF5737AF-8550-4546-A69B-0EA9EF5A9B55}\SETUP.EXE" -l0x9 -AddRemove
ThinkVantage Technologies Welcome Message-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1007F41F-7D69-468E-8017-3849A5A973C2}\SETUP.EXE" -l0x9 anything
TrackPoint Accessibility Features-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA664480-3844-11D5-8C25-444553540000}\SETUP.EXE"
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Windows Internet Explorer 8 (KB971180)-->"C:\WINDOWS\ie8updates\KB971180-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB943729)-->"C:\WINDOWS\$NtUninstallKB943729$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
VideoLAN VLC media player 0.8.6a-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Wallpapers-->MsiExec.exe /I{F386C340-DF4B-4BBA-9503-420FB7EDB395}
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Search 4.0-->"C:\WINDOWS\$NtUninstallKB940157$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
XP Themes-->MsiExec.exe /I{C54ED2B6-1AF2-416F-BBA8-5E2B8CDCB5C4}

======Hosts File======

127.0.0.1 localhost
127.0.0.1 fr.a2dfp.net
127.0.0.1 m.fr.a2dfp.net
127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 b.abnad.net

======Security center information======

AV: ESET NOD32 Antivirus 3.0

======System event log======

Computer Name: LENOVO-224392D9
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0014A468DDFA. The following
error occurred:
The semaphore timeout period has expired.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 19586
Source Name: Dhcp
Time Written: 20090918174740.000000-420
Event Type: warning
User:

Computer Name: LENOVO-224392D9
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0014A468DDFA. The following
error occurred:
The semaphore timeout period has expired.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 19585
Source Name: Dhcp
Time Written: 20090918173041.000000-420
Event Type: warning
User:

Computer Name: LENOVO-224392D9
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0014A468DDFA. The following
error occurred:
The semaphore timeout period has expired.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 19584
Source Name: Dhcp
Time Written: 20090918165642.000000-420
Event Type: warning
User:

Computer Name: LENOVO-224392D9
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0014A468DDFA. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 19582
Source Name: Dhcp
Time Written: 20090918135608.000000-420
Event Type: warning
User:

Computer Name: LENOVO-224392D9
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0014A468DDFA. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 19581
Source Name: Dhcp
Time Written: 20090918135608.000000-420
Event Type: warning
User:

=====Application event log=====

Computer Name: LENOVO-224392D9
Event Code: 3013
Message: The entry <C:\DOCUMENTS AND SETTINGS\LINDSAY SCOTT\MY DOCUMENTS\MY MUSIC\ITUNES\MOBILE APPLICATIONS\DOWNLOAD.APP> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)


Record Number: 16746
Source Name: Windows Search Service
Time Written: 20090505231943.000000-420
Event Type: error
User:

Computer Name: LENOVO-224392D9
Event Code: 3013
Message: The entry <C:\DOCUMENTS AND SETTINGS\LINDSAY SCOTT\MY DOCUMENTS\MY MUSIC\ITUNES\ITUNES MUSIC\MADONNA\CONFESSIONS ON A DANCE FLOOR\DOWNLOAD.M4A> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)


Record Number: 16745
Source Name: Windows Search Service
Time Written: 20090505231844.000000-420
Event Type: error
User:

Computer Name: LENOVO-224392D9
Event Code: 1002
Message: Hanging application iexplore.exe, version 7.0.6000.16827, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 16724
Source Name: Application Hang
Time Written: 20090505220127.000000-420
Event Type: error
User:

Computer Name: LENOVO-224392D9
Event Code: 101
Message:
Record Number: 16716
Source Name: Automatic LiveUpdate Scheduler
Time Written: 20090505214045.000000-420
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: LENOVO-224392D9
Event Code: 3013
Message: The entry <C:\DOCUMENTS AND SETTINGS\LINDSAY SCOTT\MY DOCUMENTS\MY MUSIC\ITUNES\MOBILE APPLICATIONS\DOWNLOAD.APP> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)


Record Number: 16695
Source Name: Windows Search Service
Time Written: 20090427214110.000000-420
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=C:\Program Files\ThinkPad\Utilities;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\IBM ThinkVantage\Client Security Solution;C:\Program Files\Common Files\Lenovo;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 13 Stepping 8, GenuineIntel
"PROCESSOR_REVISION"=0d08
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"SMA"=C:\Program Files\IBM ThinkVantage\SMA\
"TVT"=C:\Program Files\Lenovo
"IBMSHARE"=%SystemDrive%\IBMSHARE
"RR"=C:\Program Files\IBM ThinkVantage\Rescue and Recovery
"TVTPYDIR"=C:\Program Files\IBM ThinkVantage\Common\Python24
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------

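Two things a helper checks by eye in an info.txt like the one above are the hosts file (entries pointing at 127.0.0.1 or 0.0.0.0 are the usual Spybot-style immunisation and harmless; an entry that sends a hostname anywhere else is a hosts-file hijack) and the uninstall list (this one carries J2SE 5.0 Update 3 and 9 next to Java 6 Update 7 and 15, so old unpatched JREs are still reachable). The script below is an added example, not part of this thread or of RSIT: it splits an info.txt on its `======Name======` headers and runs both checks. The sample input is constructed in RSIT's format; its Java lines are copied from the log above, while the 203.0.113.5 hosts entries are invented to show what a hijack would look like (the hosts file in this thread only has 127.0.0.1 entries).

```python
"""Log-triage helpers for an RSIT info.txt (added example, not part of the thread).

Two things a helper checks by eye in the info.txt posted above:
  1. Hosts file: entries that map names to 127.0.0.1 / 0.0.0.0 (Spybot-style
     immunisation) are harmless; an entry that sends a name anywhere else is a
     hosts-file hijack and needs a look.
  2. Uninstall list: several Java runtimes side by side leave older, unpatched
     JREs reachable, so list them for removal.
"""
import ipaddress
import re

# Addresses a blocklist entry is expected to point at.
NULL_ROUTES = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("::1"),
}

# Display names RSIT prints for Sun JREs, e.g. "J2SE Runtime Environment 5.0 Update 9"
# or "Java™ 6 Update 15" (the TM may be rendered as (TM) or ™).
JAVA_NAME = re.compile(r"^(?:J2SE Runtime Environment|Java(?:\(TM\)|™)? \d+ Update)")


def sections(text):
    """Split info.txt on its '======Name======' headers into {name: [non-blank lines]}."""
    out, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^=+(.+?)=+$", line.strip())
        if m:
            current = m.group(1).strip()
            out[current] = []
        elif current is not None and line.strip():
            out[current].append(line.rstrip())
    return out


def suspicious_hosts(lines):
    """(address, hostname) pairs whose address is not a loopback/null route."""
    hits = []
    for line in lines:
        body = line.split("#", 1)[0].strip()   # drop trailing '#[...]' annotations
        if not body:
            continue
        fields = body.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # not an address: ignore the line
        if addr not in NULL_ROUTES:
            hits.extend((str(addr), host) for host in fields[1:])
    return hits


def java_runtimes(lines):
    """Display names of every Java runtime in the 'Name-->uninstall command' list."""
    names = []
    for line in lines:
        name = line.split("-->", 1)[0].strip()
        if name and JAVA_NAME.match(name):
            names.append(name)
    return names


def triage(text):
    """Run both checks over a whole info.txt and return the findings."""
    s = sections(text)
    return {
        "hijacked_hosts": suspicious_hosts(s.get("Hosts File", [])),
        "java_runtimes": java_runtimes(s.get("Uninstall list", [])),
    }


# Constructed sample in RSIT's format. The Java lines mirror the post above; the
# 203.0.113.5 (TEST-NET-3) hosts entries are invented to show what a hijack looks
# like; the thread's own hosts file has only 127.0.0.1 entries.
SAMPLE = """\
======Uninstall list======

-->MsiExec.exe /X{2642BE09-1F9F-4E18-AAD4-0258B9BCE611}
Adobe Reader 7.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
J2SE Runtime Environment 5.0 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
J2SE Runtime Environment 5.0 Update 9-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java™ 6 Update 15-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}

======Hosts File======

127.0.0.1 localhost
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
0.0.0.0 ad.a8.net
203.0.113.5 antivirus.example.com
203.0.113.5 update.example.net

======Security center information======

AV: ESET NOD32 Antivirus 3.0
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

Run it against a real info.txt by reading the file into `triage()`; a non-empty `hijacked_hosts` list means the hosts file is redirecting names rather than blocking them, and more than one entry in `java_runtimes` is the cue to have the older JREs uninstalled before moving on.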
#8 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:37 AM

Posted 01 November 2009 - 03:19 AM

Hi,



Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

(screenshot)


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot)


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#9 bsgranpa

bsgranpa
  • Topic Starter

  • Members
  • 181 posts
  • OFFLINE
  • Local time:12:37 AM

Posted 01 November 2009 - 10:40 AM

Thanks Tom, I first thought that you were up very late last night until I saw that you are in Germany. Here's the ComboFix log.

ComboFix 09-10-30.01 - Sherrie 11/01/2009 7:18.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.161 [GMT -8:00]
Running from: c:\documents and settings\Sherrie.LENOVO-224392D9\Desktop\schrauber.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((( Files Created from 2009-10-01 to 2009-11-01 )))))))))))))))))))))))))))))))
.

2009-10-31 23:10 . 2009-10-31 23:11 -------- d-----w- c:\program files\trend micro
2009-10-31 23:10 . 2009-10-31 23:11 -------- d-----w- C:\rsit
2009-10-31 22:20 . 2009-10-31 22:20 -------- d-sh--w- c:\documents and settings\Sherrie.LENOVO-224392D9\IECompatCache
2009-10-29 05:45 . 2009-10-29 05:45 -------- d-----w- c:\program files\iPod
2009-10-29 05:44 . 2009-10-29 05:46 -------- d-----w- c:\program files\iTunes
2009-10-29 05:44 . 2009-10-29 05:46 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-29 05:14 . 2009-10-29 05:14 -------- d-----w- c:\documents and settings\Sherrie.LENOVO-224392D9\Local Settings\Application Data\Apple
2009-10-29 05:12 . 2009-11-01 00:01 -------- d-----w- c:\documents and settings\Sherrie.LENOVO-224392D9\Application Data\Apple Computer
2009-10-25 02:04 . 2001-10-12 00:35 20588 ----a-w- c:\windows\system32\PdfPorts.dll
2009-10-25 02:04 . 2001-10-12 00:34 77824 ----a-w- c:\windows\system32\adistres.dll
2009-10-25 02:04 . 2001-04-27 21:02 101200 ------w- c:\windows\system32\pdfshell.dll
2009-10-25 02:03 . 2009-10-25 02:03 -------- d-----w- c:\windows\system32\Adobe
2009-10-25 02:00 . 2009-10-25 02:00 -------- d-----w- c:\documents and settings\Lindsay Scott\Application Data\InterTrust
2009-10-18 22:12 . 2009-10-18 22:12 -------- d-sh--w- c:\documents and settings\Sherrie.LENOVO-224392D9\PrivacIE
2009-10-18 22:12 . 2009-10-21 17:23 -------- d-----w- c:\documents and settings\Sherrie.LENOVO-224392D9\Local Settings\Application Data\Google
2009-10-18 22:11 . 2009-10-18 22:11 -------- d-----w- c:\documents and settings\Sherrie.LENOVO-224392D9\Application Data\Malwarebytes
2009-10-18 22:11 . 2009-11-01 00:01 -------- d-----w- c:\documents and settings\Sherrie.LENOVO-224392D9\Local Settings\Application Data\Apple Computer
2009-10-18 05:37 . 2009-10-18 05:37 -------- d-sh--w- c:\documents and settings\Sherrie\PrivacIE
2009-10-18 05:36 . 2009-10-18 05:36 -------- d-----w- c:\documents and settings\Sherrie\Local Settings\Application Data\Google
2009-10-18 05:36 . 2009-10-18 05:36 -------- d-----w- c:\documents and settings\Sherrie\Application Data\Malwarebytes
2009-10-18 05:35 . 2009-10-18 05:36 -------- d-----w- c:\documents and settings\Sherrie\Local Settings\Application Data\Apple Computer
2009-10-18 05:34 . 2009-10-18 05:34 -------- d-sh--w- c:\documents and settings\Sherrie\IETldCache
2009-10-15 05:06 . 2009-10-15 05:06 -------- d-----w- c:\documents and settings\Lindsay Scott\Application Data\vlc
2009-10-15 05:04 . 2009-10-15 05:04 -------- d-----w- c:\program files\VideoLAN
2009-10-15 02:00 . 2009-10-15 02:00 -------- d-----w- c:\documents and settings\Lindsay Scott\Application Data\Malwarebytes
2009-10-15 02:00 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-15 02:00 . 2009-10-15 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-15 02:00 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-15 02:00 . 2009-10-15 02:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-15 01:12 . 2009-10-15 01:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-12 23:12 . 2009-10-15 05:08 -------- d-----w- c:\program files\GRETECH

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-29 05:44 . 2008-01-15 20:22 -------- d-----w- c:\program files\Common Files\Apple
2009-10-29 05:39 . 2009-06-11 05:19 -------- d-----w- c:\program files\QuickTime
2009-10-25 02:03 . 2006-02-26 09:34 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-18 05:58 . 2008-07-17 22:10 -------- d-----w- c:\program files\Google
2009-10-16 17:00 . 2006-02-26 10:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-12 19:35 . 2006-09-19 22:09 -------- d-----w- c:\documents and settings\Lindsay Scott\Application Data\Apple Computer
2009-09-25 21:35 . 2009-09-25 21:35 -------- d-----w- c:\program files\Hewlett-Packard
2009-09-14 17:40 . 2008-07-17 21:20 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-11 14:18 . 1980-01-01 08:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-07 16:06 . 2006-07-27 21:29 -------- d-----w- c:\program files\Java
2009-09-07 15:45 . 2009-09-07 15:45 -------- d-----w- c:\program files\ESET
2009-09-07 15:45 . 2009-09-07 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-09-07 03:46 . 2009-09-07 03:46 24044 ----a-w- c:\windows\system32\mlfcache.dat
2009-09-04 21:03 . 1980-01-01 08:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 05:45 . 2009-09-03 05:45 -------- d-----w- c:\program files\CCleaner
2009-09-02 21:07 . 2009-09-02 21:07 -------- d-----w- c:\documents and settings\Lindsay Scott\Application Data\AdobeUM
2009-09-02 20:54 . 2006-03-03 12:32 -------- d-----w- c:\program files\IE New Window Maximizer
2009-09-02 16:36 . 2009-09-02 16:35 -------- d-----w- c:\program files\SequoiaView
2009-08-29 08:08 . 1980-01-01 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 1980-01-01 08:00 247326 ------w- c:\windows\system32\strmdll.dll
2009-08-05 09:01 . 1980-01-01 08:00 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-08-05 03:44 . 1980-01-01 08:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 06:59 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-18 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="c:\program files\Lenovo\TrackPoint\tp4serv.exe" [2008-03-04 92960]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-08-12 864256]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-08-10 237568]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-08-29 94208]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2005-08-10 98304]
"cssauthe"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauthe.exe" [2005-08-03 1979952]
"PDService.exe"="c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-07-07 49152]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-08-10 86016]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-08-10 139264]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-08-10 208896]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-10-25 1451264]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-08-02 40960]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2005-03-10 28160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2009-10-24 82026]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HPAiODevice(hp officejet g series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 151552]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-08-10 11:08 262144 ------w- c:\windows\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 07:45 28672 ------w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-06-17 06:23 24576 ------w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli csspwntfye

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [10/24/2008 7:53 PM 34824]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [12/21/2007 7:21 AM 468224]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [8/2/2005 6:15 PM 13184]
R2 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\privatediskm.sys [6/28/2005 8:26 AM 46142]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [8/2/2005 5:47 PM 3968]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [1/1/1980 200576]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [1/1/1980 22568]
S3 apusbsnt;AirPrime USB Modem Device Driver;c:\windows\system32\drivers\apusbsnt.sys [7/14/2006 10:28 AM 40064]
S3 BulkUsb;Usbscan.Sys;c:\windows\system32\drivers\usbscan.sys [1/13/2007 8:38 PM 15104]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [12/19/2005 11:28 AM 12288]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2009-11-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3065565367-3688125934-2868120403-1005Core.job
- c:\documents and settings\Lindsay Scott\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-23 02:45]

2009-11-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3065565367-3688125934-2868120403-1005UA.job
- c:\documents and settings\Lindsay Scott\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-23 02:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-amsg - c:\program files\ThinkVantage\AMSG\Amsg.exe
HKLM-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
HKLM-Run-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe
Notify-NavLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-01 07:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'lsass.exe'(780)
c:\program files\IBM ThinkVantage\Client Security Solution\csspwntfye.dll
c:\program files\IBM ThinkVantage\Client Security Solution\cssuserdatadispatcher.dll
c:\program files\IBM ThinkVantage\Client Security Solution\ibmtsp.dll
c:\program files\IBM ThinkVantage\Client Security Solution\tcsrpc.dll

- - - - - - - > 'explorer.exe'(2948)
c:\windows\system32\WININET.dll
c:\windows\system32\PROCHLP.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-01 7:36
ComboFix-quarantined-files.txt 2009-11-01 15:36

Pre-Run: 6,260,482,048 bytes free
Post-Run: 6,441,111,552 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

- - End Of File - - CCB8E565998E2300362E9DEEDD60AE78

#10 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 01 November 2009 - 12:38 PM

Hi,

http://www.bleepingcomputer.com/forums/t/160132/how-to-use-dial-a-fix-to-repair-windows-internals-problems/

Please follow the instructions above to run Dial-a-fix, and post back with the content of the logfile.

How is your system running?
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#11 bsgranpa
  • Topic Starter

  • Members
  • 181 posts

Posted 01 November 2009 - 01:16 PM

The Dial-a-fix log follows. As far as performance is concerned, programs still take a lot longer than usual to open. In addition, the laptop takes more than four or five minutes to start and more than ten minutes to shut down. I sure appreciate your help.

10:04:16 AM | Dial-a-fix was unable to determine your version of Internet Explorer
Notes about this log:
1) "->" denotes an external command being executed, and "-> (number)" indicates
the return code from the previous command
2) Not all external command return codes are accurate, or useful
3) Sometimes commands return 0 (no error) even when they fail or crash
4) If an error occurs while registering an object, please send an email to:
dial-a-fix@DjLizard.net and include a copy of this log

DAF version: v0.60.0.24

--- System info ---
OS: Microsoft Windows XP Service Pack 3
IE version: 8.0.6001.18702
MPC: 76487-OEM
CPU: Intel® Pentium® M processor 1.73GHz (~800MHz)
BIOS: 11/1/2005
Memory (approx): 446MB
Uptime: 3 hour(s)
Current directory: C:\Documents and Settings\Sherrie.LENOVO-224392D9\Desktop
---

11/1/2009 10:04:16 AM -- Dial-a-fix : [v0.60.0.24] -- started
10:04:16 AM | Policy scan started
10:04:16 AM | Policy scan ended - no restrictive policies were found
--- MSI ---
10:04:50 AM | Registered: C:\WINDOWS\system32\msi.dll
--- Windows Update ---
--- Registration: Windows Update/Automatic Update DLLs ---
10:05:05 AM | Unregistered: C:\WINDOWS\system32\msxml.dll
10:05:05 AM | Registered: C:\WINDOWS\system32\msxml.dll
10:05:07 AM | Unregistered: C:\WINDOWS\system32\msxml2.dll
10:05:08 AM | Registered: C:\WINDOWS\system32\msxml2.dll
10:05:21 AM | Unregistered: C:\WINDOWS\system32\msxml3.dll
10:05:22 AM | Registered: C:\WINDOWS\system32\msxml3.dll
10:05:22 AM | Unregistered: C:\WINDOWS\system32\msxml4.dll
10:05:23 AM | Registered: C:\WINDOWS\system32\msxml4.dll
10:05:24 AM | Unregistered: C:\WINDOWS\system32\qmgr.dll
10:05:24 AM | Registered: C:\WINDOWS\system32\qmgr.dll
10:05:24 AM | Unregistered: C:\WINDOWS\system32\qmgrprxy.dll
10:05:24 AM | Registered: C:\WINDOWS\system32\qmgrprxy.dll
10:05:25 AM | Unregistered: C:\WINDOWS\system32\muweb.dll
10:05:25 AM | Registered: C:\WINDOWS\system32\muweb.dll
10:05:25 AM | Unregistered: C:\WINDOWS\system32\winhttp.dll
10:05:25 AM | Registered: C:\WINDOWS\system32\winhttp.dll
10:05:25 AM | Registered: C:\WINDOWS\system32\wuapi.dll
10:05:26 AM | Unregistered: C:\WINDOWS\system32\wuaueng.dll
10:05:28 AM | Registered: C:\WINDOWS\system32\wuaueng.dll
10:05:28 AM | Unregistered: C:\WINDOWS\system32\wuaueng1.dll
10:05:28 AM | Registered: C:\WINDOWS\system32\wuaueng1.dll
10:05:29 AM | Unregistered: C:\WINDOWS\system32\wucltui.dll
10:05:29 AM | Registered: C:\WINDOWS\system32\wucltui.dll
10:05:29 AM | Unregistered: C:\WINDOWS\system32\wups.dll
10:05:29 AM | Registered: C:\WINDOWS\system32\wups.dll
10:05:29 AM | Unregistered: C:\WINDOWS\system32\wups2.dll
10:05:29 AM | Registered: C:\WINDOWS\system32\wups2.dll
10:05:30 AM | Unregistered: C:\WINDOWS\system32\wuweb.dll
10:05:30 AM | Registered: C:\WINDOWS\system32\wuweb.dll
10:05:30 AM | Registered: C:\WINDOWS\system32\ole32.dll
--- SSL/HTTPS/Cryptography ---
10:05:51 AM | Executed 'cmd.exe /c rmdir /q /s C:\WINDOWS\system32\Catroot2'
--- Registration: SSL/HTTPS/Cryptography ---
10:05:56 AM | Unregistered: C:\WINDOWS\system32\cryptdlg.dll
10:05:56 AM | Registered: C:\WINDOWS\system32\cryptdlg.dll
10:05:56 AM | Unregistered: C:\WINDOWS\system32\cryptui.dll
10:05:56 AM | Registered: C:\WINDOWS\system32\cryptui.dll
10:05:56 AM | Unregistered: C:\WINDOWS\system32\cryptext.dll
10:05:56 AM | Registered: C:\WINDOWS\system32\cryptext.dll
10:05:57 AM | Unregistered: C:\WINDOWS\system32\dssenh.dll
10:05:57 AM | Registered: C:\WINDOWS\system32\dssenh.dll
10:05:57 AM | Unregistered: C:\WINDOWS\system32\gpkcsp.dll
10:05:57 AM | Registered: C:\WINDOWS\system32\gpkcsp.dll
10:05:57 AM | Unregistered: C:\WINDOWS\system32\initpki.dll
10:08:54 AM | Registered: C:\WINDOWS\system32\initpki.dll
10:08:55 AM | Unregistered: C:\WINDOWS\system32\licdll.dll
10:08:55 AM | Registered: C:\WINDOWS\system32\licdll.dll
10:08:55 AM | Unregistered: C:\WINDOWS\system32\mssign32.dll
10:08:55 AM | Registered: C:\WINDOWS\system32\mssign32.dll
10:08:55 AM | Unregistered: C:\WINDOWS\system32\mssip32.dll
10:08:55 AM | Registered: C:\WINDOWS\system32\mssip32.dll
10:08:56 AM | Unregistered: C:\WINDOWS\system32\scardssp.dll
10:08:56 AM | Registered: C:\WINDOWS\system32\scardssp.dll
10:08:57 AM | Unregistered: C:\WINDOWS\system32\sccbase.dll
10:08:57 AM | Registered: C:\WINDOWS\system32\sccbase.dll
10:08:57 AM | Unregistered: C:\WINDOWS\system32\scecli.dll
10:09:00 AM | Registered: C:\WINDOWS\system32\scecli.dll
10:09:00 AM | Unregistered: C:\WINDOWS\system32\softpub.dll
10:09:00 AM | Registered: C:\WINDOWS\system32\softpub.dll
10:09:01 AM | Unregistered: C:\WINDOWS\system32\slbcsp.dll
10:09:01 AM | Registered: C:\WINDOWS\system32\slbcsp.dll
10:09:03 AM | Unregistered: C:\WINDOWS\system32\regwizc.dll
10:09:03 AM | Registered: C:\WINDOWS\system32\regwizc.dll
10:09:03 AM | Unregistered: C:\WINDOWS\system32\rsaenh.dll
10:09:03 AM | Registered: C:\WINDOWS\system32\rsaenh.dll
10:09:03 AM | Unregistered: C:\WINDOWS\system32\winhttp.dll
10:09:03 AM | Registered: C:\WINDOWS\system32\winhttp.dll
10:09:03 AM | Unregistered: C:\WINDOWS\system32\wintrust.dll
10:09:04 AM | Registered: C:\WINDOWS\system32\wintrust.dll
--- Registration: ActiveX controls/codecs ---
10:09:04 AM | Registered: C:\WINDOWS\system32\acelpdec.ax
10:09:04 AM | Registered: C:\WINDOWS\system32\actxprxy.dll
10:09:05 AM | Registered: C:\WINDOWS\system32\asctrls.ocx
10:09:05 AM | Registered: C:\WINDOWS\system32\daxctle.ocx
10:09:05 AM | Registered: C:\WINDOWS\system32\hhctrl.ocx
10:09:05 AM | Registered: C:\WINDOWS\system32\l3codecx.ax
10:09:05 AM | Registered: C:\WINDOWS\system32\licmgr10.dll
10:09:05 AM | Registered: C:\WINDOWS\system32\mpg4ds32.ax
10:09:09 AM | Registered: C:\WINDOWS\system32\msdxm.ocx
10:09:09 AM | Registered: C:\WINDOWS\system32\proctexe.ocx
10:09:09 AM | Registered: C:\WINDOWS\system32\tdc.ocx
10:09:09 AM | Registered: C:\WINDOWS\system32\wshom.ocx
--- Registration: Control Panel applets ---
10:09:10 AM | DllInstalled: C:\WINDOWS\system32\inetcpl.cpl
10:09:11 AM | DllInstalled: C:\WINDOWS\system32\appwiz.cpl
10:09:11 AM | Registered: C:\WINDOWS\system32\appwiz.cpl
10:09:11 AM | DllInstalled: C:\WINDOWS\system32\nusrmgr.cpl
10:09:11 AM | Registered: C:\WINDOWS\system32\nusrmgr.cpl
--- Registration: Direct[X|Draw|Show|Media] ---
10:09:11 AM | Registered: C:\WINDOWS\system32\quartz.dll
10:09:13 AM | Registered: C:\WINDOWS\system32\danim.dll
10:09:13 AM | Registered: C:\WINDOWS\system32\dmscript.dll
10:09:13 AM | Registered: C:\WINDOWS\system32\dmstyle.dll
10:09:13 AM | Registered: C:\WINDOWS\system32\dxmasf.dll
10:09:13 AM | Registered: C:\WINDOWS\system32\dxtmsft.dll
10:09:13 AM | Registered: C:\WINDOWS\system32\dxtrans.dll
10:09:14 AM | Registered: C:\WINDOWS\system32\sbe.dll
--- Registration: Programming cores/runtimes ---
10:09:14 AM | Registered: C:\WINDOWS\system32\atl.dll
10:09:14 AM | Registered: C:\WINDOWS\system32\corpol.dll
10:09:14 AM | Registered: C:\WINDOWS\system32\jscript.dll
10:09:14 AM | Registered: C:\WINDOWS\system32\dispex.dll
10:09:14 AM | Registered: C:\WINDOWS\system32\scrrun.dll
10:09:15 AM | Registered: C:\WINDOWS\system32\scrobj.dll
10:09:15 AM | Registered: C:\WINDOWS\system32\vbscript.dll
10:09:15 AM | Registered: C:\WINDOWS\system32\wshext.dll
--- Registration: Explorer/IE/OE/shell/WMP ---
10:09:15 AM | Registered: C:\WINDOWS\system32\activeds.dll
10:09:15 AM | Registered: C:\WINDOWS\system32\audiodev.dll
10:09:16 AM | DllInstalled: C:\WINDOWS\system32\browseui.dll
10:09:16 AM | Registered: C:\WINDOWS\system32\browseui.dll
10:09:17 AM | Registered: C:\WINDOWS\system32\browsewm.dll
10:09:17 AM | Registered: C:\WINDOWS\system32\cabview.dll
10:09:18 AM | Registered: C:\WINDOWS\system32\cdfview.dll
10:09:18 AM | Registered: C:\WINDOWS\system32\clbcatex.dll
10:09:18 AM | Registered: C:\WINDOWS\system32\clbcatq.dll
10:09:18 AM | Registered: C:\WINDOWS\system32\comcat.dll
10:09:18 AM | Registered: C:\WINDOWS\system32\cscui.dll
10:09:18 AM | Registered: C:\WINDOWS\system32\credui.dll
10:09:18 AM | Registered: C:\WINDOWS\system32\datime.dll
10:09:18 AM | Registered: C:\WINDOWS\system32\devmgr.dll
10:09:18 AM | Registered: C:\WINDOWS\system32\dfsshlex.dll
10:09:19 AM | Registered: C:\WINDOWS\system32\dmdlgs.dll
10:09:19 AM | Registered: C:\WINDOWS\system32\dmdskmgr.dll
10:09:19 AM | Registered: C:\WINDOWS\system32\dmloader.dll
10:09:19 AM | Registered: C:\WINDOWS\system32\dmocx.dll
10:09:19 AM | Registered: C:\WINDOWS\system32\dmview.ocx
10:09:19 AM | DllInstalled: C:\WINDOWS\system32\dsuiext.dll
10:09:20 AM | Registered: C:\WINDOWS\system32\dsuiext.dll
10:09:20 AM | DllInstalled: C:\WINDOWS\system32\dsquery.dll
10:09:20 AM | Registered: C:\WINDOWS\system32\dsquery.dll
10:09:20 AM | Registered: C:\WINDOWS\system32\dskquoui.dll
10:09:20 AM | Registered: C:\WINDOWS\system32\els.dll
10:09:21 AM | Registered: C:\WINDOWS\system32\es.dll
10:09:21 AM | Registered: C:\WINDOWS\system32\fontext.dll
10:09:21 AM | Registered: C:\WINDOWS\system32\hlink.dll
10:09:21 AM | Registered: C:\WINDOWS\system32\hnetcfg.dll
10:09:22 AM | Registered: C:\WINDOWS\system32\iedkcs32.dll
10:09:22 AM | Registered: C:\WINDOWS\system32\iepeers.dll
10:09:22 AM | Error 127: C:\WINDOWS\system32\iesetup.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702
10:09:40 AM | Error 127: C:\WINDOWS\system32\iesetup.dll is not DLLInstall-able or the file is corrupted. Version: 8.00.6001.18702
10:09:42 AM | Registered: C:\WINDOWS\system32\ils.dll
10:09:42 AM | Error 127: C:\WINDOWS\system32\imgutil.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702
10:09:44 AM | Registered: C:\WINDOWS\system32\inetcfg.dll
10:09:44 AM | Registered: C:\WINDOWS\system32\inetcomm.dll
10:09:44 AM | Error 127: C:\WINDOWS\system32\inseng.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702
10:09:46 AM | Error 127: C:\WINDOWS\system32\inseng.dll is not DLLInstall-able or the file is corrupted. Version: 8.00.6001.18702
10:09:47 AM | Registered: C:\WINDOWS\system32\laprxy.dll
10:09:48 AM | Registered: C:\WINDOWS\system32\lmrt.dll
10:09:48 AM | Registered: C:\WINDOWS\system32\mlang.dll
10:09:48 AM | Registered: C:\WINDOWS\system32\mmcndmgr.dll
10:09:49 AM | Registered: C:\WINDOWS\system32\mmcshext.dll
10:09:50 AM | Registered: C:\WINDOWS\system32\mscoree.dll
10:09:50 AM | Error 127: C:\WINDOWS\system32\mshtml.dll is not registerable or the file is corrupted. Version: 8.00.6001.18828
10:09:52 AM | Error 127: C:\WINDOWS\system32\mshtml.dll is not DLLInstall-able or the file is corrupted. Version: 8.00.6001.18828
10:09:53 AM | Registered: C:\WINDOWS\system32\mshtmled.dll
10:09:54 AM | Registered: C:\WINDOWS\system32\msieftp.dll
10:09:54 AM | Registered: C:\WINDOWS\system32\msoeacct.dll
10:09:54 AM | Registered: C:\WINDOWS\system32\msr2c.dll
10:09:54 AM | Error 127: C:\WINDOWS\system32\msrating.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702
10:09:56 AM | DllInstalled: C:\WINDOWS\system32\mydocs.dll
10:09:56 AM | Registered: C:\WINDOWS\system32\mydocs.dll
10:09:56 AM | Registered: C:\WINDOWS\system32\mstime.dll
10:09:57 AM | Registered: C:\WINDOWS\system32\netcfgx.dll
10:09:57 AM | DllInstalled: C:\WINDOWS\system32\netplwiz.dll
10:09:57 AM | Registered: C:\WINDOWS\system32\netplwiz.dll
10:09:58 AM | Registered: C:\WINDOWS\system32\netman.dll
10:09:59 AM | Registered: C:\WINDOWS\system32\netshell.dll
10:09:59 AM | Registered: C:\WINDOWS\system32\ntmsevt.dll
10:09:59 AM | Registered: C:\WINDOWS\system32\ntmsmgr.dll
10:09:59 AM | DllInstalled: C:\WINDOWS\system32\ntmssvc.dll
10:09:59 AM | Registered: C:\WINDOWS\system32\ntmssvc.dll
10:09:59 AM | Error 127: C:\WINDOWS\system32\occache.dll is not registerable or the file is corrupted. Version: 8.00.6001.18828
10:10:01 AM | Error 127: C:\WINDOWS\system32\occache.dll is not DLLInstall-able or the file is corrupted. Version: 8.00.6001.18828
10:10:02 AM | Registered: C:\WINDOWS\system32\ole32.dll
10:10:02 AM | Registered: C:\WINDOWS\system32\oleaut32.dll
10:10:02 AM | Registered: C:\WINDOWS\system32\oleacc.dll
10:10:02 AM | Registered: C:\WINDOWS\system32\olepro32.dll
10:10:02 AM | DllInstalled: C:\WINDOWS\system32\photowiz.dll
10:10:02 AM | Registered: C:\WINDOWS\system32\photowiz.dll
10:10:02 AM | Error 127: C:\WINDOWS\system32\pngfilt.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702
10:10:03 AM | Registered: C:\WINDOWS\system32\remotepg.dll
10:10:03 AM | Registered: C:\WINDOWS\system32\rpcrt4.dll
10:10:03 AM | Registered: C:\WINDOWS\system32\rshx32.dll
10:10:04 AM | Registered: C:\WINDOWS\system32\sendmail.dll
10:10:04 AM | Registered: C:\WINDOWS\system32\slayerxp.dll
10:10:06 AM | DllInstalled: C:\WINDOWS\system32\shdocvw.dll
10:10:06 AM | Registered: C:\WINDOWS\system32\shdocvw.dll
10:10:06 AM | Registered: C:\WINDOWS\system32\shell32.dll
10:10:14 AM | DllInstalled: C:\WINDOWS\system32\shell32.dll
10:10:14 AM | Registered: C:\WINDOWS\system32\shmedia.dll
10:10:14 AM | DllInstalled: C:\WINDOWS\system32\shimgvw.dll
10:10:15 AM | Registered: C:\WINDOWS\system32\shimgvw.dll
10:10:15 AM | DllInstalled: C:\WINDOWS\system32\shsvcs.dll
10:10:15 AM | Registered: C:\WINDOWS\system32\shsvcs.dll
10:10:16 AM | Registered: C:\WINDOWS\system32\srclient.dll
10:10:16 AM | Unregistered: C:\WINDOWS\system32\stobject.dll
10:10:16 AM | Registered: C:\WINDOWS\system32\stobject.dll
10:10:16 AM | DllInstalled: C:\WINDOWS\system32\themeui.dll
10:10:17 AM | Registered: C:\WINDOWS\system32\themeui.dll
10:10:17 AM | Registered: C:\WINDOWS\system32\twext.dll
10:10:18 AM | DllInstalled: C:\WINDOWS\system32\urlmon.dll
10:10:18 AM | Registered: C:\WINDOWS\system32\urlmon.dll
10:10:18 AM | Registered: C:\WINDOWS\system32\userenv.dll
10:10:19 AM | Error 127: C:\WINDOWS\system32\webcheck.dll is not registerable or the file is corrupted. Version: 8.00.6001.18702
10:10:21 AM | Error 127: C:\WINDOWS\system32\webcheck.dll is not DLLInstall-able or the file is corrupted. Version: 8.00.6001.18702
10:10:23 AM | Registered: C:\WINDOWS\system32\webvw.dll
10:10:23 AM | Registered: C:\WINDOWS\system32\winhttp.dll
10:10:23 AM | DllInstalled: C:\WINDOWS\system32\wininet.dll
10:10:23 AM | Registered: C:\WINDOWS\system32\zipfldr.dll
10:10:23 AM | Registered: C:\Program Files\Common Files\system\Ole DB\msdadc.dll
10:10:23 AM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaenum.dll
10:10:23 AM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaer.dll
10:10:24 AM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaipp.dll
10:10:24 AM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaora.dll
10:10:24 AM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaosp.dll
10:10:24 AM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaps.dll
10:10:24 AM | Registered: C:\Program Files\Common Files\system\Ole DB\msdasc.dll
10:10:24 AM | Registered: C:\Program Files\Common Files\system\Ole DB\msdasql.dll
10:10:25 AM | Registered: C:\Program Files\Common Files\system\Ole DB\msdatt.dll
10:10:25 AM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaurl.dll
10:10:25 AM | Registered: C:\Program Files\Common Files\system\Ole DB\msxactps.dll
10:10:25 AM | Registered: C:\Program Files\Common Files\system\Ole DB\oledb32.dll
10:10:25 AM | Registered: C:\Program Files\Common Files\system\Ole DB\oledb32r.dll
10:10:26 AM | Registered: C:\Program Files\Common Files\system\Ole DB\sqloledb.dll
10:10:26 AM | Registered: C:\Program Files\Common Files\system\Ole DB\sqlxmlx.dll

#12 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 01 November 2009 - 02:24 PM

Hi,


Step 1

Download and Run StartupLite


This program will identify startup entries that do not need to be started at bootup. This will help free some memory.
  • Download StartupLite.exe by MalwareBytes to your desktop.
  • Double click on StartUpLite.exe to run it. If you are using Windows Vista, right click the icon and select Run As Administrator.
  • A list of unnecessary startup entries will be compiled.
  • Read the description of each; for most of them you probably won't need it, so please make sure there is a checkmark next to Disable.
  • Leave all the items as Disabled and click Continue.
  • Restart your computer once it's done.

Step 2

Please download Rooter.exe and save to your desktop.
alternate download link
  • Double-click on Rooter.exe to start the tool. If using Vista, right-click and Run as Administrator...
  • Click the Scan button to begin.
  • Once the scan is complete, Notepad will open with a report named Rooter_#.txt (where # is the number assigned to the report).
  • A folder will be created at the %systemdrive% (usually, C:\Rooter$) where the log will be saved.
  • Rooter will automatically close. If it doesn't, just press the Close button.
  • Copy and paste the contents of Rooter_#.txt in your next reply.
Important: Before performing a scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

regards,
schrauber


#13 bsgranpa
  • Topic Starter

  • Members
  • 181 posts

Posted 01 November 2009 - 03:12 PM

Complied with your instructions. Rooter report follows. There were only three items in StartupLite. As before, thanks for all your help.

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP . (5.1.2600) Service Pack 3
[32_bits] - x86 Family 6 Model 13 Stepping 8, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
.
Internet Explorer 8.0.6001.18702
.
C:\ [Fixed-NTFS] .. ( Total:33 Go - Free:6 Go )
D:\ [CD_Rom]
.
Scan : 12:08.37
Path : C:\Documents and Settings\Sherrie.LENOVO-224392D9\Desktop\Rooter.exe
User : Sherrie ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (648)
______ \??\C:\WINDOWS\system32\csrss.exe (696)
______ \??\C:\WINDOWS\system32\winlogon.exe (728)
______ C:\WINDOWS\system32\services.exe (772)
______ C:\WINDOWS\system32\lsass.exe (784)
______ C:\WINDOWS\system32\ibmpmsvc.exe (932)
______ C:\WINDOWS\system32\Ati2evxx.exe (960)
______ C:\WINDOWS\system32\svchost.exe (972)
______ C:\WINDOWS\system32\svchost.exe (1052)
______ C:\WINDOWS\System32\svchost.exe (1088)
______ C:\WINDOWS\system32\Ati2evxx.exe (1224)
______ C:\WINDOWS\system32\svchost.exe (1332)
______ C:\WINDOWS\system32\spoolsv.exe (1500)
______ C:\WINDOWS\system32\svchost.exe (1764)
______ C:\WINDOWS\system32\IPSSVC.EXE (1796)
______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (1812)
______ C:\Program Files\Bonjour\mDNSResponder.exe (1836)
______ C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (1860)
______ C:\WINDOWS\System32\svchost.exe (1904)
______ C:\Program Files\Java\jre6\bin\jqs.exe (1952)
______ C:\WINDOWS\System32\QCONSVC.EXE (2044)
______ C:\WINDOWS\system32\svchost.exe (420)
______ C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (452)
______ C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe (564)
______ C:\WINDOWS\system32\TpKmpSVC.exe (620)
______ C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe (692)
______ C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe (748)
______ C:\WINDOWS\system32\SearchIndexer.exe (1124)
______ C:\WINDOWS\system32\wbem\wmiprvse.exe (1448)
______ c:\program files\lenovo\system update\suservice.exe (1624)
______ C:\Program Files\Windows Media Player\WMPNetwk.exe (1700)
______ C:\WINDOWS\system32\wbem\wmiprvse.exe (1704)
______ C:\WINDOWS\system32\acs.exe (2312)
______ C:\WINDOWS\System32\alg.exe (2856)
______ C:\WINDOWS\Explorer.EXE (2944)
______ C:\Program Files\Lenovo\TrackPoint\tp4serv.exe (3636)
______ C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe (3796)
______ C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe (3820)
______ C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe (3832)
______ C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe (3884)
______ C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe (3928)
______ C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE (3960)
______ C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe (3964)
______ C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe (4016)
______ C:\WINDOWS\system32\rundll32.exe (4040)
______ C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe (316)
______ C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (1252)
______ C:\Program Files\iTunes\iTunesHelper.exe (2560)
______ C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe (3092)
______ C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe (3296)
______ C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe (3168)
______ C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe (3224)
______ C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe (3268)
______ C:\Program Files\iPod\bin\iPodService.exe (2584)
______ C:\WINDOWS\system32\ctfmon.exe (536)
______ C:\WINDOWS\system32\SearchProtocolHost.exe (1180)
______ C:\WINDOWS\system32\SearchFilterHost.exe (216)
______ C:\WINDOWS\system32\wscntfy.exe (240)
______ C:\Documents and Settings\Sherrie.LENOVO-224392D9\Desktop\Rooter.exe (3720)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:35811869184)
\Device\Harddisk0\Partition2 (Start_Offset:35811901440 | Length:4195860480)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-3065565367-3688125934-2868120403-1005Core.job
C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-3065565367-3688125934-2868120403-1005UA.job
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 12:08.39
.
C:\Rooter$\Rooter_1.txt - (01/11/2009 | 12:08.39)

#14 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:37 AM

Posted 01 November 2009 - 03:43 PM

Hi,

How is your system running?
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#15 bsgranpa

bsgranpa
  • Topic Starter

  • Members
  • 181 posts
  • Local time:12:37 AM

Posted 01 November 2009 - 04:35 PM

Tom, it certainly shut down as one would expect. Starting is better but not terrific. IE takes a very long time to load. So much so that I'm thinking of switching to Firefox as default browser. Your thoughts? I think that I will probably go in and see if I can add memory. That might help. What about the various tools still on the desktop?

Thank you very much for your time and the willingness to share your expertise. I have been helped here before and you have held up this site's wonderful reputation extremely well.
