Infected by unknown virus resulting in pop-up ads, browser hijacking, interruption of system operations


  • This topic is locked
35 replies to this topic

#1 j.s.nelson

  • Members
  • 18 posts

Posted 27 January 2010 - 08:58 PM

Hi folks. I’m stuck and do not know how to proceed. Thanks in advance for your assistance. I think a virus has infected my computer. The symptoms are as follows: 1) Internet Explorer is extremely slow/non-responsive, 2) I began receiving pop-up ads regularly, and 3) my browser is being hijacked, where on clicking a hyperlink I get redirected to a site different from the one intended.

In addition, I am now getting a number of error messages upon start-up of the system, and error messages that shut the system down after operating for five to 30 minutes (which might be related to usage of Internet Explorer). I’ll first describe these error messages, then post the contents of the .txt files from the DDS and RootRepeal scans.

The first error occasionally results in a termination of the start-up process. The error message is “Page_Fault_In_Non-Page_Area”. The system then prompts me to start in safe mode, etc. This error seems to be the result of having to power off the computer to shut it down after the system freezes from the other errors.

The second error message occurs near the end of the start-up process, every time. The message is as follows…Run DLL Error, error loading c:\windows\system32\wohubevu.dll. The specified module could not be found.

An error message that appears irregularly is…Frame Window: SVChost.exe-application error. The instruction at “0x02c3f8c8” referenced memory at “0x00000000”. The memory could not be “written”. Click ok to terminate.

The error that eventually shuts the system down is…Generic Host Process For Win32 Services. Encountered a problem and needs to close.

Then the system will give me 60 seconds to shut down. If I do not shut down, I will lose system functionality, i.e., Internet Explorer is non-responsive, application software (MS Word, etc.) cannot open files, and the Windows “Task Manager” and “Shut Down” operations do not work, so I have to power off the system.

*************Here are the contents of the DDS scan file.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Steve at 15:37:13.85 on Wed 01/27/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1534.766 [GMT -8:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\pwmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Steve\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
uSearch Page = hxxp://www.google.com
uWindow Title = Windows Internet Explorer provided by Yahoo!
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_08\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Browser Helper Object: {afd4ad01-58c1-47db-a404-fbe00a6c5486} - c:\program files\shared\lib.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Microsoft Location Finder] "c:\program files\microsoft location finder\LocationFinder.exe"
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [suScheduler] c:\program files\thinkvantage\systemupdate\UCLauncher.exe /SCHEDULER
mRun: [LPManager] c:\progra~1\thinkv~2\prdctr\LPMGR.exe
mRun: [AMSG] c:\program files\thinkvantage\amsg\Amsg.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\symant~2\VPTray.exe
mRun: [cssauth] "c:\program files\ibm thinkvantage\client security solution\cssauth.exe" silent
mRun: [PDService.exe] "c:\program files\ibm thinkvantage\safeguard privatedisk\pdservice.exe"
mRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [RCHotKey] "c:\program files\ringcentral\ringcentral call controller\RCHotKey.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_08\bin\jusched.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 4.0\apdproxy.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [huyoroyul] Rundll32.exe "c:\windows\system32\wohubevu.dll",a
StartupFolder: c:\docume~1\steve\startm~1\programs\startup\virtua~1.lnk - c:\windows\system32\virtualexpander\VirtualExpander.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Send To &Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_08\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: schwab.com\remote
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {EE85A9FD-6E52-4227-BB82-D46A660690EA} - hxxps://service.ringcentral.com/ActiveX/RCAXSetup.cab
Filter: text/html - {230feeb7-f3c2-4a70-8ecb-926c3f9a29b2} - c:\windows\batmeter16.dll
Notify: ACNotify - ACNotify.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: psfus - psqlpwd.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\windows\system32\bodonope.dll lukuduni.dll c:\windows\system32\minutara.dll c:\windows\system32\hazetosi.dll c:\windows\system32\keyipole.dll c:\windows\system32\wohubevu.dll
SSODL: keyiwelot - {399b8868-a6a0-4f16-a80a-7ee50b42ccc1} - c:\windows\system32\bodonope.dll
SSODL: zufezoweh - {5e819f80-cc68-4dad-8fd0-ac2b9bca0e4f} - c:\windows\system32\minutara.dll
SSODL: peburadib - {9d6d8a27-58a3-4e04-b811-0cc7f259f8ce} - c:\windows\system32\minutara.dll
SSODL: tupavutod - {160aa315-9864-4fe4-8341-a380ee18f958} - c:\windows\system32\wohubevu.dll
STS: mujuzedij: {399b8868-a6a0-4f16-a80a-7ee50b42ccc1} - c:\windows\system32\bodonope.dll
STS: kupuhivus: {5e819f80-cc68-4dad-8fd0-ac2b9bca0e4f} - c:\windows\system32\minutara.dll
STS: mujuzedij: {9d6d8a27-58a3-4e04-b811-0cc7f259f8ce} - c:\windows\system32\minutara.dll
STS: kupuhivus: {160aa315-9864-4fe4-8341-a380ee18f958} - c:\windows\system32\wohubevu.dll
LSA: Notification Packages = scecli psqlpwd csspwntfy sagetumu.dll

============= SERVICES / DRIVERS ===============

R1 NEOFLTR_600_13073;Juniper Networks TDI Filter Driver (NEOFLTR_600_13073);c:\windows\system32\drivers\NEOFLTR_600_13073.sys [2008-4-30 64160]
R1 SAVRT;SAVRT;c:\program files\symantec client security\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec client security\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-6-2 185968]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2005-6-2 239216]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-6-2 161392]
R2 PrivateDisk;PrivateDisk;c:\program files\ibm thinkvantage\safeguard privatedisk\privatediskm.sys [2005-11-15 46142]
R2 smi2;smi2;c:\program files\smi2\smi2.sys [2005-12-21 3968]
R2 smihlp;SMI helper driver;c:\program files\thinkvantage fingerprint software\smihlp.sys [2005-12-8 3328]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec client security\symantec antivirus\Rtvscan.exe [2005-8-18 1730240]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20060929.017\naveng.sys [2006-9-29 79240]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20060929.017\navex15.sys [2006-9-29 828872]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-6-2 83568]
S3 SavRoam;SAVRoam;c:\program files\symantec client security\symantec antivirus\SavRoam.exe [2005-8-18 124608]

=============== Created Last 30 ================

2010-01-27 06:01:50 1 --sh--w- c:\windows\system32\regikuru.dll
2010-01-27 06:01:49 1 --sh--w- c:\windows\system32\rurafele.dll
2010-01-27 03:45:54 1 --sh--w- c:\windows\system32\hopalusa.dll
2010-01-27 03:45:54 1 --sh--w- c:\windows\system32\gapihovi.dll
2010-01-26 15:15:17 38400 --sh--w- c:\windows\system32\bevahosa.dll
2010-01-25 15:58:33 38912 --sh--w- c:\windows\system32\hevayubi.dll
2010-01-25 03:57:59 38400 --sh--w- c:\windows\system32\kowuyore.dll
2010-01-24 15:57:50 38400 --sh--w- c:\windows\system32\deniyiri.dll
2010-01-23 15:13:17 38400 --sh--w- c:\windows\system32\roweyubo.dll
2010-01-22 17:12:50 38400 --sh--w- c:\windows\system32\ponegiwu.dll
2010-01-22 05:12:32 37888 --sh--w- c:\windows\system32\tajojeti.dll
2010-01-21 17:12:07 38400 --sh--w- c:\windows\system32\rumadune.dll
2010-01-21 17:12:05 61440 --sh--w- c:\windows\system32\todusubi.dll
2010-01-21 05:12:09 38400 --sh--w- c:\windows\system32\tomeruga.dll
2010-01-20 01:46:34 39424 --sh--w- c:\windows\system32\horamufa.dll

==================== Find3M ====================

2010-01-24 15:31:37 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\basukavu.dll
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\bilebivu.dll
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\bunuzope.dll
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\busekuja.dll
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\fahazura.dll
1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\figohele.dll
1601-01-01 00:03:28 92160 --sha-w- c:\windows\system32\geyinehi.dll
1601-01-01 00:03:28 91648 --sha-w- c:\windows\system32\higawaka.dll
1601-01-01 00:03:28 1 --sha-w- c:\windows\system32\jebosupe.dll
1601-01-01 00:03:28 91136 --sha-w- c:\windows\system32\jemaluja.dll
1601-01-01 00:03:28 1 --sha-w- c:\windows\system32\jerosefo.dll
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\kagobale.dll
1601-01-01 00:03:28 94208 --sha-w- c:\windows\system32\koyovabi.dll
1601-01-01 00:03:28 1 --sha-w- c:\windows\system32\lodetulu.dll
1601-01-01 00:03:28 91648 --sha-w- c:\windows\system32\lojuvake.dll
1601-01-01 00:03:52 52224 --sha-w- c:\windows\system32\lukuduni.dll
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\mifunabi.dll
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\molugivu.dll
1601-01-01 00:03:28 49590 --sha-w- c:\windows\system32\mutipuyu.dll
1601-01-01 00:03:28 38912 --sha-w- c:\windows\system32\nasanuko.dll
1601-01-01 00:03:28 61440 --sha-w- c:\windows\system32\numimoji.dll
1601-01-01 00:03:28 91648 --sha-w- c:\windows\system32\rivesogo.dll
1601-01-01 00:03:52 52224 --sha-w- c:\windows\system32\sagetumu.dll
1601-01-01 00:03:28 91648 --sha-w- c:\windows\system32\temekatu.dll
1601-01-01 00:03:28 37888 --sha-w- c:\windows\system32\tezejito.dll
1601-01-01 00:03:28 61440 --sha-w- c:\windows\system32\toyeleno.dll
1601-01-01 00:03:28 38912 --sha-w- c:\windows\system32\werenago.dll
1601-01-01 00:03:28 52224 --sha-w- c:\windows\system32\wiwuzoza.dll
1601-01-01 00:03:28 91648 --sha-w- c:\windows\system32\wofomobu.dll
1601-01-01 00:03:28 92160 --sha-w- c:\windows\system32\yajulose.dll
1601-01-01 00:03:52 52224 --sha-w- c:\windows\system32\yamileju.dll
1601-01-01 00:03:28 1 --sha-w- c:\windows\system32\yawewune.dll
1601-01-01 00:03:28 92160 --sha-w- c:\windows\system32\yetazesu.dll
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\yozezuna.dll
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\zuwisohi.dll

============= FINISH: 15:39:50.12 ===============

**************Here are the contents of the RootRepeal scan file.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/27 15:51
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA2C80000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\RRbackups
Status: Locked to the Windows API!

Path: \\?\C:\RRbackups\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings
Status: Invisible to the Windows API!

Path: C:\RRbackups\hints.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\regcerts.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\SAM
Status: Invisible to the Windows API!

Path: C:\RRbackups\system
Status: Invisible to the Windows API!

Path: C:\RRbackups\system.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\tvt.txt
Status: Invisible to the Windows API!

Path: C:\RRbackups\usersids.dat
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\All Users
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\LocalService
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\NetworkService
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve
Status: Invisible to the Windows API!

Path: c:\windows\temp\fla6c9.tmp
Status: Allocation size mismatch (API: 1114112, Raw: 393216)

Path: c:\windows\temp\perflib_perfdata_9c0.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\perflib_perfdata_71c.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\LocalService\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\LocalService\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Steve\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Steve\Application Data
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Steve\Local Settings\Temp\~DFFDA0.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Steve\Local Settings\Temp\~DFFDAB.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Steve\Local Settings\Temp\~DF5A6A.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Steve\Local Settings\Temp\~DF5B4B.tmp
Status: Visible to the Windows API, but not on disk.

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\LocalService\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Steve\Application Data\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\ThinkVantage
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20060929.017\EraserUtilDrv10622.sys
Status: Locked to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Crypto
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\SystemCertificates
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Steve\Application Data\ThinkVantage\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Steve\Application Data\ThinkVantage\Client Security
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Steve\Desktop\Gemstar\Reference Info\Sarbanes Oxley\Final_SO_WP_2-BoardsAC.pdf:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\CREDHIST
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-1517808779-1041392943-1441970966-500
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2437969956-1193307834-3152931428-500
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security\encobject.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security\hwkeys.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security\symkeys.dat
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\CREDHIST
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-1517808779-1041392943-1441970966-500
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2437969956-1193307834-3152931428-500
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Crypto\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Crypto\RSA
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\CREDHIST
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-1517808779-1041392943-1441970966-500
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-2437969956-1193307834-3152931428-500
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\SystemCertificates\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\SystemCertificates\My
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Steve\Application Data\ThinkVantage\Client Security\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Steve\Application Data\ThinkVantage\Client Security\encobject.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\ThinkVantage\Client Security\hibernation.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\ThinkVantage\Client Security\hwkeys.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\ThinkVantage\Client Security\pwdrecovery.dat
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\ThinkVantage\Client Security\symkeys.dat
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-1517808779-1041392943-1441970966-500\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-1517808779-1041392943-1441970966-500\7aed9ae8-8e1e-440c-883e-8ce809270829
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-1517808779-1041392943-1441970966-500\Preferred
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2437969956-1193307834-3152931428-500\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2437969956-1193307834-3152931428-500\f4a669a6-d166-46be-b4e4-e7e45dd0eec5
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2437969956-1193307834-3152931428-500\Preferred
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-1517808779-1041392943-1441970966-500\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-1517808779-1041392943-1441970966-500\7aed9ae8-8e1e-440c-883e-8ce809270829
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-1517808779-1041392943-1441970966-500\Preferred
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2437969956-1193307834-3152931428-500\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2437969956-1193307834-3152931428-500\f4a669a6-d166-46be-b4e4-e7e45dd0eec5
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2437969956-1193307834-3152931428-500\Preferred
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\Certificates
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CRLs
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CTLs
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\Certificates
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CRLs
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CTLs
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\Certificates
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\CRLs
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\CTLs
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Crypto\RSA\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Crypto\RSA\S-1-5-21-3067553346-3959797651-20091421-1005
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-1517808779-1041392943-1441970966-500\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-1517808779-1041392943-1441970966-500\7aed9ae8-8e1e-440c-883e-8ce809270829
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-1517808779-1041392943-1441970966-500\Preferred
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-2437969956-1193307834-3152931428-500\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-2437969956-1193307834-3152931428-500\f4a669a6-d166-46be-b4e4-e7e45dd0eec5
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-2437969956-1193307834-3152931428-500\Preferred
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\91319be4-cbd1-4c03-89e6-bd20650ed758
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\1318e188-ac71-42d0-9995-421ac02916e3
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\1bf49682-e414-40dd-9164-d09181d31caf
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\1e50cb42-e56f-4cce-a30f-616c78f46a7d
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\3d1be575-7dbb-49bc-bebc-c9f043d650a7
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\52b242bc-b4f0-406b-94c3-605dfbd51875
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\6496e87e-5e7a-4f08-a2da-c1e7e804e342
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\89bf3772-11a6-4948-8b2c-a952c079753a
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\97383380-bc06-4968-a1ee-36669c766891
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\98cbc655-eb99-4a8f-959f-8cdbc4d712f5
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\a8e0e6aa-b226-4a67-93a9-6b372e97fc09
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\c2280830-09cb-4074-a07f-11cc915bb52b
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\c680630c-7ff0-473e-87af-b9792121acaa
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\ddb0c548-d0d0-4a5a-9f49-d659bcb0d684
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\e48285bf-c0bb-4504-88e0-1164c2dd82c2
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\ff4313a4-e409-438c-bc3c-61b7bb921de6
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\Preferred
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\SystemCertificates\My\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\SystemCertificates\My\Certificates
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\SystemCertificates\My\CRLs
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\SystemCertificates\My\CTLs
Status: Invisible to the Windows API!

Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: \\?\C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: \\?\C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0069f8404dc30d079a420daa017b5ab2_b6969d92-50ce-4ca5-aebe-f653240ae797
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0e8fd505887b135fb4aebaf46d679e33_b6969d92-50ce-4ca5-aebe-f653240ae797
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0f58a7887694bfd6fee25f3995f25555_b6969d92-50ce-4ca5-aebe-f653240ae797
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0fe03730b928cfe66a8c448ead25599f_b6969d92-50ce-4ca5-aebe-f653240ae797
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1abe86fcba5308ae933dff8e5b6e22fa_b6969d92-50ce-4ca5-aebe-f653240ae797
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1d2ef8b2ec07f14a57b2bf541797bd46_b6969d92-50ce-4ca5-aebe-f653240ae797
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3044af4048d0fefc4d8648ef354867f0_b6969d92-50ce-4ca5-aebe-f653240ae797
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3716b551aa4ca399b0a24d7c40032e75_b6969d92-50ce-4ca5-aebe-f653240ae797
Status: Invisible to the Windows API!

Path: C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\374cb7c1087e6fe173701f7a9331d50b_b6969d92-50ce-4ca5-aebe-f653240ae797
Status: Invisible to the Windows API!

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8964e560

==EOF==


I thank you for your time and effort and eagerly await your reply.

Best to you,

Steve
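A small triage script for the RootRepeal output above, added here as an example (it is not part of this thread or of RootRepeal's own tooling): it parses the Path/Status pairs and the SSDT section, counts entries by status, and separates hidden entries under C:\RRbackups from hidden entries elsewhere and from SSDT hooks owned by an unknown module. Assumptions: C:\RRbackups is Lenovo Rescue and Recovery's filter-protected backup area (consistent with rrservice.exe running in the DDS log), and the sample report is constructed from the same line shapes with one made-up hidden driver path so the check has something to flag.

```python
"""Triage a RootRepeal-style report: 'Path:/Status:' file records and SSDT hooks.

Added example, not code from this thread or from RootRepeal. The record
formats mirror the posted log; the C:\\RRbackups allow-list and the sample
driver path are assumptions made for this example.
"""
import re
from collections import Counter

PATH_RE = re.compile(r"^Path:\s*(.+?)\s*$")
STATUS_RE = re.compile(r"^Status:\s*(.+?)\s*$")
SSDT_RE = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)")
HOOK_RE = re.compile(r'^Hooked by "([^"]*)" at address (0x[0-9A-Fa-f]+)')

# Assumption: Lenovo Rescue and Recovery stores backups under C:\RRbackups and
# shields them with a filter driver, so "invisible" entries there are expected.
# 0x00000005 in the "Could not enumerate" status is ERROR_ACCESS_DENIED.
EXPECTED_HIDDEN_ROOT = "c:\\rrbackups\\"

# Constructed sample in the shape of the posted log. The .sys entry is made up
# so the "unexpected hidden file" check has something to flag.
SAMPLE_REPORT = r"""
Path: \\?\C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Crypto\*
Status: Could not enumerate files with the Windows API (0x00000005)!

Path: C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Crypto\RSA
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Steve\Desktop\example.pdf:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\drivers\constructed_example.sys
Status: Invisible to the Windows API!

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8964e560

==EOF==
"""


def parse_report(text):
    """Return (file_records, ssdt_hooks); each file record is (path, status)."""
    files, hooks = [], []
    pending_path = None   # "Path:" seen, waiting for its "Status:" line
    pending_fn = None     # SSDT entry seen, waiting for its "Status:" line
    for raw in text.splitlines():
        line = raw.strip()
        m = PATH_RE.match(line)
        if m:
            pending_path = m.group(1)
            continue
        m = SSDT_RE.match(line)
        if m:
            pending_fn = (int(m.group(1)), m.group(2))
            continue
        m = STATUS_RE.match(line)
        if not m:
            continue   # section headers, rules, ==EOF== and blank lines
        status = m.group(1)
        if pending_path is not None:
            files.append((pending_path, status))
            pending_path = None
        elif pending_fn is not None:
            index, func = pending_fn
            h = HOOK_RE.match(status)
            hooks.append({
                "index": index,
                "function": func,
                "module": h.group(1) if h else None,
                "address": h.group(2) if h else None,
                "raw": status,
            })
            pending_fn = None
    return files, hooks


def is_expected_hidden(path):
    """True when the path lies in the area we expect to be filter-protected."""
    p = path.lower()
    if p.startswith("\\\\?\\"):       # strip the extended-length prefix
        p = p[4:]
    return p.startswith(EXPECTED_HIDDEN_ROOT)


def triage(text):
    """Summarise a report: status counts plus the entries worth a closer look."""
    files, hooks = parse_report(text)
    return {
        "status_counts": dict(Counter(status for _, status in files)),
        "unexpected_hidden": [p for p, s in files
                              if s.startswith("Invisible") and not is_expected_hidden(p)],
        "visible_not_on_disk": [p for p, s in files if "not on disk" in s],
        "unknown_ssdt_hooks": [h for h in hooks
                               if h["module"] in (None, "<unknown>")],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Entries that survive the allow-list (a hidden file outside the backup area, or a kernel service hooked by a module the tool cannot name) are the ones to hand to the helper, not proof of infection on their own.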


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,633 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:08:58 AM

Posted 04 February 2010 - 09:39 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log

Please do NOT post logs as attachments, unless you are unable to copy/paste a log directly in the reply box.


Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Malware analyst @ Emsisoft

 



#3 j.s.nelson

j.s.nelson
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:10:58 PM

Posted 05 February 2010 - 04:38 PM

Hi Elise. Thank you for getting back to me. I'm experiencing the same issues as discussed in the previous post. As a further note, so long as I remain disconnected from the internet, my computer seems to function fine except in running the GMER application. It took me about 15 attempts, but I was finally able to copy the log information from the scan. Running the GMER scan seemed to trigger my system to shut down, after which I received a number of blue screen error messages such as "PAGE FAULT IN NONPAGE AREA". On a few occasions after GMER completed the scan, my system became non-responsive in attempting to save the results and I had to power off the computer to reboot. At any rate, the first step is to eliminate the malware. Below is the log information from the DDS scan and GMER scan. Attached is the other DDS file.

Thank you,

Steve

DDS LOG INFO:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Steve at 9:38:11.18 on Thu 02/04/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1534.846 [GMT -8:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\pwmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Steve\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
uSearch Page = hxxp://www.google.com
uWindow Title = Windows Internet Explorer provided by Yahoo!
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_08\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Browser Helper Object: {afd4ad01-58c1-47db-a404-fbe00a6c5486} - c:\program files\shared\lib.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Microsoft Location Finder] "c:\program files\microsoft location finder\LocationFinder.exe"
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [suScheduler] c:\program files\thinkvantage\systemupdate\UCLauncher.exe /SCHEDULER
mRun: [LPManager] c:\progra~1\thinkv~2\prdctr\LPMGR.exe
mRun: [AMSG] c:\program files\thinkvantage\amsg\Amsg.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\symant~2\VPTray.exe
mRun: [cssauth] "c:\program files\ibm thinkvantage\client security solution\cssauth.exe" silent
mRun: [PDService.exe] "c:\program files\ibm thinkvantage\safeguard privatedisk\pdservice.exe"
mRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [RCHotKey] "c:\program files\ringcentral\ringcentral call controller\RCHotKey.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_08\bin\jusched.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 4.0\apdproxy.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [huyoroyul] Rundll32.exe "c:\windows\system32\wohubevu.dll",a
StartupFolder: c:\docume~1\steve\startm~1\programs\startup\virtua~1.lnk - c:\windows\system32\virtualexpander\VirtualExpander.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Send To &Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_08\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: schwab.com\remote
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {EE85A9FD-6E52-4227-BB82-D46A660690EA} - hxxps://service.ringcentral.com/ActiveX/RCAXSetup.cab
Filter: text/html - {230feeb7-f3c2-4a70-8ecb-926c3f9a29b2} - c:\windows\batmeter16.dll
Notify: ACNotify - ACNotify.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: psfus - psqlpwd.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\windows\system32\bodonope.dll lukuduni.dll c:\windows\system32\minutara.dll c:\windows\system32\hazetosi.dll c:\windows\system32\keyipole.dll c:\windows\system32\wohubevu.dll
SSODL: keyiwelot - {399b8868-a6a0-4f16-a80a-7ee50b42ccc1} - c:\windows\system32\bodonope.dll
SSODL: zufezoweh - {5e819f80-cc68-4dad-8fd0-ac2b9bca0e4f} - c:\windows\system32\minutara.dll
SSODL: peburadib - {9d6d8a27-58a3-4e04-b811-0cc7f259f8ce} - c:\windows\system32\minutara.dll
SSODL: tupavutod - {160aa315-9864-4fe4-8341-a380ee18f958} - c:\windows\system32\wohubevu.dll
STS: mujuzedij: {399b8868-a6a0-4f16-a80a-7ee50b42ccc1} - c:\windows\system32\bodonope.dll
STS: kupuhivus: {5e819f80-cc68-4dad-8fd0-ac2b9bca0e4f} - c:\windows\system32\minutara.dll
STS: mujuzedij: {9d6d8a27-58a3-4e04-b811-0cc7f259f8ce} - c:\windows\system32\minutara.dll
STS: kupuhivus: {160aa315-9864-4fe4-8341-a380ee18f958} - c:\windows\system32\wohubevu.dll
LSA: Notification Packages = scecli psqlpwd csspwntfy sagetumu.dll

============= SERVICES / DRIVERS ===============

R1 NEOFLTR_600_13073;Juniper Networks TDI Filter Driver (NEOFLTR_600_13073);c:\windows\system32\drivers\NEOFLTR_600_13073.sys [2008-4-30 64160]
R1 SAVRT;SAVRT;c:\program files\symantec client security\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec client security\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-6-2 185968]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2005-6-2 239216]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-6-2 161392]
R2 PrivateDisk;PrivateDisk;c:\program files\ibm thinkvantage\safeguard privatedisk\privatediskm.sys [2005-11-15 46142]
R2 smi2;smi2;c:\program files\smi2\smi2.sys [2005-12-21 3968]
R2 smihlp;SMI helper driver;c:\program files\thinkvantage fingerprint software\smihlp.sys [2005-12-8 3328]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec client security\symantec antivirus\Rtvscan.exe [2005-8-18 1730240]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20060929.017\naveng.sys [2006-9-29 79240]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20060929.017\navex15.sys [2006-9-29 828872]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-6-2 83568]
S3 SavRoam;SAVRoam;c:\program files\symantec client security\symantec antivirus\SavRoam.exe [2005-8-18 124608]

=============== Created Last 30 ================

2010-01-27 06:01:50 1 --sh--w- c:\windows\system32\regikuru.dll
2010-01-27 06:01:49 1 --sh--w- c:\windows\system32\rurafele.dll
2010-01-27 03:45:54 1 --sh--w- c:\windows\system32\hopalusa.dll
2010-01-27 03:45:54 1 --sh--w- c:\windows\system32\gapihovi.dll
2010-01-26 15:15:17 38400 --sh--w- c:\windows\system32\bevahosa.dll
2010-01-25 15:58:33 38912 --sh--w- c:\windows\system32\hevayubi.dll
2010-01-25 03:57:59 38400 --sh--w- c:\windows\system32\kowuyore.dll
2010-01-24 15:57:50 38400 --sh--w- c:\windows\system32\deniyiri.dll
2010-01-23 15:13:17 38400 --sh--w- c:\windows\system32\roweyubo.dll
2010-01-22 17:12:50 38400 --sh--w- c:\windows\system32\ponegiwu.dll
2010-01-22 05:12:32 37888 --sh--w- c:\windows\system32\tajojeti.dll
2010-01-21 17:12:07 38400 --sh--w- c:\windows\system32\rumadune.dll
2010-01-21 17:12:05 61440 --sh--w- c:\windows\system32\todusubi.dll
2010-01-21 05:12:09 38400 --sh--w- c:\windows\system32\tomeruga.dll
2010-01-20 01:46:34 39424 --sh--w- c:\windows\system32\horamufa.dll

==================== Find3M ====================

2010-02-01 00:25:30 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\basukavu.dll
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\bilebivu.dll
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\bunuzope.dll
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\busekuja.dll
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\fahazura.dll
1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\figohele.dll
1601-01-01 00:03:28 92160 --sha-w- c:\windows\system32\geyinehi.dll
1601-01-01 00:03:28 91648 --sha-w- c:\windows\system32\higawaka.dll
1601-01-01 00:03:28 1 --sha-w- c:\windows\system32\jebosupe.dll
1601-01-01 00:03:28 91136 --sha-w- c:\windows\system32\jemaluja.dll
1601-01-01 00:03:28 1 --sha-w- c:\windows\system32\jerosefo.dll
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\kagobale.dll
1601-01-01 00:03:28 94208 --sha-w- c:\windows\system32\koyovabi.dll
1601-01-01 00:03:28 1 --sha-w- c:\windows\system32\lodetulu.dll
1601-01-01 00:03:28 91648 --sha-w- c:\windows\system32\lojuvake.dll
1601-01-01 00:03:52 52224 --sha-w- c:\windows\system32\lukuduni.dll
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\mifunabi.dll
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\molugivu.dll
1601-01-01 00:03:28 49590 --sha-w- c:\windows\system32\mutipuyu.dll
1601-01-01 00:03:28 38912 --sha-w- c:\windows\system32\nasanuko.dll
1601-01-01 00:03:28 61440 --sha-w- c:\windows\system32\numimoji.dll
1601-01-01 00:03:28 91648 --sha-w- c:\windows\system32\rivesogo.dll
1601-01-01 00:03:52 52224 --sha-w- c:\windows\system32\sagetumu.dll
1601-01-01 00:03:28 91648 --sha-w- c:\windows\system32\temekatu.dll
1601-01-01 00:03:28 37888 --sha-w- c:\windows\system32\tezejito.dll
1601-01-01 00:03:28 61440 --sha-w- c:\windows\system32\toyeleno.dll
1601-01-01 00:03:28 38912 --sha-w- c:\windows\system32\werenago.dll
1601-01-01 00:03:28 52224 --sha-w- c:\windows\system32\wiwuzoza.dll
1601-01-01 00:03:28 91648 --sha-w- c:\windows\system32\wofomobu.dll
1601-01-01 00:03:28 92160 --sha-w- c:\windows\system32\yajulose.dll
1601-01-01 00:03:52 52224 --sha-w- c:\windows\system32\yamileju.dll
1601-01-01 00:03:28 1 --sha-w- c:\windows\system32\yawewune.dll
1601-01-01 00:03:28 92160 --sha-w- c:\windows\system32\yetazesu.dll
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\yozezuna.dll
1601-01-01 00:03:28 38400 --sha-w- c:\windows\system32\zuwisohi.dll

============= FINISH: 9:40:37.48 ===============


GMER LOG INFO:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-05 13:00:23
Windows 5.1.2600 Service Pack 2
Running: 4jmtl077.exe; Driver: C:\DOCUME~1\Steve\LOCALS~1\Temp\kxkcipog.sys


---- System - GMER 1.0.15 ----

SSDT 8965EF28 ZwConnectPort

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\iaStor.sys entry point in ".rsrc" section [0xB9ED4D24]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[992] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00D7000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip NEOFLTR_600_13073.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp NEOFLTR_600_13073.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp NEOFLTR_600_13073.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp NEOFLTR_600_13073.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device -> \Driver\iaStor \Device\Harddisk0\DR0 8A427856

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\859A1AB1BBB41BA4B9668CC6CE6661BC\Usage@Rtvscan_lic 1011202826

---- Files - GMER 1.0.15 ----

File C:\RRbackups\Documents and Settings 0 bytes
File C:\RRbackups\Documents and Settings\Administrator 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-1517808779-1041392943-1441970966-500 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-1517808779-1041392943-1441970966-500\7aed9ae8-8e1e-440c-883e-8ce809270829 388 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-1517808779-1041392943-1441970966-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2437969956-1193307834-3152931428-500 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2437969956-1193307834-3152931428-500\f4a669a6-d166-46be-b4e4-e7e45dd0eec5 388 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2437969956-1193307834-3152931428-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\All Users 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\42e7e898003fbdeb9585806ee1664b51_b6969d92-50ce-4ca5-aebe-f653240ae797 57 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\8f71098770f72c7a67cd8f1151619865_b6969d92-50ce-4ca5-aebe-f653240ae797 54 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\d42cc0c3858a58db2db37658219e6400_b6969d92-50ce-4ca5-aebe-f653240ae797 893 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security\encobject.dat 1608 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security\hwkeys.dat 4248 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security\symkeys.dat 656 bytes
File C:\RRbackups\Documents and Settings\Default User 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-1517808779-1041392943-1441970966-500 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-1517808779-1041392943-1441970966-500\7aed9ae8-8e1e-440c-883e-8ce809270829 388 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-1517808779-1041392943-1441970966-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2437969956-1193307834-3152931428-500 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2437969956-1193307834-3152931428-500\f4a669a6-d166-46be-b4e4-e7e45dd0eec5 388 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2437969956-1193307834-3152931428-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\LocalService 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\Steve 0 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Crypto\RSA\S-1-5-21-3067553346-3959797651-20091421-1005 0 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Crypto\RSA\S-1-5-21-3067553346-3959797651-20091421-1005\08dc74d04d0c814cb3db0258ea52253f_b6969d92-50ce-4ca5-aebe-f653240ae797 46 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Crypto\RSA\S-1-5-21-3067553346-3959797651-20091421-1005\533145ef011ddf5ca3983e2545a902b4_b6969d92-50ce-4ca5-aebe-f653240ae797 2075 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Crypto\RSA\S-1-5-21-3067553346-3959797651-20091421-1005\6b29ae44e85efac3c72ff4d1865d73f1_b6969d92-50ce-4ca5-aebe-f653240ae797 53 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Crypto\RSA\S-1-5-21-3067553346-3959797651-20091421-1005\8f71098770f72c7a67cd8f1151619865_b6969d92-50ce-4ca5-aebe-f653240ae797 54 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\CREDHIST 160 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-1517808779-1041392943-1441970966-500 0 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-1517808779-1041392943-1441970966-500\7aed9ae8-8e1e-440c-883e-8ce809270829 388 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-1517808779-1041392943-1441970966-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-2437969956-1193307834-3152931428-500 0 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-2437969956-1193307834-3152931428-500\f4a669a6-d166-46be-b4e4-e7e45dd0eec5 388 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-2437969956-1193307834-3152931428-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005 0 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\91319be4-cbd1-4c03-89e6-bd20650ed758 388 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\1318e188-ac71-42d0-9995-421ac02916e3 388 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\1bf49682-e414-40dd-9164-d09181d31caf 388 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\1e50cb42-e56f-4cce-a30f-616c78f46a7d 388 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\3d1be575-7dbb-49bc-bebc-c9f043d650a7 388 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\52b242bc-b4f0-406b-94c3-605dfbd51875 388 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\6496e87e-5e7a-4f08-a2da-c1e7e804e342 388 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\89bf3772-11a6-4948-8b2c-a952c079753a 388 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\97383380-bc06-4968-a1ee-36669c766891 388 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\98cbc655-eb99-4a8f-959f-8cdbc4d712f5 388 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\a8e0e6aa-b226-4a67-93a9-6b372e97fc09 388 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\c2280830-09cb-4074-a07f-11cc915bb52b 388 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\c680630c-7ff0-473e-87af-b9792121acaa 388 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\ddb0c548-d0d0-4a5a-9f49-d659bcb0d684 388 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\e48285bf-c0bb-4504-88e0-1164c2dd82c2 388 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\ff4313a4-e409-438c-bc3c-61b7bb921de6 388 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\Protect\S-1-5-21-3067553346-3959797651-20091421-1005\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\ThinkVantage 0 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\ThinkVantage\Client Security 0 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\ThinkVantage\Client Security\encobject.dat 8040 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\ThinkVantage\Client Security\hibernation.dat 4 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\ThinkVantage\Client Security\hwkeys.dat 6372 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\ThinkVantage\Client Security\pwdrecovery.dat 1104 bytes
File C:\RRbackups\Documents and Settings\Steve\Application Data\ThinkVantage\Client Security\symkeys.dat 2624 bytes
File C:\RRbackups\hints.dat 8192 bytes
File C:\RRbackups\regcerts.dat 8192 bytes
File C:\RRbackups\SAM 262144 bytes
File C:\RRbackups\system 8912896 bytes
File C:\RRbackups\system.dat 12288 bytes
File C:\RRbackups\tvt.txt 9050 bytes
File C:\RRbackups\usersids.dat 16640 bytes
File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

#4 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,633 posts, Location: Romania)

Posted 06 February 2010 - 07:21 AM

Hello j.s.nelson,

That's a looooot of Vundo combined with a rootkit. Although we should be able to clean this without too many problems, please consider the following first.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

Malware analyst @ Emsisoft


#5 j.s.nelson (Topic Starter, Members, 18 posts)

Posted 06 February 2010 - 05:38 PM

Hi Elise, Thanks for the warnings. I proceeded with the clean up, then will not use this PC for anything of a confidential nature. I may reformat the OS at a later date. Here is a log of the scan. Please advise next steps.

Steve


ComboFix 10-02-05.04 - Steve 02/06/2010 14:23:18.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1534.922 [GMT -8:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Shared
c:\windows\system32\minutara.dll
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
c:\program files\Shared\lib.dll
c:\program files\Shared\lib.sig
c:\windows\BA_00001.dll
c:\windows\EventSystem.log
c:\windows\system32\bevahosa.dll
c:\windows\system32\bilebivu.dll
c:\windows\system32\bunuzope.dll
c:\windows\system32\busekuja.dll
c:\windows\system32\deniyiri.dll
c:\windows\system32\fahazura.dll
c:\windows\system32\gapihovi.dll
c:\windows\system32\hevayubi.dll
c:\windows\system32\hopalusa.dll
c:\windows\system32\jebosupe.dll
c:\windows\system32\jerosefo.dll
c:\windows\system32\kagobale.dll
c:\windows\system32\kowuyore.dll
c:\windows\system32\lodetulu.dll
c:\windows\system32\lukuduni.dll
c:\windows\system32\mifunabi.dll
c:\windows\system32\minutara.dll
c:\windows\system32\molugivu.dll
c:\windows\system32\nasanuko.dll
c:\windows\system32\ponegiwu.dll
c:\windows\system32\regikuru.dll
c:\windows\system32\roweyubo.dll
c:\windows\system32\rumadune.dll
c:\windows\system32\rurafele.dll
c:\windows\system32\sagetumu.dll
c:\windows\system32\tajojeti.dll
c:\windows\system32\tezejito.dll
c:\windows\system32\todusubi.dll
c:\windows\system32\tomeruga.dll
c:\windows\system32\werenago.dll
c:\windows\system32\yawewune.dll
c:\windows\system32\yozezuna.dll
c:\windows\system32\zuwisohi.dll
c:\windows\Tasks\qsbzfgej.job

.
((((((((((((((((((((((((( Files Created from 2010-01-06 to 2010-02-06 )))))))))))))))))))))))))))))))
.

2010-01-25 04:42 . 2010-01-25 04:42 -------- d-----w- c:\documents and settings\Steve\Local Settings\Application Data\Yahoo!
2010-01-23 04:52 . 2010-01-23 04:52 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2010-01-21 00:24 . 2010-01-21 00:24 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-20 01:46 . 2010-01-20 01:46 39424 --sh--w- c:\windows\system32\horamufa.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-06 22:16 . 2006-04-30 03:59 40 ----a-w- c:\windows\system32\profile.dat
2010-02-01 00:25 . 2006-04-30 04:06 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2010-01-23 17:43 . 2009-10-18 04:22 -------- d-----w- c:\program files\Bonjour
2010-01-20 16:00 . 2006-04-30 03:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-10 05:19 . 2006-04-30 03:41 21275 ----a-w- c:\windows\system32\drivers\AegisP.sys
1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\system32\basukavu.dll
1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\system32\figohele.dll
1601-01-01 00:03 . 1601-01-01 00:03 92160 --sha-w- c:\windows\system32\geyinehi.dll
1601-01-01 00:03 . 1601-01-01 00:03 91648 --sha-w- c:\windows\system32\higawaka.dll
1601-01-01 00:03 . 1601-01-01 00:03 91136 --sha-w- c:\windows\system32\jemaluja.dll
1601-01-01 00:03 . 1601-01-01 00:03 94208 --sha-w- c:\windows\system32\koyovabi.dll
1601-01-01 00:03 . 1601-01-01 00:03 91648 --sha-w- c:\windows\system32\lojuvake.dll
1601-01-01 00:03 . 1601-01-01 00:03 49590 --sha-w- c:\windows\system32\mutipuyu.dll
1601-01-01 00:03 . 1601-01-01 00:03 61440 --sha-w- c:\windows\system32\numimoji.dll
1601-01-01 00:03 . 1601-01-01 00:03 91648 --sha-w- c:\windows\system32\rivesogo.dll
1601-01-01 00:03 . 1601-01-01 00:03 91648 --sha-w- c:\windows\system32\temekatu.dll
1601-01-01 00:03 . 1601-01-01 00:03 61440 --sha-w- c:\windows\system32\toyeleno.dll
1601-01-01 00:03 . 1601-01-01 00:03 52224 --sha-w- c:\windows\system32\wiwuzoza.dll
1601-01-01 00:03 . 1601-01-01 00:03 91648 --sha-w- c:\windows\system32\wofomobu.dll
1601-01-01 00:03 . 1601-01-01 00:03 92160 --sha-w- c:\windows\system32\yajulose.dll
1601-01-01 00:03 . 1601-01-01 00:03 52224 --sha-w- c:\windows\system32\yamileju.dll
1601-01-01 00:03 . 1601-01-01 00:03 92160 --sha-w- c:\windows\system32\yetazesu.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4de43306-6d37-42f9-abb3-55eee7027762}]
1601-01-01 00:03 52224 --sha-w- c:\windows\system32\yamileju.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VirtualExpanderFile.1]
@="{E4000AC4-5E5F-4956-807A-C5854405D64F}"
[HKEY_CLASSES_ROOT\CLSID\{E4000AC4-5E5F-4956-807A-C5854405D64F}]
2007-01-03 04:34 73728 ----a-w- c:\windows\system32\VirtualExpander\VEShellExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2005-08-25 101080]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 313472]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-09-15 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-09-15 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 864256]
"TpShocks"="TpShocks.exe" [2005-11-07 106496]
"TP4EX"="tp4ex.exe" [2005-10-17 65536]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2005-11-17 237568]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-03-09 94208]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-12-15 925696]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"suScheduler"="c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-02 40960]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2006-01-25 106496]
"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2005-11-14 487424]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-01 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe" [2005-08-19 85696]
"cssauth"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauth.exe" [2005-12-22 1996336]
"PDService.exe"="c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe" [2005-11-15 49152]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2005-10-28 335872]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-29 196696]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-04-30 169472]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-04-17 409600]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-04-17 98304]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 151552]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-12-07 208896]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-13 483328]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 49263]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-16 57344]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-18 188416]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

c:\documents and settings\Steve\Start Menu\Programs\Startup\
VirtualExpander.lnk - c:\windows\system32\VirtualExpander\VirtualExpander.exe [2007-1-2 434176]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-6-3 25214]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-29 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2005-12-08 21:59 39936 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 06:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 03:16 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Acrobat\\acrobat_sl.exe"=
"c:\\Program Files\\ThinkPad\\ConnectUtilities\\ACTray.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Acrobat\\AdobeUpdateManager.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 4.0\\apdproxy.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\ThinkPad\\Bluetooth Software\\BTTray.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.exe"=
"c:\\Program Files\\Digital Line Detect\\DLG.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\EvtEng.exe"=
"c:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktopDisplay.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"=
"c:\\Program Files\\Symantec Client Security\\Symantec Client Firewall\\ISSVC.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Location Finder\\LocationFinder.exe"=
"c:\\Program Files\\Maxtor\\OneTouch Status\\MaxMenuMgr.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=
"c:\\Program Files\\IBM ThinkVantage\\Client Security Solution\\pwmgr.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\S24EvMon.exe"=
"c:\\Program Files\\Yahoo!\\Search Protection\\SearchProtection.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\Microsoft SQL Server\\80\\Tools\\Binn\\sqlmangr.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"=
"c:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\VirtualExpander\\VirtualExpander.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\SNDSrvc.exe"=
"c:\\Program Files\\Symantec Client Security\\Symantec AntiVirus\\DefWatch.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\RegSrvc.exe"=
"c:\\Program Files\\ThinkPad\\ConnectUtilities\\SvcGuiHlpr.exe"=

R1 NEOFLTR_600_13073;Juniper Networks TDI Filter Driver (NEOFLTR_600_13073);c:\windows\system32\drivers\NEOFLTR_600_13073.sys [4/30/2008 11:54 AM 64160]
R2 PrivateDisk;PrivateDisk;c:\program files\IBM ThinkVantage\SafeGuard PrivateDisk\privatediskm.sys [11/15/2005 12:11 PM 46142]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [12/21/2005 3:45 PM 3968]
R2 smihlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [12/8/2005 1:44 PM 3328]
S3 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [8/18/2005 4:22 PM 124608]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrv10622
.
Contents of the 'Scheduled Tasks' folder

2010-01-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]

2010-02-06 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-04-30 08:12]

2006-06-03 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-04-30 00:32]

2010-02-06 c:\windows\Tasks\User_Feed_Synchronization-{0299AEE1-FA5A-4302-8809-A9FF41AD52C6}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Send To &Bluetooth - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: schwab.com\remote
DPF: {EE85A9FD-6E52-4227-BB82-D46A660690EA} - hxxps://service.ringcentral.com/ActiveX/RCAXSetup.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - c:\program files\Shared\lib.dll
HKLM-Run-RCHotKey - c:\program files\RingCentral\RingCentral Call Controller\RCHotKey.exe
HKLM-Run-huyoroyul - c:\windows\system32\wohubevu.dll
HKLM-Run-yevuzudopa - sagetumu.dll
SharedTaskScheduler-{399b8868-a6a0-4f16-a80a-7ee50b42ccc1} - c:\windows\system32\bodonope.dll
SharedTaskScheduler-{5e819f80-cc68-4dad-8fd0-ac2b9bca0e4f} - c:\windows\system32\minutara.dll
SharedTaskScheduler-{9d6d8a27-58a3-4e04-b811-0cc7f259f8ce} - c:\windows\system32\minutara.dll
SharedTaskScheduler-{160aa315-9864-4fe4-8341-a380ee18f958} - c:\windows\system32\wohubevu.dll
SSODL-keyiwelot-{399b8868-a6a0-4f16-a80a-7ee50b42ccc1} - c:\windows\system32\bodonope.dll
SSODL-zufezoweh-{5e819f80-cc68-4dad-8fd0-ac2b9bca0e4f} - c:\windows\system32\minutara.dll
SSODL-peburadib-{9d6d8a27-58a3-4e04-b811-0cc7f259f8ce} - c:\windows\system32\minutara.dll
SSODL-tupavutod-{160aa315-9864-4fe4-8341-a380ee18f958} - c:\windows\system32\wohubevu.dll
Notify-ACNotify - ACNotify.dll



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\vrlogon.dll
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\windows\system32\tphklock.dll
c:\program files\ThinkVantage Fingerprint Software\crypto.dll

- - - - - - - > 'lsass.exe'(756)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
.
Completion time: 2010-02-06 14:29:14
ComboFix-quarantined-files.txt 2010-02-06 22:29

Pre-Run: 34,654,781,440 bytes free
Post-Run: 34,612,609,024 bytes free

- - End Of File - - 04DFEA59372C6A018928A410B99E059D


#6 Elise (Bleepin' Blonde; Malware Study Hall Admin; 61,633 posts; Gender: Female; Location: Romania; Local time: 08:58 AM)

Posted 07 February 2010 - 05:03 AM

Hello j.s.nelson,

Can you please let me know if you are still getting redirected?

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and, in the box that opens, type notepad and press Enter. Copy/paste the text in the codebox below into it:
CODE
File::
c:\windows\system32\horamufa.dll
c:\windows\system32\basukavu.dll
c:\windows\system32\figohele.dll
c:\windows\system32\geyinehi.dll
c:\windows\system32\higawaka.dll
c:\windows\system32\jemaluja.dll
c:\windows\system32\koyovabi.dll
c:\windows\system32\lojuvake.dll
c:\windows\system32\mutipuyu.dll
c:\windows\system32\numimoji.dll
c:\windows\system32\rivesogo.dll
c:\windows\system32\temekatu.dll
c:\windows\system32\toyeleno.dll
c:\windows\system32\wiwuzoza.dll
c:\windows\system32\wofomobu.dll
c:\windows\system32\yajulose.dll
c:\windows\system32\yamileju.dll
c:\windows\system32\yetazesu.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4de43306-6d37-42f9-abb3-55eee7027762}]

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


In your next reply, please include the following:
  • Combofix.txt

Edited by elise025, 07 February 2010 - 05:04 AM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif
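The ComboFix output posted above and the CFScript Elise builds from it are two sides of one step: read the load-point lines, decide which DLLs belong to the infection, and list them under File::. The script below is an added example for this thread, not ComboFix's own code and not from any post. It parses the SharedTaskScheduler/SSODL/Notify lines, flags entries with a heuristic that is an assumption drawn from the names in this particular log (DLL and value names of 8-9 lowercase letters that strictly alternate consonant and vowel, plus a CLSID reused across more than one load point), and drafts the File:: section in the syntax used in the post above. The output is a draft for a helper to review, not a replacement for their judgement. The sample input is the eight load-point lines from the ComboFix log above.

```python
r"""Triage ComboFix load-point lines and draft the File:: section of a CFScript.

Added example for this thread; it is not ComboFix code and is not from the
posts.  Input is the block of SharedTaskScheduler / SSODL / Notify lines
ComboFix prints, e.g.
    SSODL-keyiwelot-{399b8868-...} - c:\windows\system32\bodonope.dll
Heuristic (an assumption drawn from the names in this log, not a ComboFix
rule): the injected DLLs and the SSODL value names are 8-9 lowercase letters
that strictly alternate consonant/vowel.  A CLSID registered under more than
one load point is a second signal.  Review the draft before using it.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<point>SharedTaskScheduler|SSODL|Notify)"
    r"(?:-(?P<value>[^-{\s]+))?"              # SSODL/Notify carry a value name
    r"(?:-(?P<clsid>\{[0-9a-fA-F-]{36}\}))?"  # STS/SSODL carry a CLSID
    r" - (?P<path>.+?)\s*$"
)
VOWELS = set("aeiou")


def looks_generated(name):
    """8-9 lowercase ASCII letters, consonant/vowel strictly alternating, consonant first."""
    if not (8 <= len(name) <= 9) or not name.isascii() or not name.isalpha() or not name.islower():
        return False
    return all((ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(name))


def parse_loadpoints(text):
    """ComboFix load-point lines -> list of dicts (point, value, clsid, path, stem)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["stem"] = e["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            entries.append(e)
    return entries


def triage_loadpoints(text):
    """Map each suspicious DLL path (lowercased) to the set of reasons it was flagged."""
    entries = parse_loadpoints(text)
    points_by_clsid = defaultdict(set)
    for e in entries:
        if e["clsid"]:
            points_by_clsid[e["clsid"].lower()].add(e["point"])
    suspects = {}
    for e in entries:
        reasons = set()
        if looks_generated(e["stem"]):
            reasons.add("DLL name looks machine-generated")
        if e["value"] and looks_generated(e["value"]):
            reasons.add("load-point value name looks machine-generated")
        if e["clsid"] and len(points_by_clsid[e["clsid"].lower()]) > 1:
            reasons.add("same CLSID registered under "
                        + "+".join(sorted(points_by_clsid[e["clsid"].lower()])))
        if reasons:
            suspects.setdefault(e["path"].lower(), set()).update(reasons)
    return suspects


def cfscript_files(suspects):
    """Draft the File:: section in the CFScript syntax used in this thread (one path per line)."""
    return "File::\n" + "\n".join(sorted(suspects)) + "\n"


# Load-point lines copied from the ComboFix log posted above, used as offline input.
SAMPLE_COMBOFIX = r"""SharedTaskScheduler-{5e819f80-cc68-4dad-8fd0-ac2b9bca0e4f} - c:\windows\system32\minutara.dll
SharedTaskScheduler-{9d6d8a27-58a3-4e04-b811-0cc7f259f8ce} - c:\windows\system32\minutara.dll
SharedTaskScheduler-{160aa315-9864-4fe4-8341-a380ee18f958} - c:\windows\system32\wohubevu.dll
SSODL-keyiwelot-{399b8868-a6a0-4f16-a80a-7ee50b42ccc1} - c:\windows\system32\bodonope.dll
SSODL-zufezoweh-{5e819f80-cc68-4dad-8fd0-ac2b9bca0e4f} - c:\windows\system32\minutara.dll
SSODL-peburadib-{9d6d8a27-58a3-4e04-b811-0cc7f259f8ce} - c:\windows\system32\minutara.dll
SSODL-tupavutod-{160aa315-9864-4fe4-8341-a380ee18f958} - c:\windows\system32\wohubevu.dll
Notify-ACNotify - ACNotify.dll
"""

if __name__ == "__main__":
    found = triage_loadpoints(SAMPLE_COMBOFIX)
    for path, reasons in sorted(found.items()):
        print(path, "->", "; ".join(sorted(reasons)))
    print(cfscript_files(found))
```

On the eight lines above the three random-named DLLs are flagged and ACNotify.dll (a ThinkPad component with a normal name and no CLSID) is not; minutara.dll and wohubevu.dll additionally show the same CLSID registered under both SharedTaskScheduler and SSODL. The consonant/vowel test will have false positives on ordinary words that happen to fit it, which is why the draft is meant to be read, not run blindly.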


#7 j.s.nelson (Topic Starter)

Posted 07 February 2010 - 12:34 PM

Having new issues here. I had normal functionality of the PC so long as I was disconnected from the internet, but when I launched Internet Explorer for the first time since the repair, a program was automatically loaded onto the PC. This program claims it is for evaluation purposes, but does not allow me to close the program; it requires selecting an option. I powered off the PC, then it launched again when the PC booted up.

This program is called "Your PC Protector", and it performs a scan and identifies that a number of files are infected with the following viruses: Email.worm.win32.merond.a, Trojan.win32.agent.azsy, Trojan.win32.agent2.dtb, Trojan.downloader.win32.small.ydh, Trojan.downloader.win32.agent.ahoe, Net-worm.win32.kido.ih. Despite being disconnected from the internet, it continues to give me pop-ups that tell me my PC is under attack. It is also giving me various messages from the control bar, one with a misspelling. I'm looking at seven pop-ups now. One indicates these programs are infected: iexplorer.exe, msimn.exe, wmplayer.exe, notepad.exe, explorer.exe, calc.exe, user32.exe, pools.exe, paint.exe, wab.exe, setup.exe, cluadmin.exe. One is from "Windows Security Center", which lists "Your PC Protector" as a recommendation for virus protection. There is also a Microsoft error window with a svchost.exe error message. Also, I can no longer launch Symantec to turn off scanning, or launch notepad (or MS Word, Excel, etc), so I am not sure I can run the CF-script.

Is "Your PC Protector" legitimate? How did it only load now after I ran ComboFix? What next?

Steve



#8 Elise (Malware Study Hall Admin)

Posted 07 February 2010 - 01:01 PM

Hello j.s.nelson,

Please do not run the CFScript I instructed you in my last post, instead proceed with Malwarebytes Antimalware. If you encounter any problems when installing/running the program, let me know and we will find a work around.

"Your PC Protector" is NOT a legitimate application. After Combofix was run there were multiple bad files left, so probably one of those "invited" other nasty stuff.

MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



In your next reply, please include the following:
  • MBAM log

regards, Elise




#9 j.s.nelson (Topic Starter)

Posted 07 February 2010 - 06:35 PM

Hi Elise. In my last post I mentioned that I could not launch various applications. This is the case for the MBAM program as well...I double-click on the desktop icon and nothing happens. Also, I no longer have browser functionality, so I can't launch it from the MajorGeeks site. Any other ideas?
Steve

#10 Elise (Malware Study Hall Admin)

Posted 08 February 2010 - 04:07 AM

Is MBAM already installed on your computer? If so, rename the following file: c:\program files\malwarebytes' antimalware\mbam.exe to winlogon.exe (right-click on the file and select Rename).

If the file on your desktop is the installer file, rename that to winlogon.exe

Let me know if you make any progress this way.

If not, please let me know if you have the possibility to download and burn a CD (download size approx 270 MB) on a clean computer.

regards, Elise




#11 j.s.nelson (Topic Starter)

Posted 08 February 2010 - 12:01 PM

The desktop file is the installer file. I renamed it as instructed and attempted to start it up, but it did not work. When I attempted to start up this application, as with the other applications, I get a pop-up from the status bar stating "Warning! Running of this application is impossible! The file is infected with a virus. Please activate your antivirus program." So this new virus is preventing me from running any other application. It is as if the first set of viruses anticipated the steps to clean the computer, then invited/activated this new virus when those steps were taken. Doesn't give much hope that we'll rid the computer of all the virus fragments.

I can download and burn a CD.

#12 Elise (Malware Study Hall Admin)

Posted 08 February 2010 - 12:16 PM

Hello j.s.nelson,

We can spend another day figuring out how to find a work around to get MBAM to work, but the method below is much easier (though more work for you). The advantage is we will have a log without Windows running, so we can kill all malware without being hindered.

Before we start fixing anything you should print out these instructions or copy them to a Notepad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

OK, this file is big. Print these instructions out so that you know what you are doing.

Two programs to download

First

ISOBurner: this will allow you to burn the OTLPE ISO to a CD and make it bootable. Just install the program; from there on it is fairly automatic. Instructions

Second
  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 292Mb in size so it may take some time to download.
  • When downloaded, double-click it and this will then open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created.

    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to Non-Microsoft
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.

In your next reply, please include the following:
  • OTL.txt

regards, Elise


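When the OTL.txt from the boot CD comes back it is a few hundred "SRV -" and "DRV -" lines, most of them legitimate, and the helper's first job is to pick out the few that are not. The script below is an added example for this thread, not OTL's code and not from any post. It parses those lines and applies three heuristics that are assumptions made here rather than anything OTL does: an image named like a core Windows binary (svchost.exe, lsass.exe and so on) stored outside system32, an auto-start entry with an empty company field whose file was modified within a week of the scan, and "File not found" registrations (orphaned service or driver entries). The sample input is the header line and a handful of entries copied from the OTLPE log posted later in this thread.

```python
"""Triage the service and driver lines of an OTL / OTLPE log.

Added example for this thread: not OTL's own code and not from any post.
It parses the 'SRV - ...' and 'DRV - ...' lines OTL prints and flags what a
removal helper would look at first.  The three heuristics are assumptions
made here, not OTL logic:
  * an image named like a core Windows binary but stored outside system32
  * an auto-start entry with an empty company field whose file was modified
    within RECENT_DAYS of the scan
  * 'File not found' registrations (orphaned service/driver entries)
"""
import re
from datetime import datetime

# Core Windows binaries that legitimately live only in %SystemRoot%\system32.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe",
                   "services.exe", "smss.exe", "spoolsv.exe"}
RECENT_DAYS = 7

HEADER_RE = re.compile(r"^OTL(?:PE)? logfile created on: (\d{1,2}/\d{1,2}/\d{4})")
ENTRY_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - \[(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>\S{4}) \| (?P<flag>\w)\] "
    r"\((?P<company>[^)]*)\) \[(?P<start>[^\]]+)\] -- (?P<path>.*?) -- \((?P<name>[^)]+)\)"
)
ORPHAN_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - File not found \[(?P<start>[^\]]+)\] -- -- \((?P<name>[^)]+)\)"
)


def scan_date_from_header(log_text):
    """Date of the scan, taken from OTL's first header line."""
    for line in log_text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            return datetime.strptime(m.group(1), "%m/%d/%Y").date()
    raise ValueError("no OTL header line found")


def parse_entry(line):
    """One SRV/DRV line -> dict of its fields, or None for anything else."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if m:
        e = m.groupdict()
        e["mtime"] = datetime.strptime(e["date"] + " " + e["time"], "%Y/%m/%d %H:%M:%S")
        e["company"] = e["company"].strip()   # OTL sometimes prints a trailing space
        e["orphan"] = False
        return e
    m = ORPHAN_RE.match(line)
    if m:
        e = m.groupdict()
        e.update(path="", company="", mtime=None, orphan=True)
        return e
    return None


def misplaced_system_binary(path, system_root=r"C:\WINDOWS"):
    """True when a core Windows binary name is used outside the system32 directory."""
    p = path.lower()
    if p.rsplit("\\", 1)[-1] not in SYSTEM_BINARIES:
        return False
    return not p.startswith(system_root.lower() + "\\system32\\")


def triage_services(log_text, scan_day=None, recent_days=RECENT_DAYS):
    """Return the entries worth a second look, each with the reasons it was flagged."""
    scan_day = scan_day or scan_date_from_header(log_text)
    findings = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        reasons = []
        if e["orphan"]:
            reasons.append("registered but file not found (orphaned entry)")
        else:
            if misplaced_system_binary(e["path"]):
                reasons.append("core Windows binary name outside system32")
            age = (scan_day - e["mtime"].date()).days
            if not e["company"] and "Auto" in e["start"] and age <= recent_days:
                reasons.append(f"auto-start, no company name, file modified {age} day(s) before scan")
        if reasons:
            findings.append({"kind": e["kind"], "name": e["name"], "path": e["path"], "reasons": reasons})
    return findings


# Lines copied from the OTLPE log posted in this thread, used as offline input.
SAMPLE_LOG = r"""OTL logfile created on: 2/8/2010 2:17:16 PM - Run
SRV - [2010/02/07 11:32:58 | 000,037,376 | ---- | M] () [Auto] -- C:\Program Files\svchost.exe -- (AdbUpd)
SRV - [2010/02/06 20:54:09 | 000,135,664 | ---- | M] (Google Inc.) [Auto] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate) Google Update Service (gupdate)
SRV - [2006/04/29 23:05:06 | 000,032,256 | ---- | M] () [On_Demand] -- C:\WINDOWS\system32\drivers\psasrv.exe -- (PsaSrv)
SRV - [2006/02/17 17:54:24 | 000,540,745 | ---- | M] (Intel Corporation ) [Auto] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel
DRV - File not found [Kernel | On_Demand] -- -- (catchme)
DRV - [2010/02/07 11:28:42 | 000,005,427 | ---- | M] (IBM Corporation) [Kernel | Auto] -- C:\WINDOWS\system32\EGATHDRV.SYS -- (EGATHDRV)
"""

if __name__ == "__main__":
    for f in triage_services(SAMPLE_LOG):
        print(f"{f['kind']} {f['name']:<16} {f['path'] or '(no file)'}")
        for r in f["reasons"]:
            print("    -", r)
```

On the sample lines only two entries come out: the AdbUpd service (a file called svchost.exe in C:\Program Files, no company name, dated the day before the scan) and the orphaned catchme driver registration, which is a leftover of the earlier ComboFix run rather than an infection. Legitimate entries with an empty company field (psasrv, the ThinkPad services) stay quiet because they are years old or on-demand, which is why the recency check is paired with the missing company name instead of being used alone.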


#13 j.s.nelson (Topic Starter)

Posted 08 February 2010 - 12:34 PM

Hi Elise. Just to clarify, I am accessing this forum from a clean PC. I can no longer launch Explorer, Notepad, or any other application from the infected PC. I assume I should be running ISOBurner from the clean PC? Please confirm before I proceed. Thanks.

#14 Elise (Malware Study Hall Admin)

Posted 08 February 2010 - 02:46 PM

Yes, you should make the OTLPE CD on your clean computer. After that you use that CD to boot your infected computer.

If you have any more questions, just let me know, that's what I am here for.

regards, Elise




#15 j.s.nelson (Topic Starter)

Posted 08 February 2010 - 05:30 PM

Hi Elise. I ran the OTLPE scan. The results are included below. Not sure if this makes a difference, but I was not asked if I wanted to load the remote registry, and in the driver settings there was no setting for "Non-Microsoft", so I left the setting unchanged from "Use safe list". Thank you.

OTL logfile created on: 2/8/2010 2:17:16 PM - Run
OTLPE by OldTimer - Version 3.1.28.0 Folder = X:\Programs\OTLPE
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600) - Type = SYSTEM
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 83.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 69.66 Gb Total Space | 32.20 Gb Free Space | 46.23% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 276.79 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO
Current User Name: SYSTEM
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
Using ControlSet: ControlSet003

========== Win32 Services (SafeList) ==========

SRV - [2010/02/07 11:32:58 | 000,037,376 | ---- | M] () [Auto] -- C:\Program Files\svchost.exe -- (AdbUpd)
SRV - [2010/02/06 20:54:09 | 000,135,664 | ---- | M] (Google Inc.) [Auto] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate) Google Update Service (gupdate)
SRV - [2009/09/21 18:36:02 | 000,545,568 | ---- | M] (Apple Inc.) [On_Demand] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/08/28 21:42:54 | 000,144,672 | ---- | M] (Apple Inc.) [Auto] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/04/26 10:09:06 | 000,182,768 | ---- | M] (Google) [On_Demand] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2008/12/12 13:17:38 | 000,238,888 | ---- | M] (Apple Inc.) [Auto] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2007/09/28 14:24:36 | 000,156,976 | ---- | M] (Seagate Technology LLC) [Auto] -- C:\Program Files\Maxtor\Sync\SyncServices.exe -- (Maxtor Sync Service)
SRV - [2006/09/23 14:44:52 | 000,072,704 | ---- | M] (Adobe Systems) [On_Demand] -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service)
SRV - [2006/04/29 23:05:06 | 000,032,256 | ---- | M] () [On_Demand] -- C:\WINDOWS\system32\drivers\psasrv.exe -- (PsaSrv)
SRV - [2006/04/17 15:12:28 | 000,151,552 | ---- | M] (Lenovo) [Auto] -- C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe -- (AcSvc)
SRV - [2006/04/17 15:12:26 | 000,040,960 | ---- | M] () [Auto] -- C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe -- (AcPrfMgrSvc)
SRV - [2006/02/17 17:54:24 | 000,540,745 | ---- | M] (Intel Corporation ) [Auto] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2006/02/17 17:52:24 | 000,114,753 | ---- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2006/02/17 17:51:46 | 000,217,164 | ---- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2005/12/21 20:34:58 | 000,077,824 | ---- | M] () [Auto] -- C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe -- (TVT Scheduler)
SRV - [2005/12/21 20:20:56 | 001,384,448 | ---- | M] () [Auto] -- C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe -- (TVT Backup Service)
SRV - [2005/12/21 19:17:54 | 000,722,480 | ---- | M] (IBM) [Auto] -- C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe -- (TSSCoreService)
SRV - [2005/12/20 23:46:24 | 000,405,504 | ---- | M] (ATI Technologies Inc.) [Auto] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2005/12/14 13:51:12 | 000,622,700 | ---- | M] (Diskeeper Corporation) [Disabled] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2005/12/01 03:09:00 | 000,073,728 | ---- | M] (Lenovo Group Limited) [Auto] -- C:\WINDOWS\system32\IPSSVC.EXE -- (IPSSVC)
SRV - [2005/11/11 03:33:00 | 000,073,782 | ---- | M] () [Auto] -- C:\WINDOWS\system32\ibmpmsvc.exe -- (IBMPMSVC)
SRV - [2005/11/01 17:04:02 | 000,258,103 | ---- | M] (Broadcom Corporation.) [Auto] -- C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe -- (btwdins)
SRV - [2005/10/03 14:04:04 | 000,102,400 | ---- | M] () [Auto] -- C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor4.0)
SRV - [2005/08/18 19:23:16 | 001,730,240 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2005/08/18 19:22:24 | 000,124,608 | ---- | M] (symantec) [On_Demand] -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2005/08/18 19:22:02 | 000,019,648 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2005/08/01 19:32:40 | 000,040,960 | ---- | M] () [Auto] -- C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe -- (UCLauncherService)
SRV - [2005/07/20 16:05:36 | 000,202,368 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe -- (SymSecurePort)
SRV - [2005/07/20 16:05:02 | 000,079,488 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe -- (ISSVC)
SRV - [2005/06/20 14:15:00 | 000,077,824 | ---- | M] (Lenovo.) [Auto] -- C:\WINDOWS\system32\TPHDEXLG.exe -- (TPHDEXLGSVC)
SRV - [2005/06/06 23:26:22 | 000,032,768 | ---- | M] () [Auto] -- C:\WINDOWS\system32\TpKmpSvc.exe -- (TpKmpSVC)
SRV - [2005/06/02 11:21:46 | 000,161,392 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2005/06/02 11:21:46 | 000,083,568 | ---- | M] (Symantec Corporation) [On_Demand] -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc)
SRV - [2005/06/02 11:21:44 | 000,239,216 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Common Files\Symantec Shared\ccProxy.exe -- (ccProxy)
SRV - [2005/06/02 11:21:40 | 000,185,968 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2005/05/04 02:04:28 | 009,150,464 | ---- | M] (Microsoft Corporation) [Auto] -- C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe -- (MSSQL$MICROSOFTSMLBIZ)
SRV - [2005/05/03 23:42:56 | 000,323,584 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE -- (SQLAgent$MICROSOFTSMLBIZ)
SRV - [2005/04/05 13:17:22 | 000,206,552 | ---- | M] (Symantec Corporation) [Auto] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2005/03/30 23:48:22 | 000,992,864 | ---- | M] (Symantec Corporation) [On_Demand] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2004/10/22 05:24:18 | 000,073,728 | ---- | M] (Macrovision Corporation) [On_Demand] -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/09/30 12:49:36 | 000,027,136 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\irmon.dll -- (Irmon)
SRV - [2004/08/11 02:46:56 | 000,483,328 | ---- | M] (Microsoft Corporation) [On_Demand] -- c:\Program Files\Windows Media Connect\mswmccds.exe -- (WmcCds) Windows Media Connect (WMC)
SRV - [2004/08/10 23:50:42 | 000,028,160 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Windows Media Connect\mswmcls.exe -- (WmcCdsLs) Windows Media Connect (WMC)
SRV - [2004/07/15 03:49:26 | 000,032,768 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state)
SRV - [2003/07/28 14:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
DRV - File not found [Kernel | System] -- -- (PCIDump)
DRV - File not found [Kernel | System] -- -- (lbrtfdc)
DRV - File not found [Kernel | System] -- -- (Changer)
DRV - File not found [Kernel | On_Demand] -- -- (catchme)
DRV - [2010/02/07 11:28:42 | 000,005,427 | ---- | M] (IBM Corporation) [Kernel | Auto] -- C:\WINDOWS\system32\EGATHDRV.SYS -- (EGATHDRV)
DRV - [2009/11/10 00:19:44 | 000,021,275 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\AegisP.sys -- (AegisP) AEGIS Protocol (IEEE 802.1x)
DRV - [2009/08/28 21:42:52 | 000,040,448 | ---- | M] (Apple, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL)
DRV - [2009/05/18 16:17:00 | 000,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008/04/30 14:54:28 | 000,064,160 | ---- | M] (Juniper Networks) [Kernel | System] -- C:\WINDOWS\system32\drivers\NEOFLTR_600_13073.sys -- (NEOFLTR_600_13073) Juniper Networks TDI Filter Driver (NEOFLTR_600_13073)
DRV - [2007/05/03 15:37:08 | 000,022,152 | ---- | M] (Maxtor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mxopswd.sys -- (MXOPSWD)
DRV - [2006/09/23 14:39:10 | 000,020,640 | ---- | M] (Sonic Solutions) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\pxhelp20.sys -- (PxHelp20)
DRV - [2006/09/23 00:57:40 | 000,176,816 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Program Files\Common Files\Symantec Shared\SymcData\scfidsdefs\20060922.004\SymIDSCo.sys -- (SYMIDSCO)
DRV - [2006/09/15 03:00:00 | 000,387,432 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Program Files\Common Files\Symantec Shared\eengine\eectrl.sys -- (eeCtrl)
DRV - [2006/08/23 03:00:00 | 000,828,872 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20060929.017\NAVEX15.SYS -- (NAVEX15)
DRV - [2006/08/23 03:00:00 | 000,079,240 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20060929.017\NAVENG.SYS -- (NAVENG)
DRV - [2006/04/29 23:05:08 | 000,016,256 | ---- | M] (Lenovo) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
DRV - [2006/02/17 18:41:50 | 000,013,568 | ---- | M] (Intel Corporation) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2006/01/27 17:11:42 | 000,181,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel®
DRV - [2006/01/13 02:33:22 | 000,006,016 | ---- | M] () [Kernel | System] -- C:\WINDOWS\system32\drivers\IBMBLDID.sys -- (IBMTPCHK)
DRV - [2005/12/21 19:14:58 | 000,012,544 | ---- | M] (IBM) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\ibmfilter.sys -- (ibmfilter)
DRV - [2005/12/21 18:45:56 | 000,003,968 | ---- | M] (IBM Corp.) [Kernel | Auto] -- C:\Program Files\SMI2\smi2.sys -- (smi2)
DRV - [2005/12/20 23:51:46 | 001,419,264 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/12/15 16:19:20 | 000,173,056 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
DRV - [2005/12/15 16:19:20 | 000,152,960 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (AEAudioService)
DRV - [2005/12/08 16:54:24 | 000,028,800 | ---- | M] (UPEK Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\tcusb.sys -- (TcUsb)
DRV - [2005/12/08 16:44:40 | 000,003,328 | ---- | M] (UPEK Inc.) [Kernel | Auto] -- C:\Program Files\ThinkVantage Fingerprint Software\smihlp.sys -- (smihlp)
DRV - [2005/12/07 03:12:00 | 000,004,442 | ---- | M] () [Kernel | System] -- C:\WINDOWS\system32\drivers\TPPWRIF.SYS -- (TPPWRIF)
DRV - [2005/12/06 13:21:32 | 000,936,448 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hsx_dpv.sys -- (HSF_DPV)
DRV - [2005/12/06 13:20:48 | 000,192,512 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hsxhwazl.sys -- (HSXHWAZL)
DRV - [2005/12/06 13:20:42 | 000,670,208 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hsx_cnxt.sys -- (winachsf)
DRV - [2005/12/05 02:55:30 | 001,428,096 | ---- | M] (Intel® Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\w39n51.sys -- (w39n51) Intel®
DRV - [2005/12/01 03:09:00 | 000,005,120 | ---- | M] (Lenovo Group Limited) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\PROCDD.SYS -- (PROCDD)
DRV - [2005/11/30 17:58:00 | 000,085,760 | ---- | M] (Lenovo) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\shockprf.sys -- (Shockprf)
DRV - [2005/11/30 03:51:00 | 000,014,848 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\SMAPINT.SYS -- (Smapint)
DRV - [2005/11/30 03:51:00 | 000,009,343 | ---- | M] () [Kernel | System] -- C:\WINDOWS\system32\drivers\TDSMAPI.SYS -- (TDSMAPI)
DRV - [2005/11/21 04:41:00 | 000,007,168 | ---- | M] () [Kernel | System] -- C:\WINDOWS\system32\drivers\TSMAPIP.SYS -- (TSMAPIP)
DRV - [2005/11/15 15:11:28 | 000,046,142 | R--- | M] (Utimaco Safeware AG) [Kernel | Auto] -- C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\privatediskm.sys -- (PrivateDisk)
DRV - [2005/11/11 03:33:00 | 000,010,112 | ---- | M] (Lenovo.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ibmpmdrv.sys -- (IBMPMDRV)
DRV - [2005/11/08 11:27:20 | 000,011,520 | ---- | M] (IBM Corp.) [Kernel | System] -- C:\WINDOWS\system32\drivers\ANC.sys -- (ANC)
DRV - [2005/11/01 16:53:14 | 001,342,122 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2005/11/01 16:51:06 | 000,056,648 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2005/10/12 14:07:12 | 000,874,240 | ---- | M] (Intel Corporation) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2005/10/05 17:57:08 | 000,012,544 | ---- | M] (Conexant) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2005/09/15 15:53:10 | 000,177,664 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2005/08/01 07:10:00 | 000,092,700 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2005/08/01 07:10:00 | 000,087,004 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2005/08/01 07:10:00 | 000,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2005/08/01 07:10:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2005/08/01 07:10:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2005/08/01 07:10:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2005/08/01 07:10:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2005/07/28 05:30:00 | 000,088,704 | ---- | M] (Sonic Solutions) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2005/07/07 11:03:34 | 000,005,628 | ---- | M] (Sonic Solutions) [File_System | System] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005/07/07 11:02:56 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2005/07/07 07:10:00 | 000,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2005/07/05 16:57:06 | 000,017,699 | ---- | M] (IBM Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\TPHKDRV.sys -- (TPHKDRV)
DRV - [2005/06/20 14:18:00 | 000,004,736 | ---- | M] (Lenovo.) [Kernel | System] -- C:\WINDOWS\system32\drivers\ShockMgr.sys -- (ShockMgr)
DRV - [2005/05/17 12:20:08 | 000,015,872 | ---- | M] (Atmel, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\atmeltpm.sys -- (atmeltpm)
DRV - [2005/04/05 13:17:02 | 000,267,192 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2005/04/05 13:17:00 | 000,017,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2005/04/05 13:16:58 | 000,036,984 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\WINDOWS\System32\Drivers\SYMIDS.SYS -- (SYMIDS)
DRV - [2005/04/05 13:16:56 | 000,047,192 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\WINDOWS\System32\Drivers\SYMNDIS.SYS -- (SYMNDIS)
DRV - [2005/04/05 13:16:54 | 000,173,208 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\WINDOWS\System32\Drivers\SYMFW.SYS -- (SYMFW)
DRV - [2005/04/05 13:16:52 | 000,011,512 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\WINDOWS\System32\Drivers\SYMDNS.SYS -- (SYMDNS)
DRV - [2005/04/01 22:36:04 | 000,123,200 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2005/03/30 23:48:20 | 000,372,832 | ---- | M] (Symantec Corporation) [Kernel | On_Demand] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2005/02/04 22:14:32 | 000,053,896 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2005/02/04 22:14:30 | 000,324,232 | ---- | M] (Symantec Corporation) [Kernel | System] -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2005/01/07 19:07:18 | 000,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2004/08/04 07:00:00 | 000,027,440 | ---- | M] () [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2004/08/04 07:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/04 07:00:00 | 000,007,936 | ---- | M] (Microsoft Corporation) [Recognizer | System] -- C:\WINDOWS\system32\drivers\fs_rec.sys -- (Fs_Rec)
DRV - [2004/08/04 07:00:00 | 000,002,864 | ---- | M] (Microsoft Corporation) [Adapter | On_Demand] -- C:\WINDOWS\system32\winsock.dll -- (Winsock)
DRV - [2004/08/04 01:07:44 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004/08/04 01:07:44 | 000,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2004/08/04 01:00:52 | 000,028,672 | ---- | M] (National Semiconductor Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nscirda.sys -- (NSCIRDA)
DRV - [2004/08/04 00:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2003/09/11 01:36:54 | 000,021,060 | ---- | M] (InterVideo, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\iviaspi.sys -- (Iviaspi)
DRV - [2001/08/17 16:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 16:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 16:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 16:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 16:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 15:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 15:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 15:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 15:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 15:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 15:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 15:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 15:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 15:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 15:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 14:20:04 | 000,096,256 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\ac97intc.sys -- (ac97intc) Intel® 82801 Audio Driver Install Service (WDM)
DRV - [2001/08/17 14:12:10 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B) Intel®
DRV - [2000/05/31 22:29:54 | 000,007,012 | ---- | M] (Microsoft Corporation) [Kernel | Auto] -- C:\WINDOWS\system32\drivers\PMEMNT.SYS -- (pmem)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://news.yahoo.com [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie


IE - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\Steve_ON_C\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\Steve_ON_C\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\Steve_ON_C\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\Steve_ON_C\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
IE - HKU\Steve_ON_C\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\Steve_ON_C\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
IE - HKU\Steve_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\Steve_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local




O1 HOSTS File: ([2010/02/06 17:18:19 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {4de43306-6d37-42f9-abb3-55eee7027762} - C:\WINDOWS\System32\yamileju.dll ()
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (ADC PlugIn) - {77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02} - C:\Program Files\adc32.dll (ASC - AntiSpyware)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll (Yahoo! Inc.)
O3 - HKU\Administrator_ON_C\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\Steve_ON_C\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\Steve_ON_C\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe (Lenovo)
O4 - HKLM..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe (Lenovo)
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\AMSG.EXE (LENOVO)
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
O4 - HKLM..\Run: [BLOG] C:\Program Files\ThinkPad\Utilities\BATLOGEX.DLL ()
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [cssauth] C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [DiskeeperSystray] C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe (Diskeeper Corporation)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [EZEJMNAP] C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE (Lenovo Group Limited)
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe ()
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe (HP)
O4 - HKLM..\Run: [ISUSPM Startup] c:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [LPManager] C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE (Lenovo Group Limited)
O4 - HKLM..\Run: [mxomssmenu] C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe (Maxtor Corporation)
O4 - HKLM..\Run: [PDService.exe] C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe (Utimaco Safeware AG)
O4 - HKLM..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (Google Inc.)
O4 - HKLM..\Run: [PWRMGRTR] C:\Program Files\ThinkPad\Utilities\PWRMGRTR.DLL (Lenovo Group Limited)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe ()
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TP4EX] C:\WINDOWS\System32\TP4EX.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe ()
O4 - HKLM..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe (Lenovo)
O4 - HKLM..\Run: [TpShocks] C:\WINDOWS\System32\TpShocks.exe (Lenovo, Ltd. and IBM Corporation.)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec Client Security\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKU\Steve_ON_C..\Run: [Microsoft Location Finder] C:\Program Files\Microsoft Location Finder\LocationFinder.exe (Microsoft Corporation)
O4 - HKU\Steve_ON_C..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKU\Steve_ON_C..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe (Adobe Systems Incorporated)
O4 - HKU\Steve_ON_C..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKU\Administrator_ON_C..\RunOnce: [configmsi] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - HKU\Administrator_ON_C..\RunOnce: [supportdir] File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\Steve_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\Steve_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\Steve_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\NPJPI150_08.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Program Files\Juniper Networks\Secure Application Manager\samnsp.dll (Juniper Networks)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Juniper Networks\Secure Application Manager\samnsp.dll (Juniper Networks)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000006 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\Steve_ON_C\..Trusted Domains: schwab.com ([remote] https in Trusted sites)
O15 - HKU\Steve_ON_C\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-...ows-i586-jc.cab (Java Plug-in 1.5.0_08)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4.2/...all-142-win.cab (Java Plug-in 1.4.2)
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_08)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_08)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flash...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {EE85A9FD-6E52-4227-BB82-D46A660690EA} https://service.ringcentral.com/ActiveX/RCAXSetup.cab (RCSetup Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.76.182 68.87.78.134
O20 - AppInit_DLLs: (lukuduni.dll) - File not found
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (vrlogon.dll) - C:\WINDOWS\System32\vrlogon.dll (UPEK Inc.)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O20 - Winlogon\Notify\psfus: DllName - psqlpwd.dll - C:\WINDOWS\System32\psqlpwd.dll (UPEK Inc.)
O20 - Winlogon\Notify\tpfnf2: DllName - notifyf2.dll - C:\WINDOWS\System32\notifyf2.dll ()
O20 - Winlogon\Notify\tphotkey: DllName - tphklock.dll - C:\WINDOWS\System32\tphklock.dll ()
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/06/03 12:39:49 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- C:\Program Files\alggui.exe "%1" %* ()

========== Files/Folders - Created Within 30 Days ==========

[2010/02/07 18:18:57 | 005,115,824 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Steve\Desktop\winlogon.exe.exe
[2010/02/07 11:52:38 | 000,000,000 | R--D | C] -- C:\Documents and Settings\LocalService\Favorites
[2010/02/07 11:43:32 | 000,000,000 | ---D | C] -- C:\Your PC Protector
[2010/02/07 11:37:27 | 000,000,000 | ---D | C] -- C:\Program Files\schtml
[2010/02/07 11:33:05 | 000,962,560 | ---- | C] (ASC - AntiSpyware) -- C:\Program Files\adc32.dll
[2010/02/07 11:32:50 | 000,000,000 | ---D | C] -- C:\Program Files\Your PC Protector
[2010/02/06 21:00:00 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\NetworkService\Cookies
[2010/02/06 20:59:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/02/06 20:54:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2010/02/06 17:40:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Steve\Desktop\VirusFix
[2010/02/06 17:22:34 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/02/06 17:19:31 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/02/06 17:01:21 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/02/06 16:58:24 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/02/06 16:58:24 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/02/06 16:58:24 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/02/06 16:58:24 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/02/06 16:58:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/02/06 16:50:19 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/01/27 16:04:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Steve\Desktop\OutlookBU
[2010/01/24 23:42:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Steve\Local Settings\Application Data\Yahoo!
[2010/01/22 23:52:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Yahoo!
[11 C:\Documents and Settings\Steve\Desktop\*.tmp files -> C:\Documents and Settings\Steve\Desktop\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2099/01/01 12:00:00 | 000,094,208 | -HS- | M] () -- C:\WINDOWS\System32\koyovabi.dll
[2099/01/01 12:00:00 | 000,092,160 | -HS- | M] () -- C:\WINDOWS\System32\yetazesu.dll
[2099/01/01 12:00:00 | 000,092,160 | -HS- | M] () -- C:\WINDOWS\System32\yajulose.dll
[2099/01/01 12:00:00 | 000,092,160 | -HS- | M] () -- C:\WINDOWS\System32\geyinehi.dll
[2099/01/01 12:00:00 | 000,091,648 | -HS- | M] () -- C:\WINDOWS\System32\wofomobu.dll
[2099/01/01 12:00:00 | 000,091,648 | -HS- | M] () -- C:\WINDOWS\System32\temekatu.dll
[2099/01/01 12:00:00 | 000,091,648 | -HS- | M] () -- C:\WINDOWS\System32\rivesogo.dll
[2099/01/01 12:00:00 | 000,091,648 | -HS- | M] () -- C:\WINDOWS\System32\lojuvake.dll
[2099/01/01 12:00:00 | 000,091,648 | -HS- | M] () -- C:\WINDOWS\System32\higawaka.dll
[2099/01/01 12:00:00 | 000,091,136 | -HS- | M] () -- C:\WINDOWS\System32\jemaluja.dll
[2099/01/01 12:00:00 | 000,061,440 | -HS- | M] () -- C:\WINDOWS\System32\toyeleno.dll
[2099/01/01 12:00:00 | 000,061,440 | -HS- | M] () -- C:\WINDOWS\System32\numimoji.dll
[2099/01/01 12:00:00 | 000,060,928 | -HS- | M] () -- C:\WINDOWS\System32\pusuyogu.dll
[2099/01/01 12:00:00 | 000,060,928 | -HS- | M] () -- C:\WINDOWS\System32\nijonina.dll
[2099/01/01 12:00:00 | 000,052,224 | -HS- | M] () -- C:\WINDOWS\System32\yamileju.dll
[2099/01/01 12:00:00 | 000,052,224 | -HS- | M] () -- C:\WINDOWS\System32\wiwuzoza.dll
[2099/01/01 12:00:00 | 000,051,720 | -HS- | M] () -- C:\WINDOWS\System32\kojoyapi.exe
[2099/01/01 12:00:00 | 000,049,590 | -HS- | M] () -- C:\WINDOWS\System32\mutipuyu.dll
[2099/01/01 12:00:00 | 000,039,424 | -HS- | M] () -- C:\WINDOWS\System32\figohele.dll
[2099/01/01 12:00:00 | 000,039,424 | -HS- | M] () -- C:\WINDOWS\System32\basukavu.dll
[2010/02/08 17:03:15 | 000,000,056 | ---- | M] () -- C:\Program Files\wp4.dat
[2010/02/08 17:03:15 | 000,000,002 | ---- | M] () -- C:\Program Files\wp3.dat
[2010/02/08 17:03:14 | 000,262,144 | -H-- | M] () -- C:\Documents and Settings\NetworkService\NTUSER.DAT
[2010/02/08 17:03:14 | 000,262,144 | -H-- | M] () -- C:\Documents and Settings\LocalService\NTUSER.DAT
[2010/02/08 17:03:14 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/08 17:02:57 | 012,320,768 | -H-- | M] () -- C:\Documents and Settings\Steve\NTUSER.DAT
[2010/02/08 17:02:55 | 000,000,040 | ---- | M] () -- C:\WINDOWS\System32\profile.dat
[2010/02/08 17:02:54 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/08 17:02:50 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Steve\ntuser.ini
[2010/02/08 17:00:03 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/02/08 17:00:02 | 000,000,294 | ---- | M] () -- C:\WINDOWS\tasks\vhablapv.job
[2010/02/08 17:00:01 | 000,962,560 | ---- | M] (ASC - AntiSpyware) -- C:\Program Files\adc32.dll
[2010/02/08 17:00:00 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{0299AEE1-FA5A-4302-8809-A9FF41AD52C6}.job
[2010/02/08 16:59:57 | 000,001,541 | ---- | M] () -- C:\Your PC Protector.lnk
[2010/02/08 16:59:27 | 1608,962,048 | -HS- | M] () -- C:\hiberfil.sys
[2010/02/07 18:34:50 | 000,006,456 | -H-- | M] () -- C:\WINDOWS\System32\tuzuteri
[2010/02/07 18:14:30 | 005,115,824 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Steve\Desktop\winlogon.exe.exe
[2010/02/07 11:59:06 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/02/07 11:33:05 | 000,043,520 | ---- | M] () -- C:\Program Files\alggui.exe
[2010/02/07 11:33:00 | 000,000,009 | ---- | M] () -- C:\Program Files\nuar.old
[2010/02/07 11:32:58 | 000,037,376 | ---- | M] () -- C:\Program Files\svchost.exe
[2010/02/07 11:32:58 | 000,000,036 | ---- | M] () -- C:\Program Files\skynet.dat
[2010/02/07 11:32:57 | 000,001,667 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Your PC Protector.lnk
[2010/02/07 11:31:06 | 000,060,928 | -HS- | M] () -- C:\WINDOWS\System32\hazagebi.dll
[2010/02/07 11:29:41 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\PMTask.job
[2010/02/07 11:28:42 | 000,005,427 | ---- | M] (IBM Corporation) -- C:\WINDOWS\System32\EGATHDRV.SYS
[2010/02/06 17:28:16 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/02/06 17:18:19 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/02/06 17:01:29 | 000,000,264 | RHS- | M] () -- C:\BOOT.INI
[2010/02/06 16:57:56 | 000,000,000 | ---- | M] () -- C:\WINDOWS\VPC32.INI
[2010/02/06 14:55:56 | 003,849,084 | R--- | M] () -- C:\Documents and Settings\Steve\Desktop\ComboFix.exe
[2010/02/05 21:28:14 | 000,040,960 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\Bosch Opportunity letter 2.4.2010.doc
[2010/02/03 21:02:33 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/27 17:17:40 | 052,428,800 | ---- | M] () -- C:\Documents and Settings\Steve\My Documents\SecureDrive.vol
[2010/01/22 23:52:04 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/01/19 20:46:34 | 000,039,424 | -HS- | M] () -- C:\WINDOWS\System32\horamufa.dll
[2010/01/19 20:08:33 | 000,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2010/01/19 20:08:31 | 000,038,446 | ---- | M] () -- C:\Documents and Settings\Steve\Application Data\Microsoft Excel.ADR
[2010/01/11 16:51:23 | 004,813,338 | -H-- | M] () -- C:\Documents and Settings\Steve\Local Settings\Application Data\IconCache.db
[11 C:\Documents and Settings\Steve\Desktop\*.tmp files -> C:\Documents and Settings\Steve\Desktop\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 000,094,208 | -HS- | C] () -- C:\WINDOWS\System32\koyovabi.dll
[2099/01/01 12:00:00 | 000,092,160 | -HS- | C] () -- C:\WINDOWS\System32\yetazesu.dll
[2099/01/01 12:00:00 | 000,092,160 | -HS- | C] () -- C:\WINDOWS\System32\yajulose.dll
[2099/01/01 12:00:00 | 000,092,160 | -HS- | C] () -- C:\WINDOWS\System32\geyinehi.dll
[2099/01/01 12:00:00 | 000,091,648 | -HS- | C] () -- C:\WINDOWS\System32\wofomobu.dll
[2099/01/01 12:00:00 | 000,091,648 | -HS- | C] () -- C:\WINDOWS\System32\temekatu.dll
[2099/01/01 12:00:00 | 000,091,648 | -HS- | C] () -- C:\WINDOWS\System32\rivesogo.dll
[2099/01/01 12:00:00 | 000,091,648 | -HS- | C] () -- C:\WINDOWS\System32\lojuvake.dll
[2099/01/01 12:00:00 | 000,091,648 | -HS- | C] () -- C:\WINDOWS\System32\higawaka.dll
[2099/01/01 12:00:00 | 000,091,136 | -HS- | C] () -- C:\WINDOWS\System32\jemaluja.dll
[2099/01/01 12:00:00 | 000,061,440 | -HS- | C] () -- C:\WINDOWS\System32\toyeleno.dll
[2099/01/01 12:00:00 | 000,061,440 | -HS- | C] () -- C:\WINDOWS\System32\numimoji.dll
[2099/01/01 12:00:00 | 000,060,928 | -HS- | C] () -- C:\WINDOWS\System32\pusuyogu.dll
[2099/01/01 12:00:00 | 000,060,928 | -HS- | C] () -- C:\WINDOWS\System32\nijonina.dll
[2099/01/01 12:00:00 | 000,052,224 | -HS- | C] () -- C:\WINDOWS\System32\yamileju.dll
[2099/01/01 12:00:00 | 000,052,224 | -HS- | C] () -- C:\WINDOWS\System32\wiwuzoza.dll
[2099/01/01 12:00:00 | 000,051,720 | -HS- | C] () -- C:\WINDOWS\System32\kojoyapi.exe
[2099/01/01 12:00:00 | 000,049,590 | -HS- | C] () -- C:\WINDOWS\System32\mutipuyu.dll
[2099/01/01 12:00:00 | 000,039,424 | -HS- | C] () -- C:\WINDOWS\System32\figohele.dll
[2099/01/01 12:00:00 | 000,039,424 | -HS- | C] () -- C:\WINDOWS\System32\basukavu.dll
[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\WINDOWS\System32\tuzuteri
[2010/02/07 11:43:33 | 000,001,541 | ---- | C] () -- C:\Your PC Protector.lnk
[2010/02/07 11:33:05 | 000,043,520 | ---- | C] () -- C:\Program Files\alggui.exe
[2010/02/07 11:33:00 | 000,000,009 | ---- | C] () -- C:\Program Files\nuar.old
[2010/02/07 11:32:58 | 000,037,376 | ---- | C] () -- C:\Program Files\svchost.exe
[2010/02/07 11:32:58 | 000,000,056 | ---- | C] () -- C:\Program Files\wp4.dat
[2010/02/07 11:32:58 | 000,000,036 | ---- | C] () -- C:\Program Files\skynet.dat
[2010/02/07 11:32:58 | 000,000,002 | ---- | C] () -- C:\Program Files\wp3.dat
[2010/02/07 11:32:57 | 000,001,667 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Your PC Protector.lnk
[2010/02/07 11:31:07 | 000,000,294 | ---- | C] () -- C:\WINDOWS\tasks\vhablapv.job
[2010/02/07 11:31:06 | 000,060,928 | -HS- | C] () -- C:\WINDOWS\System32\hazagebi.dll
[2010/02/06 20:54:13 | 000,000,886 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/02/06 20:54:13 | 000,000,882 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/02/06 17:01:29 | 000,000,194 | ---- | C] () -- C:\Boot.bak
[2010/02/06 17:01:22 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/02/06 16:58:24 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/02/06 16:58:24 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/02/06 16:58:24 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/02/06 16:58:24 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/02/06 16:58:24 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/02/06 16:57:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2010/02/06 16:49:34 | 003,849,084 | R--- | C] () -- C:\Documents and Settings\Steve\Desktop\ComboFix.exe
[2010/02/05 21:30:32 | 000,040,960 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\Bosch Opportunity letter 2.4.2010.doc
[2010/01/19 20:46:34 | 000,039,424 | -HS- | C] () -- C:\WINDOWS\System32\horamufa.dll
[2008/07/06 21:52:18 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\fusioncache.dat
[2007/01/21 18:56:15 | 000,038,446 | ---- | C] () -- C:\Documents and Settings\Steve\Application Data\Microsoft Excel.ADR
[2006/06/10 15:03:47 | 000,028,672 | ---- | C] () -- C:\Documents and Settings\Steve\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/06/03 13:43:50 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/06/03 12:39:39 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Steve\Local Settings\Application Data\fusioncache.dat
[2006/04/29 23:09:21 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/04/29 23:08:54 | 000,004,442 | ---- | C] () -- C:\WINDOWS\System32\drivers\TPPWRIF.SYS
[2006/04/29 23:08:37 | 000,006,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\IBMBLDID.sys
[2006/04/29 22:56:27 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2006/04/29 22:56:27 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2006/04/29 22:56:27 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2006/04/29 22:56:27 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2006/04/29 22:56:27 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2006/04/29 22:56:27 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2006/04/29 22:55:45 | 000,028,848 | ---- | C] () -- C:\WINDOWS\System32\drivers\USBkey.sys
[2006/04/29 22:55:25 | 000,000,148 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/04/29 22:49:57 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2006/04/29 22:42:19 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\FPCALL.dll
[2006/04/29 22:41:26 | 000,009,343 | ---- | C] () -- C:\WINDOWS\System32\drivers\TDSMAPI.SYS
[2006/04/29 22:38:45 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\TSMAPIP.SYS
[2006/04/29 22:22:16 | 000,002,481 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/11/01 16:59:16 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2005/10/17 17:22:24 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\DEVMAN.DLL
[2005/09/06 12:05:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/09 13:03:43 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/01/07 17:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/05/16 00:29:04 | 000,000,607 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2001/11/23 19:18:00 | 000,000,597 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2001/11/14 14:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll
[1980/01/01 02:00:00 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\SynTPCoI.dll
[1980/01/01 02:00:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\notifyf2.dll
[1980/01/01 02:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[1980/01/01 02:00:00 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\tphklock.dll
[1980/01/01 02:00:00 | 000,020,594 | ---- | C] () -- C:\WINDOWS\batmeter16.dll
[1980/01/01 02:00:00 | 000,015,896 | ---- | C] () -- C:\WINDOWS\mark_32.dll
[1980/01/01 02:00:00 | 000,000,487 | ---- | C] () -- C:\WINDOWS\System32\IPSCTRL.INI

========== LOP Check ==========

[2006/04/29 22:53:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\IBM
[2006/06/03 14:33:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ThinkVantage
[2006/07/03 10:00:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Juniper Networks
[2006/04/29 23:03:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Lenovo
[2006/07/03 09:24:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Juniper Networks
[2007/08/01 09:24:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve\Application Data\Flickr
[2006/04/29 22:53:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve\Application Data\IBM
[2008/09/20 17:00:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve\Application Data\ICAClient
[2006/06/10 15:09:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve\Application Data\InterVideo
[2008/09/20 16:52:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve\Application Data\Juniper Networks
[2006/08/19 15:49:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve\Application Data\Leadertech
[2006/06/03 14:33:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Steve\Application Data\ThinkVantage
[2010/02/07 11:29:41 | 000,000,316 | ---- | M] () -- C:\WINDOWS\Tasks\PMTask.job
[2010/02/08 17:00:00 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{0299AEE1-FA5A-4302-8809-A9FF41AD52C6}.job
[2010/02/08 17:00:02 | 000,000,294 | ---- | M] () -- C:\WINDOWS\Tasks\vhablapv.job

========== Purity Check ==========


< End of report >