Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google and other search engine links redirect


  • This topic is locked This topic is locked
16 replies to this topic

#1 tbbucs44

tbbucs44

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:14 AM

Posted 28 May 2010 - 12:32 AM

Starting a couple of days ago, I noticed that most links from Google, Bing, and Yahoo searches will redirect me to random sites when I click them. This happens in Firefox and IE. It is only happening on one of my Windows login accounts. My other account does not exhibit this behavior


DDS (Ver_10-03-17.01) - NTFSx86
Run by dalgu210 at 0:55:31.76 on Fri 05/28/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2214 [GMT -4:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {56A2CB4F-4200-4BEA-B9AD-99EA05AF3114}
FW: Trend Micro OfficeScan Enterprise Client Firewall *disabled* {62582529-66AE-465D-AE65-7711A2487F56}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Insight\Tools\aiclient.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Marriott\Installation Gatekeeper\IGK.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Rational\ClearCase\bin\lockmgr.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe
C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
C:\WINDOWS\system32\SgLogPlayer.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\Program Files\HDXPLUS\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\HDXPLUS\bin\tgsrvc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\cccredmgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\WINDOWS\TEMP\CWDB5C.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\TechSmith\Snagit 9\Snagit32.exe
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\TechSmith\Snagit 9\TSCHelp.exe
C:\Program Files\TechSmith\Snagit 9\SnagPriv.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\TechSmith\Snagit 9\snagiteditor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Microsoft Shared\MODI\11.0\MSPVIEW.EXE
C:\WINDOWS\system32\WISPTIS.EXE
C:\Documents and Settings\dalgu210.HDQBEPC985989\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://mgs.marriott.com
mDefault_Page_URL = hxxp://mgs.marriott.com
mStart Page = hxxp://mgs.marriott.com
uInternet Connection Wizard,ShellNext = hxxp://mgs.marriott.com/
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aol search\AOLSearch.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aol search\AOLSearch.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: TeaLeaf Client-Side Capture Helper: {7d87c094-453c-45ee-9520-299cc7438c8e} - c:\program files\tealeaf\TLCSC.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: TeaLeaf Client-Side Capture: {5f13c4fe-3ba7-47bc-a084-9737998590a4} - c:\program files\tealeaf\TLCSC.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [NetSP - restore settings on power failure] "c:\program files\at&t global network client\NetSP.exe" -show
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\dalgu210.hdqbepc985989\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [<NO NAME>]
mRun: [TpShocks] TpShocks.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [DiskeeperSystray] "c:\program files\executive software\diskeeper\DkIcon.exe"
mRun: [SgeEcView] "c:\program files\utimaco\safeguard easy\Ecview.exe"
mRun: [EdWizard] "c:\program files\utimaco\safeguard easy\EdWizard.exe" as
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [CCDoctorLogonTesting] "c:\program files\rational\clearcase\bin\ccdoctor.exe" /LogonStartup
mRun: [hdxplus] "c:\program files\hdxplus\bin\sprtcmd.exe" /P HDXPLUS
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\snagit~1.lnk - c:\program files\techsmith\snagit 9\Snagit32.exe
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "c:\program files\fiddler2\Fiddler.exe"
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} - hxxps://equeststaging.marriott.com/download/CfxIEAx.cab
DPF: {619A4D9B-FB37-471E-8CF3-3AA0CBA33804} - hxxps://equeststaging.marriott.com/Download/EquestTr.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9E4046F1-0606-11D6-ACBD-00D0B7190EE7} - hxxps://equeststaging.marriott.com/Download/sdgARViewer.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://comsysits.webex.com/client/wbs26-vzbprodcn/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: ACNotify - ACNotify.dll
Notify: ccnotify - ccnotify.dll
Notify: ckpNotify - ckpNotify.dll
Notify: NotLog - SGLogEx.dll
Notify: SGLogNotification - SGLogNotification.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
LSA: Notification Packages = scecli ACGina
mASetup: egrid_viewer - regedit /s "c:\program files\marriott\egrid viewer\eGridFAQURL.reg"
mASetup: PQMove - cscript c:\stage\applications\marriott\pqmove\migrate.vbs

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dalgu2~1.hdq\applic~1\mozilla\firefox\profiles\whkls4md.default\
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
FF - plugin: c:\documents and settings\dalgu210.hdqbepc985989\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\dalgu210.hdqbepc985989\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\dalgu210.hdqbepc985989\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\dalgu210.hdqbepc985989\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\dalgu210.hdqbepc985989\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - truec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 AES-256;AES-256;c:\windows\system32\drivers\AES256.sys [2008-9-16 19712]
R0 SgeFlt;SgeFlt;c:\windows\system32\drivers\SGEFLT.sys [2007-7-20 62720]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2006-12-25 19760]
R2 Installation Gatekeeper;Installation Gatekeeper;c:\program files\marriott\installation gatekeeper\IGK.exe [2003-7-21 7168]
R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [2008-1-7 17328]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2009-9-22 1221928]
R2 sprtsvc_hdxplus;SupportSoft Sprocket Service (hdxplus);c:\program files\hdxplus\bin\sprtsvc.exe [2009-9-23 202016]
R2 tgsrvc_hdxplus;SupportSoft Repair Service (hdxplus);c:\program files\hdxplus\bin\tgsrvc.exe [2009-9-23 148768]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXPFlt.sys [2009-5-21 230928]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2009-5-21 36368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-1-18 24652]
R3 LenovoRd;LenovoRd;c:\windows\system32\drivers\LenovoRd.sys [2007-2-26 81920]
R3 Mvfs;Atria Multi-Version FS;c:\windows\system32\drivers\mvfs50.sys [2008-6-4 330544]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-12-9 338448]
R3 TmPfw;OfficeScan NT Firewall;c:\program files\trend micro\officescan client\TmPfw.exe [2008-6-3 488768]
S2 Albd;Atria Location Broker;c:\program files\rational\clearcase\bin\albd_server.exe [2008-2-13 176698]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-5 135664]
S3 GomezAnywhere;Gomez Anywhere Connector Service;c:\program files\gomez\gomez anywhere connector\bin\wrapper.exe [2009-1-13 204800]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-1-18 30192]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [2008-1-7 14924]
S3 S3Inc;S3Inc;c:\windows\system32\drivers\s3mt3d.sys [2006-5-31 41216]
S3 s3legacy;s3legacy;c:\windows\system32\drivers\s3legacy.sys [2007-8-1 65664]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2008-6-3 652552]

=============== Created Last 30 ================

2010-05-28 02:33:25 0 d--h--w- c:\windows\system32\GroupPolicy
2010-05-14 20:55:41 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2010-05-14 20:55:41 7552 ----a-w- c:\windows\system32\drivers\SONYPVU1.SYS
2010-05-11 19:49:33 0 d-----w- c:\program files\IVCsoft
2010-05-06 14:52:50 0 d-----w- c:\program files\common files\Software Update Utility
2010-05-06 14:52:39 0 d-----w- c:\docume~1\alluse~1\applic~1\AIM
2010-05-06 14:52:15 0 d-----w- c:\program files\AIM

==================== Find3M ====================

2010-05-25 17:34:38 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-05-25 17:34:34 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-04-05 03:06:08 411368 ----a-w- c:\windows\system32\deploytk.dll

============= FINISH: 0:55:59.78 ===============


Attached Files



BC AdBot (Login to Remove)

 


#2 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:10:14 AM

Posted 29 May 2010 - 03:11 PM

Hello, tbbucs44.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response we get overwhelmed at times but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not please perform the following below so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • Please disable word-wrap before posting logs. This can be done by clicking Format and un-ticking the word-wrap feature in notepad.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for smile.gif
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.

We need to run RSIT
  1. Download random's system information tool (RSIT) by random/random and save it to your desktop.
  2. Double click on RSIT.exe.
  3. Click Continue at the disclaimer screen.
  4. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

NEXT:
(This step may produce a blank log. Let me know if that is the case)
We need to run a GMER scan
  1. Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  2. Close all other open programs as there is a slight chance your computer will crash.
  3. Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  4. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  5. Make sure all options are checked except:
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  6. When the scan is complete, click Save and save the log onto your desktop.

In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.log

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 tbbucs44

tbbucs44
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:14 AM

Posted 29 May 2010 - 05:32 PM

Thanks for your help aommaster. Here are the log files you requested:

Logfile of random's system information tool 1.07 (written by random/random)
Run by dalgu210 at 2010-05-29 18:14:02
Microsoft Windows XP Professional Service Pack 2
System drive C: has 3 GB (4%) free of 95 GB
Total RAM: 3070 MB (75% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:14:11 PM, on 5/29/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Insight\Tools\aiclient.exe
C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Marriott\Installation Gatekeeper\IGK.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Rational\ClearCase\bin\lockmgr.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe
C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
C:\WINDOWS\system32\SgLogPlayer.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\Program Files\HDXPLUS\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HDXPLUS\bin\tgsrvc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\cccredmgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\TEMP\YM61B8.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\HDXPLUS\bin\sprtcmd.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\TechSmith\Snagit 9\Snagit32.exe
C:\PROGRA~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\TechSmith\Snagit 9\TSCHelp.exe
C:\Program Files\TechSmith\Snagit 9\SnagPriv.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\TechSmith\Snagit 9\snagiteditor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcFnF5.exe
C:\Documents and Settings\dalgu210.HDQBEPC985989\Desktop\RSIT.exe
C:\Program Files\trend micro\dalgu210.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mgs.marriott.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mgs.marriott.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mgs.marriott.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mgs.marriott.com/
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 9\SnagitBHO.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: TeaLeaf Client-Side Capture Helper - {7D87C094-453C-45EE-9520-299CC7438C8E} - C:\Program Files\TeaLeaf\TLCSC.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (file missing)
O3 - Toolbar: TeaLeaf Client-Side Capture - {5F13C4FE-3BA7-47BC-A084-9737998590A4} - C:\Program Files\TeaLeaf\TLCSC.dll
O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SgeEcView] "C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe"
O4 - HKLM\..\Run: [EdWizard] "C:\Program Files\Utimaco\SafeGuard Easy\EdWizard.exe" as
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [CCDoctorLogonTesting] "C:\Program Files\Rational\ClearCase\bin\ccdoctor.exe" /LogonStartup
O4 - HKLM\..\Run: [hdxplus] "C:\Program Files\HDXPLUS\bin\sprtcmd.exe" /P HDXPLUS
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Global Network Client\NetSP.exe" -show
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\dalgu210.HDQBEPC985989\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Snagit 9.lnk = C:\Program Files\TechSmith\Snagit 9\Snagit32.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\Documents and Settings\All Users\Start Menu\Programs\UltimateBet\UltimateBet.lnk (HKCU)
O9 - Extra 'Tools' menuitem: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\Documents and Settings\All Users\Start Menu\Programs\UltimateBet\UltimateBet.lnk (HKCU)
O9 - Extra button: CarbonPoker - {e4e8c758-34b4-44bb-8ef9-1f0786e81d2d} - C:\Documents and Settings\dalgu210.HDQBEPC985989\Start Menu\Programs\CarbonPoker\CarbonPoker.lnk (HKCU)
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX IE 2000 Control) - https://equeststaging.marriott.com/download/CfxIEAx.cab
O16 - DPF: {619A4D9B-FB37-471E-8CF3-3AA0CBA33804} (eQuestTr.UserC1) - https://equeststaging.marriott.com/Download/EquestTr.CAB
O16 - DPF: {9E4046F1-0606-11D6-ACBD-00D0B7190EE7} (sdgARViewer.newViewer) - https://equeststaging.marriott.com/Download/sdgARViewer.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://comsysits.webex.com/client/wbs26-vz...bex/ieatgpc.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mihdq.marrcorp.marriott.com
O17 - HKLM\Software\..\Telephony: DomainName = mihdq.marrcorp.marriott.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mihdq.marrcorp.marriott.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mihdq.marrcorp.marriott.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = mihdq.marrcorp.marriott.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: ccnotify - ccnotify.dll (file missing)
O20 - Winlogon Notify: NotLog - SGLogEx.dll (file missing)
O20 - Winlogon Notify: SGLogNotification - SGLogNotification.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Asset Insight Client (AICLIENT) - Unknown owner - C:\Program Files\Insight\Tools\aiclient.exe
O23 - Service: Atria Location Broker (Albd) - IBM Corporation - C:\Program Files\Rational\ClearCase\bin\albd_server.exe
O23 - Service: BES Client (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Rational Cred Manager (cccredmgr) - IBM Corporation - C:\WINDOWS\system32\cccredmgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Gomez Anywhere Connector Service (GomezAnywhere) - Unknown owner - C:\Program Files\Gomez\Gomez Anywhere Connector\bin\wrapper.exe
O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Installation Gatekeeper - Marriott International - C:\Program Files\Marriott\Installation Gatekeeper\IGK.exe
O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: IBM Rational Lock Manager (LockMgr) - IBM Corporation - C:\Program Files\Rational\ClearCase\bin\lockmgr.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: IBM Rational ClearQuest Mail Service (MailService) - IBM Corporation - C:\Program Files\Rational\ClearQuest\mailservice.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SafeGuard Easy Client (SgeClient) - Unknown owner - C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe
O23 - Service: SafeGuard® Easy Control (SgeCtl) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
O23 - Service: SafeGuard SGLOG Player (SgLogPlayer) - Utimaco Safeware AG - C:\WINDOWS\system32\SgLogPlayer.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: SupportSoft Sprocket Service (hdxplus) (sprtsvc_hdxplus) - SupportSoft, Inc. - C:\Program Files\HDXPLUS\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: SupportSoft Repair Service (hdxplus) (tgsrvc_hdxplus) - SupportSoft, Inc. - C:\Program Files\HDXPLUS\bin\tgsrvc.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: SafeGuard® Easy Workstation Server (WksCfgSrv) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 20297 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1532298954-725345543-39320Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1532298954-725345543-39320UA.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2869680714-1471076481-1152482959-1008Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2869680714-1471076481-1152482959-1008UA.job
C:\WINDOWS\tasks\PMTask.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00C6482D-C502-44C8-8409-FCE54AD9C208}]
SnagIt Toolbar Loader - C:\Program Files\TechSmith\Snagit 9\SnagitBHO.dll [2009-04-17 68936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2008-02-01 1377576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
DriveLetterAccess - C:\WINDOWS\System32\DLA\DLASHX_W.DLL [2006-02-02 110652]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7D87C094-453C-45EE-9520-299CC7438C8E}]
TeaLeaf Client-Side Capture Helper - C:\Program Files\TeaLeaf\TLCSC.dll [2008-09-23 565248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2010-05-27 278128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll [2010-05-27 814648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{5F13C4FE-3BA7-47BC-A084-9737998590A4} - TeaLeaf Client-Side Capture - C:\Program Files\TeaLeaf\TLCSC.dll [2008-09-23 565248]
{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - Snagit - C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll [2009-04-17 211272]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll []
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2010-05-27 278128]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2007-05-18 8433664]
"nwiz"=nwiz.exe /installquiet /keeploaded /nodetect []
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2007-05-18 81920]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952]
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe [2004-08-04 59392]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2007-07-05 110592]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2007-07-05 512000]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2007-04-09 1015808]
"SoundMAX"=C:\Program Files\Analog Devices\SoundMAX\Smax4.exe [2007-04-03 839680]
""= []
"TpShocks"=C:\WINDOWS\system32\TpShocks.exe [2006-12-25 181808]
"PWRMGRTR"=rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor []
"BLOG"=rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog []
"EZEJMNAP"=C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe [2007-04-27 243248]
"DLA"=C:\WINDOWS\System32\DLA\DLACTRLW.EXE [2006-02-02 122940]
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2004-07-27 221184]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2004-07-27 81920]
"ACTray"=C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe [2007-08-21 413696]
"ACWLIcon"=C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe [2007-08-21 126976]
"TPHOTKEY"=C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe [2007-03-09 66176]
"TPFNF7"=C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe [2007-04-10 58416]
"LPManager"=C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe [2007-03-23 120368]
"DiskeeperSystray"=C:\Program Files\Executive Software\Diskeeper\DkIcon.exe [2004-10-04 176216]
"SgeEcView"=C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe [2008-09-16 24653]
"EdWizard"=C:\Program Files\Utimaco\SafeGuard Easy\EdWizard.exe [2008-09-16 352345]
"Google Desktop Search"=C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2009-11-20 30192]
"LogitechCommunicationsManager"=C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe [2007-10-25 563984]
"LogitechQuickCamRibbon"=C:\Program Files\Logitech\QuickCam\Quickcam.exe [2007-10-25 2178832]
"CCDoctorLogonTesting"=C:\Program Files\Rational\ClearCase\bin\ccdoctor.exe [2008-02-13 126976]
"hdxplus"=C:\Program Files\HDXPLUS\bin\sprtcmd.exe [2009-09-23 202016]
"OfficeScanNT Monitor"=C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe [2008-12-09 718120]
"Monitor"=C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe [2009-11-10 443728]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe [2006-12-15 75520]
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []
""= []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"Aim6"= []
"NetSP - restore settings on power failure"=C:\Program Files\AT&T Global Network Client\NetSP.exe [2007-01-13 24576]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-01-18 68856]
"Google Update"=C:\Documents and Settings\dalgu210.HDQBEPC985989\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-15 133104]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
Snagit 9.lnk - C:\Program Files\TechSmith\Snagit 9\Snagit32.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ACNotify]
C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll [2007-08-21 32768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ccnotify]
C:\WINDOWS\system32\ccnotify.dll [2007-03-30 15412]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ckpNotify]
C:\WINDOWS\system32\ckpNotify.dll [2003-06-02 24672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NotLog]
C:\WINDOWS\system32\SGLogEx.dll [2002-01-22 110592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SGLogNotification]
C:\WINDOWS\system32\SGLogNotification.dll [2005-03-31 69632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tpfnf2]
C:\Program Files\Lenovo\HOTKEY\notifyf2.dll [2006-09-06 34344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tphotkey]
C:\Program Files\Lenovo\HOTKEY\tphklock.dll [2006-12-14 28672]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
ACGina

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SprtListen]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SprtListenPush]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SupportSoft RemoteAssist]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=1
"legalnoticecaption"=*** Legal Notice ***
"legalnoticetext"=This system which includes the data processed or stored herein is proprietary and confidential to Marriott International Inc. (Marriott). This system is for Marriott authorized personnel only and may be used copied distributed or disclosed only to the extent expressly authorized by Marriott management for the benefit of Marriott and for no other purpose. Your access to and use of this system are subject to MIP-28 (Electronic Communications) and MIP-29 (Information Security and Confidentiality).
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"disablecad"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoSMConfigurePrograms"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 1 months======

2010-05-29 17:35:55 ----D---- C:\rsit
2010-05-28 19:40:12 ----SHD---- C:\Config.Msi
2010-05-28 18:31:14 ----D---- C:\Documents and Settings\All Users\Application Data\Mozilla Firefox
2010-05-28 15:28:43 ----D---- C:\WINDOWS\system32\appmgmt
2010-05-27 22:33:25 ----HD---- C:\WINDOWS\system32\GroupPolicy
2010-05-27 22:28:27 ----D---- C:\Documents and Settings\dalgu210.HDQBEPC985989\Application Data\Macromedia
2010-05-25 23:50:33 ----A---- C:\feed.txt
2010-05-11 15:49:33 ----D---- C:\Program Files\IVCsoft
2010-05-06 10:52:50 ----D---- C:\Program Files\Common Files\Software Update Utility
2010-05-06 10:52:39 ----D---- C:\Documents and Settings\All Users\Application Data\AIM
2010-05-06 10:52:15 ----D---- C:\Program Files\AIM

======List of files/folders modified in the last 1 months======

2010-05-29 18:14:07 ----D---- C:\Program Files\Trend Micro
2010-05-29 18:09:52 ----D---- C:\WINDOWS\Temp
2010-05-29 17:57:42 ----D---- C:\Program Files
2010-05-29 17:57:30 ----D---- C:\WINDOWS\system32\CatRoot2
2010-05-29 17:56:09 ----SD---- C:\WINDOWS\Tasks
2010-05-29 17:55:59 ----D---- C:\mvfslogs
2010-05-29 17:55:58 ----SHD---- C:\WINDOWS\CSC
2010-05-29 17:55:58 ----A---- C:\TPHKLOCK.TXT
2010-05-29 17:30:45 ----D---- C:\Documents and Settings\dalgu210.HDQBEPC985989\Application Data\ZoomBrowser EX
2010-05-29 17:30:45 ----D---- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2010-05-29 17:26:18 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2010-05-29 09:41:01 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-05-29 00:59:09 ----D---- C:\WINDOWS\system32
2010-05-28 20:01:24 ----A---- C:\WINDOWS\TaxACT07.ini
2010-05-28 19:59:38 ----A---- C:\WINDOWS\TaxACT09.ini
2010-05-28 19:57:49 ----A---- C:\WINDOWS\TaxACT08.ini
2010-05-28 19:40:45 ----SHD---- C:\WINDOWS\Installer
2010-05-28 19:40:34 ----D---- C:\Program Files\Common Files\Adobe
2010-05-28 19:40:28 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2010-05-28 19:22:54 ----D---- C:\Program Files\Java
2010-05-28 19:22:14 ----D---- C:\WINDOWS\Prefetch
2010-05-28 16:33:34 ----D---- C:\WINDOWS\security
2010-05-28 15:42:19 ----D---- C:\Lbtkind
2010-05-28 15:28:25 ----D---- C:\Program Files\Google
2010-05-28 09:37:30 ----A---- C:\WINDOWS\cfgall.ini
2010-05-28 09:08:17 ----D---- C:\Program Files\Insight
2010-05-28 00:22:29 ----D---- C:\WINDOWS\system32\CatRoot
2010-05-28 00:20:10 ----D---- C:\Documents and Settings
2010-05-26 02:29:00 ----SHD---- C:\System Volume Information
2010-05-26 02:29:00 ----D---- C:\WINDOWS\system32\Restore
2010-05-25 21:04:39 ----D---- C:\Documents and Settings\dalgu210.HDQBEPC985989\Application Data\FileZilla
2010-05-14 16:55:59 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-05-14 16:55:52 ----D---- C:\WINDOWS\system32\drivers
2010-05-10 00:25:40 ----D---- C:\Program Files\CarbonPoker
2010-05-06 10:52:50 ----D---- C:\Program Files\Common Files
2010-05-06 10:44:43 ----D---- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2010-05-03 08:58:44 ----D---- C:\Program Files\AT&T Global Network Client

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ANC;ANC; C:\WINDOWS\System32\drivers\ANC.SYS [2005-11-08 11520]
R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2005-11-18 5660]
R1 DLARTL_N;DLARTL_N; C:\WINDOWS\System32\Drivers\DLARTL_N.SYS [2005-11-18 22684]
R1 IBMTPCHK;IBMTPCHK; \??\C:\WINDOWS\system32\Drivers\IBMBLDID.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 tmtdi;Trend Micro TDI Driver; C:\WINDOWS\system32\DRIVERS\tmtdi.sys [2008-12-09 76304]
R1 TPHKDRV;TPHKDRV; C:\WINDOWS\system32\DRIVERS\TPHKDRV.sys [2006-10-23 17778]
R1 TPPWRIF;TPPWRIF; C:\WINDOWS\System32\drivers\Tppwrif.sys [2007-06-18 4442]
R1 TSMAPIP;TSMAPIP; C:\WINDOWS\System32\drivers\TSMAPIP.SYS [2007-04-10 12848]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2004-08-04 8832]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.7.4.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2008-01-07 21393]
R2 agnwifi;AT&T Wi-Fi Support Driver; C:\WINDOWS\system32\DRIVERS\agnwifi.sys [2004-04-29 19328]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [2006-02-02 25628]
R2 DLADResN;DLADResN; C:\WINDOWS\System32\DLA\DLADResN.SYS [2006-02-02 2496]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2006-02-02 86652]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2006-02-02 14684]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [2006-02-02 6364]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2006-02-02 87036]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2006-02-02 94332]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2005-11-18 40544]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 rimmptsk;rimmptsk; C:\WINDOWS\system32\DRIVERS\rimmptsk.sys [2007-02-24 39936]
R2 rimsptsk;rimsptsk; C:\WINDOWS\system32\DRIVERS\rimsptsk.sys [2007-01-23 42496]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\WINDOWS\system32\DRIVERS\rixdptsk.sys [2007-03-22 37376]
R2 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2007-05-29 12416]
R2 Scap;SecureClient Application Policy Module; C:\WINDOWS\System32\DRIVERS\Scap.sys [2003-06-02 17328]
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R2 TmFilter;Trend Micro Filter; \??\C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys []
R2 TmPreFilter;Trend Micro PreFilter; \??\C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys []
R2 VSApiNt;Trend Micro VSAPI NT; \??\C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys []
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2007-04-13 306176]
R3 AEAudio;AE Audio Service; C:\WINDOWS\system32\drivers\AEAudio.sys [2007-03-23 94848]
R3 agnfilt;AGN Filter Interface; C:\WINDOWS\system32\DRIVERS\agnfilt.sys [2006-05-19 180864]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
R3 atmeltpm;atmeltpm; C:\WINDOWS\system32\DRIVERS\atmeltpm.sys [2005-05-17 15872]
R3 BTKRNL;Bluetooth Bus Enumerator; C:\WINDOWS\system32\DRIVERS\btkrnl.sys [2007-02-27 868042]
R3 BTWUSB;WIDCOMM USB Bluetooth Driver; C:\WINDOWS\System32\Drivers\btwusb.sys [2007-01-24 67960]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-04 14080]
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2007-05-11 252312]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2006-12-22 988800]
R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2006-12-22 209664]
R3 IBMPMDRV;IBMPMDRV; C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys [2007-05-31 21424]
R3 LenovoRd;LenovoRd; C:\WINDOWS\System32\Drivers\LenovoRd.sys [2007-02-26 81920]
R3 LVPr2Mon;Logitech LVPr2Mon Driver; C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys [2007-10-11 25624]
R3 Mvfs;Atria Multi-Version FS; C:\WINDOWS\system32\DRIVERS\mvfs50.sys [2007-05-24 330544]
R3 NETw4x32;Intel® Wireless WiFi Link Adapter Driver for Windows XP 32 Bit; C:\WINDOWS\system32\DRIVERS\NETw4x32.sys [2007-06-21 2208512]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2007-05-18 6346720]
R3 RimVSerPort;RIM Virtual Serial Port v2; C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2009-01-09 27136]
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2004-08-04 67584]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2007-07-05 177664]
R3 TcUsb;TC USB Kernel Driver; C:\WINDOWS\System32\Drivers\tcusb.sys [2005-12-08 28800]
R3 tmcfw;Trend Micro Common Firewall Service; C:\WINDOWS\system32\DRIVERS\TM_CFW.sys [2008-12-09 338448]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2006-12-22 730112]
S3 avpnnic;AGN Virtual Network Adapter; C:\WINDOWS\system32\DRIVERS\avpnnic.sys [2003-04-04 13952]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-04 17024]
S3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 FilterService;UVC Filter Service; C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys [2007-10-11 23832]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 LVcKap;Logitech AEC Driver; C:\WINDOWS\system32\DRIVERS\LVcKap.sys [2007-10-19 2109976]
S3 LVMVDrv;Logitech Machine Vision Engine Loader; C:\WINDOWS\system32\DRIVERS\LVMVDrv.sys [2007-10-11 2142488]
S3 lvpopflt;Logitech POP Suppression Filter; C:\WINDOWS\system32\DRIVERS\lvpopflt.sys [2007-10-11 1920920]
S3 LVUSBSta;Logitech USB Monitor Filter; C:\WINDOWS\system32\drivers\LVUSBSta.sys [2007-10-11 41752]
S3 LVUVC;QuickCam Pro for Notebooks(UVC); C:\WINDOWS\system32\DRIVERS\lvuvc.sys [2007-10-11 3647384]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-04 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-04 10880]
S3 OMVA;VPN-1 SecureClient Adapter; C:\WINDOWS\system32\DRIVERS\OMVA.sys [2003-06-02 14924]
S3 pxtdqfoc;pxtdqfoc; \??\C:\DOCUME~1\DALGU2~1.HDQ\LOCALS~1\Temp\pxtdqfoc.sys []
S3 RimUsb;BlackBerry Smartphone; C:\WINDOWS\System32\Drivers\RimUsb.sys [2008-05-20 22784]
S3 S3Inc;S3Inc; C:\WINDOWS\system32\DRIVERS\s3mt3d.sys [2001-08-17 41216]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-04 11136]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-04 15360]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2004-08-04 59264]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2004-09-22 18944]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AcPrfMgrSvc;Ac Profile Manager Service; C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe [2007-08-21 65536]
R2 AcSvc;Access Connections Main Service; C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe [2007-08-21 184320]
R2 AICLIENT;Asset Insight Client; C:\Program Files\Insight\Tools\aiclient.exe [2004-11-03 184320]
R2 btwdins;Bluetooth Service; C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe [2007-02-27 266295]
R2 CCALib8;Canon Camera Access Library 8; C:\Program Files\Canon\CAL\CALMAIN.exe [2006-03-30 96341]
R2 cccredmgr;Rational Cred Manager; C:\WINDOWS\system32\cccredmgr.exe [2007-03-30 28220]
R2 Diskeeper;Diskeeper; C:\Program Files\Executive Software\Diskeeper\DkService.exe [2004-10-05 577644]
R2 EvtEng;Intel® PROSet/Wireless Event Log; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [2007-06-01 647168]
R2 IBMPMSVC;ThinkPad PM Service; C:\WINDOWS\system32\ibmpmsvc.exe [2007-05-31 36400]
R2 Installation Gatekeeper;Installation Gatekeeper; C:\Program Files\Marriott\Installation Gatekeeper\IGK.exe [2003-07-21 7168]
R2 LeapFrog Connect Device Service;LeapFrog Connect Device Service; C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe [2009-11-10 1131808]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-04-24 73728]
R2 LockMgr;IBM Rational Lock Manager; C:\Program Files\Rational\ClearCase\bin\lockmgr.exe [2008-02-13 28740]
R2 LVCOMSer;LVCOMSer; C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe [2007-10-19 186904]
R2 LVPrcSrv;Process Monitor; C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2007-10-19 141848]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R2 NetCfgSvr;Network Configuration Service; C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE [2007-01-13 323584]
R2 ntrtscan;OfficeScanNT RealTime Scan; C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe [2008-12-09 918824]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2007-05-18 163908]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R2 RegSrvc;Intel® PROSet/Wireless Registry Service; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2007-06-01 327680]
R2 S24EventMonitor;Intel® PROSet/Wireless Service; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [2007-06-01 987136]
R2 SgeClient;SafeGuard Easy Client; C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe [2008-09-16 159835]
R2 SgeCtl;SafeGuard® Easy Control; C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe [2008-09-16 114773]
R2 SgLogPlayer;SafeGuard SGLOG Player; C:\WINDOWS\system32\SgLogPlayer.exe [2005-03-31 61440]
R2 sprtlisten;SupportSoft Listener Service; C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe [2009-09-22 1221928]
R2 tgsrvc_hdxplus;SupportSoft Repair Service (hdxplus); C:\Program Files\HDXPLUS\bin\tgsrvc.exe [2009-09-23 148768]
R2 tmlisten;OfficeScan NT Listener; C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe [2008-12-09 988456]
R2 TPHDEXLGSVC;ThinkPad HDD APS Logging Service; C:\WINDOWS\System32\TPHDEXLG.exe [2006-12-25 37168]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-09-22 38912]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 WksCfgSrv;SafeGuard® Easy Workstation Server; C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe [2008-09-16 163931]
R2 YahooAUService;Yahoo! Updater; C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2008-11-09 602392]
R3 TmPfw;OfficeScan NT Firewall; C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe [2008-06-03 488768]
S2 Albd;Atria Location Broker; C:\Program Files\Rational\ClearCase\bin\albd_server.exe [2008-02-13 176698]
S2 BESClient;BES Client; C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe [2007-02-26 2138112]
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2010-01-05 135664]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-26 183280]
S2 LVSrvLauncher;LVSrvLauncher; C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe [2007-10-19 141848]
S2 MailService;IBM Rational ClearQuest Mail Service; C:\Program Files\Rational\ClearQuest\mailservice.exe [2008-07-30 73795]
S2 sprtsvc_hdxplus;SupportSoft Sprocket Service (hdxplus); C:\Program Files\HDXPLUS\bin\sprtsvc.exe [2009-09-23 202016]
S2 SupportSoft RemoteAssist;SupportSoft RemoteAssist; C:\Program Files\Common Files\supportsoft\bin\ssrc.exe [2009-09-22 386424]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-04-13 33632]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-04-13 68952]
S3 GomezAnywhere;Gomez Anywhere Connector Service; C:\Program Files\Gomez\Gomez Anywhere Connector\bin\wrapper.exe [2009-01-13 204800]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2009-11-20 30192]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 PictureTaker;PictureTaker; C:\WINDOWS\system32\PCTKRNT.SYS [2008-01-07 61440]
S3 TmProxy;OfficeScan NT Proxy Service; C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe [2008-06-03 652552]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.06 2010-05-29 17:36:17

======Uninstall list======

-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\IBM\GSK7\gsk7BUI.isu"
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
32 Bit HP CIO Components Installer-->MsiExec.exe /I{F7B0E599-C114-4493-BC4D-D8FC7CBBABBB}
Adobe Download Manager-->"C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe SVG Viewer 3.0-->C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Agent Ransack Version 1.7.3-->"C:\Program Files\Mythicsoft\Agent Ransack\unins000.exe"
AIM 7-->C:\Program Files\AIM\uninst.exe
AnalogX AutoTune-->C:\Program Files\AnalogX\AutoTune\autou.exe
Asset Insight 5.5-->MsiExec.exe /X{E891AFB5-1A10-4A87-B16C-FBDE17DCFC6D}
BigFix Enterprise Client-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BF7023BC-319B-4FE1-B569-C854A19F81F8}\setup.exe" -l0x9 -removeonly
BlackBerry Device Software v5.0.0 for the BlackBerry 9630 smartphone-->MsiExec.exe /X{B866835D-EC31-4B05-851C-EBE73F2461FC}
Canon Camera Access Library-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
Canon G.726 WMP-Decoder-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\G726Decoder\G726DecUnInstall.ini"
Canon MovieEdit Task for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\MVWUninst.ini"
Canon RAW Image Task for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon RemoteCapture Task for ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities EOS Utility-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities PhotoStitch-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities ZoomBrowser EX-->"C:\Program Files\Common Files\Canon\UIW\1.2.0.0\Uninst.exe" "C:\Program Files\Canon\ZoomBrowser EX\Program\Uninst.ini"
Citrix ICA Web Client 6.30-->MsiExec.exe /I{0143A812-7F0A-4984-9047-4919004648DE}
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Computer Account Creator v1.0.0.16-->MsiExec.exe /X{67EBE1DE-6760-452F-B53D-523C92E8F8FC}
Crystal Reports Plug-in-->MsiExec.exe /X{47BB2546-DA17-477E-8E82-BBD377E597C4}
Diskeeper Professional Edition-->MsiExec.exe /I{E87BE7F8-3077-40C1-8592-956F649A2781}
Download Updater (AOL LLC)-->C:\Program Files\Common Files\Software Update Utility\uninstall.exe
Equest Plugin-->"C:\Program Files\SIFXINST\SIFXINST.EXE" /UnapplyFile B6D6824B-FFB7-4D27-9183-9C9C59E101F6 /Prompt
Fiddler (remove only)-->"C:\Program Files\Fiddler\uninst.exe"
Fiddler2-->"C:\Program Files\Fiddler2\uninst.exe"
FileZilla Client 3.0.8-->C:\Program Files\FileZilla FTP Client\uninstall.exe
Genesys Meeting Center-->MsiExec.exe /I{22D0BEDD-585D-4DBD-94A2-6C3C3B0E3644}
GIMP 2.4.5-->"C:\Program Files\GIMP-2.0\setup\unins000.exe"
Gomez Anywhere Connector-->C:\Program Files\Gomez\Gomez Anywhere Connector\uninstall.exe
Gomez Script Recorder-->C:\Program Files\Gomez\Gomez Script Recorder\uninstall.exe
Google Desktop-->C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Talk Plugin-->MsiExec.exe /I{6BB42024-D62A-33F5-B883-52069E2C9668}
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_A22A7357696681C5.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows XP (KB909095)-->"C:\WINDOWS\$NtUninstallKB909095$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB910678)-->"C:\WINDOWS\$NtUninstallKB910678$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915865)-->"C:\WINDOWS\$NtUninstallKB915865$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB916089)-->"C:\WINDOWS\$NtUninstallKB916089$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB935448)-->"C:\WINDOWS\$NtUninstallKB935448$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB981128)-->"C:\WINDOWS\$NtUninstallKB981128$\spuninst\spuninst.exe"
IBM DB2 Connect Client 7.1-->MsiExec.exe /X{254E3B8F-4B1B-4904-9522-FBE75E1918AA}
IBM Rational ClearCase-->MsiExec.exe /I{681411BD-5AD8-4DA5-BBEE-EF20E3628D33}
IBM Rational ClearQuest-->MsiExec.exe /I{CE7BC4DE-8956-4B80-BFB7-541812764162}
Installation Gatekeeper 3.3.5.1-->MsiExec.exe /I{AB8C2740-ABAC-4749-AA71-9E4DD1221EBE}
Intel® PRO Network Connections Drivers-->Prounstl.exe
Intel® PROSet/Wireless Software-->C:\WINDOWS\Installer\iProInst.exe
InterActual Player-->C:\Program Files\InterActual\InterActual Player\inuninst.exe
InterVideo WinDVD-->"C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
J2SE Runtime Environment 5.0 Update 11-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
LeapFrog Connect-->C:\Program Files\LeapFrog\LeapFrog Connect\uninst.exe
LeapFrog Connect-->MsiExec.exe /X{7E7D778E-121D-4BBD-BA29-FAA81B9FBD8C}
LeapFrog Leapster2 Plugin-->MsiExec.exe /X{7452472E-FC85-4AEB-8B67-24C63ECCF5C8}
Logitech Legacy USB Camera Driver Package-->"C:\Program Files\Common Files\LogiShrd\LogiDriverStore\legacyqcam\11.10.2016\LgDrvInst.exe" -remove -instdir"C:\Program Files\Common Files\LogiShrd\LogiDriverStore\legacyqcam\" -enumdelay=2000 -enabledifx -forcedelete -usbhubsfirst -forceremove -cumulativeremove -promptuninstall -arpregkey"legacyqcam_11.10" /clone_wait /hide_progress
Logitech QuickCam Driver Package-->"C:\Program Files\Common Files\LogiShrd\LogiDriverStore\lvdrivers\11.50.1145\LgDrvInst.exe" -remove -instdir"C:\Program Files\Common Files\LogiShrd\LogiDriverStore\lvdrivers\" -enumdelay=2000 -enabledifx -forcedelete -usbhubsfirst -forceremove -cumulativeremove -promptuninstall -arpregkey"lvdrivers_11.50" /clone_wait /hide_progress
Logitech QuickCam-->MsiExec.exe /X{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}
Macromedia Flash Player 8-->MsiExec.exe /X{5E8A1B08-0FBD-4543-9646-F2C2D0D05750}
Marriott Application Installer-->MsiExec.exe /X{9B9A67F2-82F4-4BFA-AA5F-7D81153515C8}
Marriott eGrid Viewer-->MsiExec.exe /X{A6D83542-AB8F-4540-BD3A-7BCEE0B09719}
mCore-->MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDriver-->MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
MI-Connector 6.9 Patch-->MsiExec.exe /I{DF59575D-3D13-4052-8AB5-3A8593C27C56}
MI-Connector-->MsiExec.exe /X{2E21CBDA-1EDF-4C18-A561-DB53D683229F}
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2003 Web Components-->MsiExec.exe /I{90A40409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Converter Pack-->MsiExec.exe /X{6EECB283-E65F-40EF-86D3-D51BF02A8D43}
Microsoft Office Professional Edition 2003-->MsiExec.exe /X{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Project Standard 2003-->MsiExec.exe /X{903A0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Visio Professional 2003-->MsiExec.exe /X{90510409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Web Components-->MsiExec.exe /I{90260409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft VC9 runtime libraries-->MsiExec.exe /I{C4124E95-5061-4776-8D5D-E3D931C778E1}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
mMHouse-->MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Mozilla Firefox (3.6.3)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
mPfMgr-->MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mProSafe-->MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
MSXML 4.0-->MsiExec.exe /I{428102E6-8A39-48B9-8389-847F5A44A600}
MSXML 4.0-->MsiExec.exe /I{54BB0384-1C33-488F-A95B-877E480D3EDC}
MSXML 6 Service Pack 2 (KB954459)-->MsiExec.exe /I{1A528690-6A2D-4BC5-B143-8C4AE8D19D96}
MVision-->MsiExec.exe /I{35725FBC-A136-4A46-9F29-091759D9BB93}
mWlsSafe-->MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
On Screen Display-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall.XP 132 C:\Program Files\Lenovo\HOTKEY\tphk_tp.inf
Picasa 3-->"C:\Program Files\Google\Picasa3\Uninstall.exe"
Pineapple 1.6.0.2-->MsiExec.exe /I{6BCAA466-5A2E-4EFE-BB45-C4A30D85DAB0}
PQMOVE-->MsiExec.exe /X{FEC19276-615C-41B0-9F98-DC1A0E634B11}
Presentation Director-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{65706020-7B6F-41F2-8047-FC69579E386A}\Setup.exe" -l0x9 -AddRemove
Productivity Center Supplement for ThinkPad-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D728E945-256D-4477-B377-6BBA693714AC}\setup.exe" -l0x9 -AddRemove
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RecordNow Audio-->MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
RecordNow Copy-->MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
RecordNow Data-->MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
Remote Desktop Connection-->MsiExec.exe /X{35D027A4-57BA-4E59-94DB-DFB36FFFDC1E}
SafeGuard® Easy Client 4.50.2 -->MsiExec.exe /I{65581228-D981-47F6-8E93-703808B8CB0E}
ScrewDrivers Client v4-->MsiExec.exe /I{665ECEFC-F101-43AC-B750-2C17BF03CF4F}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft .NET Framework 2.0 (KB928365)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {8056AC9E-49C5-4375-9ADE-B2F862C9DF51} /package {7131646D-CD3C-40F4-97B9-CD9E4E6262EF}
Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB972260)-->"C:\WINDOWS\ie7updates\KB972260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB974455)-->"C:\WINDOWS\ie7updates\KB974455-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB978207)-->"C:\WINDOWS\ie7updates\KB978207-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB911564)-->"C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9L$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Security Update for Windows XP (KB883939)-->"C:\WINDOWS\$NtUninstallKB883939$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896422)-->"C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896424)-->"C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896688)-->"C:\WINDOWS\$NtUninstallKB896688$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899588)-->"C:\WINDOWS\$NtUninstallKB899588$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899589)-->"C:\WINDOWS\$NtUninstallKB899589$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901190)-->"C:\WINDOWS\$NtUninstallKB901190$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB903235)-->"C:\WINDOWS\$NtUninstallKB903235$\spuninst\spuninst.exe"
Security Update for Windows XP (KB904706)-->"C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905915)-->"C:\WINDOWS\$NtUninstallKB905915$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911567)-->"C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912919)-->"C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB916281)-->"C:\WINDOWS\$NtUninstallKB916281$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917159)-->"C:\WINDOWS\$NtUninstallKB917159$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917344)-->"C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917422)-->"C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917537)-->"C:\WINDOWS\$NtUninstallKB917537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917953)-->"C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918439)-->"C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918899)-->"C:\WINDOWS\$NtUninstallKB918899$\spuninst\spuninst.exe"
Security Update for Windows XP (KB919007)-->"C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920214)-->"C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920685)-->"C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921398)-->"C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921503)-->"C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921883)-->"C:\WINDOWS\$NtUninstallKB921883$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922616)-->"C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922760)-->"C:\WINDOWS\$NtUninstallKB922760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922819)-->"C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923191)-->"C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923414)-->"C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923694)-->"C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924191)-->"C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924496)-->"C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924667)-->"C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925454)-->"C:\WINDOWS\$NtUninstallKB925454$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925486)-->"C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925902)-->"C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927779)-->"C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928090)-->"C:\WINDOWS\$NtUninstallKB928090$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928843)-->"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Security Update for Windows XP (KB930178)-->"C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931261)-->"C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931768)-->"C:\WINDOWS\$NtUninstallKB931768$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931784)-->"C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Security Update for Windows XP (KB932168)-->"C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933566)-->"C:\WINDOWS\$NtUninstallKB933566$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933729)-->"C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Security Update for Windows XP (KB936021)-->"C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Security Update for Windows XP (KB937143)-->"C:\WINDOWS\$NtUninstallKB937143$\spuninst\spuninst.exe"
Security Update for Windows XP (KB937894)-->"C:\WINDOWS\$NtUninstallKB937894$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938127)-->"C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938829)-->"C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941202)-->"C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941568)-->"C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941644)-->"C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941693)-->"C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
Security Update for Windows XP (KB942615)-->"C:\WINDOWS\$NtUninstallKB942615$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943055)-->"C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943460)-->"C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943485)-->"C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944533)-->"C:\WINDOWS\$NtUninstallKB944533$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944653)-->"C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB945553)-->"C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946026)-->"C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948590)-->"C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
Security Update for Windows XP (KB948881)-->"C:\WINDOWS\$NtUninstallKB948881$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950749)-->"C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953155)-->"C:\WINDOWS\$NtUninstallKB953155$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958470)-->"C:\WINDOWS\$NtUninstallKB958470$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371-v2)-->"C:\WINDOWS\$NtUninstallKB961371-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971032)-->"C:\WINDOWS\$NtUninstallKB971032$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Skype™ 3.6-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Snagit 9.1.2-->MsiExec.exe /I{B440D659-FECA-4BDD-A12B-5C9F05790FF3}
Sonic DLA-->MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic Express Labeler-->MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Sonic Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe" -l0x9 -removeonly
Spelling Dictionaries Support For Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-900000000004}
System Migration Assistant-->MsiExec.exe /X{F705E3E1-A471-426B-9A09-73429F3418EE}
TaxACT 2007-->C:\PROGRA~1\2NDSTO~1\TAXACT~1\Unta07.exe C:\PROGRA~1\2NDSTO~1\TAXACT~1\Install.log
TaxACT 2008-->C:\PROGRA~1\2NDSTO~1\TAXACT~2\Unta08.exe C:\PROGRA~1\2NDSTO~1\TAXACT~2\Install.log
TaxACT 2009-->C:\2NDSTO~1\TAXACT~1\Unta09.exe C:\2NDSTO~1\TAXACT~1\Install_1040.log
TeaLeaf Client-Side Capture-->C:\Program Files\InstallShield Installation Information\{EC306B8C-4407-40E8-B61A-52A47C4BE31D}\setup.exe -runfromtemp -l0x0009 -removeonly
TeaLeaf RealiTea Viewer-->C:\Program Files\InstallShield Installation Information\{870A6FE0-5126-11D4-B580-00C04F187599}\setup.exe -runfromtemp -l0x0009 -removeonly
TextPad 5-->MsiExec.exe /X{B6EC7388-E277-4A5B-8C8F-71067A41BA64}
ThinkPad Bluetooth with Enhanced Data Rate Software-->MsiExec.exe /X{84814E6B-2581-46EC-926A-823BD1C670F6}
ThinkPad EasyEject Utility -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1297C681-92D7-40EF-93BF-03F66EC5105C}\Setup.exe" -l0x9 -AddRemove
ThinkPad FullScreen Magnifier-->RunDll32 setupapi.dll,InstallHinfSection DefaultUninstall.NT 132 C:\Program Files\Lenovo\Zoom\TpScrex.inf
ThinkPad Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10140588\UIU32m.exe -U -ITkp0588k.inf
ThinkPad Power Management Driver-->RunDll32.exe tpinspm.dll,Uninstall
ThinkPad Power Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A0E64EBA-8BF0-49FB-90C0-BB3D781A2016}\Setup.exe" -l0x9 -AddRemove
ThinkPad UltraNav Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17CBC505-D1AE-459D-B445-3D2000A85842}\Setup.exe" -l0x9 UNINSTALL
ThinkVantage Access Connections-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7EB114D8-207F-45AE-BABD-1669715F2630}\setup.exe" -l0x9 anything
ThinkVantage Active Protection System-->MsiExec.exe /X{46A84694-59EC-48F0-964C-7E76E9F8A2ED}
ThinkVantage Productivity Center-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CF5737AF-8550-4546-A69B-0EA9EF5A9B55}\setup.exe" -l0x9 -AddRemove
Trend Micro OfficeScan Client-->"C:\Program Files\Trend Micro\OfficeScan Client\ntrmv.exe"
Update for Windows XP (KB896727)-->"C:\WINDOWS\$NtUninstallKB896727$\spuninst\spuninst.exe"
Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Update for Windows XP (KB917425)-->"C:\WINDOWS\$NtUninstallKB917425$\spuninst\spuninst.exe"
Update for Windows XP (KB919010)-->"C:\WINDOWS\$NtUninstallKB919010$\spuninst\spuninst.exe"
Update for Windows XP (KB922580)-->"C:\WINDOWS\$NtUninstallKB922580$\spuninst\spuninst.exe"
Update for Windows XP (KB929338)-->"C:\WINDOWS\$NtUninstallKB929338$\spuninst\spuninst.exe"
Update for Windows XP (KB931836)-->"C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Update for Windows XP (KB932590)-->"C:\WINDOWS\$NtUninstallKB932590$\spuninst\spuninst.exe"
Update for Windows XP (KB933360)-->"C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Use the entry named LeapFrog Connect to uninstall (LeapFrog Leapster2 Plugin)-->MsiExec.exe /X{7452472E-FC85-4AEB-8B67-24C63ECCF5C8}
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
WebEx-->C:\WINDOWS\DOWNLO~1\atcliun.exe
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray-->"C:\WINDOWS\$NtUninstallKB952011$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows XP Hotfix - KB824995-->C:\WINDOWS\$NtUninstallKB824995$\spuninst\spuninst.exe
Windows XP Hotfix - KB873333-->C:\WINDOWS\$NtUninstallKB873333$\spuninst\spuninst.exe
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB883667-->C:\WINDOWS\$NtUninstallKB883667$\spuninst\spuninst.exe
Windows XP Hotfix - KB885250-->C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887472-->C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP Hotfix - KB887742-->C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
Windows XP Hotfix - KB888113-->C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890047-->C:\WINDOWS\$NtUninstallKB890047$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Hotfix - KB893086-->"C:\WINDOWS\$NtUninstallKB893086$\spuninst\spuninst.exe"
WinSQL-->MsiExec.exe /I{38E22835-979D-4D47-BCC2-C338F15DAC5A}
WinZip Pro 10.0-->MsiExec.exe /X{7D7B76A7-3C30-41A3-8038-BBE9BC2B5F55}
Yahoo! Software Update-->C:\PROGRA~1\Yahoo!\SOFTWA~1\UNINST~1.EXE

======Security center information======

AV: Trend Micro OfficeScan Antivirus
FW: Trend Micro OfficeScan Enterprise Client Firewall (disabled)
FW: Trend Micro Personal Firewall

======System event log======

Computer Name: HDQBEPC985989
Event Code: 11194
Message: The system failed to update and remove host (A) resource records (RRs)
for network adapter
with settings:


Adapter Name : {ACF0484D-3ED6-4164-AD91-412AD68C2A69}

Host Name : HDQBEPC985989

Primary Domain Suffix : mihdq.marrcorp.marriott.com

DNS server list :

162.130.10.9, 162.130.128.97

Sent update to server : 192.1.1.1

IP Address(es) :

162.130.155.171


The reason for this failure is because the DNS server sent the update
either (a) does not support the DNS dynamic update protocol, or (cool.gif the
authoritative zone for the DNS domain name specified in these A RRs does
not currently accept DNS dynamic updates.

Record Number: 2659
Source Name: DnsApi
Time Written: 20100510174555.000000-240
Event Type: warning
User:

Computer Name: HDQBEPC985989
Event Code: 40961
Message: The Security System could not establish a secured connection with the server DNS/ns-west.cerf.net. No authentication protocol was available.

Record Number: 2658
Source Name: LSASRV
Time Written: 20100510174540.000000-240
Event Type: warning
User:

Computer Name: HDQBEPC985989
Event Code: 40960
Message: The Security System detected an attempted downgrade attack for
server DNS/ns-west.cerf.net. The failure code from authentication protocol Kerberos
was "There are currently no logon servers available to service the logon request.
(0xc000005e)".

Record Number: 2657
Source Name: LSASRV
Time Written: 20100510174540.000000-240
Event Type: warning
User:

Computer Name: HDQBEPC985989
Event Code: 29
Message: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Record Number: 2649
Source Name: W32Time
Time Written: 20100510174424.000000-240
Event Type: error
User:

Computer Name: HDQBEPC985989
Event Code: 14
Message: The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 15 minutes.

Record Number: 2648
Source Name: W32Time
Time Written: 20100510174424.000000-240
Event Type: warning
User:

=====Application event log=====

Computer Name: HDQBEPC985989
Event Code: 1
Message:
Record Number: 86536
Source Name: nview_info
Time Written: 20100518201851.000000-240
Event Type: error
User:

Computer Name: HDQBEPC985989
Event Code: 1
Message:
Record Number: 86535
Source Name: nview_info
Time Written: 20100518201801.000000-240
Event Type: error
User:

Computer Name: HDQBEPC985989
Event Code: 20
Message:
Record Number: 86534
Source Name: Google Update
Time Written: 20100518195105.000000-240
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: HDQBEPC985989
Event Code: 20
Message:
Record Number: 86533
Source Name: Google Update
Time Written: 20100518194106.000000-240
Event Type: error
User: HDQBEPC985989\dalgu210

Computer Name: HDQBEPC985989
Event Code: 20
Message:
Record Number: 86530
Source Name: Google Update
Time Written: 20100518165120.000000-240
Event Type: error
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ThinkPad\ConnectUtilities;C:\Program Files\Intel\Wireless\Bin\;C:\Program Files\Executive Software\Diskeeper\;C:\Program Files\Utimaco\SafeGuard Easy\;C:\Program Files\Rational\common;C:\Program Files\Rational\ClearCase\bin;C:\Program Files\TeaLeaf;
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 11, GenuineIntel
"PROCESSOR_REVISION"=0f0b
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"HALTYPE"=acpiapic_mp
"TYPE"=LAPTOP
"SUPPORTTYPE"=Full
"MANUFACTURER"=LENOVO
"IMAGEMODELTYPE"=6458-5KU
"BIOSMODELTYPE"=6458-5KU
"SonicCentral"=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
"TPCCommon"=C:\PROGRA~1\THINKV~1\PrdCtr
"SMA"=C:\Program Files\ThinkVantage\SMA\
"PROFILE"=Corporate-ExecuStay
"TISDIR"=C:\Program Files\Rational\common
"IBMLDAP_ALTHOME"=C:\Program Files\Rational\common\codeset
"CLASSPATH"=C:\Program Files\Rational\ClearQuest\cqjni.jar
"IBM_JAVA_HOME"=C:\Program Files\Rational\common\java\jre\bin
"MeetingCenterApp"=C:\Program Files\Meeting Center\

-----------------EOF-----------------


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-29 17:46:01
Windows 5.1.2600 Service Pack 2
Running: ry7nimn6.exe; Driver: C:\DOCUME~1\DALGU2~1.HDQ\LOCALS~1\Temp\pxtdqfoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8CE1380, 0x2F1D27, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[388] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[388] kernel32.dll!WaitForSingleObject 7C802520 5 Bytes JMP 7C883527 C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[388] WS2_32.dll!send 71AB428A 5 Bytes JMP 01EF5366
.text C:\Program Files\Mozilla Firefox\firefox.exe[388] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 01EF552A
.text C:\Program Files\Mozilla Firefox\firefox.exe[388] WS2_32.dll!recv 71AB615A 5 Bytes JMP 01EF53D9
.text C:\Program Files\Mozilla Firefox\firefox.exe[388] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 01EF5490
.text C:\Program Files\Mozilla Firefox\firefox.exe[388] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 01EF5624
.text C:\WINDOWS\Explorer.EXE[644] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 00E95BAC
.text C:\WINDOWS\Explorer.EXE[644] kernel32.dll!CreateProcessInternalW 7C819527 5 Bytes JMP 00E95ADE

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Scap.sys (Check Point Software Technologies)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Scap.sys (Check Point Software Technologies)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 SGEFLT.SYS (PnP Disk Filter Driver/Windows ® 2000 DDK provider)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 SGEFLT.SYS (PnP Disk Filter Driver/Windows ® 2000 DDK provider)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Scap.sys (Check Point Software Technologies)
AttachedDevice \Driver\Tcpip \Device\RawIp Scap.sys (Check Point Software Technologies)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
---- Processes - GMER 1.0.15 ----

Library C:\Program (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [644] 0x02ED0000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls@AppSecDll C:\Documents and Settings\NetworkService\Local Settings\Application Data\Windows Server\zoxjkh.dll

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----


#4 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:10:14 AM

Posted 29 May 2010 - 05:58 PM

Hello, tbbucs44.
Viewpoint Warning!

Your logs show Viewpoint Manager installed, Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:

Viewpoint to Plunge Into Adware

I suggest you remove the program now. Go to Start > Control Panel > Add or Remove Programs. From within Add or Remove Programs uninstall the following if they exist:
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player




Backdoor warning!

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed.
In most cases, a reformat and clean install of the Operating System is the best solution for your (and probably other's) safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Help: I Got Hacked. Now What Do I Do? Part II
Where to draw the line? When to recommend a format and reinstall?


Again, if you would like me to attempt to clean it, I will be happy to do so. But if you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful. Should you have any questions, please feel free to ask.

Please let me know what you decide to do. If you decide to continue with the fix, please proceed with the steps below.




We need to download and run ComboFix (by sUBs)
  1. Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". For more details, please check this thread
  2. Please download ComboFix from one of these locations:
    Link 1
    Link 2
    ** IMPORTANT !!! Save ComboFix.exe to your Desktop
  3. Double click on ComboFix.exe & follow the prompts.
  4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  5. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
  6. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    The Recovery Console was successfully installed. Click 'Yes' to continue scanning for malware. Click 'No' to exit
  7. Click on Yes, to continue scanning for malware.
  8. When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
**A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
**This tool is not a toy and not for everyday use.
**ComboFix SHOULD NOT be used unless requested by a forum helper


In your next reply, please include the following:
  • ComboFix.txt

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#5 tbbucs44

tbbucs44
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:14 AM

Posted 29 May 2010 - 06:43 PM

Below is the ComboFix log...

ComboFix 10-05-29.03 - dalgu210 05/29/2010 19:21:54.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2232 [GMT -4:00]
Running from: c:\documents and settings\dalgu210.HDQBEPC985989\Desktop\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {56A2CB4F-4200-4BEA-B9AD-99EA05AF3114}
FW: Trend Micro OfficeScan Enterprise Client Firewall *disabled* {62582529-66AE-465D-AE65-7711A2487F56}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
The following files were disabled during the run:
c:\documents and settings\svc-clearcase_albd\Local Settings\Application Data\Windows Server\zoxjkh.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\dalgu210.HDQBEPC985989\Local Settings\Application Data\Windows Server
c:\documents and settings\dalgu210.HDQBEPC985989\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\dalgu210.HDQBEPC985989\Local Settings\Application Data\Windows Server\uses32.dat
c:\documents and settings\dalgu210.HDQBEPC985989\Local Settings\Application Data\Windows Server\zoxjkh.dll
c:\documents and settings\dalgu210.HDQBEPC985989\Recent\Thumbs.db
c:\documents and settings\dalgu210\g2mdlhlpx.exe
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server\zoxjkh.dll
c:\documents and settings\neary\Local Settings\Application Data\Windows Server
c:\documents and settings\neary\Local Settings\Application Data\Windows Server\zoxjkh.dll
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server\zoxjkh.dll
c:\documents and settings\svc-clearcase_albd\Local Settings\Application Data\Windows Server
c:\documents and settings\svc-clearcase_albd\Local Settings\Application Data\Windows Server\zoxjkh.dll
c:\documents and settings\svc-clearcase_albd\Local Settings\Application Data\Windows Server\zoxjkh.dll.vir
C:\feed.txt
c:\windows\system32\Thumbs.db
c:\windows\system32\vb6ko.dll

----- BITS: Possible infected sites -----

hxxp://hdxplus-lb.marriott.com
.
((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-29 )))))))))))))))))))))))))))))))
.

2010-05-29 23:25 . 2010-05-29 23:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
2010-05-29 21:35 . 2010-05-29 22:14 -------- d-----w- C:\rsit
2010-05-28 22:31 . 2010-05-28 22:31 -------- d-----w- c:\documents and settings\neary\Local Settings\Application Data\Mozilla
2010-05-28 02:33 . 2010-05-28 02:33 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-05-17 21:26 . 2010-05-17 21:26 -------- d-----w- c:\documents and settings\dalgu210.HDQBEPC985989\Local Settings\Application Data\AIM
2010-05-14 20:55 . 2001-08-17 17:56 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2010-05-14 20:55 . 2001-08-17 17:56 7552 ----a-w- c:\windows\system32\drivers\SONYPVU1.SYS
2010-05-11 19:49 . 2010-05-11 19:49 -------- d-----w- c:\program files\IVCsoft
2010-05-06 14:52 . 2010-05-06 14:52 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-05-06 14:52 . 2010-05-06 14:52 -------- d-----w- c:\documents and settings\svc-clearcase_albd\Local Settings\Application Data\AIM
2010-05-06 14:52 . 2010-05-06 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2010-05-06 14:52 . 2010-05-06 14:52 -------- d-----w- c:\program files\AIM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-29 23:05 . 2008-01-18 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-05-29 22:14 . 2008-07-25 15:55 -------- d-----w- c:\program files\Trend Micro
2010-05-29 21:30 . 2008-01-23 02:40 -------- d-----w- c:\documents and settings\dalgu210.HDQBEPC985989\Application Data\ZoomBrowser EX
2010-05-29 21:30 . 2008-01-23 02:31 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-05-29 21:26 . 2008-01-19 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-05-29 15:33 . 2008-02-22 21:04 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-05-29 15:33 . 2008-02-23 04:08 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-05-28 23:40 . 2008-01-07 16:00 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-28 23:22 . 2008-01-07 17:32 -------- d-----w- c:\program files\Java
2010-05-28 22:31 . 2010-05-28 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Mozilla Firefox
2010-05-28 19:28 . 2008-01-19 00:14 -------- d-----w- c:\program files\Google
2010-05-28 13:08 . 2008-01-07 16:01 -------- d-----w- c:\program files\Insight
2010-05-28 04:22 . 2010-05-28 04:20 91920 ----a-w- c:\documents and settings\neary\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-28 04:21 . 2010-05-28 04:21 -------- d-----w- c:\documents and settings\neary\Application Data\Intel
2010-05-26 18:11 . 2010-05-14 17:27 12800 ----a-w- c:\documents and settings\All Users\Application Data\SupportSoft\hdxplus\SYSTEM\exec\LB_URL_Fix.exe
2010-05-26 01:04 . 2008-01-23 03:09 -------- d-----w- c:\documents and settings\dalgu210.HDQBEPC985989\Application Data\FileZilla
2010-05-10 04:25 . 2010-01-15 03:09 -------- d-----w- c:\program files\CarbonPoker
2010-05-06 14:44 . 2008-11-26 13:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2010-05-04 22:28 . 2010-01-28 15:38 59904 ----a-w- c:\documents and settings\All Users\Application Data\SupportSoft\hdxplus\SYSTEM\exec\CheckForExpirationAndChangePassword.exe
2010-05-03 12:58 . 2008-01-07 17:26 -------- d-----w- c:\program files\AT&T Global Network Client
2010-04-19 18:59 . 2010-04-19 18:59 255472 ----a-w- c:\documents and settings\dalgu210.HDQBEPC985989\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-04-16 13:18 . 2010-04-16 13:18 -------- d--h--r- c:\documents and settings\All Users\Application Data\yahoo!
2010-04-16 04:41 . 2010-04-14 04:46 -------- d-----w- c:\program files\Yahoo!
2010-04-13 18:01 . 2008-08-01 13:58 -------- d-----w- c:\program files\TeaLeaf
2010-04-06 13:47 . 2010-04-06 13:46 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-04-05 03:06 . 2010-04-05 03:06 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-01 15:56 . 2010-05-28 22:31 155648 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\softokn3.dll
2010-04-01 15:56 . 2010-05-28 22:31 98304 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\nssdbm3.dll
2010-04-01 15:56 . 2010-05-28 22:31 249856 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\freebl3.dll
2010-03-30 21:31 . 2010-02-25 22:16 63488 ----a-w- c:\documents and settings\All Users\Application Data\SupportSoft\hdxplus\SYSTEM\exec\BF_SupportJob.exe
2010-03-05 22:59 . 2010-01-28 15:38 106496 ----a-w- c:\documents and settings\All Users\Application Data\SupportSoft\hdxplus\SYSTEM\exec\Interop.ActiveDs.dll
2010-03-05 22:59 . 2010-01-28 15:38 6144 ----a-w- c:\documents and settings\All Users\Application Data\SupportSoft\hdxplus\SYSTEM\exec\SecurePasswordTextBox.dll
2010-03-05 22:59 . 2010-01-28 15:38 14336 ----a-w- c:\documents and settings\All Users\Application Data\SupportSoft\hdxplus\SYSTEM\exec\SupportActionLoggerLibrary.dll
2010-03-03 20:57 . 2010-03-03 20:57 503808 ----a-w- c:\documents and settings\dalgu210.HDQBEPC985989\Application Data\Sun\Java\Deployment\cache\javaws\http\Ddl.javafx.com\P80\RNjavafx-jmc-natives-windows-i586__V1.2.3_b36.jar\msvcp71.dll
2010-03-03 20:57 . 2010-03-03 20:57 499712 ----a-w- c:\documents and settings\dalgu210.HDQBEPC985989\Application Data\Sun\Java\Deployment\cache\javaws\http\Ddl.javafx.com\P80\RNjavafx-jmc-natives-windows-i586__V1.2.3_b36.jar\jmc.dll
2010-03-03 20:57 . 2010-03-03 20:57 348160 ----a-w- c:\documents and settings\dalgu210.HDQBEPC985989\Application Data\Sun\Java\Deployment\cache\javaws\http\Ddl.javafx.com\P80\RNjavafx-jmc-natives-windows-i586__V1.2.3_b36.jar\msvcr71.dll
2010-03-03 20:57 . 2010-03-03 20:57 61440 ----a-w- c:\documents and settings\dalgu210.HDQBEPC985989\Application Data\Sun\Java\Deployment\cache\javaws\http\Ddl.javafx.com\P80\RNjavafx-rt-natives-windows-i586__V1.2.3_b36.jar\decora-sse.dll
2010-03-03 20:57 . 2010-03-03 20:57 12800 ----a-w- c:\documents and settings\dalgu210.HDQBEPC985989\Application Data\Sun\Java\Deployment\cache\javaws\http\Ddl.javafx.com\P80\RNjavafx-rt-natives-windows-i586__V1.2.3_b36.jar\decora-d3d.dll
2009-11-20 14:44 . 2009-11-20 14:44 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetSP - restore settings on power failure"="c:\program files\AT&T Global Network Client\NetSP.exe" [2007-01-13 24576]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-19 68856]
"Google Update"="c:\documents and settings\dalgu210.HDQBEPC985989\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-15 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-18 8433664]
"nwiz"="nwiz.exe" [2007-05-18 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-18 81920]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-07-06 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-06 512000]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 1015808]
"TpShocks"="TpShocks.exe" [2006-12-26 181808]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-06-18 200704]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-06-18 208896]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 243248]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-08-21 413696]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-08-21 126976]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-10 58416]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-03-23 120368]
"DiskeeperSystray"="c:\program files\Executive Software\Diskeeper\DkIcon.exe" [2004-10-05 176216]
"SgeEcView"="c:\program files\Utimaco\SafeGuard Easy\Ecview.exe" [2008-09-16 24653]
"EdWizard"="c:\program files\Utimaco\SafeGuard Easy\EdWizard.exe" [2008-09-16 352345]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-20 30192]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"CCDoctorLogonTesting"="c:\program files\Rational\ClearCase\bin\ccdoctor.exe" [2008-02-13 126976]
"hdxplus"="c:\program files\HDXPLUS\bin\sprtcmd.exe" [2009-09-23 202016]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2008-12-09 718120]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 75520]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2007-2-27 561213]
Snagit 9.lnk - c:\program files\TechSmith\Snagit 9\Snagit32.exe [2009-4-17 7226184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ccnotify]
2007-03-30 20:09 15412 ----a-w- c:\windows\system32\ccnotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2003-06-02 17:25 24672 ----a-w- c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NotLog]
2002-01-22 20:28 110592 ----a-w- c:\windows\system32\SGLogEx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SGLogNotification]
2005-03-31 16:27 69632 ----a-w- c:\windows\system32\SGLogNotification.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 23:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 18:06 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
AppSecDll REG_SZ c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server\zoxjkh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"35760:TCP"= 35760:TCP:Trend Micro OfficeScan Listener

R0 AES-256;AES-256;c:\windows\system32\drivers\AES256.sys [9/16/2008 3:19 PM 19712]
R0 SgeFlt;SgeFlt;c:\windows\system32\drivers\SGEFLT.sys [7/20/2007 1:21 PM 62720]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [12/25/2006 11:03 PM 19760]
R2 Installation Gatekeeper;Installation Gatekeeper;c:\program files\Marriott\Installation Gatekeeper\IGK.exe [7/21/2003 1:22 PM 7168]
R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [1/7/2008 1:23 PM 17328]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [9/22/2009 5:27 PM 1221928]
R2 sprtsvc_hdxplus;SupportSoft Sprocket Service (hdxplus);c:\program files\hdxplus\bin\sprtsvc.exe [9/23/2009 6:24 PM 202016]
R2 tgsrvc_hdxplus;SupportSoft Repair Service (hdxplus);c:\program files\hdxplus\bin\tgsrvc.exe [9/23/2009 6:23 PM 148768]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [5/21/2009 9:02 PM 230928]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [5/21/2009 9:00 PM 36368]
R3 LenovoRd;LenovoRd;c:\windows\system32\drivers\LenovoRd.sys [2/26/2007 9:29 PM 81920]
R3 Mvfs;Atria Multi-Version FS;c:\windows\system32\drivers\mvfs50.sys [6/4/2008 11:42 AM 330544]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [12/9/2008 4:45 AM 338448]
R3 TmPfw;OfficeScan NT Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [6/3/2008 11:08 AM 488768]
S2 Albd;Atria Location Broker;c:\program files\Rational\ClearCase\bin\albd_server.exe [2/13/2008 4:50 PM 176698]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/5/2010 11:36 PM 135664]
S3 GomezAnywhere;Gomez Anywhere Connector Service;c:\program files\Gomez\Gomez Anywhere Connector\bin\wrapper.exe [1/13/2009 3:36 PM 204800]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/18/2008 8:23 PM 30192]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [1/7/2008 1:23 PM 14924]
S3 S3Inc;S3Inc;c:\windows\system32\drivers\s3mt3d.sys [5/31/2006 9:11 AM 41216]
S3 s3legacy;s3legacy;c:\windows\system32\drivers\s3legacy.sys [8/1/2007 1:13 PM 65664]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [6/3/2008 11:08 AM 652552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PQMove]
2009-03-18 14:54 208 ----a-w- c:\stage\Applications\Marriott\PQMOVE\migrate.vbs
.
Contents of the 'Scheduled Tasks' folder

2010-05-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-01-19 18:20]

2010-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 03:36]

2010-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 03:36]

2010-05-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1532298954-725345543-39320Core.job
- c:\documents and settings\dalgu210\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-19 19:06]

2010-05-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1532298954-725345543-39320UA.job
- c:\documents and settings\dalgu210\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-19 19:06]

2010-05-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2869680714-1471076481-1152482959-1008Core.job
- c:\documents and settings\dalgu210.HDQBEPC985989\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-15 20:15]

2010-05-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2869680714-1471076481-1152482959-1008UA.job
- c:\documents and settings\dalgu210.HDQBEPC985989\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-15 20:15]

2010-05-29 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-01-07 08:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mgs.marriott.com
mStart Page = hxxp://mgs.marriott.com
uInternet Connection Wizard,ShellNext = hxxp://mgs.marriott.com/
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {619A4D9B-FB37-471E-8CF3-3AA0CBA33804} - hxxps://equeststaging.marriott.com/Download/EquestTr.CAB
DPF: {9E4046F1-0606-11D6-ACBD-00D0B7190EE7} - hxxps://equeststaging.marriott.com/Download/sdgARViewer.cab
FF - ProfilePath - c:\documents and settings\dalgu210.HDQBEPC985989\Application Data\Mozilla\Firefox\Profiles\whkls4md.default\
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
FF - plugin: c:\documents and settings\dalgu210.HDQBEPC985989\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\dalgu210.HDQBEPC985989\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\dalgu210.HDQBEPC985989\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\dalgu210.HDQBEPC985989\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
ShellIconOverlayIdentifiers-{ba930330-a721-11d3-a7b9-00500464ee16} - Sgedrse.Dll
ShellIconOverlayIdentifiers-{2030D939-54A7-4fea-9B06-49EA77EFC87F} - Sgedrse.Dll
HKCU-Run-Aim6 - (no file)
Notify-ACNotify - ACNotify.dll
ActiveSetup-egrid_viewer - regedit
AddRemove-Yahoo! Software Update - c:\progra~1\Yahoo!\SOFTWA~1\UNINST~1.EXE
AddRemove-Yahoo! Toolbar - c:\progra~1\Yahoo!\Common\UNYT_W~1.EXE
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\dalgu210.HDQBEPC985989\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-29 19:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1968)
c:\windows\system32\tvt_gina.dll
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\windows\system32\WININET.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
c:\program files\ThinkPad\ConnectUtilities\Res\US\ACGinaRes.dll
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\windows\system32\ccasenp.dll
c:\windows\system32\ccnotify.dll
c:\windows\system32\SGLogEx.dll
c:\windows\system32\SGLogNotification.dll
c:\windows\system32\GetUserSid.dll

- - - - - - - > 'lsass.exe'(2024)
c:\windows\system32\ccasenp.dll

- - - - - - - > 'explorer.exe'(14284)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\nview.dll
c:\program files\Utimaco\SafeGuard Easy\SgMsgBhk.dll
c:\program files\Utimaco\SafeGuard Easy\SgeDrse.dll
c:\program files\Utimaco\SafeGuard Easy\SgeUtil.dll
c:\windows\system32\shdoclc.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\ccasenp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\System32\SCardSvr.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Insight\Tools\aiclient.exe
c:\program files\BigFix Enterprise\BES Client\BESClient.exe
c:\program files\Executive Software\Diskeeper\DkService.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Rational\ClearCase\bin\lockmgr.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AT&T Global Network Client\NetCfgSv.EXE
c:\program files\Trend Micro\OfficeScan Client\ntrtscan.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Utimaco\SafeGuard Easy\SgeClient.exe
c:\program files\Utimaco\SafeGuard Easy\SgeCtl.exe
c:\windows\system32\SgLogPlayer.exe
c:\windows\System32\TPHDEXLG.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\windows\system32\cccredmgr.exe
c:\program files\Trend Micro\OfficeScan Client\tmlisten.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\TEMP\XX8A89.EXE
c:\program files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\TpShocks.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Lenovo\Zoom\TpScrex.exe
c:\progra~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
c:\program files\TechSmith\Snagit 9\TSCHelp.exe
c:\program files\TechSmith\Snagit 9\SnagPriv.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\TechSmith\Snagit 9\snagiteditor.exe
.
**************************************************************************
.
Completion time: 2010-05-29 19:37:19 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-29 23:37

Pre-Run: 3,499,692,032 bytes free
Post-Run: 3,979,767,808 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 970B9DD539B9A24D4FF3EA0E32DE3E84


#6 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:10:14 AM

Posted 29 May 2010 - 09:52 PM

Hello, tbbucs44.
Okay, little bit more to do.
We need to run a Combofix script
  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the codebox below into it. Do not copy the word "code".
    CODE
    http://www.bleepingcomputer.com/forums/t/319780/google-and-other-search-engine-links-redirect/

    Collect::
    c:\windows\system32\drivers\logiflt.iad
    c:\windows\system32\drivers\lvuvc.hs
  4. Save this as CFScript.txt, in the same location as ComboFix.exe
  5. Now, drag and drop CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

In your next reply, please include the following:
  • ComboFix.txt

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#7 tbbucs44

tbbucs44
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:14 AM

Posted 30 May 2010 - 08:02 AM

Thanks for your help so far. Here is the ComboFix log

ComboFix 10-05-29.03 - dalgu210 05/30/2010 8:42.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2384 [GMT -4:00]
Running from: c:\documents and settings\dalgu210.HDQBEPC985989\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\dalgu210.HDQBEPC985989\Desktop\CFScript.txt
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {56A2CB4F-4200-4BEA-B9AD-99EA05AF3114}
FW: Trend Micro OfficeScan Enterprise Client Firewall *disabled* {62582529-66AE-465D-AE65-7711A2487F56}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
* Created a new restore point

file zipped: c:\windows\system32\drivers\logiflt.iad
file zipped: c:\windows\system32\drivers\lvuvc.hs
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\dalgu210.HDQBEPC985989\Recent\Thumbs.db
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
c:\documents and settings\svc-clearcase_albd\Local Settings\Application Data\Windows Server
c:\windows\system32\drivers\logiflt.iad
c:\windows\system32\drivers\lvuvc.hs

----- BITS: Possible infected sites -----

hxxp://hdxplus-lb.marriott.com
.
((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-30 )))))))))))))))))))))))))))))))
.

2010-05-29 21:35 . 2010-05-29 22:14 -------- d-----w- C:\rsit
2010-05-28 04:22 . 2010-05-28 04:22 -------- d-----w- c:\documents and settings\neary\Local Settings\Application Data\AIM Toolbar
2010-05-28 04:21 . 2010-05-28 04:21 -------- d-----w- c:\documents and settings\neary\Local Settings\Application Data\TechSmith
2010-05-28 04:20 . 2009-09-21 18:35 -------- d-----w- c:\documents and settings\neary\Local Settings\Application Data\Adobe
2010-05-28 04:20 . 2006-05-31 17:45 -------- d-----w- c:\documents and settings\neary\Local Settings\Application Data\ApplicationHistory
2010-05-28 04:20 . 2010-05-28 04:21 -------- d-----w- c:\documents and settings\neary
2010-05-28 02:33 . 2010-05-28 02:33 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-05-17 21:26 . 2010-05-17 21:26 -------- d-----w- c:\documents and settings\dalgu210.HDQBEPC985989\Local Settings\Application Data\AIM
2010-05-14 20:55 . 2001-08-17 17:56 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2010-05-14 20:55 . 2001-08-17 17:56 7552 ----a-w- c:\windows\system32\drivers\SONYPVU1.SYS
2010-05-14 17:27 . 2010-05-26 18:11 12800 ----a-w- c:\documents and settings\All Users\Application Data\SupportSoft\hdxplus\SYSTEM\exec\LB_URL_Fix.exe
2010-05-11 19:49 . 2010-05-11 19:49 -------- d-----w- c:\program files\IVCsoft
2010-05-06 14:52 . 2010-05-06 14:52 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-05-06 14:52 . 2010-05-06 14:52 -------- d-----w- c:\documents and settings\svc-clearcase_albd\Local Settings\Application Data\AIM
2010-05-06 14:52 . 2010-05-06 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM
2010-05-06 14:52 . 2010-05-06 14:52 -------- d-----w- c:\program files\AIM
2010-05-05 14:13 . 2010-04-20 06:09 28 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\unregister.bat
2010-05-05 14:13 . 2010-04-20 06:09 30552 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\Uninstaller.exe
2010-05-05 14:13 . 2010-04-20 06:09 3910200 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\AIMinst.exe
2010-05-05 14:13 . 2010-04-20 06:09 404568 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\tbsetup.exe
2010-05-05 14:13 . 2010-04-20 06:09 25 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\register.bat
2010-05-05 14:13 . 2010-04-20 06:09 11608 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\tbinst.dll
2010-05-05 14:13 . 2010-04-20 06:09 457576 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\setup.exe
2010-05-05 14:13 . 2010-04-20 06:09 245080 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\migrator.exe
2010-05-05 14:13 . 2010-04-20 06:09 83816 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\ProgUpd.dll
2010-05-05 14:13 . 2010-04-20 06:09 36704 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\postproc.exe
2010-05-05 14:13 . 2010-04-20 06:09 10072 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\imappver.dll
2010-05-05 14:13 . 2010-04-20 06:09 1062232 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\gui.dll
2010-05-05 14:12 . 2010-04-20 06:09 180824 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\dlupd.exe
2010-05-05 14:12 . 2010-04-20 06:09 97112 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\bsetutil.exe
2010-05-05 14:12 . 2010-04-20 06:09 111960 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\AOLSearch.dll
2010-05-05 14:12 . 2009-12-16 12:07 136528 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\AOLSetup.exe
2010-05-05 14:12 . 2010-04-20 06:09 95792 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\AOLFirewallMgr.dll
2010-05-05 14:12 . 2010-04-20 06:09 2351472 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4506.2.4\AIMLang.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-30 03:04 . 2008-01-23 03:09 -------- d-----w- c:\documents and settings\dalgu210.HDQBEPC985989\Application Data\FileZilla
2010-05-29 23:05 . 2008-01-18 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-05-29 22:14 . 2008-07-25 15:55 -------- d-----w- c:\program files\Trend Micro
2010-05-29 21:30 . 2008-01-23 02:40 -------- d-----w- c:\documents and settings\dalgu210.HDQBEPC985989\Application Data\ZoomBrowser EX
2010-05-29 21:30 . 2008-01-23 02:31 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-05-29 21:26 . 2008-01-19 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-05-28 23:40 . 2008-01-07 16:00 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-28 23:22 . 2008-01-07 17:32 -------- d-----w- c:\program files\Java
2010-05-28 22:31 . 2010-05-28 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Mozilla Firefox
2010-05-28 19:28 . 2008-01-19 00:14 -------- d-----w- c:\program files\Google
2010-05-28 13:08 . 2008-01-07 16:01 -------- d-----w- c:\program files\Insight
2010-05-28 04:22 . 2010-05-28 04:20 91920 ----a-w- c:\documents and settings\neary\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-28 04:21 . 2010-05-28 04:21 -------- d-----w- c:\documents and settings\neary\Application Data\Intel
2010-05-10 04:25 . 2010-01-15 03:09 -------- d-----w- c:\program files\CarbonPoker
2010-04-19 18:59 . 2010-04-19 18:59 255472 ----a-w- c:\documents and settings\dalgu210.HDQBEPC985989\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-04-16 13:18 . 2010-04-16 13:18 -------- d--h--r- c:\documents and settings\All Users\Application Data\yahoo!
2010-04-16 04:41 . 2010-04-14 04:46 -------- d-----w- c:\program files\Yahoo!
2010-04-13 18:01 . 2008-08-01 13:58 -------- d-----w- c:\program files\TeaLeaf
2010-04-06 13:47 . 2010-04-06 13:46 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-04-05 03:06 . 2010-04-05 03:06 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-01 15:56 . 2010-05-28 22:31 155648 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\softokn3.dll
2010-04-01 15:56 . 2010-05-28 22:31 98304 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\nssdbm3.dll
2010-04-01 15:56 . 2010-05-28 22:31 249856 ----a-w- c:\documents and settings\All Users\Application Data\Mozilla Firefox\freebl3.dll
2010-03-30 21:31 . 2010-02-25 22:16 63488 ----a-w- c:\documents and settings\All Users\Application Data\SupportSoft\hdxplus\SYSTEM\exec\BF_SupportJob.exe
2010-03-05 22:59 . 2010-01-28 15:38 106496 ----a-w- c:\documents and settings\All Users\Application Data\SupportSoft\hdxplus\SYSTEM\exec\Interop.ActiveDs.dll
2010-03-05 22:59 . 2010-01-28 15:38 6144 ----a-w- c:\documents and settings\All Users\Application Data\SupportSoft\hdxplus\SYSTEM\exec\SecurePasswordTextBox.dll
2010-03-05 22:59 . 2010-01-28 15:38 14336 ----a-w- c:\documents and settings\All Users\Application Data\SupportSoft\hdxplus\SYSTEM\exec\SupportActionLoggerLibrary.dll
2010-03-03 20:57 . 2010-03-03 20:57 503808 ----a-w- c:\documents and settings\dalgu210.HDQBEPC985989\Application Data\Sun\Java\Deployment\cache\javaws\http\Ddl.javafx.com\P80\RNjavafx-jmc-natives-windows-i586__V1.2.3_b36.jar\msvcp71.dll
2010-03-03 20:57 . 2010-03-03 20:57 499712 ----a-w- c:\documents and settings\dalgu210.HDQBEPC985989\Application Data\Sun\Java\Deployment\cache\javaws\http\Ddl.javafx.com\P80\RNjavafx-jmc-natives-windows-i586__V1.2.3_b36.jar\jmc.dll
2010-03-03 20:57 . 2010-03-03 20:57 348160 ----a-w- c:\documents and settings\dalgu210.HDQBEPC985989\Application Data\Sun\Java\Deployment\cache\javaws\http\Ddl.javafx.com\P80\RNjavafx-jmc-natives-windows-i586__V1.2.3_b36.jar\msvcr71.dll
2010-03-03 20:57 . 2010-03-03 20:57 61440 ----a-w- c:\documents and settings\dalgu210.HDQBEPC985989\Application Data\Sun\Java\Deployment\cache\javaws\http\Ddl.javafx.com\P80\RNjavafx-rt-natives-windows-i586__V1.2.3_b36.jar\decora-sse.dll
2010-03-03 20:57 . 2010-03-03 20:57 12800 ----a-w- c:\documents and settings\dalgu210.HDQBEPC985989\Application Data\Sun\Java\Deployment\cache\javaws\http\Ddl.javafx.com\P80\RNjavafx-rt-natives-windows-i586__V1.2.3_b36.jar\decora-d3d.dll
2009-11-20 14:44 . 2009-11-20 14:44 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetSP - restore settings on power failure"="c:\program files\AT&T Global Network Client\NetSP.exe" [2007-01-13 24576]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-19 68856]
"Google Update"="c:\documents and settings\dalgu210.HDQBEPC985989\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-15 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-18 8433664]
"nwiz"="nwiz.exe" [2007-05-18 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-18 81920]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-07-06 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-06 512000]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 1015808]
"TpShocks"="TpShocks.exe" [2006-12-26 181808]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-06-18 200704]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-06-18 208896]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-04-27 243248]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-08-21 413696]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-08-21 126976]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-04-10 58416]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-03-23 120368]
"DiskeeperSystray"="c:\program files\Executive Software\Diskeeper\DkIcon.exe" [2004-10-05 176216]
"SgeEcView"="c:\program files\Utimaco\SafeGuard Easy\Ecview.exe" [2008-09-16 24653]
"EdWizard"="c:\program files\Utimaco\SafeGuard Easy\EdWizard.exe" [2008-09-16 352345]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-20 30192]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"CCDoctorLogonTesting"="c:\program files\Rational\ClearCase\bin\ccdoctor.exe" [2008-02-13 126976]
"hdxplus"="c:\program files\HDXPLUS\bin\sprtcmd.exe" [2009-09-23 202016]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2008-12-09 718120]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 75520]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2007-2-27 561213]
Snagit 9.lnk - c:\program files\TechSmith\Snagit 9\Snagit32.exe [2009-4-17 7226184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ccnotify]
2007-03-30 20:09 15412 ----a-w- c:\windows\system32\ccnotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2003-06-02 17:25 24672 ----a-w- c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NotLog]
2002-01-22 20:28 110592 ----a-w- c:\windows\system32\SGLogEx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SGLogNotification]
2005-03-31 16:27 69632 ----a-w- c:\windows\system32\SGLogNotification.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 23:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 18:06 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
AppSecDll REG_SZ c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server\zoxjkh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"35760:TCP"= 35760:TCP:Trend Micro OfficeScan Listener

R0 AES-256;AES-256;c:\windows\system32\drivers\AES256.sys [9/16/2008 3:19 PM 19712]
R0 SgeFlt;SgeFlt;c:\windows\system32\drivers\SGEFLT.sys [7/20/2007 1:21 PM 62720]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [12/25/2006 11:03 PM 19760]
R2 Installation Gatekeeper;Installation Gatekeeper;c:\program files\Marriott\Installation Gatekeeper\IGK.exe [7/21/2003 1:22 PM 7168]
R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [1/7/2008 1:23 PM 17328]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [9/22/2009 5:27 PM 1221928]
R2 sprtsvc_hdxplus;SupportSoft Sprocket Service (hdxplus);c:\program files\hdxplus\bin\sprtsvc.exe [9/23/2009 6:24 PM 202016]
R2 tgsrvc_hdxplus;SupportSoft Repair Service (hdxplus);c:\program files\hdxplus\bin\tgsrvc.exe [9/23/2009 6:23 PM 148768]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [5/21/2009 9:00 PM 36368]
R3 LenovoRd;LenovoRd;c:\windows\system32\drivers\LenovoRd.sys [2/26/2007 9:29 PM 81920]
R3 Mvfs;Atria Multi-Version FS;c:\windows\system32\drivers\mvfs50.sys [6/4/2008 11:42 AM 330544]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [12/9/2008 4:45 AM 338448]
R3 TmPfw;OfficeScan NT Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [6/3/2008 11:08 AM 488768]
S2 Albd;Atria Location Broker;c:\program files\Rational\ClearCase\bin\albd_server.exe [2/13/2008 4:50 PM 176698]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/5/2010 11:36 PM 135664]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [5/21/2009 9:02 PM 230928]
S3 GomezAnywhere;Gomez Anywhere Connector Service;c:\program files\Gomez\Gomez Anywhere Connector\bin\wrapper.exe [1/13/2009 3:36 PM 204800]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/18/2008 8:23 PM 30192]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [1/7/2008 1:23 PM 14924]
S3 S3Inc;S3Inc;c:\windows\system32\drivers\s3mt3d.sys [5/31/2006 9:11 AM 41216]
S3 s3legacy;s3legacy;c:\windows\system32\drivers\s3legacy.sys [8/1/2007 1:13 PM 65664]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [6/3/2008 11:08 AM 652552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\PQMove]
2009-03-18 14:54 208 ----a-w- c:\stage\Applications\Marriott\PQMOVE\migrate.vbs
.
Contents of the 'Scheduled Tasks' folder

2010-05-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-01-19 18:20]

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 03:36]

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 03:36]

2010-05-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1532298954-725345543-39320Core.job
- c:\documents and settings\dalgu210\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-19 19:06]

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1004336348-1532298954-725345543-39320UA.job
- c:\documents and settings\dalgu210\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-19 19:06]

2010-05-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2869680714-1471076481-1152482959-1008Core.job
- c:\documents and settings\dalgu210.HDQBEPC985989\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-15 20:15]

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2869680714-1471076481-1152482959-1008UA.job
- c:\documents and settings\dalgu210.HDQBEPC985989\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-15 20:15]

2010-05-30 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-01-07 08:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mgs.marriott.com
mStart Page = hxxp://mgs.marriott.com
uInternet Connection Wizard,ShellNext = hxxp://mgs.marriott.com/
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {619A4D9B-FB37-471E-8CF3-3AA0CBA33804} - hxxps://equeststaging.marriott.com/Download/EquestTr.CAB
DPF: {9E4046F1-0606-11D6-ACBD-00D0B7190EE7} - hxxps://equeststaging.marriott.com/Download/sdgARViewer.cab
FF - ProfilePath - c:\documents and settings\dalgu210.HDQBEPC985989\Application Data\Mozilla\Firefox\Profiles\whkls4md.default\
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
FF - plugin: c:\documents and settings\dalgu210.HDQBEPC985989\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\dalgu210.HDQBEPC985989\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\dalgu210.HDQBEPC985989\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\dalgu210.HDQBEPC985989\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-30 08:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1956)
c:\windows\system32\tvt_gina.dll
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\windows\system32\WININET.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
c:\program files\ThinkPad\ConnectUtilities\Res\US\ACGinaRes.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\windows\system32\ccasenp.dll
c:\windows\system32\ccnotify.dll
c:\windows\system32\SGLogEx.dll
c:\windows\system32\SGLogNotification.dll
c:\windows\system32\GetUserSid.dll

- - - - - - - > 'lsass.exe'(2012)
c:\windows\system32\ccasenp.dll
.
Completion time: 2010-05-30 08:56:59
ComboFix-quarantined-files.txt 2010-05-30 12:56
ComboFix2.txt 2010-05-29 23:37

Pre-Run: 4,332,044,288 bytes free
Post-Run: 4,291,985,408 bytes free

- - End Of File - - 3BB605DD1B7AA2D00E8134CDB9794B48
Upload was successful


#8 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:10:14 AM

Posted 30 May 2010 - 12:10 PM

Hi!

Looks good. Are you still getting the redirects?

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#9 tbbucs44

tbbucs44
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:14 AM

Posted 30 May 2010 - 12:37 PM

Thanks. The redirects have stopped. I know your original post warned that even after the trojan was removed that the computer may still be comprimized. I have, in the past, and would continue to use the computer (laptop) for finanical transactions. The laptop normally either sits behind the firewall and other security mechanisms at my workplace. Or at home, it sits behind the wireless router. I'm not sure if this would prevent someone from accessing the computer or not. Based on this information, and what you are seeing now in the logs, what would you recommend? I'd really rather not reformat/reinstall, but obviously I don't want to be at risk of someone remotely controlling my computer. I've already changed my passwords (from a clean PC) on the websites where I perform sensitive transactions. If I don't reformat, are there other steps I should perform periodically to try to detect whether a trojan has returned?

Also, if you could explain what the problem was (i.e. which file(s) were affected), and what the most likely way it aquired it on my PC, I would appreciate it. Two things that come to mind is that I recently was on vacation using the unsecure free wireless internet at the hotel. And also, a few months back, my wife got one of those fake virus alerts that looks like a Windows message and clicked the 'OK' button.

Thanks again for your help. It is VERY MUCH appreciated!

#10 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:10:14 AM

Posted 30 May 2010 - 12:49 PM

Hello, tbbucs44.
You're more than welcome smile.gif

QUOTE
Based on this information, and what you are seeing now in the logs, what would you recommend?

If you have a look at the link I sent you in the trojan warning post, you'll find that trojans seem to create a link between your PC and the PC it is connecting to, thus bypassing your firewalls, routers, etc.
However, from the look of your logs, you don't appear to have any globally open ports that are harmful so it may be okay. However, you can't really tell how much damage a trojan has done.

QUOTE
If I don't reformat, are there other steps I should perform periodically to try to detect whether a trojan has returned?

For trojans, just frequent virus scans with updated scanners should do the trick smile.gif

QUOTE
Also, if you could explain what the problem was (i.e. which file(s) were affected), and what the most likely way it aquired it on my PC

The two files we removed used the Combofix script appear to have found their way on your system
c:\windows\system32\drivers\logiflt.iad
c:\windows\system32\drivers\lvuvc.hs
How they got on there depends on your internet browsing style. It could be anything from a torrent to a bad download, from a bad site to an advert using an exploit.

QUOTE
And also, a few months back, my wife got one of those fake virus alerts that looks like a Windows message and clicked the 'OK' button.

That is probably how it got on there. Unsecure wireless connects just enable you to access networks. While virusses jumping through a network to another computer is possible, it seems unlikely in your case since you do have a firewall.

We've got a little bit more to do. We'll have you patch up a vulnerable java version and then run an online scan just to make sure we haven't missed anything
We need to update your version of Java

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  1. Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  2. Look for "JDK 6 Update 20 (JDK or JRE)".
  3. Click the Download JRE button to the right.
  4. Select your Platform: "Windows".
  5. Select your Language: "Multi-language".
  6. Read the License Agreement, and then check the box that says: "Accept License Agreement".
  7. Click Continue and the page will refresh.
  8. Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  9. Close any programs you may have running - especially your web browser.
  10. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  11. Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  12. Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  13. Repeat as many times as necessary to remove each Java versions.
  14. Reboot your computer once all Java components are removed.
  15. Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Please make sure you turn on the Java Automatic Update Feature

Then you will not have to remember to update it when Java introduces a new version.
Java is updated very frequently, and the old versions are malware magnets.

Note: This feature is available only on Windows XP, 2003, 2000 (SP2 or higher) and set by default for these operating systems.

NEXT:

We need to run an ESET Online Scan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the ESET Online Scanner button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on Export to text file... to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the Eset Smart Installer icon on your desktop.
  4. Check the "YES, I accept the Terms of Use"
  5. Click the Start button.
  6. Accept any security warnings from your browser.
  7. Check Scan archives
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push "List of found threats"
  11. Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the "< button.
  13. Push Finish

In your next reply, please include the following:
  • Eset Scan Log

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#11 tbbucs44

tbbucs44
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:14 AM

Posted 30 May 2010 - 08:34 PM

I installed the latest version of JRE and ran ESET. Here is the results from ESET...

C:\Documents and Settings\dalgu210\Local Settings\Application Data\Windows Server\zoxjkh.dll Win32/Bamital.BJ trojan cleaned by deleting - quarantined
C:\Documents and Settings\dalgu210.HDQBEPC985989\Application Data\Sun\Java\Deployment\cache\6.0\55\3002d2f7-1ea8d188 a variant of Java/TrojanDownloader.Agent.NAE trojan deleted - quarantined
C:\Documents and Settings\dalgu210.HDQBEPC985989\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Plugin.jar-23323269-3a281f87.zip a variant of Java/TrojanDownloader.Agent.NAE trojan deleted - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\dalgu210.HDQBEPC985989\Local Settings\Application Data\Windows Server\zoxjkh.dll.vir Win32/Bamital.BJ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Local Settings\Application Data\Windows Server\zoxjkh.dll.vir Win32/Bamital.BJ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\neary\Local Settings\Application Data\Windows Server\zoxjkh.dll.vir Win32/Bamital.BJ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\Windows Server\zoxjkh.dll.vir Win32/Bamital.BJ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\svc-clearcase_albd\Local Settings\Application Data\Windows Server\zoxjkh.dll.vir Win32/Bamital.BJ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\svc-clearcase_albd\Local Settings\Application Data\Windows Server\zoxjkh.dll.vir.vir Win32/Bamital.BJ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7EEA6DAE-E145-4795-8DCF-22B0B3125DE6}\RP10\A0003984.dll Win32/Bamital.BJ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7EEA6DAE-E145-4795-8DCF-22B0B3125DE6}\RP7\A0003534.dll Win32/Bamital.BJ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7EEA6DAE-E145-4795-8DCF-22B0B3125DE6}\RP7\A0003554.dll Win32/Bamital.BJ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7EEA6DAE-E145-4795-8DCF-22B0B3125DE6}\RP7\A0003556.dll Win32/Bamital.BJ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7EEA6DAE-E145-4795-8DCF-22B0B3125DE6}\RP7\A0003557.dll Win32/Bamital.BJ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7EEA6DAE-E145-4795-8DCF-22B0B3125DE6}\RP7\A0003558.dll Win32/Bamital.BJ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7EEA6DAE-E145-4795-8DCF-22B0B3125DE6}\RP7\A0003564.dll Win32/Bamital.BJ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7EEA6DAE-E145-4795-8DCF-22B0B3125DE6}\RP7\A0003565.dll Win32/Bamital.BJ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{7EEA6DAE-E145-4795-8DCF-22B0B3125DE6}\RP7\A0003566.dll Win32/Bamital.BJ trojan cleaned by deleting - quarantined


#12 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:10:14 AM

Posted 30 May 2010 - 09:02 PM

Hello, tbbucs44.
Looks good smile.gif
We need to uninstall Combofix
  1. Click on your Start Menu, then Run....
  2. Now type combofix /uninstall in the runbox and click OK. Notice the space between the "x" and "/".




Your Log looks Clean please take the time to read below to secure your machine and take the necessary steps to keep it clean smile.gif

There are many ways to reduce the chance of getting infected in the future. Below, I have listed a few:
  1. Practice Safe Internet
    • Be weary about attachments in emails. Avoid opening .exe, .com, .bat, or .pif files.
    • Watch out for Foistware. More info can be found on Foistware, And how to avoid it.
    • Do not fall for Rogue/Suspect Anti-Spyware Products & Web Sites
    • Do not go to adult sites.
    • When using an Instant Messaging program be cautious about clicking on links people send to you.
    • Stay away from Warez and Crack sites. In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
    • Use McAfee Siteadvisor to look up info on a site if you are not sure whether it is legitimate
    • Do not install any software without first reading the End User License Agreement, otherwise known as the EULA.
  2. Make Internet Explorer more secure
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt

        When all these settings have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  3. Make Firefox more secure
    Firefox is a relatively safe browser compared to Internet Explorer. However, if you'd still like to enhance security, consider some of these extensions:
    • NoScript: Add-on which automatically blocks Javascript and Java from running on sites.
    • Firekeeper: Add-on which aims to protect your from malicious websites which may exploit browser and code security flaws.
    • KeyScrambler: Add-on that protects your passwords from being detected by keyloggers.
  4. Keep Windows updated
    Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer. Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install.
  5. Install and update the following programs frequently
    1. An outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here
    2. An antivirus software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats. Three good antivirus programs free for non-commercial home use are Avast! and Antivir and AVG Antivirus
    3. An antispyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates. SUPERAntiSpyware is another good scanner with high detection and removal rates. Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    4. SpywareBlaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    5. MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on thehosts file, and what it can do for you,please consult the Tutorial on the Hosts file
  6. Keep your other software updated too
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.

Some more links you might find of interest:

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#13 tbbucs44

tbbucs44
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:14 AM

Posted 30 May 2010 - 09:43 PM

Thanks so much for your help and advice. A couple of questions for you...

From all the logs, is there anyway to know how long these infected files had been on the PC? I'm just wondering if this is something that happened recently or has been there for a while. The original symptom of the Google redirects only started a day or so before I posted to this forum, but I'm wondering whether the trojan had been there for much longer.

My PC has Trend Micro OfficeScan installed and running. Before I posted to this forum and ran a complete scan and it found nothing. This is the Antivirus software of choice of the company I work for (and I'm assuming they ensure it's kept up to date). I do not have permission to disable or replace it. Why was ESET able to find all these infected files, and OfficeScan wasn't? Do you recommend I run ESET occasionally to what it finds (that OfficeScan doesn't)?

Thanks again for all your help.

#14 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:10:14 AM

Posted 30 May 2010 - 10:01 PM

Hi!
You're more than welcome smile.gif

QUOTE
From all the logs, is there anyway to know how long these infected files had been on the PC? I'm just wondering if this is something that happened recently or has been there for a while. The original symptom of the Google redirects only started a day or so before I posted to this forum, but I'm wondering whether the trojan had been there for much longer.

The date signature says the 29th of march. Those were the files we used the Combofix script on. As for the other files that combofix removed, I'm not too sure but they were probably created at around the same time.

QUOTE
My PC has Trend Micro OfficeScan installed and running. Before I posted to this forum and ran a complete scan and it found nothing. This is the Antivirus software of choice of the company I work for (and I'm assuming they ensure it's kept up to date). I do not have permission to disable or replace it. Why was ESET able to find all these infected files, and OfficeScan wasn't? Do you recommend I run ESET occasionally to what it finds (that OfficeScan doesn't)?

Each virus scanner has its own strengths and weaknesses and it just turns out that since ESET is an online scanner, it is more frequently updated and can hence catch more of the newer infections.

Running ESET every now and then won't hurt. Most people don't do it because it takes a while to finish the scan. As for Trend Micro, I'm not a big fan of their antivirus software. I use AVG (which is free) but Avast which I've heard is good too is also a popuplar AV choice.

Hope that answers your questions. If not, let me know smile.gif

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#15 tbbucs44

tbbucs44
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:14 AM

Posted 31 May 2010 - 12:02 AM

I just noticed that my 'Hide extensions for known file types' setting got set to 'checked' (true) somewhere during this process. Is that normal? And is there any reason (for security purposes), it is recommended to keep that setting?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users