Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Hijack.FolderOptions and a Google Hijack/Redirect


  • This topic is locked This topic is locked
24 replies to this topic

#1 bark.chris

bark.chris

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:new york
  • Local time:12:24 AM

Posted 25 September 2010 - 01:18 PM

Hi Bleeping Computer,

I hope you can help with my infection.

I have followed the preparation guide for this post. The DDS script did not work properly on my system; it generates one "dds-Notepad" file full of garbled text. Near the beginning there is readable sentence, "This program cannot be run in DOS mode."

The GMER file is attached as requested.

About a week ago my system got infected. My regular scans with AVG and Malwarebytes took care of some of this, but a few problems remain I am concerned about:

--Malwarebytes detects a malware it calls Hijack.FolderOptions. File extensions are hidden, as is the
option to turn them on. The System Restore interface is also inaccessible. Malwarebytes attempts to delete this malware on reboot, but the problem reoccurs.

--In Firefox, Google searches entered in the location bar are redirected to another search engine, http://search.search-tab.com/. The XULRunner 1.9.1 appears as a Firefox extension, and I am unable to remove it. Searches using Bing or Yahoo seem to be OK.

--Shortly after this all began, I ran the most recent Windows Software Removal Tool. It identified and deleted
Win32/Alureon.H. I have run the tool again and found no trace of this trojan. But of course, I suspect that all these issues are interrelated.

Thank you for your attention,

bark.chris

Attached Files

  • Attached File  ark.log   1.79KB   6 downloads


BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:06:24 AM

Posted 30 September 2010 - 10:06 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 bark.chris

bark.chris
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:new york
  • Local time:12:24 AM

Posted 30 September 2010 - 12:49 PM

Hi myrti,
Thank you for responding to my post. The problems I'm having remain the same since my first post. I have not attempted any fixes since then.

Here are the OTL results as requested:

OTL logfile created on: 9/30/2010 1:27:09 PM - Run 1
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\cbarker\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 61.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 88.27 Gb Total Space | 37.24 Gb Free Space | 42.19% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CB_THINKPAD
Current User Name: cbarker
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/09/30 13:10:01 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\cbarker\desktop\OTL.exe
PRC - [2010/09/23 13:43:23 | 000,621,920 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010/07/21 09:13:20 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2010/07/15 09:32:06 | 002,065,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2010/07/15 09:32:03 | 000,515,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010/07/15 09:32:01 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010/07/15 09:31:27 | 000,723,296 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010/07/15 09:31:26 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010/07/13 10:53:20 | 003,152,384 | ---- | M] (Luis Cobian, CobianSoft) -- C:\Program Files\Cobian Backup 10\cbInterface.exe
PRC - [2010/07/13 10:53:18 | 000,421,376 | ---- | M] (Luis Cobian, CobianSoft) -- C:\Program Files\Cobian Backup 10\Cobian.exe
PRC - [2010/02/26 01:10:20 | 021,979,992 | ---- | M] () -- C:\Documents and Settings\cbarker\Application Data\Dropbox\bin\Dropbox.exe
PRC - [2010/02/16 19:44:06 | 000,492,344 | ---- | M] (Glarysoft Ltd) -- C:\Program Files\Glary Utilities\Integrator.exe
PRC - [2010/01/24 23:16:18 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2010/01/22 18:10:13 | 000,085,096 | ---- | M] (Autodesk) -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
PRC - [2008/05/14 16:42:40 | 000,487,424 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
PRC - [2008/05/14 16:42:30 | 001,155,072 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
PRC - [2008/05/14 16:32:28 | 000,950,272 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
PRC - [2008/05/14 16:25:12 | 000,520,192 | ---- | M] () -- C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
PRC - [2008/05/14 15:58:54 | 000,644,408 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
PRC - [2008/05/09 05:50:46 | 000,253,952 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
PRC - [2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/10/22 23:24:02 | 000,620,152 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
PRC - [2006/03/09 20:14:12 | 000,094,208 | ---- | M] () -- C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
PRC - [2006/02/17 19:54:24 | 000,540,745 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2006/02/17 19:52:24 | 000,114,753 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2006/02/17 19:51:46 | 000,217,164 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2005/12/15 18:19:22 | 000,925,696 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2005/12/14 15:51:12 | 000,622,700 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
PRC - [2005/12/01 05:09:00 | 000,073,728 | ---- | M] (Lenovo Group Limited) -- C:\WINDOWS\system32\IPSSVC.EXE
PRC - [2005/11/11 05:33:00 | 000,073,782 | ---- | M] () -- C:\WINDOWS\system32\ibmpmsvc.exe
PRC - [2005/11/01 19:04:02 | 000,258,103 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
PRC - [2005/10/26 04:44:30 | 000,086,016 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
PRC - [2005/08/01 21:32:40 | 000,040,960 | ---- | M] () -- C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
PRC - [2005/07/05 18:57:12 | 000,077,824 | ---- | M] () -- C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
PRC - [2005/06/20 16:15:00 | 000,077,824 | ---- | M] (Lenovo.) -- C:\WINDOWS\system32\TPHDEXLG.exe
PRC - [2005/06/07 01:26:22 | 000,032,768 | ---- | M] () -- C:\WINDOWS\system32\TpKmpSvc.exe


========== Modules (SafeList) ==========

MOD - [2010/09/30 13:10:01 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\cbarker\desktop\OTL.exe
MOD - [2007/03/08 11:36:28 | 000,201,216 | ---- | M] () -- C:\WINDOWS\ikaxicedojodohuj.dll
MOD - [2006/08/25 11:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2005/12/01 05:09:00 | 000,086,016 | ---- | M] (Lenovo Group Limited) -- C:\WINDOWS\system32\PROCHLP.DLL
MOD - [2004/08/04 09:00:00 | 000,713,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\opengl32.dll
MOD - [2004/08/04 09:00:00 | 000,266,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ddraw.dll
MOD - [2004/08/04 09:00:00 | 000,122,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\glu32.dll
MOD - [2004/08/04 09:00:00 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2004/08/04 09:00:00 | 000,008,704 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dciman32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\WINDOWS\System32\6to4ex.dll -- (6to4)
SRV - [2010/07/21 09:13:20 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2010/07/15 09:32:01 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2010/01/24 23:16:18 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Running] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/01/22 18:10:13 | 000,085,096 | ---- | M] (Autodesk) [Auto | Running] -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service)
SRV - [2008/05/14 16:42:30 | 001,155,072 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe -- (TVT Scheduler)
SRV - [2008/05/14 16:32:28 | 000,950,272 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe -- (TVT Backup Service)
SRV - [2008/05/14 16:25:12 | 000,520,192 | ---- | M] () [Auto | Running] -- C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe -- (TVT Backup Protection Service)
SRV - [2008/05/14 15:58:54 | 000,644,408 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe -- (ThinkVantage Registry Monitor Service)
SRV - [2008/05/09 05:50:46 | 000,253,952 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe -- (TVT_UpdateMonitor)
SRV - [2008/03/10 01:04:52 | 000,065,536 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe -- (mi-raysat_3dsMax2009_32)
SRV - [2006/02/17 19:54:24 | 000,540,745 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2006/02/17 19:52:24 | 000,114,753 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2006/02/17 19:51:46 | 000,217,164 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2005/12/14 15:51:12 | 000,622,700 | ---- | M] (Diskeeper Corporation) [Auto | Running] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2005/12/01 05:09:00 | 000,073,728 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\WINDOWS\system32\IPSSVC.EXE -- (IPSSVC)
SRV - [2005/11/11 05:33:00 | 000,073,782 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\ibmpmsvc.exe -- (IBMPMSVC)
SRV - [2005/11/01 19:04:02 | 000,258,103 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe -- (btwdins)
SRV - [2005/08/01 21:32:40 | 000,040,960 | ---- | M] () [Auto | Running] -- C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe -- (UCLauncherService)
SRV - [2005/06/20 16:15:00 | 000,077,824 | ---- | M] (Lenovo.) [Auto | Running] -- C:\WINDOWS\system32\TPHDEXLG.exe -- (TPHDEXLGSVC)
SRV - [2005/06/07 01:26:22 | 000,032,768 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\TpKmpSvc.exe -- (TpKmpSVC)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\wvrsjbyp.sys -- (rbnefv)
DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\kouxge.sys -- (porwwira)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\mcdbus.sys -- (mcdbus)
DRV - [2010/09/22 21:57:34 | 000,874,240 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IASTOR.SYS -- (iaStor)
DRV - [2010/08/28 13:33:23 | 000,033,536 | ---- | M] (Lenovo) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tvtfilter.sys -- (tvtfilter)
DRV - [2010/07/15 09:32:05 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010/07/15 09:31:28 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010/06/02 09:05:10 | 000,029,584 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2010/03/21 11:38:03 | 000,030,144 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
DRV - [2009/09/29 16:06:14 | 003,565,056 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2009/03/15 06:25:46 | 000,056,268 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2008/05/09 05:50:48 | 000,046,144 | ---- | M] (Lenovo) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tvtumon.sys -- (tvtumon)
DRV - [2008/02/22 16:54:40 | 000,037,312 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tvti2c.sys -- (TVTI2C)
DRV - [2006/04/20 19:06:50 | 000,181,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel®
DRV - [2006/02/17 20:41:50 | 000,013,568 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2005/12/15 18:19:20 | 000,173,056 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
DRV - [2005/12/08 18:54:24 | 000,028,800 | ---- | M] (UPEK Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tcusb.sys -- (TcUsb)
DRV - [2005/12/08 18:44:40 | 000,003,328 | ---- | M] (UPEK Inc.) [Kernel | Auto | Running] -- C:\Program Files\ThinkVantage Fingerprint Software\smihlp.sys -- (smihlp)
DRV - [2005/12/07 05:12:00 | 000,004,442 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TPPWRIF.SYS -- (TPPWRIF)
DRV - [2005/12/06 15:21:32 | 000,936,448 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hsx_dpv.sys -- (HSF_DPV)
DRV - [2005/12/06 15:20:48 | 000,192,512 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hsxhwazl.sys -- (HSXHWAZL)
DRV - [2005/12/06 15:20:42 | 000,670,208 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hsx_cnxt.sys -- (winachsf)
DRV - [2005/12/05 04:55:30 | 001,428,096 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w39n51.sys -- (w39n51) Intel®
DRV - [2005/12/01 05:09:00 | 000,005,120 | ---- | M] (Lenovo Group Limited) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PROCDD.SYS -- (PROCDD)
DRV - [2005/11/30 19:58:00 | 000,085,760 | ---- | M] (Lenovo) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\shockprf.sys -- (Shockprf)
DRV - [2005/11/30 05:51:00 | 000,014,848 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SMAPINT.SYS -- (Smapint)
DRV - [2005/11/30 05:51:00 | 000,009,343 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TDSMAPI.SYS -- (TDSMAPI)
DRV - [2005/11/21 06:41:00 | 000,007,168 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TSMAPIP.SYS -- (TSMAPIP)
DRV - [2005/11/18 20:21:14 | 000,058,624 | ---- | M] (Sierra Wireless Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\swmx01.sys -- (swmx01) Sierra Wireless USB MUX Driver (#01)
DRV - [2005/11/11 05:33:00 | 000,010,112 | ---- | M] (Lenovo.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ibmpmdrv.sys -- (IBMPMDRV)
DRV - [2005/11/01 18:53:14 | 001,342,122 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2005/11/01 18:51:06 | 000,056,648 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2005/09/15 17:53:10 | 000,177,664 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2005/08/05 19:42:18 | 000,073,600 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SWNC5E01.sys -- (SWNC5E01) Sierra Wireless MUX NDIS Driver (#01)
DRV - [2005/07/05 18:57:06 | 000,017,699 | ---- | M] (IBM Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\TPHKDRV.sys -- (TPHKDRV)
DRV - [2005/06/20 16:18:00 | 000,004,736 | ---- | M] (Lenovo.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\ShockMgr.sys -- (ShockMgr)
DRV - [2005/01/07 21:07:18 | 000,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2004/08/04 03:07:44 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004/08/04 03:07:44 | 000,041,088 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2004/08/04 03:00:52 | 000,028,672 | ---- | M] (National Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nscirda.sys -- (NSCIRDA)
DRV - [2004/08/04 02:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/08/04 00:07:56 | 000,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2001/08/17 18:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 18:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 18:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 18:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 18:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 17:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 17:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 17:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 17:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 17:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 17:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 17:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 17:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 17:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 17:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 16:20:04 | 000,096,256 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ac97intc.sys -- (ac97intc) Intel® 82801 Audio Driver Install Service (WDM)
DRV - [2000/06/01 16:29:54 | 000,007,012 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PMEMNT.SYS -- (PMEM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3038731106-559485279-2363235673-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-3038731106-559485279-2363235673-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-3038731106-559485279-2363235673-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-3038731106-559485279-2363235673-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-3038731106-559485279-2363235673-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3038731106-559485279-2363235673-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-3038731106-559485279-2363235673-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.search.order.1: "Google"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.855
FF - prefs.js..extensions.enabledItems: {d37dc5d0-431d-44e5-8c91-49419370caa1}:2.6.18
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..keyword.URL: "http://search.search-tab.com/?sid=10101057100&s="
FF - prefs.js..network.proxy.http: "proxy.nyit.edu"
FF - prefs.js..network.proxy.http_port: 80
FF - prefs.js..network.proxy.ssl: "proxy.nyit.edu"
FF - prefs.js..network.proxy.ssl_port: 80
FF - prefs.js..network.proxy.type: 0

FF - user.js..browser.search.selectedEngine: "Google"
FF - user.js..browser.search.order.1: "Google"
FF - user.js..keyword.URL: "http://search.search-tab.com/?sid=10101057100&s="

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2010/09/23 13:43:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{1A68B962-733C-46E5-AB75-A6D9796EA632}: C:\Documents and Settings\cbarker\Local Settings\Application Data\{1A68B962-733C-46E5-AB75-A6D9796EA632} [2010/09/20 09:45:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/09/16 11:35:37 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/09/16 11:35:37 | 000,000,000 | ---D | M]

[2010/01/06 18:52:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\cbarker\Application Data\Mozilla\Extensions
[2010/09/25 14:10:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\cbarker\Application Data\Mozilla\Firefox\Profiles\bz7q5l1f.default\extensions
[2010/04/27 10:35:21 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\cbarker\Application Data\Mozilla\Firefox\Profiles\bz7q5l1f.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/06/19 08:32:33 | 000,000,000 | ---D | M] (FoxClocks) -- C:\Documents and Settings\cbarker\Application Data\Mozilla\Firefox\Profiles\bz7q5l1f.default\extensions\{d37dc5d0-431d-44e5-8c91-49419370caa1}
[2010/01/07 14:39:33 | 000,002,172 | ---- | M] () -- C:\Documents and Settings\cbarker\Application Data\Mozilla\Firefox\Profiles\bz7q5l1f.default\searchplugins\bing.xml
[2010/09/15 16:54:02 | 000,001,189 | ---- | M] () -- C:\Documents and Settings\cbarker\Application Data\Mozilla\Firefox\Profiles\bz7q5l1f.default\searchplugins\scroogle.xml
[2010/09/25 14:10:14 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/09/13 11:13:36 | 000,002,075 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google_search.xml

O1 HOSTS File: ([2004/08/04 09:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-3038731106-559485279-2363235673-1005\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-3038731106-559485279-2363235673-1005\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [BLOG] C:\Program Files\ThinkPad\Utilities\BATLOGEX.DLL ()
O4 - HKLM..\Run: [PWRMGRTR] C:\Program Files\ThinkPad\Utilities\PWRMGRTR.DLL (Lenovo Group Limited)
O4 - HKLM..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe ()
O4 - HKLM..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [Ywelopo] C:\WINDOWS\ikaxicedojodohuj.DLL ()
O4 - HKU\S-1-5-21-3038731106-559485279-2363235673-1005..\Run: [Cobian Backup 10] C:\Program Files\Cobian Backup 10\Cobian.exe (Luis Cobian, CobianSoft)
O4 - Startup: C:\Documents and Settings\cbarker\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\cbarker\Application Data\Dropbox\bin\Dropbox.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3038731106-559485279-2363235673-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3038731106-559485279-2363235673-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 1
O7 - HKU\S-1-5-21-3038731106-559485279-2363235673-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: AVG Tray = C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} http://www-307.ibm.com/pc/support/acpir.cab (IASRunner Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4.2/...all-142-win.cab (Java Plug-in 1.4.2)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 207.69.188.185 207.69.188.186 207.69.188.187
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\psfus: DllName - psqlpwd.dll - C:\WINDOWS\System32\psqlpwd.dll (UPEK Inc.)
O20 - Winlogon\Notify\tpfnf2: DllName - notifyf2.dll - C:\WINDOWS\System32\notifyf2.dll ()
O20 - Winlogon\Notify\tphotkey: DllName - tphklock.dll - C:\WINDOWS\System32\tphklock.dll ()
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/01/24 20:16:25 | 000,000,000 | ---D | M] - C:\Autodesk -- [ NTFS ]
O32 - AutoRun File - [2010/01/06 16:57:12 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{09b30927-fbbd-11de-b15d-00130228f8ac}\Shell - "" = AutoRun
O33 - MountPoints2\{09b30927-fbbd-11de-b15d-00130228f8ac}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*


SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: klmdb.sys - Driver
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {05803E70-5243-F17C-3488-CEA2BA2BBC07} - Outlook Express
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {18346107-BB59-C132-A223-2E134B027E6B} - Java (Sun)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {21B9DED0-11C1-54F4-1730-1B2B33A29BFF} - Internet Explorer Version Update
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {3F068DF6-038A-B62F-0746-67C919A5A197} - Browser Customizations
ActiveX: {3FE5C515-96EE-E62E-8265-BB4C7CFF5A29} - Internet Explorer Version Update
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {4429ED43-2FFB-0D24-DE46-E4116D9BA16E} - DirectAnimation
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5C450517-421C-9C22-3071-DFB0C62FBAD4} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {5ECA847D-6AA7-B5A5-3AF0-443A7C974B5C} - Microsoft Windows Media Player 6.4
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73fa19d0-2d75-11d2-995d-00c04f98bbc9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {7CB5E03E-B1C0-3B6D-D590-053C6777CB44} - Outlook Express
ActiveX: {7F188E6B-6671-2298-377A-2446BA3B32BD} - Browser Customizations
ActiveX: {7FBFF647-5486-D52F-95F4-2D0C246DCA90} - Browser Customizations
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Macromedia Shockwave Flash
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.clmp3enc - C:\Program Files\CyberLink\Power2Go\CLMP3Enc.ACM (CyberLink Corp.)
Drivers32: msacm.divxa32 - C:\WINDOWS\System32\msaud32_divx.acm (Microsoft Corporation)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

NetSvcs: 6to4 - C:\WINDOWS\System32\6to4ex.dll File not found
NetSvcs: Ias - C:\WINDOWS\System32\Iasex.dll File not found
NetSvcs: Iprip - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/09/30 13:10:01 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\cbarker\Desktop\OTL.exe
[2010/09/28 11:23:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\cbarker\Desktop\To Tony
[2010/09/25 15:33:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\cbarker\Desktop\Bleeping Computer
[2010/09/22 21:57:34 | 000,874,240 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\drivers\IASTOR.SYS
[2010/09/22 08:07:51 | 000,874,240 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\drivers\juaqwrde.sys
[2010/09/21 23:09:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore
[2010/09/20 09:45:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\cbarker\Local Settings\Application Data\{1A68B962-733C-46E5-AB75-A6D9796EA632}
[2010/09/20 09:35:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Update
[2010/09/19 13:03:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/09/19 13:03:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/09/18 10:28:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/09/18 10:28:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/09/17 11:38:41 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\cbarker\.COMMgr
[2010/09/17 11:32:40 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Documents\Server
[2010/09/17 11:31:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\cbarker\Application Data\B3C6EC7E45894AD24F47807F62FF33A8
[2010/09/01 10:42:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\cbarker\Local Settings\Application Data\Safe mirror
[2010/09/01 09:53:12 | 000,000,000 | ---D | C] -- C:\Program Files\Cobian Backup 10
[2010/08/31 23:36:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/09/30 13:30:38 | 000,000,304 | ---- | M] () -- C:\WINDOWS\tasks\PMTask.job
[2010/09/30 13:10:01 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\cbarker\Desktop\OTL.exe
[2010/09/30 13:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2010/09/30 12:55:25 | 009,437,184 | -H-- | M] () -- C:\Documents and Settings\cbarker\NTUSER.DAT
[2010/09/30 12:48:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At37.job
[2010/09/30 12:35:00 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\Updater.job
[2010/09/30 12:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2010/09/30 11:56:41 | 000,000,023 | ---- | M] () -- C:\WINDOWS\BlendSettings.ini
[2010/09/30 11:48:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At36.job
[2010/09/30 11:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2010/09/30 10:54:53 | 000,000,426 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{9510B2D5-20B8-4127-A103-EE32E13C0395}.job
[2010/09/30 10:48:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At35.job
[2010/09/30 10:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2010/09/30 09:48:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At34.job
[2010/09/30 09:11:14 | 065,481,338 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/09/30 09:03:57 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Ghaseyeguwivi.bin
[2010/09/30 09:02:18 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\GlaryInitialize.job
[2010/09/30 09:02:09 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/09/30 09:02:08 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/09/29 22:51:05 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\cbarker\ntuser.ini
[2010/09/29 22:48:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At47.job
[2010/09/29 22:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2010/09/29 21:48:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At46.job
[2010/09/29 18:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2010/09/29 17:48:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At42.job
[2010/09/29 17:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2010/09/29 16:48:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At41.job
[2010/09/29 16:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2010/09/29 15:48:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At40.job
[2010/09/29 15:44:24 | 000,002,155 | ---- | M] () -- C:\Documents and Settings\cbarker\Application Data\Microsoft\Internet Explorer\Quick Launch\iTunes.lnk
[2010/09/29 14:48:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At39.job
[2010/09/29 14:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2010/09/29 13:48:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At38.job
[2010/09/29 12:40:53 | 000,169,802 | ---- | M] () -- C:\Documents and Settings\cbarker\Desktop\Piven_Weight of the Poor.pdf
[2010/09/29 12:01:31 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Yxolumamumusetu.dat
[2010/09/29 09:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2010/09/28 15:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2010/09/28 11:22:10 | 000,002,329 | ---- | M] () -- C:\Documents and Settings\cbarker\Application Data\Microsoft\Internet Explorer\Quick Launch\Adobe Acrobat 8 Professional.lnk
[2010/09/28 11:16:20 | 000,002,533 | ---- | M] () -- C:\Documents and Settings\cbarker\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2007.lnk
[2010/09/27 23:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2010/09/27 18:48:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At43.job
[2010/09/26 22:58:37 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/09/26 20:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2010/09/26 19:48:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At44.job
[2010/09/26 19:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2010/09/26 00:02:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2010/09/25 11:29:38 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\cbarker\defogger_reenable
[2010/09/24 09:24:39 | 000,006,144 | ---- | M] () -- C:\Documents and Settings\cbarker\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/09/24 08:48:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At33.job
[2010/09/22 21:57:34 | 000,874,240 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\drivers\IASTOR.SYS
[2010/09/22 21:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2010/09/22 20:53:00 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At45.job
[2010/09/22 19:09:11 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\r8fFbyg6.dat
[2010/09/22 19:00:08 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At48.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At32.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At31.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At30.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At29.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At28.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At27.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At26.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | M] () -- C:\WINDOWS\tasks\At25.job
[2010/09/22 08:07:51 | 000,874,240 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\drivers\juaqwrde.sys
[2010/09/22 08:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2010/09/22 07:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2010/09/22 06:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2010/09/22 05:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2010/09/22 04:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2010/09/22 03:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2010/09/22 02:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2010/09/22 01:00:00 | 000,000,380 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2010/09/21 23:07:50 | 035,552,200 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT1.exe
[2010/09/20 09:35:36 | 000,000,674 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\.wtav
[2010/09/16 17:40:20 | 000,002,489 | ---- | M] () -- C:\Documents and Settings\cbarker\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Calculator Plus.lnk
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/09/29 12:40:53 | 000,169,802 | ---- | C] () -- C:\Documents and Settings\cbarker\Desktop\Piven_Weight of the Poor.pdf
[2010/09/25 11:29:38 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\cbarker\defogger_reenable
[2010/09/22 19:01:35 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\r8fFbyg6.dat
[2010/09/22 19:00:08 | 000,000,342 | ---- | C] () -- C:\WINDOWS\tasks\At48.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | C] () -- C:\WINDOWS\tasks\At47.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | C] () -- C:\WINDOWS\tasks\At46.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | C] () -- C:\WINDOWS\tasks\At45.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | C] () -- C:\WINDOWS\tasks\At44.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | C] () -- C:\WINDOWS\tasks\At43.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | C] () -- C:\WINDOWS\tasks\At42.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | C] () -- C:\WINDOWS\tasks\At41.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | C] () -- C:\WINDOWS\tasks\At40.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | C] () -- C:\WINDOWS\tasks\At39.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | C] () -- C:\WINDOWS\tasks\At38.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | C] () -- C:\WINDOWS\tasks\At37.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | C] () -- C:\WINDOWS\tasks\At36.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | C] () -- C:\WINDOWS\tasks\At35.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | C] () -- C:\WINDOWS\tasks\At34.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | C] () -- C:\WINDOWS\tasks\At33.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | C] () -- C:\WINDOWS\tasks\At32.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | C] () -- C:\WINDOWS\tasks\At31.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | C] () -- C:\WINDOWS\tasks\At30.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | C] () -- C:\WINDOWS\tasks\At29.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | C] () -- C:\WINDOWS\tasks\At28.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | C] () -- C:\WINDOWS\tasks\At27.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | C] () -- C:\WINDOWS\tasks\At26.job
[2010/09/22 19:00:08 | 000,000,342 | ---- | C] () -- C:\WINDOWS\tasks\At25.job
[2010/09/20 09:45:59 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Yxolumamumusetu.dat
[2010/09/20 09:45:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Ghaseyeguwivi.bin
[2010/09/20 09:35:52 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\Updater.job
[2010/09/20 09:35:36 | 000,000,674 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\.wtav
[2010/07/25 14:57:02 | 000,293,352 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/05/18 09:49:35 | 000,000,400 | ---- | C] () -- C:\WINDOWS\g_nhqnsp583.ini
[2010/04/18 11:49:52 | 000,004,442 | ---- | C] () -- C:\WINDOWS\System32\drivers\TPPWRIF.SYS
[2010/04/14 18:47:09 | 000,014,820 | -HS- | C] () -- C:\Documents and Settings\cbarker\Local Settings\Application Data\TcP0eIPn2W
[2010/04/14 18:47:09 | 000,014,820 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\TcP0eIPn2W
[2010/03/22 11:37:44 | 000,013,174 | -HS- | C] () -- C:\Documents and Settings\cbarker\Local Settings\Application Data\OIXQ
[2010/03/22 11:37:44 | 000,013,174 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\OIXQ
[2010/02/02 12:04:48 | 000,006,144 | ---- | C] () -- C:\Documents and Settings\cbarker\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/23 11:12:14 | 000,290,919 | ---- | C] () -- C:\WINDOWS\System32\pythoncom21.dll
[2010/01/23 11:12:14 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes21.dll
[2010/01/23 11:10:43 | 000,096,768 | ---- | C] () -- C:\WINDOWS\SlantAdj.dll
[2010/01/23 11:10:43 | 000,000,072 | ---- | C] () -- C:\WINDOWS\System32\epDPE.ini
[2010/01/22 18:30:27 | 000,000,111 | ---- | C] () -- C:\WINDOWS\EPSON Perfection 3170.ini
[2010/01/12 17:40:02 | 000,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2010/01/06 19:02:56 | 000,002,481 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2010/01/06 18:59:56 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\notifyf2.dll
[2010/01/06 18:59:56 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\tphklock.dll
[2010/01/06 18:57:50 | 000,000,487 | ---- | C] () -- C:\WINDOWS\System32\IPSCTRL.INI
[2010/01/06 16:56:45 | 000,000,130 | ---- | C] () -- C:\Documents and Settings\cbarker\Local Settings\Application Data\fusioncache.dat
[2010/01/06 16:46:00 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2010/01/06 16:36:54 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2010/01/06 16:36:54 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2010/01/06 16:36:53 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2010/01/06 16:36:53 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2010/01/06 16:36:53 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2010/01/06 16:36:53 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2010/01/06 16:36:17 | 000,028,848 | ---- | C] () -- C:\WINDOWS\System32\drivers\USBkey.sys
[2010/01/06 16:35:59 | 000,000,148 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2010/01/06 16:24:31 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\FPCALL.dll
[2010/01/06 16:23:38 | 000,009,343 | ---- | C] () -- C:\WINDOWS\System32\drivers\TDSMAPI.SYS
[2010/01/06 16:20:30 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\TSMAPIP.SYS
[2005/11/01 18:59:16 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2005/10/17 19:22:24 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\DEVMAN.DLL
[2004/08/09 15:03:43 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2002/05/16 02:29:04 | 000,000,607 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2001/11/23 21:18:00 | 000,000,597 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2001/11/14 16:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll
[1980/01/01 04:00:00 | 000,533,568 | ---- | C] () -- C:\WINDOWS\System32\msbnmaqy.dll
[1980/01/01 04:00:00 | 000,201,216 | ---- | C] () -- C:\WINDOWS\ikaxicedojodohuj.dll
[1980/01/01 04:00:00 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\SynTPCoI.dll
[1980/01/01 04:00:00 | 000,049,056 | ---- | C] () -- C:\WINDOWS\ukavevamiwokoj.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 09:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:AGP440.sys
[2004/08/04 09:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2004/08/04 03:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\dllcache\agp440.sys
[2004/08/04 03:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\drivers\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2004/08/04 09:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:atapi.sys
[2004/08/04 09:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2004/08/04 02:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2004/08/04 02:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2004/08/04 09:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2004/08/04 09:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll
[2005/12/08 19:02:02 | 000,023,040 | ---- | M] (UPEK Inc.) MD5=C42EEDD4D1A6095594B4FB148D9D1F43 -- C:\Program Files\ThinkVantage Fingerprint Software\eventlog.dll

< MD5 for: IASTOR.SYS >
[2005/10/12 16:07:12 | 000,874,240 | ---- | M] (Intel Corporation) MD5=309C4D86D989FB1FCF64BD30DC81C51B -- C:\DRIVERS\OTHER\IASTOR.SYS
[2005/10/12 16:07:12 | 000,874,240 | ---- | M] (Intel Corporation) MD5=309C4D86D989FB1FCF64BD30DC81C51B -- C:\IBMTOOLS\drivers\IMSM\IASTOR.SYS
[2010/09/22 21:57:34 | 000,874,240 | ---- | M] (Intel Corporation) MD5=309C4D86D989FB1FCF64BD30DC81C51B -- C:\WINDOWS\system32\drivers\IASTOR.SYS

< MD5 for: NETLOGON.DLL >
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$NtUninstallKB975467$\netlogon.dll
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 09:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtUninstallKB968389$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 09:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\dllcache\scecli.dll
[2004/08/04 09:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 05:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 05:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[2004/08/04 09:00:00 | 000,344,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\hnetcfg.dll
[2010/05/06 06:41:50 | 000,184,320 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\iepeers.dll
[2 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2004/08/09 14:45:10 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2004/08/09 14:45:10 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2004/08/09 14:45:10 | 000,876,544 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/07/15 09:31:28 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgldx86.sys
[2010/07/15 09:32:05 | 000,243,024 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\system32\drivers\avgtdix.sys
[2010/08/30 17:26:40 | 000,049,536 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\cdrom.sys
[2010/09/22 21:57:34 | 000,874,240 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\IASTOR.SYS
[2010/09/22 08:07:51 | 000,874,240 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\juaqwrde.sys
[2010/08/28 13:33:23 | 000,033,536 | ---- | M] (Lenovo) -- C:\WINDOWS\system32\drivers\tvtfilter.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\WINDOWS\System32\MRT1.exe:SummaryInformation
< End of report >






OTL Extras logfile created on: 9/30/2010 1:27:09 PM - Run 1
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\cbarker\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 61.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 88.27 Gb Total Space | 37.24 Gb Free Space | 42.19% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CB_THINKPAD
Current User Name: cbarker
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-3038731106-559485279-2363235673-1005\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Browse with FastStone] -- "C:\Program Files\FastStone Image Viewer\FSViewer.exe" "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~3\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Documents and Settings\cbarker\Application Data\Dropbox\bin\Dropbox.exe" = C:\Documents and Settings\cbarker\Application Data\Dropbox\bin\Dropbox.exe:*:Enabled:Dropbox -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3
"{00997239-8A42-DEA0-7FA0-1AF26D4174D4}" = CCC Help Dutch
"{01B98AF5-3F68-2B2A-96A9-756427755EE1}" = CCC Help Japanese
"{03694711-6C4B-0CF0-5774-22130FCE0B85}" = Catalyst Control Center Graphics Light
"{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{0E0131B2-CF18-40D9-A331-60A3746C1204}" = EPSON Scan
"{0F27E26B-6B0D-3339-9C3D-9D9553F0474A}" = Catalyst Control Center Localization All
"{1007F41F-7D69-468E-8017-3849A5A973C2}" = ThinkVantage Technologies Welcome Message
"{11E48F3E-8975-FEDB-D68C-ED6A5C3DEA43}" = CCC Help Korean
"{1297C681-92D7-40EF-93BF-03F66EC5105C}" = ThinkPad EasyEject Utility
"{137DCFE3-F690-9908-5E9E-9CB49FA89D2B}" = ccc-core-preinstall
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2111B23F-7FDA-4A41-8309-E5A1663CA296}" = ThinkPad Keyboard Customizer Utility
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java™ 6 Update 18
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{2A43FF29-0D97-4445-B82D-9324F176AED5}" = ThinkVantage System Update
"{2AB45FAF-2D92-0409-8D33-E2FE6172280E}" = Autodesk 3ds Max Design 2009 32-bit ProMaterials™ Library
"{2ABCF36B-7253-88EE-E3EE-0239EED2C935}" = CCC Help Spanish
"{2C996783-CAE7-C5B5-DDF5-88613DCFC907}" = Skins
"{2ECFBC62-FC62-CA66-8C85-FC867A6E2ECB}" = CCC Help Portuguese
"{305D5417-E687-0409-AA09-53DE06E059F8}" = Autodesk 3ds Max Design 2009 32-bit Movies
"{342F5437-C87D-4BB5-89B9-B23E16C6A395}" = Microsoft Visual C++ 8.0 Support DLLs
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35CB6715-41F8-4F99-8881-6FC75BF054B0}" = Oblivion
"{3D347E6D-5A03-4342-B5BA-6A771885F379}" = Autodesk Backburner 2008.1
"{3F4EC965-28EF-45C3-B063-04B25D4E9679}" = ThinkPad Bluetooth with Enhanced Data Rate Software
"{3F9B2FD2-1C83-4401-9967-C3636638E958}" = Adobe SING CS3
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go 5.0
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4F3E17F8-F1C8-4A4B-9EB8-1EE2D190CDA9}" = Adobe Setup
"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
"{53823917-21A6-A0EE-9F4B-F9F153C8C075}" = Catalyst Control Center Graphics Full Existing
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{5545EEE1-FA36-4F76-B6BE-5696E7F4E2D6}" = VBA (2627.01)
"{56B8B892-317E-4FDE-9E4D-44B189848A27}" = Adobe Setup
"{5783F2D7-4001-0409-0002-0060B0CE6BBA}" = AutoCAD 2006 - English
"{5783F2D7-8001-0409-0002-0060B0CE6BBA}" = AutoCAD 2010 - English
"{5783F2D7-8001-0409-1002-0060B0CE6BBA}" = AutoCAD 2010 Language Pack - English
"{57FA0525-01F9-4051-8DE9-CBF43CAC68D9}" = Catalyst Control Center - Branding
"{597E70FF-7C46-4EED-8092-91B7C2E0529D}" = Google SketchUp 7
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69F30A63-7771-9A9E-3881-4C71B1904492}" = ccc-utility
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6B707CD5-2425-00B2-B5C8-677862351118}" = CCC Help German
"{6B9DD988-5ECB-4623-BBFF-8A8F2DA3ED16}" = Rhinoceros 4.0 Evaluation
"{6C11D561-620B-47DA-A693-4C597F3CDF40}" = EPSON Smart Panel
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{71A4AF1A-9C08-9EC0-D246-C120866B798C}" = Catalyst Control Center Core Implementation
"{72806716-7088-41B2-8FA6-717A2A164DAB}" = ThinkVantage Active Protection System
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76F571DE-144F-E890-CDFA-020241BC5201}" = ccc-core-static
"{797A9B18-BC2A-C4DD-AF56-0E89699B8030}" = CCC Help Chinese Traditional
"{7DA0C101-5C7C-40C9-A485-68E12780232C}" = Sierra Wireless MC5720 Package for Access Connections
"{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3
"{82512BC9-BD5D-4C50-BE4D-B98E7DF78687}" = ThinkPad UltraNav Wizard
"{83073C45-3003-4671-9A86-243AAADD915A}" = Microsoft Calculator Plus
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
"{986F64DC-FF15-449D-998F-EE3BCEC6666A}" = Help Center
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9A346205-EA92-4406-B1AB-50379DA3F057}" = Autodesk DWF Viewer 7
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{9F9F3775-7E5B-4028-B5E5-DA1C042517A8}" = EPSON Photo Print
"{9FABBC7B-287C-90FD-050E-FB51EA2FF60F}" = CCC Help Italian
"{A0E64EBA-8BF0-49FB-90C0-BB3D781A2016}" = ThinkPad Power Manager
"{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A2D1C130-C6AB-D8FD-10FC-942FFB9A64F8}" = CCC Help Chinese Standard
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{A7ACD5B8-72E1-5E50-E8CF-748E5F224F27}" = Catalyst Control Center Graphics Full New
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-1033-F400-7760-000000000003}" = Adobe Acrobat 8 Professional - English, Français, Deutsch
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B69CC1A5-0404-11D6-ABCB-005004C21D30}" = EPSON Copy Utility
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BB65C393-C76E-4F06-9B0C-2124AA8AF97B}" = Adobe Flash Player 9 ActiveX
"{BBE9576A-0405-F53B-1B69-65D993A13A01}" = CCC Help English
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C251E4E6-89BA-0409-9B42-1B3D01D34783}" = Autodesk 3ds Max Design 2009 32-bit Architectural Materials Library
"{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}" = Adobe ExtendScript Toolkit 2
"{C54ED2B6-1AF2-416F-BBA8-5E2B8CDCB5C4}" = XP Themes
"{C6FA39A7-26B1-480A-BC74-6D17531AC222}" = Access Help
"{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}" = ClearType Tuning Control Panel Applet
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CB3F8375-B600-4B9F-83C9-238ED1E583FD}" = Adobe InDesign CS3
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF292E8C-9606-3B51-6EEF-6AA7D254A30A}" = CCC Help Swedish
"{CF5737AF-8550-4546-A69B-0EA9EF5A9B55}" = ThinkVantage Productivity Center
"{CFADE4AF-C0CF-4A04-A776-741318F1658F}" = Content Transfer
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D1696920-9794-4BBC-8A30-7A88763DE5A2}" = ABBYY FineReader 5.0 Sprint
"{D1BB4446-AE9C-4256-9A7F-4D46604D2462}" = Adobe Setup
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{D3C9E16D-AA27-491F-A29D-6FDF6B60AFC0}" = VZAccess Manager for Lenovo
"{D728E945-256D-4477-B377-6BBA693714AC}" = Productivity Center Supplement for ThinkPad
"{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}" = Adobe Color Common Settings
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{E5072660-B723-422B-BB74-EAA300BF716B}" = System Migration Assistant
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{E7E836B8-4BDD-454F-82E6-5FEA17C83AD4}" = Message Center
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{E922961C-6DB6-41DE-9FEA-426DF3E9F81C}" = IBM 32-bit Runtime Environment for Java 2, v1.4.2
"{EA664480-3844-11D5-8C25-444553540000}" = TrackPoint Accessibility Features
"{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}" = Adobe InDesign CS3 Icon Handler
"{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}" = ScanToWeb
"{F015E93D-8D56-D76A-6B7D-A3C171471DEC}" = CCC Help French
"{F08E8D2E-F132-4742-9C87-D5FF223A016A}" = Adobe Illustrator CS3
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F151F2B3-0C32-44D3-90E2-E639B8024622}" = Rescue and Recovery
"{F386C340-DF4B-4BBA-9503-420FB7EDB395}" = Wallpapers
"{F681200C-0446-0409-ABE4-EA9105E40EE4}" = Autodesk 3ds Max Design 2009 32-bit Additional Maps and Material Libraries
"{F6A04D96-C6D7-498C-9099-BCAD0D99778D}" = Diskeeper Lite
"{F850707C-B6A0-4B56-8709-F89CF8F9AC6D}" = Eraser
"{FC081D4D-DF1B-4CF1-B530-027E4118D846}" = ThinkPad Configuration
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"{FDD8070F-E3B9-0409-822C-CCFE5E82C14D}" = Autodesk 3ds Max Design 2009 32-bit
"7-Zip" = 7-Zip 4.65
"Adobe Acrobat 8 Professional - English, Français, Deutsch" = Adobe Acrobat 8.1.4 Professional
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_05ba3a63f36684fe0c5dde2ebe6f8f5" = Adobe InDesign CS3
"Adobe_2ac78060bc5856b0c1cf873bb919b58" = Adobe Photoshop CS3
"Adobe_a04a925a57548091300ada368235fc6" = Adobe Illustrator CS3
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"AutoCAD 2010 - English" = AutoCAD 2010 - English
"AVG9Uninstall" = AVG Free 9.0
"AwayTask" = ThinkVantage Away Manager
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10140588" = ThinkPad Modem
"CobBackup10" = Cobian Backup 10
"DVD Shrink_is1" = DVD Shrink 3.2
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Eraser" = Eraser
"FastStone Image Viewer" = FastStone Image Viewer 3.8
"FBX Plugin 2009.0 for Max 2009" = FBX Plugin 2009.0 for Max 2009
"Gadwin PrintScreen" = Gadwin PrintScreen
"Glary Utilities_is1" = Glary Utilities 2.20.0.831
"GOM Player" = GOM Player
"ie8" = Windows Internet Explorer 8
"InstallShield_{E922961C-6DB6-41DE-9FEA-426DF3E9F81C}" = IBM 32-bit Runtime Environment for Java 2, v1.4.2
"MainType2_is1" = MainType 2.1.1
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.10)" = Mozilla Firefox (3.6.10)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"PC-Doctor 5 for Windows" = PC-Doctor 5 for Windows
"PCMCIAPW" = ThinkPad PC Card Power Policy
"Power Management Driver" = ThinkPad Power Management Driver
"PowerISO" = PowerISO
"Presentation Director" = ThinkPad Presentation Director
"ProInst" = Intel® PROSet/Wireless Software
"PROSet" = Intel® PRO Network Connections Drivers
"Silent Package Run-Time Sample" = EPSON PERF 3170Guide
"SynTPDeinstKey" = ThinkPad UltraNav Driver
"ThinkPad FullScreen Magnifier" = ThinkPad FullScreen Magnifier
"ThinkPadSoftwareInstaller" = Software Installer
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Zero Assumption Recovery_is1" = Zero Assumption Recovery Version 8.5

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3038731106-559485279-2363235673-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/23/2010 3:57:50 PM | Computer Name = CB_THINKPAD | Source = Application Error | ID = 1000
Description = Faulting application oblivion.exe, version 0.1.0.228, faulting module
oblivion.exe, version 0.1.0.228, fault address 0x0011a15f.

Error - 9/24/2010 9:24:17 AM | Computer Name = CB_THINKPAD | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/25/2010 3:29:47 PM | Computer Name = CB_THINKPAD | Source = Application Error | ID = 1000
Description = Faulting application oblivion.exe, version 0.1.0.228, faulting module
oblivion.exe, version 0.1.0.228, fault address 0x0011a15f.

Error - 9/25/2010 5:51:44 PM | Computer Name = CB_THINKPAD | Source = Application Error | ID = 1000
Description = Faulting application acrobat.exe, version 8.1.0.137, faulting module
bib.dll, version 1.2.1.1, fault address 0x0000c3e7.

Error - 9/26/2010 1:35:57 PM | Computer Name = CB_THINKPAD | Source = Application Error | ID = 1000
Description = Faulting application oblivion.exe, version 0.1.0.228, faulting module
oblivion.exe, version 0.1.0.228, fault address 0x0011a15f.

Error - 9/26/2010 7:52:03 PM | Computer Name = CB_THINKPAD | Source = Application Error | ID = 1000
Description = Faulting application oblivion.exe, version 0.1.0.228, faulting module
oblivion.exe, version 0.1.0.228, fault address 0x0011a15f.

Error - 9/29/2010 9:11:58 PM | Computer Name = CB_THINKPAD | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.3156, faulting
module ikaxicedojodohuj.dll, version 0.0.0.0, fault address 0x000126d7.

Error - 9/29/2010 9:12:11 PM | Computer Name = CB_THINKPAD | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.

Error - 9/29/2010 9:12:49 PM | Computer Name = CB_THINKPAD | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/30/2010 11:56:46 AM | Computer Name = CB_THINKPAD | Source = Application Error | ID = 1000
Description = Faulting application oblivion.exe, version 0.1.0.228, faulting module
oblivion.exe, version 0.1.0.228, fault address 0x002c7c6c.

[ OSession Events ]
Error - 5/4/2010 3:11:08 PM | Computer Name = CB_THINKPAD | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 2091
seconds with 840 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 9/30/2010 9:03:38 AM | Computer Name = CB_THINKPAD | Source = Service Control Manager | ID = 7023
Description = The MicroSoft Reporting Tools service terminated with the following
error: %%126

Error - 9/30/2010 9:48:00 AM | Computer Name = CB_THINKPAD | Source = Schedule | ID = 7901
Description = The At34.job command failed to start due to the following error: %%2147942402

Error - 9/30/2010 10:00:00 AM | Computer Name = CB_THINKPAD | Source = Schedule | ID = 7901
Description = The At11.job command failed to start due to the following error: %%2147942402

Error - 9/30/2010 10:48:00 AM | Computer Name = CB_THINKPAD | Source = Schedule | ID = 7901
Description = The At35.job command failed to start due to the following error: %%2147942402

Error - 9/30/2010 10:52:36 AM | Computer Name = CB_THINKPAD | Source = Service Control Manager | ID = 7034
Description = The mental ray 3.6 Satellite for Autodesk 3ds Max Design 2009 32-bit
32-bit service terminated unexpectedly. It has done this 1 time(s).

Error - 9/30/2010 11:00:00 AM | Computer Name = CB_THINKPAD | Source = Schedule | ID = 7901
Description = The At12.job command failed to start due to the following error: %%2147942402

Error - 9/30/2010 11:48:00 AM | Computer Name = CB_THINKPAD | Source = Schedule | ID = 7901
Description = The At36.job command failed to start due to the following error: %%2147942402

Error - 9/30/2010 12:00:00 PM | Computer Name = CB_THINKPAD | Source = Schedule | ID = 7901
Description = The At13.job command failed to start due to the following error: %%2147942402

Error - 9/30/2010 12:48:00 PM | Computer Name = CB_THINKPAD | Source = Schedule | ID = 7901
Description = The At37.job command failed to start due to the following error: %%2147942402

Error - 9/30/2010 1:00:00 PM | Computer Name = CB_THINKPAD | Source = Schedule | ID = 7901
Description = The At14.job command failed to start due to the following error: %%2147942402


< End of report >


#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:06:24 AM

Posted 01 October 2010 - 04:02 AM

Hi,

please run a scan with ComboFix next:

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable isable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 bark.chris

bark.chris
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:new york
  • Local time:12:24 AM

Posted 01 October 2010 - 09:05 AM

Hi myrti,

Here is the ComboFix log:

ComboFix 10-09-30.03 - cbarker 10/01/2010 9:51.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1261 [GMT -4:00]
Running from: c:\documents and settings\cbarker\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\.wtav
c:\documents and settings\cbarker\.COMMgr
c:\documents and settings\cbarker\Application Data\B3C6EC7E45894AD24F47807F62FF33A8
c:\documents and settings\cbarker\Application Data\B3C6EC7E45894AD24F47807F62FF33A8\enemies-names.txt
c:\documents and settings\cbarker\Application Data\B3C6EC7E45894AD24F47807F62FF33A8\local.ini
c:\documents and settings\cbarker\Local Settings\Application Data\{1A68B962-733C-46E5-AB75-A6D9796EA632}
c:\documents and settings\cbarker\Local Settings\Application Data\{1A68B962-733C-46E5-AB75-A6D9796EA632}\chrome.manifest
c:\documents and settings\cbarker\Local Settings\Application Data\{1A68B962-733C-46E5-AB75-A6D9796EA632}\chrome\content\_cfg.js
c:\documents and settings\cbarker\Local Settings\Application Data\{1A68B962-733C-46E5-AB75-A6D9796EA632}\chrome\content\overlay.xul
c:\documents and settings\cbarker\Local Settings\Application Data\{1A68B962-733C-46E5-AB75-A6D9796EA632}\install.rdf
c:\program files\Mozilla Firefox\searchplugins\google_search.xml
c:\windows\ikaxicedojodohuj.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_IAS
-------\Legacy_USERINIT
-------\Service_6to4
-------\Service_Ias


((((((((((((((((((((((((( Files Created from 2010-09-01 to 2010-10-01 )))))))))))))))))))))))))))))))
.

2010-09-23 17:43 . 2010-09-23 17:43 620896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2010-09-23 17:43 . 2010-09-23 17:43 4093792 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-09-23 17:43 . 2010-09-23 17:43 3586912 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-09-23 17:43 . 2010-09-23 17:43 1619296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-09-23 17:43 . 2010-09-23 17:43 1377632 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll
2010-09-23 17:43 . 2010-09-23 17:43 942432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2010-09-23 17:43 . 2010-09-23 17:43 598368 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-09-23 17:43 . 2010-09-23 17:43 4371296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-09-23 17:43 . 2010-09-23 17:43 300896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-09-23 17:42 . 2010-09-23 17:42 1690952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-09-23 01:57 . 2010-09-23 01:57 874240 ----a-w- c:\windows\system32\drivers\IASTOR.SYS
2010-09-22 12:07 . 2010-09-22 12:07 874240 ----a-w- c:\windows\system32\drivers\juaqwrde.sys
2010-09-22 03:09 . 2010-09-23 02:05 -------- d-----w- c:\windows\system32\MpEngineStore
2010-09-20 13:58 . 2010-09-20 13:58 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-09-20 13:45 . 2010-10-01 13:29 0 ----a-w- c:\windows\Ghaseyeguwivi.bin
2010-09-20 13:45 . 2010-10-01 01:40 120 ----a-w- c:\windows\Yxolumamumusetu.dat
2010-09-20 13:35 . 2010-09-20 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-09-19 17:02 . 2010-09-19 17:02 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-09-01 14:42 . 2010-09-01 14:42 -------- d-----w- c:\documents and settings\cbarker\Local Settings\Application Data\Safe mirror

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-01 13:57 . 2010-06-22 19:19 -------- d-----w- c:\documents and settings\cbarker\Application Data\Dropbox
2010-09-29 13:47 . 2010-02-28 16:05 -------- d-----w- c:\program files\uTorrent
2010-09-29 13:47 . 2010-02-28 16:05 -------- d-----w- c:\documents and settings\cbarker\Application Data\uTorrent
2010-09-25 18:24 . 2010-01-06 20:44 -------- d-----w- c:\program files\Google
2010-09-22 23:09 . 2010-09-22 23:01 112 ----a-w- c:\documents and settings\All Users\Application Data\r8fFbyg6.dat
2010-09-22 23:00 . 1980-01-01 08:00 94724 ----a-w- c:\windows\system32\rundll32.exe.tmp
2010-09-22 03:07 . 2010-01-07 22:27 35552200 ----a-w- c:\windows\system32\MRT1.exe
2010-09-20 13:39 . 2010-01-06 23:19 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-09-12 03:54 . 2010-01-14 22:31 -------- d-----w- c:\documents and settings\cbarker\Application Data\Skype
2010-09-11 22:59 . 2010-01-14 22:32 -------- d-----w- c:\documents and settings\cbarker\Application Data\skypePM
2010-09-09 13:04 . 2010-06-23 15:23 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-09-01 14:42 . 2010-09-01 13:53 -------- d-----w- c:\program files\Cobian Backup 10
2010-08-31 03:49 . 2010-08-31 03:49 28116 ---h--w- c:\windows\system32\mlfcache.dat
2010-08-30 21:26 . 2004-08-04 06:59 49536 ------w- c:\windows\system32\drivers\cdrom.sys
2010-08-30 13:58 . 2010-01-08 14:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-28 17:52 . 2010-06-29 23:24 23552 ------w- c:\windows\system32\drivers\psasrv.exe
2010-08-28 17:33 . 2010-03-21 15:42 -------- d-----w- c:\program files\Common Files\Lenovo
2010-08-28 17:33 . 2010-01-06 20:21 -------- d-----w- c:\program files\Lenovo
2010-08-28 17:33 . 2010-08-28 17:33 33536 ------w- c:\windows\system32\drivers\tvtfilter.sys
2010-08-07 21:07 . 2010-08-07 21:07 -------- d-----w- c:\program files\Common Files\Skype
2010-08-07 21:07 . 2010-01-14 22:31 -------- d-----r- c:\program files\Skype
2010-08-07 21:07 . 2010-01-14 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-08-02 15:56 . 2010-07-25 18:57 293352 ------w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-15 13:32 . 2010-01-06 23:20 243024 ------w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 13:32 . 2010-07-15 13:32 12536 ------w- c:\windows\system32\avgrsstx.dll
2010-07-15 13:31 . 2010-01-06 23:20 216400 ------w- c:\windows\system32\drivers\avgldx86.sys
2010-07-05 13:20 . 2010-01-06 20:58 36720 ------w- c:\documents and settings\cbarker\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.
CODE
<pre>
c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray .exe
c:\program files\Analog Devices\Core\smax4pnp .exe
c:\program files\Analog Devices\SoundMAX\smax4 .exe
c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy .exe
c:\program files\Lenovo\PkgMgr\HOTKEY\tphkmgr .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\Synaptics\SynTP\syntplpr .exe
c:\program files\ThinkPad\Utilities\tpkmapap .exe
c:\program files\ThinkVantage\PrdCtr\lpmgr .exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\rundll32 .exe
c:\windows\system32\tp4ex .exe
c:\windows\system32\tpshocks .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ------w- c:\documents and settings\cbarker\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ------w- c:\documents and settings\cbarker\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ------w- c:\documents and settings\cbarker\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cobian Backup 10"="c:\program files\Cobian Backup 10\Cobian.exe" [2010-07-13 421376]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 151552]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-12-07 208896]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-12-15 925696]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-03-10 94208]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-05-14 487424]
"Ywelopo"="c:\windows\ikaxicedojodohuj.dll" [N/A]

c:\documents and settings\cbarker\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\cbarker\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 13:32 12536 ------w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2005-12-08 22:59 39936 ------w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 07:45 28672 ------w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 04:16 24576 ------w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"AMSG"=c:\program files\ThinkVantage\AMSG\Amsg.exe
"EZEJMNAP"=c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"suScheduler"=c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"ContentTransferWMDetector.exe"=c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe
"Ywelopo"=rundll32.exe "c:\windows\ikaxicedojodohuj.dll",Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\cbarker\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/6/2010 7:20 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/6/2010 7:20 PM 243024]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [5/9/2008 5:50 AM 46144]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/15/2010 9:31 AM 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 9:32 AM 308136]
R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max Design 2009 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [3/10/2008 1:04 AM 65536]
R2 smihlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [12/8/2005 6:44 PM 3328]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [5/14/2008 4:25 PM 520192]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [5/9/2008 5:50 AM 253952]
R3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [11/18/2005 8:21 PM 58624]
R3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\drivers\SWNC5E01.sys [8/5/2005 7:42 PM 73600]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2/22/2008 4:54 PM 37312]
S0 kzjgdnhl;kzjgdnhl; [x]
S0 porwwira;porwwira;c:\windows\system32\drivers\kouxge.sys --> c:\windows\system32\drivers\kouxge.sys [?]
S0 rbnefv;rbnefv;c:\windows\system32\drivers\wvrsjbyp.sys --> c:\windows\system32\drivers\wvrsjbyp.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-10-01 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-01-07 23:44]

2010-10-01 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2010-04-18 09:12]

2010-09-30 c:\windows\Tasks\User_Feed_Synchronization-{9510B2D5-20B8-4127-A103-EE32E13C0395}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
FF - ProfilePath - c:\documents and settings\cbarker\Application Data\Mozilla\Firefox\Profiles\bz7q5l1f.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.search-tab.com/?sid=10101057100&s=
FF - prefs.js: network.proxy.http - proxy.nyit.edu
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.ssl - proxy.nyit.edu
FF - prefs.js: network.proxy.ssl_port - 80
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-tab.com/?sid=10101057100&s=c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
Notify-NavLogon - (no file)
SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-01 09:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1172)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'lsass.exe'(1228)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll

- - - - - - - > 'explorer.exe'(5220)
c:\windows\system32\WININET.dll
c:\windows\system32\PROCHLP.DLL
c:\documents and settings\cbarker\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.EXE
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\TpKmpSVC.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\ThinkVantage\SystemUpdate\UCLauncherService.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Cobian Backup 10\cbInterface.exe
.
**************************************************************************
.
Completion time: 2010-10-01 10:01:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-01 14:01

Pre-Run: 39,938,895,872 bytes free
Post-Run: 39,889,154,048 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

- - End Of File - - BA6C2CA8AF643246D79A09E8E9535E30


#6 bark.chris

bark.chris
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:new york
  • Local time:12:24 AM

Posted 01 October 2010 - 09:40 AM

Hi myrti,

After running Combofix,
-Folder Options are available again, and file extensions are visible;
-System Restore control panel is also available;
-XULRunner no longer appears as a Firefox extension.

This seems to have fixed (some/all?) of the infection.

bark.chris





#7 bark.chris

bark.chris
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:new york
  • Local time:12:24 AM

Posted 02 October 2010 - 11:51 AM

Hi myrti,

My system appears to be running normally again. Malwarebytes’ Quick Scan confirms that Hijack.FolderOptions has gone.

The only irregularity to note was a RUNDLL error message I received at startup, stating C:\WINDOWS\\ikaxicedojohuj.dll could not be found.

bark.chris

#8 bark.chris

bark.chris
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:new york
  • Local time:12:24 AM

Posted 03 October 2010 - 03:54 PM

Hi myrti,

Not sure if you're still monitoring this topic, but I have discovered that something is continuing to mess with Firefox, and I
still unable to load Google as a search engine in the location bar of the browser.

I have tried resetting Firefox defaults: about:config > keyword.URL > reset, as well as starting FireFox in safe mode and selecting "restore default search engines." Neither works.

However, I can still navigate to http://www.google.com and search from here. The search results do not appear to be interfered with.

Any suggestions? Would reinstalling Firefox solve the problem?

Thanks,

bark.chris


#9 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:06:24 AM

Posted 04 October 2010 - 08:18 AM

Hi,

sorry about the delay. My PC stopped working over the week-end.

There is an infection left and we need to address it:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
dds::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
driver::
kzjgdnhl
porwwira
rbnefv
file::
c:\windows\system32\drivers\kouxge.sys
c:\windows\system32\drivers\wvrsjbyp.sys
c:\windows\system32\drivers\juaqwrde.sys
c:\windows\Ghaseyeguwivi.bin
c:\windows\Yxolumamumusetu.dat
renv::

c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray .exe
c:\program files\Analog Devices\Core\smax4pnp .exe
c:\program files\Analog Devices\SoundMAX\smax4 .exe
c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy .exe
c:\program files\Lenovo\PkgMgr\HOTKEY\tphkmgr .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Synaptics\SynTP\syntpenh .exe
c:\program files\Synaptics\SynTP\syntplpr .exe
c:\program files\ThinkPad\Utilities\tpkmapap .exe
c:\program files\ThinkVantage\PrdCtr\lpmgr .exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\rundll32 .exe
c:\windows\system32\tp4ex .exe
c:\windows\system32\tpshocks .exe

firefox::

FF - ProfilePath - c:\documents and settings\cbarker\Application Data\Mozilla\Firefox\Profiles\bz7q5l1f.default\

FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-tab.com/?sid=10101057100&s=
FF - prefs.js: keyword.URL - hxxp://search.search-tab.com/?sid=10101057100&s=


Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Let me know if this helps with your Firefox too.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#10 bark.chris

bark.chris
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:new york
  • Local time:12:24 AM

Posted 04 October 2010 - 09:13 AM

Hi myrti,

The Combofix script is below.

After running ComboxFix, the value for keyword.URL in my Firefox configuration has been restored to www.google.com, but Google still does not appear as an option in the location bar. I also tried resetting this from safe mode as before.

bark.chris



ComboFix 10-09-30.03 - cbarker 10/04/2010 9:47.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1396 [GMT -4:00]
Running from: c:\documents and settings\cbarker\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\cbarker\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\Ghaseyeguwivi.bin"
"c:\windows\system32\drivers\juaqwrde.sys"
"c:\windows\system32\drivers\kouxge.sys"
"c:\windows\system32\drivers\wvrsjbyp.sys"
"c:\windows\Yxolumamumusetu.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Ghaseyeguwivi.bin
c:\windows\system32\drivers\juaqwrde.sys
c:\windows\Yxolumamumusetu.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kzjgdnhl
-------\Service_porwwira
-------\Service_rbnefv


((((((((((((((((((((((((( Files Created from 2010-09-04 to 2010-10-04 )))))))))))))))))))))))))))))))
.

2010-10-03 17:29 . 2010-10-03 17:29 -------- d-----w- c:\program files\Common Files\Java
2010-10-03 17:29 . 2010-10-03 17:29 503808 ----a-w- c:\documents and settings\cbarker\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4b4a1805-n\msvcp71.dll
2010-10-03 17:29 . 2010-10-03 17:29 499712 ----a-w- c:\documents and settings\cbarker\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4b4a1805-n\jmc.dll
2010-10-03 17:29 . 2010-10-03 17:29 348160 ----a-w- c:\documents and settings\cbarker\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4b4a1805-n\msvcr71.dll
2010-10-03 17:29 . 2010-10-03 17:29 61440 ----a-w- c:\documents and settings\cbarker\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-535502ed-n\decora-sse.dll
2010-10-03 17:29 . 2010-10-03 17:29 12800 ----a-w- c:\documents and settings\cbarker\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-535502ed-n\decora-d3d.dll
2010-10-03 17:28 . 2010-10-03 17:28 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-03 17:28 . 2010-10-03 17:28 -------- d-----w- c:\program files\Java
2010-10-03 17:27 . 2010-10-03 17:27 79488 ----a-w- c:\documents and settings\cbarker\Application Data\Sun\Java\jre1.6.0_21\gtapi.dll
2010-10-03 17:27 . 2010-10-03 17:27 152576 ----a-w- c:\documents and settings\cbarker\Application Data\Sun\Java\jre1.6.0_21\lzma.dll
2010-10-02 17:10 . 2010-10-02 17:10 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-09-23 17:43 . 2010-09-23 17:43 620896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2010-09-23 17:43 . 2010-09-23 17:43 4093792 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-09-23 17:43 . 2010-09-23 17:43 3586912 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-09-23 17:43 . 2010-09-23 17:43 1619296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-09-23 17:43 . 2010-09-23 17:43 1377632 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll
2010-09-23 17:43 . 2010-09-23 17:43 942432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcfgx.dll
2010-09-23 17:43 . 2010-09-23 17:43 598368 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll
2010-09-23 17:43 . 2010-09-23 17:43 4371296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-09-23 17:43 . 2010-09-23 17:43 300896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll
2010-09-23 17:42 . 2010-09-23 17:42 1690952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-09-23 01:57 . 2010-09-23 01:57 874240 ----a-w- c:\windows\system32\drivers\IASTOR.SYS
2010-09-22 03:09 . 2010-09-23 02:05 -------- d-----w- c:\windows\system32\MpEngineStore
2010-09-20 13:58 . 2010-09-20 13:58 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-09-20 13:35 . 2010-09-20 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-09-19 17:02 . 2010-09-19 17:02 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-04 13:56 . 2010-06-22 19:19 -------- d-----w- c:\documents and settings\cbarker\Application Data\Dropbox
2010-10-04 13:47 . 2010-01-07 23:16 -------- d-----w- c:\program files\QuickTime
2010-10-02 17:15 . 2010-01-07 16:02 -------- d-----w- c:\program files\Common Files\Adobe
2010-10-01 15:31 . 2010-01-07 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-09-29 13:47 . 2010-02-28 16:05 -------- d-----w- c:\program files\uTorrent
2010-09-29 13:47 . 2010-02-28 16:05 -------- d-----w- c:\documents and settings\cbarker\Application Data\uTorrent
2010-09-25 18:24 . 2010-01-06 20:44 -------- d-----w- c:\program files\Google
2010-09-22 23:09 . 2010-09-22 23:01 112 ----a-w- c:\documents and settings\All Users\Application Data\r8fFbyg6.dat
2010-09-22 23:00 . 1980-01-01 08:00 94724 ----a-w- c:\windows\system32\rundll32.exe.tmp
2010-09-22 03:07 . 2010-01-07 22:27 35552200 ----a-w- c:\windows\system32\MRT1.exe
2010-09-20 13:39 . 2010-01-06 23:19 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-09-12 03:54 . 2010-01-14 22:31 -------- d-----w- c:\documents and settings\cbarker\Application Data\Skype
2010-09-11 22:59 . 2010-01-14 22:32 -------- d-----w- c:\documents and settings\cbarker\Application Data\skypePM
2010-09-01 14:42 . 2010-09-01 13:53 -------- d-----w- c:\program files\Cobian Backup 10
2010-08-31 03:49 . 2010-08-31 03:49 28116 ---h--w- c:\windows\system32\mlfcache.dat
2010-08-30 21:26 . 2004-08-04 06:59 49536 ------w- c:\windows\system32\drivers\cdrom.sys
2010-08-30 13:58 . 2010-01-08 14:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-28 17:52 . 2010-06-29 23:24 23552 ------w- c:\windows\system32\drivers\psasrv.exe
2010-08-28 17:33 . 2010-03-21 15:42 -------- d-----w- c:\program files\Common Files\Lenovo
2010-08-28 17:33 . 2010-01-06 20:21 -------- d-----w- c:\program files\Lenovo
2010-08-28 17:33 . 2010-08-28 17:33 33536 ------w- c:\windows\system32\drivers\tvtfilter.sys
2010-08-07 21:07 . 2010-08-07 21:07 -------- d-----w- c:\program files\Common Files\Skype
2010-08-07 21:07 . 2010-01-14 22:31 -------- d-----r- c:\program files\Skype
2010-08-07 21:07 . 2010-01-14 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-08-02 15:56 . 2010-07-25 18:57 293352 ------w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-07-15 13:32 . 2010-01-06 23:20 243024 ------w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 13:32 . 2010-07-15 13:32 12536 ------w- c:\windows\system32\avgrsstx.dll
2010-07-15 13:31 . 2010-01-06 23:20 216400 ------w- c:\windows\system32\drivers\avgldx86.sys
.
CODE
<pre>
c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ------w- c:\documents and settings\cbarker\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ------w- c:\documents and settings\cbarker\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ------w- c:\documents and settings\cbarker\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cobian Backup 10"="c:\program files\Cobian Backup 10\Cobian.exe" [2010-07-13 421376]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-12-07 151552]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-12-07 208896]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-12-15 925696]
"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-03-10 94208]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-05-14 487424]
"Ywelopo"="c:\windows\ikaxicedojodohuj.dll" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\cbarker\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\cbarker\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 13:32 12536 ------w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2005-12-08 22:59 39936 ------w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 07:45 28672 ------w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 04:16 24576 ------w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"AMSG"=c:\program files\ThinkVantage\AMSG\Amsg.exe
"EZEJMNAP"=c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"suScheduler"=c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"ContentTransferWMDetector.exe"=c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe
"Ywelopo"=rundll32.exe "c:\windows\ikaxicedojodohuj.dll",Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\cbarker\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/6/2010 7:20 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/6/2010 7:20 PM 243024]
R1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [5/9/2008 5:50 AM 46144]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/15/2010 9:31 AM 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 9:32 AM 308136]
R2 mi-raysat_3dsMax2009_32;mental ray 3.6 Satellite for Autodesk 3ds Max Design 2009 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe [3/10/2008 1:04 AM 65536]
R2 smihlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [12/8/2005 6:44 PM 3328]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [5/14/2008 4:25 PM 520192]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [5/9/2008 5:50 AM 253952]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2/22/2008 4:54 PM 37312]
S3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [11/18/2005 8:21 PM 58624]
S3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\drivers\SWNC5E01.sys [8/5/2005 7:42 PM 73600]
.
Contents of the 'Scheduled Tasks' folder

2010-10-04 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-01-07 23:44]

2010-10-04 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2010-04-18 09:12]

2010-10-03 c:\windows\Tasks\User_Feed_Synchronization-{9510B2D5-20B8-4127-A103-EE32E13C0395}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
FF - ProfilePath - c:\documents and settings\cbarker\Application Data\Mozilla\Firefox\Profiles\bz7q5l1f.default\
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-04 09:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1008)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'lsass.exe'(1064)
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll

- - - - - - - > 'explorer.exe'(5776)
c:\windows\system32\WININET.dll
c:\windows\system32\PROCHLP.DLL
c:\documents and settings\cbarker\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.EXE
c:\windows\system32\TpKmpSVC.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\ThinkVantage\SystemUpdate\UCLauncherService.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
c:\program files\Cobian Backup 10\cbInterface.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2010-10-04 10:00:07 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-04 14:00
ComboFix2.txt 2010-10-01 14:01

Pre-Run: 38,991,462,400 bytes free
Post-Run: 39,013,748,736 bytes free

- - End Of File - - 2B353AF4B91DEE629B6CA67D91A5099B




#11 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:06:24 AM

Posted 04 October 2010 - 09:25 AM

Hi,

please run the following script as well:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
Renv::

c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy .exe


Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

What do you mean by location bar? The address bar? Or the drop down menu for the search area?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#12 bark.chris

bark.chris
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:new york
  • Local time:12:24 AM

Posted 04 October 2010 - 12:59 PM

Hi myrti,

I ran ComboFix again with the new script. The scan completed, but after restart I received a message from Windows, "system recovered from serious error," and no log was produced. Shall I try again? When running the scan, I got another notice saying that PEV.cfxxe had unexepectedly closed.

Re: Firefox - sorry; I mean the Search Bar, at the top right of the browser window. The dropdown menu lists the other default search engines - Bing, Yahoo, Amazon, etc., but no Google. Perhaps this is a residue of the bogus XULRunner extension. I am able to work around this by visiting Google.com directly. A search like this *appears* to be free of any tampering.

bark.chris

#13 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:06:24 AM

Posted 04 October 2010 - 01:37 PM

Hi,

before running it again, could you please go to this folder: c:\documents and settings\cbarker\Application Data\Mozilla\Firefox\Profiles\bz7q5l1f.default
If you can not find one of the folders please make sure that you can see all folders: http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

and check for user.js.bak and prefs.js.bak. If they are present please zip them and attach them to your next reply.

regards myrti

Edited by myrti, 04 October 2010 - 01:40 PM.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#14 bark.chris

bark.chris
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:new york
  • Local time:12:24 AM

Posted 04 October 2010 - 03:34 PM

Hi myrti,

Please find the Firefox profiles attached

bark.chris

Attached Files



#15 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:06:24 AM

Posted 05 October 2010 - 04:22 AM

Hi,

thanks. Can you please run ComboFix without a script again and post the log in your next reply.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users