Defender says I have Vundo.gen!p

Post by effingcow » August 29th, 2008, 12:06 pm

It also says that I have successfully quarantined it, but I'd feel better having the thing off my computer. I have run HJT and ComboFix... I also made an uninstall log.

The HJT log is blue,
ComboFix is green,
the uninstall log is purple.

It says that this thing is supposed to have a lot of pop ups, but I haven't had any at all....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:15:50 AM, on 8/29/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\vsnp2uvc.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Waterproof\winlogon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\CfgWiz.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [snp2uvc] C:\Windows\vsnp2uvc.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [LenovoOobeOffers] c:\SWTOOLS\LenovoWelcome\LenovoOobeOffers.exe /filePath="c:\swshare\firstrun.txt"
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe /startup
O4 - HKLM\..\Run: [CameraApplicationLauncher] C:\Program Files\Lenovo\Camera Center\bin\CameraApplicationLaunchpadLauncher.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" /MODULE CfgWiz /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Windows Logon Applicationedc] C:\Users\Waterproof\winlogon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://c:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\Windows\system32\IPSSVC.EXE
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxba_device - - C:\Windows\system32\lxbacoms.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Unknown owner - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 13223 bytes

ComboFix 08-08-28.04 - Waterproof 2008-08-29 6:56:38.2 - NTFSx86 NETWORK
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.631 [GMT -4:00]
Running from: C:\Users\Waterproof\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Users\Waterproof\AppData\Roaming\macromedia\Flash Player\#SharedObjects\3KS38BBT\interclick.com
C:\Users\Waterproof\AppData\Roaming\macromedia\Flash Player\#SharedObjects\3KS38BBT\interclick.com\ud.sol
C:\Users\Waterproof\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Users\Waterproof\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Windows\system32\blphcltrj0e7fg.scr
C:\Windows\system32\fclfrkdw.dll
C:\Windows\system32\fgxirxpi.exe
C:\Windows\system32\fhuexe.dll
C:\Windows\system32\fttfwnit.dll
C:\Windows\system32\jkkLCtTN.dll
C:\Windows\system32\lphcltrj0e7fg.exe
C:\Windows\system32\MSINET.oca
C:\Windows\system32\OnXHjiOq.ini
C:\Windows\System32\OnXHjiOq.ini2
C:\Windows\system32\p32
C:\Windows\system32\pac.txt
C:\Windows\system32\phcltrj0e7fg.bmp
C:\Windows\system32\qOijHXnO.dll
C:\Windows\system32\sysrest.sys
C:\Windows\system32\sysrest32.exe
C:\Windows\system32\tidkrlnk.exe
C:\Windows\System32\tinwfttf.ini
C:\Windows\system32\trkwexes.dll
C:\Windows\system32\urqPheEV.dll
C:\Windows\System32\VEehPqru.ini
C:\Windows\System32\VEehPqru.ini2
C:\Windows\system32\vtUOGXol.dll
C:\Windows\system32\wrdhqkct.dll
C:\Windows\system32\x64

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSREST.SYS
-------\Service_sysrest.sys


((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
.

2008-08-29 06:09 . 2008-08-29 06:09 224,255,928 --a------ C:\Windows\MEMORY.DMP
2008-08-28 23:11 . 2008-08-28 23:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-28 21:08 . 2008-08-28 22:37 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-08-28 21:08 . 2008-08-28 22:37 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-08-28 21:08 . 2008-08-28 21:15 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-28 17:25 . 2008-08-28 17:25 203,776 --a------ C:\Windows\System32\wtlmhlnl.exe
2008-08-28 16:44 . 2008-08-28 16:44 71 --a------ C:\Users\Waterproof\7812.bat
2008-08-28 10:50 . 2008-08-28 10:50 <DIR> d-------- C:\Windows\System32\kp4
2008-08-28 10:50 . 2008-08-28 10:50 99,328 --a------ C:\Windows\faceback.exe
2008-08-28 10:49 . 2008-08-28 10:49 <DIR> d-------- C:\Windows\System32\eMaxt02
2008-08-28 10:49 . 2008-08-28 10:50 <DIR> d-------- C:\Temp\bbc2
2008-08-28 10:49 . 2008-08-29 06:57 <DIR> d-------- C:\Temp
2008-08-28 10:49 . 2008-08-28 16:43 44,544 --a------ C:\Users\Waterproof\index.exe
2008-08-28 10:49 . 2008-08-28 10:49 71 --a------ C:\Users\Waterproof\3434.bat
2008-08-28 10:43 . 2008-08-28 10:43 <DIR> d-------- C:\Users\All Users\PopCap
2008-08-28 10:43 . 2008-08-28 10:43 <DIR> d-------- C:\ProgramData\PopCap
2008-08-28 10:43 . 2008-08-28 10:43 <DIR> d-------- C:\Program Files\PopCap Games
2008-08-27 10:03 . 1999-12-17 10:13 86,016 --a------ C:\Windows\unvise32.exe
2008-08-26 18:09 . 2008-08-26 18:09 <DIR> d-------- C:\Program Files\GoldWave
2008-08-26 18:07 . 2008-08-26 18:07 <DIR> d-------- C:\Program Files\AltoMP3 Gold
2008-08-26 17:55 . 2008-08-26 17:55 <DIR> d-------- C:\Users\Waterproof\AppData\Roaming\Roxio
2008-08-26 17:55 . 2008-08-26 17:55 <DIR> d-------- C:\Users\All Users\Roxio
2008-08-26 17:55 . 2008-08-26 17:55 <DIR> d-------- C:\ProgramData\Roxio
2008-08-26 17:39 . 2008-08-26 18:15 <DIR> d-------- C:\UW20
2008-08-26 17:05 . 2008-08-26 17:05 <DIR> d-------- C:\Users\All Users\HP Product Assistant
2008-08-26 17:05 . 2008-08-26 17:05 <DIR> d-------- C:\ProgramData\HP Product Assistant
2008-08-26 17:02 . 2008-08-26 17:02 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-08-26 17:02 . 2008-08-26 17:02 <DIR> d-------- C:\Program Files\Common Files\HP
2008-08-26 17:01 . 2008-08-26 17:01 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-08-26 16:58 . 2008-08-26 17:05 <DIR> d-------- C:\Program Files\HP
2008-08-26 16:55 . 2008-08-26 17:07 <DIR> d-------- C:\Users\All Users\HP
2008-08-26 16:55 . 2008-08-26 17:07 <DIR> d-------- C:\ProgramData\HP
2008-08-26 16:55 . 2008-08-26 17:28 157,583 --a------ C:\Windows\hpoins26.dat
2008-08-26 12:16 . 2008-08-28 22:40 <DIR> d-------- C:\Users\Waterproof\AppData\Roaming\vusbsp
2008-08-18 19:56 . 2008-07-19 01:09 1,811,656 --a------ C:\Windows\System32\wuaueng.dll
2008-08-18 19:56 . 2008-07-18 23:44 1,524,736 --a------ C:\Windows\System32\wucltux.dll
2008-08-18 19:56 . 2008-07-19 01:09 563,912 --a------ C:\Windows\System32\wuapi.dll
2008-08-18 19:56 . 2008-07-19 01:08 163,904 --a------ C:\Windows\System32\wuwebv.dll
2008-08-18 19:56 . 2008-07-18 23:44 83,456 --a------ C:\Windows\System32\wudriver.dll
2008-08-18 19:56 . 2008-07-19 01:10 53,448 --a------ C:\Windows\System32\wuauclt.exe
2008-08-18 19:56 . 2008-07-19 01:10 45,768 --a------ C:\Windows\System32\wups2.dll
2008-08-18 19:56 . 2008-07-19 01:10 36,552 --a------ C:\Windows\System32\wups.dll
2008-08-18 19:56 . 2008-07-18 23:44 31,232 --a------ C:\Windows\System32\wuapp.exe
2008-08-14 06:03 . 2008-07-15 21:32 2,048 --a------ C:\Windows\System32\tzres.dll
2008-08-14 06:01 . 2008-04-10 01:12 738,304 --a------ C:\Windows\System32\inetcomm.dll
2008-08-14 06:01 . 2008-06-18 23:31 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL
2008-08-14 06:01 . 2008-04-18 01:48 269,312 --a------ C:\Windows\System32\es.dll
2008-08-14 06:00 . 2008-06-26 21:55 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-08-14 06:00 . 2008-06-27 00:15 827,392 --a------ C:\Windows\System32\wininet.dll
2008-08-07 15:48 . 2008-08-07 15:49 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-07 01:50 . 2008-08-13 03:20 <DIR> d-------- C:\Program Files\Full Tilt Poker
2008-08-03 01:56 . 2008-08-28 22:39 <DIR> d-------- C:\Users\Waterproof\AppData\Roaming\OpenOffice.org2
2008-08-02 17:42 . 2008-08-02 17:42 <DIR> d-------- C:\Program Files\OpenOffice.org 2.4
2008-08-02 06:45 . 2008-08-02 06:45 <DIR> d-------- C:\Windows\Sun
2008-08-01 16:07 . 2008-08-01 16:08 <DIR> d-------- C:\Windows\System32\Adobe
2008-07-31 18:58 . 2008-07-31 18:58 <DIR> d-------- C:\Program Files\iTunes
2008-07-31 18:58 . 2008-07-31 18:58 <DIR> d-------- C:\Program Files\iPod
2008-07-31 18:43 . 2008-07-31 18:44 <DIR> d-------- C:\Program Files\Safari

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-28 14:47 --------- d-----w C:\Users\Waterproof\AppData\Roaming\LimeWire
2008-08-28 05:54 --------- d-----w C:\Program Files\Trillian
2008-08-14 10:09 --------- d-----w C:\Program Files\Windows Mail
2008-08-07 05:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-02 21:39 --------- d-----w C:\Program Files\Java
2008-07-31 23:00 --------- d-----w C:\Users\Waterproof\AppData\Roaming\Apple Computer
2008-07-27 03:16 --------- d-----w C:\Program Files\Microsoft Games
2008-07-19 07:09 --------- d-----w C:\Program Files\AskPBar
2008-07-19 01:24 --------- d-----w C:\Users\Waterproof\AppData\Roaming\App Launcher Gadget
2008-07-17 07:08 --------- d-----w C:\Program Files\MSECache
2008-07-17 06:52 --------- d-----w C:\Users\Waterproof\AppData\Roaming\Microsoft Web Folders
2008-07-17 06:37 --------- d-----w C:\ProgramData\Microsoft Help
2008-07-15 17:27 --------- d-----w C:\Program Files\Lexmark X5100 Series
2008-07-13 10:12 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-07-12 17:41 --------- d-----w C:\Program Files\LimeWire
2008-07-12 17:17 --------- d-----w C:\ProgramData\Apple Computer
2008-07-12 17:15 --------- d-----w C:\Program Files\QuickTime
2008-07-12 17:15 --------- d-----w C:\Program Files\Bonjour
2008-07-12 17:08 --------- d-----w C:\ProgramData\Apple
2008-07-12 17:08 --------- d-----w C:\Program Files\Common Files\Apple
2008-07-12 06:04 --------- d-----w C:\ProgramData\Lenovo
2008-07-10 16:35 32,000 ----a-w C:\Windows\system32\drivers\usbaapl.sys
2008-07-09 23:00 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-09 22:05 --------- d-----w C:\Users\Waterproof\AppData\Roaming\Leadertech
2008-07-09 21:37 --------- d-----w C:\Program Files\MSXML 4.0
2008-07-09 21:17 --------- d-----w C:\ProgramData\Symantec
2008-07-09 21:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-09 21:13 --------- d-----w C:\Program Files\Norton Internet Security
2008-07-09 21:12 806 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
2008-07-09 21:12 8,014 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
2008-07-09 21:12 115,000 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS
2008-07-09 21:12 --------- d-----w C:\Program Files\Symantec
2008-07-09 20:59 --------- d-----w C:\Users\Waterproof\AppData\Roaming\Lenovo
2008-07-09 20:55 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-07-09 20:54 100 ----a-w C:\Windows\system32\drivers\Lenovo_7659_N2U.MRK
2008-06-27 22:38 53,248 --sh--w C:\Users\Waterproof\winlogon.exe
2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll
2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-06-12 05:14 1,732 ----a-w C:\tvtpktfilter.dat
2008-06-12 03:55 295,936 ----a-w C:\Windows\System32\gdi32.dll
2008-06-12 03:53 2,032,128 ----a-w C:\Windows\System32\win32k.sys
2008-06-12 03:52 988,216 ----a-w C:\Windows\System32\winload.exe
2008-06-12 03:52 927,288 ----a-w C:\Windows\System32\winresume.exe
2008-06-12 03:52 615,992 ----a-w C:\Windows\System32\ci.dll
2008-06-12 03:52 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-06-12 03:52 46,592 ----a-w C:\Windows\System32\setbcdlocale.dll
2008-06-12 03:52 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-06-12 03:52 378,368 ----a-w C:\Windows\System32\srcore.dll
2008-06-12 03:52 318,464 ----a-w C:\Windows\System32\rstrui.exe
2008-06-12 03:52 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-06-12 03:52 14,848 ----a-w C:\Windows\System32\srdelayed.exe
2008-01-21 02:43 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0A94B116-4504-4e26-AB05-E61E474AA38B}"= "C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL" [2008-07-19 03:09 61440]

[HKEY_CLASSES_ROOT\clsid\{0a94b116-4504-4e26-ab05-e61e474aa38b}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-20 22:23 1233920]
"Windows Logon Applicationedc"="C:\Users\Waterproof\winlogon.exe" [2008-06-27 18:38 53248]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 18:41 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-11-29 14:04 59168]
"PWMTRV"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2007-12-06 13:11 324896]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2007-12-06 13:11 214576]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-05 05:20 820520]
"snp2uvc"="C:\Windows\vsnp2uvc.exe" [2006-12-28 22:48 569344]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 01:49 66176]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 13:32 243248]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-07-09 16:40 1282048]
"LenovoOobeOffers"="c:\SWTOOLS\LenovoWelcome\LenovoOobeOffers.exe" [2007-09-25 15:53 28672]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-01-08 23:12 536576]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-11-15 19:21 217176]
"AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 06:51 91688]
"LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-04-26 13:10 120368]
"AMSG"="C:\Program Files\ThinkVantage\AMSG\Amsg.exe" [2007-02-01 14:00 419376]
"CameraApplicationLauncher"="C:\Program Files\Lenovo\Camera Center\bin\CameraApplicationLaunchpadLauncher.exe" [2007-08-22 20:26 16384]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 07:27 144784]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 18:48 419112]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 18:49 124200]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59 115816]
"IS CfgWiz"="C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" [2007-01-12 22:28 431752]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-02-11 23:13 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-02-11 23:13 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-02-11 23:13 133656]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 13:50 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 12:47 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 13:47 289064]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 21:17 49152]
"hpqSRMon"="C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 16:31 80896]

C:\Users\Waterproof\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 19:41:28 393216]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2007-03-29 16:11:50 719664]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 20:38:52 214360]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 04:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{994FB1BF-3B05-4D3D-B5A8-9A32BCCF60A5}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{BE81EE69-8783-4988-9E64-1E7EEF70F978}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{748F7A36-C95F-4356-BDA0-2C930A79677E}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{2642E82F-AE32-48F4-BC6A-F7E95575D099}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{D893D200-9126-4A4E-AE2A-4D843133EB2B}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{056C1D64-1AD5-4717-B38F-D66EFEC16058}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{7C7F5A76-6079-467B-8A18-0B4B8195A91B}"= UDP:C:\Windows\System32\lxbacoms.exe:Lexmark Communications System
"{40817FE4-D1BA-4B82-8A08-7606601ADE11}"= TCP:C:\Windows\System32\lxbacoms.exe:Lexmark Communications System
"{66C31868-57A6-4001-895D-4B71027CD110}"= UDP:C:\Windows\System32\spool\drivers\w32x86\3\lxbapswx.exe:Printer Status Window
"{FAC413EC-B54E-4BB2-8CEE-B374023EB1B0}"= TCP:C:\Windows\System32\spool\drivers\w32x86\3\lxbapswx.exe:Printer Status Window
"{EF49CA3D-8267-4FC0-A957-E465C8F67324}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{A4A176D1-F5EE-4BFE-A518-AC3FDFC143E8}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{C3E9063A-971B-4DCB-93A2-614AC0EE6D60}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{53906E77-27BE-41EF-AD49-BA13C9F718E2}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{9683E431-E588-4A52-BCA4-197F24D2E82B}C:\\users\\waterproof\\appdata\\local\\temp\\vusbsp\\vonagetalkusb.exe"= UDP:C:\users\waterproof\appdata\local\temp\vusbsp\vonagetalkusb.exe:vonagetalkusb.exe
"UDP Query User{940D550F-8105-4A8D-A052-4E74FF4FED5F}C:\\users\\waterproof\\appdata\\local\\temp\\vusbsp\\vonagetalkusb.exe"= TCP:C:\users\waterproof\appdata\local\temp\vusbsp\vonagetalkusb.exe:vonagetalkusb.exe
"TCP Query User{4FADB00A-E2A5-4F21-A71E-A7CD2B4AFCBB}C:\\users\\waterproof\\appdata\\roaming\\vusbsp\\vonagetalkusb.exe"= UDP:C:\users\waterproof\appdata\roaming\vusbsp\vonagetalkusb.exe:vonagetalkusb.exe
"UDP Query User{8981B39C-2F8E-4123-BF42-C6D3C6F9C73F}C:\\users\\waterproof\\appdata\\roaming\\vusbsp\\vonagetalkusb.exe"= TCP:C:\users\waterproof\appdata\roaming\vusbsp\vonagetalkusb.exe:vonagetalkusb.exe
"{617C5A68-B086-462A-9BE7-08B3F5BA67C5}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{6B0A4DC4-9C19-43F9-804C-C1E904D0FFEF}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{365DD8CC-F926-49A3-993A-1297672A7117}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{976D515E-E2BC-4040-8BBF-D2D3A4E8D25A}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{898A948D-841A-47F8-ABFB-1EFC939CABB3}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{8D685019-8334-40F3-A2D4-38163DFCD119}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{A98782BD-8C4D-4F79-B6D6-105C9872D92A}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{08348A5B-3772-4C13-BC12-E048CBFC5423}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{DF39095D-DF41-4712-87DB-09B714EB1D74}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{25EBD56A-6227-4298-A225-9CB8A4D1B32F}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{4F7D0682-F6B6-400B-9137-5DC89D4CC714}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{76486E61-FAE2-455A-B522-E81D9BE308D4}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{F95EED90-5805-46AF-898F-94DF14996AFE}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{7763661D-3D1A-4123-959D-8679A847D5CB}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{009D7874-056C-4F46-8339-5745209EBDFD}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{FA08B81B-5398-4827-85B5-63AB31FCC68D}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{FCC7C48E-958A-4090-9EA1-AFA154981299}"= UDP:C:\Users\Waterproof\AppData\Local\Temp\.tt1797.tmp:enable
"{DCC3B91A-9560-4976-84E1-5D6FDC737F2A}"= TCP:C:\Users\Waterproof\AppData\Local\Temp\.tt1797.tmp:enable

R0 Shockprf;Shockprf;C:\Windows\system32\DRIVERS\Apsx86.sys [2007-10-16 21:33]
R0 TPDIGIMN;TPDIGIMN;C:\Windows\system32\DRIVERS\ApsHM86.sys [2007-10-16 21:32]
R1 DLARTL_M;DLARTL_M;C:\Windows\system32\Drivers\DLARTL_M.SYS [2007-02-08 23:05]
R1 lenovo.smi;Lenovo System Interface Driver;C:\Windows\system32\DRIVERS\smiif32.sys [2006-08-30 06:04]
R1 TPPWRIF;TPPWRIF;C:\Windows\system32\drivers\Tppwr32v.sys [2007-12-06 13:11]
R2 AEADIFilters;Andrea ADI Filters Service;C:\Windows\system32\AEADISRV.EXE [2007-02-05 18:44]
R2 lxba_device;lxba_device;C:\Windows\system32\lxbacoms.exe [2007-04-24 22:24]
R2 TPHKSVC;On Screen Display;C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe [2007-03-02 01:07]
R2 TVT Backup Protection Service;TVT Backup Protection Service;C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-01-08 23:03]
R3 TVTI2C;Lenovo SM bus driver;C:\Windows\system32\DRIVERS\Tvti2c.sys [2007-05-22 18:59]
S3 btwaudio;Bluetooth Audio Device Service;C:\Windows\system32\drivers\btwaudio.sys [2007-03-29 14:46]
S3 btwavdt;Bluetooth AVDT Service;C:\Windows\system32\drivers\btwavdt.sys [2007-02-27 01:20]
S3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2007-02-27 01:20]
S3 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20070108.003\IDSvix86.sys [2006-12-28 02:48]
S4 ErrDev;Microsoft Hardware Error Device Driver;C:\Windows\system32\drivers\errdev.sys [2008-01-20 22:23]
S4 MegaSR;MegaSR;C:\Windows\system32\drivers\megasr.sys [2008-01-20 22:23]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-08-29 C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 18:54]

2008-08-29 C:\Windows\Tasks\User_Feed_Synchronization-{7D0A9B2B-A02A-4A6B-9DF0-B9E3EEF4E5BB}.job
- C:\Windows\system32\msfeedssync.exe [2008-01-20 22:25]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-MSServer - C:\Windows\system32\jkkLCtTN.dll
HKLM-Run-lphcltrj0e7fg - C:\Windows\system32\lphcltrj0e7fg.exe
HKLM-Run-inrhcgtrj0e7fg - C:\Users\Waterproof\AppData\Local\Temp\.ttF079.tmp.exe
HKLM-Run-e0f3b564 - C:\Windows\system32\fttfwnit.dll
HKLM-Run-BMe3c086f8 - C:\Windows\system32\wrdhqkct.dll
ShellExecuteHooks-{C85BD9F1-5B95-46DA-9F39-979DB6B58484} - C:\Windows\system32\jkkLCtTN.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Users\Waterproof\AppData\Roaming\Mozilla\Firefox\Profiles\qwhnxym8.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - http://www.google.com
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\nppopcaploader.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 07:05:50
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\system32\winlogon.exe
-> C:\Users\Waterproof\winlogon.exe
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\ibmpmsvc.exe
C:\Windows\System32\audiodg.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Windows\System32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Windows\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Windows\System32\drivers\XAudio.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Windows\System32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\ZOOM\TpScrex.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\CfgWiz.exe
C:\Windows\System32\wsqmcons.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-08-29 7:11:52 - machine was rebooted [Waterproof]
ComboFix-quarantined-files.txt 2008-08-29 11:11:22

Pre-Run: 42,239,029,248 bytes free
Post-Run: 40,947,822,592 bytes free

360 --- E O F --- 2008-08-27 02:42:25



32 Bit HP CIO Components Installer
Access Help
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 8
Adobe Shockwave Player 11
AltoMP3 Gold 5.20
AppCore
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
AV
Bonjour
Camera Center
ccCommon
Client Security Solution
Compatibility Pack for the 2007 Office system
Diskeeper Home
DIY Writer
Drag-to-Disc
Full Tilt Poker
GoldWave v5.23
Help Center
HijackThis 2.0.2
HP Customer Participation Program 10.0
HP Imaging Device Functions 10.0
HP Photosmart C4340 All-In-One Driver Software 10.0 Rel .3
HP Photosmart Essential 2.5
HP Smart Web Printing
HP Solution Center 10.0
HP Update
Integrated Camera
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
InterVideo WinDVD
iTunes
Java(TM) 6 Update 2
Java(TM) 6 Update 4
Java(TM) 6 Update 7
Lenovo Registration
Lenovo System Interface Driver
Lexmark X5100 Series
LiveUpdate 3.2 (Symantec Corporation)
Maintenance Manager
Message Center
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB929729)
Microsoft Office 2000 SR-1 Small Business
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.1)
MSRedist
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
Multimedia Center For Think Offerings
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
OCR Software by I.R.I.S. 10.0
On Screen Display
OpenOffice.org 2.4
PC-Doctor 5 for Windows
Picasa 2
PopCap Browser Plugin
Presentation Director
Productivity Center Supplement for ThinkPad
QuickTime
Registry patch for Windows Vista USB S3 PM Enablement
Registry patch of Changing Timing of IDLE IRP by Finger Print Driver for Windows Vista
Registry Patch of Enabling Device Initiated Power Management(DIPM) on SATA for Windows Vista
Registry patch to improve USB device detection on resume from sleep for Windows Vista
Rescue and Recovery
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.52.02
Safari
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Shop for HP Supplies
Sonic Icons for Lenovo
SoundMAX
SPBBC 32bit
Spybot - Search & Destroy
Symantec Real Time Storage Protection Component
SymNet
System Migration Assistant
System Update
ThinkPad Bluetooth with Enhanced Data Rate Software 6.0.1.4900
ThinkPad EasyEject Utility
ThinkPad FullScreen Magnifier
ThinkPad Mobility Center Customization
ThinkPad Modem
ThinkPad Power Management Driver
ThinkPad Power Manager
ThinkPad UltraNav Driver
ThinkPad UltraNav Utility
Thinkpad Wireless LAN Adapters Software (11a/b/g/n)
ThinkVantage Access Connections
ThinkVantage Active Protection System
ThinkVantage Productivity Center
ThinkVantage Technologies Welcome Message
Trillian
VitalSource Bookshelf
Wallpapers
Windows Driver Package - Intel (e1express) Net (04/26/2007 9.7.240.0)
Windows Driver Package - Intel (iaStor) hdc (02/12/2007 7.0.0.1020)
Windows Driver Package - Intel hdc (11/15/2006 8.2.0.1011)
Windows Driver Package - Intel hdc (11/15/2006 8.2.0.1011)
Windows Driver Package - Intel hdc (12/06/2006 6.8.0.3002)
Windows Driver Package - Intel System (09/15/2006 7.0.0.1011)
Windows Driver Package - Intel System (09/15/2006 8.0.0.1008)
Windows Driver Package - Intel System (09/15/2006 8.0.0.1010)
Windows Driver Package - Intel System (09/15/2006 8.2.0.1000)
Windows Driver Package - Intel USB (09/15/2006 8.0.0.1008)
Windows Driver Package - Lenovo (IBMPMDRV) System (05/31/2007 1.43)
Windows Driver Package - Ricoh Company MMC Host Controller (08/08/2007 6.00.03.02)
Windows Driver Package - Ricoh Company MS Host Controller (07/30/2007 6.00.01.11)
Windows Driver Package - Ricoh Company xD Host Controller (07/30/2007 6.00.01.13)
Windows Live Toolbar
Windows Live Toolbar



Any help would be really really appreciated. Thanks!
effingcow
Regular Member
 
Posts: 31
Joined: August 29th, 2008, 11:57 am
Location: Aruba

Re: Defender says I have Vundo.gen!p

Unread postby jmw3 » September 1st, 2008, 11:23 pm

Welcome effingcow

I will be helping you under the guidance of one of our expert coaches.
Please give me a little time to get back to you with instructions.

In the meantime please note the following:
  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part, cannot completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • Continue to respond to this thread until I give you the All Clean!
Please Note: My instructions to you are checked by an expert prior to posting. This may cause a small delay between posts.
Thanks
John
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Defender says I have Vundo.gen!p

Unread postby effingcow » September 1st, 2008, 11:48 pm

Hi,

Thanks for helping me with my computer! I was just wondering if after we boot this bug is my computer going to be all back to normal or is there going to be some, for lack of a better word, scarring? Vundo has made this thing sooo slow, I just hope we can get it all better!

thanks,
amanda
effingcow
Regular Member
 
Posts: 31
Joined: August 29th, 2008, 11:57 am
Location: Aruba

Re: Defender says I have Vundo.gen!p

Unread postby jmw3 » September 3rd, 2008, 5:07 am

Hello Amanda
We should be able to get it back to normal.

CFScript
Close any open browsers.
If Combofix prompts you to update the program allow it to do so.
Open notepad and copy/paste the text in the code box below into it:

File::
C:\Windows\System32\wtlmhlnl.exe
C:\Users\Waterproof\7812.bat
C:\Windows\faceback.exe
C:\Users\Waterproof\index.exe
C:\Users\Waterproof\3434.bat
C:\Windows\unvise32.exe
C:\Users\Waterproof\winlogon.exe
C:\Users\Waterproof\AppData\Local\Temp\.tt1797.tmp
C:\Users\Waterproof\AppData\Local\Temp\.tt1797.tmp
C:\Program Files\Mozilla Firefox\plugins\nppopcaploader.dll

Folder::
C:\Windows\System32\eMaxt02
C:\Temp\bbc2
C:\Users\All Users\PopCap
C:\ProgramData\PopCap
C:\Program Files\PopCap Games
C:\Users\Waterproof\AppData\Roaming\LimeWire
C:\Program Files\AskPBar
C:\Program Files\LimeWire

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0A94B116-4504-4e26-AB05-E61E474AA38B}"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D893D200-9126-4A4E-AE2A-4D843133EB2B}"=-
"{056C1D64-1AD5-4717-B38F-D66EFEC16058}"=-
"{EF49CA3D-8267-4FC0-A957-E465C8F67324}"=-
"{A4A176D1-F5EE-4BFE-A518-AC3FDFC143E8}"=-
"{FCC7C48E-958A-4090-9EA1-AFA154981299}"=-
"{DCC3B91A-9560-4976-84E1-5D6FDC737F2A}"=-

Save this as CFScript.txt, in the same location as ComboFix.exe

Image

Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt".
Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

To post in next reply:
Combofix log
New HJT log
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Defender says I have Vundo.gen!p

Unread postby effingcow » September 3rd, 2008, 1:15 pm

Hijack This Log
Combo Fix Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:02:27 PM, on 9/3/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Safe mode

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL (file missing)
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [snp2uvc] C:\Windows\vsnp2uvc.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [LenovoOobeOffers] c:\SWTOOLS\LenovoWelcome\LenovoOobeOffers.exe /filePath="c:\swshare\firstrun.txt"
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe /startup
O4 - HKLM\..\Run: [CameraApplicationLauncher] C:\Program Files\Lenovo\Camera Center\bin\CameraApplicationLaunchpadLauncher.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" /MODULE CfgWiz /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\geBsrRlk.dll,#1
O4 - HKLM\..\Run: [BMe3c086f8] Rundll32.exe "C:\Windows\system32\wdwrcjug.dll",s
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://c:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\Windows\system32\IPSSVC.EXE
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxba_device - - C:\Windows\system32\lxbacoms.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Unknown owner - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11201 bytes




ComboFix 08-09-01.05 - Waterproof 2008-09-03 12:03:54.4 - NTFSx86 MINIMAL
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.648 [GMT -4:00]
Running from: C:\Users\Waterproof\Downloads\ComboFix.exe
Command switches used :: C:\Users\Waterproof\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\AskPBar
C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
C:\Program Files\Mozilla Firefox\plugins\nppopcaploader.dll
C:\Program Files\PopCap Games
C:\Program Files\PopCap Games\PopCap Browser Plugin\Uninstall.exe
C:\ProgramData\PopCap
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\_version.bin
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\Bejeweled2.dll
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\data\_ContinuumBold11.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\data\_ContinuumBold11Outline.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\data\_ContinuumBold14.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\data\_ContinuumBold20.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\data\_ContinuumBold28outline.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\data\_ContinuumBold8.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\data\_LiquidCrystal15.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\data\_QuincyCaps19.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\data\BigFont.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\data\BigFont.txt
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\data\BigFont_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\data\ContinuumBold11.txt
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\data\ContinuumBold11Outline.txt
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\data\ContinuumBold14.txt
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\data\ContinuumBold20.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\data\ContinuumBold20.txt
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\data\ContinuumBold28outline.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\data\ContinuumBold28outline.txt
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\data\ContinuumBold8.txt
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\data\LiquidCrystal15.txt
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\data\QuincyCaps19.txt
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\extras0.txt
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\extras1.txt
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\extras2.txt
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\extras3.txt
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\extras4.txt
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\_thumbgem.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\al_litgems.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\ArrowUp.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\ArrowUp_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\backdrops\backdrop00.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\backdrops\backdrop01.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\backdrops\backdrop02.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\backdrops\backdrop03.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\backdrops\backdrop04.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\backdrops\backdrop05.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\backdrops\backdrop06.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\barleft.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\barmid.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\barright.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\bigstar.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\bomb.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\bomb.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\bomb_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\Classicmode.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\Classicmode_.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\DialogBox.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\DialogBox_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\DialogButton.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\DialogButton_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\DialogTitle.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\DialogTitle_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\explosion.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\FRAME.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\FRAME.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\FRAME_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\GADJET3balls.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\GADJET3balls_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\gameover.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\gameover_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem_add.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem_add_white.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem0.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem0_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem1.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem1_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem2.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem2_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem3.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem3_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem4.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem4_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem5.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem5_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem6.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem6_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\gemshard.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\gemshard_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\HELP-INDICATOR.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\HELP-INDICATOR_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\help_indicator_arrows_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\HelpFrame.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\HelpFrame_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\HelpHorz.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\HelpHorz_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\HelpVert.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\HelpVert_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\Hint-rollover.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\Hint-rollover_.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\HINT.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\Hint_.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\hint_arrow.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\hint_arrow_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\hypergem.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\hypergem_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\MainMenu.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\MainMenu_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\mainmenubkg\bkg.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\MainMenuButtons.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\MainMenuButtons_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\MENU-rollover.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\MENU-rollover_.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\menu.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\MENU_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\nr_ringdude.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\PAUSE.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\PAUSE_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\powerglow.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\puzzglow.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\puzzglow_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\puzzleframe.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\puzzleframe_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\Puzzlewidget.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\Puzzlewidget_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\Redlight.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\Redlight_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\rock.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\rock_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\rockchunk.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\rockchunk_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\SCOREPOD.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\scorePod_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\selector.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\selector_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\Spark1.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\Spark1_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\Spark2.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\Spark2_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\Spark3.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\Spark3_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\sparkle.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\thumbgem.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\UNDO.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\UNDO_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\deluxeglow.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\tellmemore1.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\tellmemoreback.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upsellback.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upsellback_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upsellbuttons1.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upsellbuttons1_.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upselldeluxe1.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upselldeluxe1_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upsellimage_.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upsellimage1.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upsellimage2.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upsellimage3.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upsellimage4.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upsellimage5.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upsellimage6.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upsellimage7.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upselllogo1.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upselllogo1_.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\WARNING-LIGHT.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\WARNING-LIGHT_.gif
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\whitelovebar6.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\images\whitelovebar9.jpg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\profile.txt
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\puzzle0.bpz
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\puzzle0.sol
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\puzzle1.bpz
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\puzzle1.sol
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\puzzle2.bpz
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\puzzle2.sol
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\puzzle3.bpz
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\puzzle3.sol
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\puzzle4.bpz
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\puzzle4.sol
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\puzzle5.bpz
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\puzzle5.sol
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\puzzle6.bpz
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\puzzle6.sol
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\tutorial0.bpz
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\tutorial1.bpz
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\tutorial1.sol
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\tutorial2.bpz
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\tutorial2.sol
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\resources.xml
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\bad2.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\bombexplode.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\cached_bad2.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\cached_bombexplode.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\cached_combo22.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\cached_combo32.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\cached_combo42.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\cached_gemongem2.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\cached_go.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\cached_gotset2.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\cached_mainmenu_gamestart.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\cached_mainmenu_mouseover.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\cached_menuclick2.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\cached_multishot.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\cached_select.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\click2.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\combo22.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\combo32.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\combo42.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\gemongem2.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\Go.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\gotset2.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\mainmenu_gamestart.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\mainmenu_mouseover.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\menuclick.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\menuclick2.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\multishot.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\select.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_combo52.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_combo62.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_combo72.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_electro_explode.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_electro_path.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_electro_start.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_excellent1.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_explode2.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_Game_Over.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_Get_ready.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_good.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_gotsetbig2.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_hypergem_creation.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_hypergem_destroyed.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_incredible.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_Level_Complete.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_levelup1.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_No_More_Moves.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_Puzzle_solved.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_Time_Up.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_warning1.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_whirlpool1.wav
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\combo52.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\combo62.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\combo72.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\electro_explode.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\electro_path.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\electro_start.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\excellent1.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\explode2.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\Game_Over.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\Get_ready.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\Good.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\gotsetbig2.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\hypergem_creation.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\hypergem_destroyed.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\Incredible.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\Level_Complete.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\levelup1.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\No_More_Moves.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\Puzzle_Solved.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\Time_Up.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\warning1.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\whirlpool1.ogg
C:\ProgramData\PopCap\PopCapLoader\PopCap\logo.bmp
C:\ProgramData\PopCap\PopCapLoader\PopCap\logoversion.txt
C:\Temp\bbc2
C:\Temp\bbc2\i5dB.log
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\_version.bin
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\Bejeweled2.dll
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\data\_ContinuumBold11.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\data\_ContinuumBold11Outline.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\data\_ContinuumBold14.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\data\_ContinuumBold20.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\data\_ContinuumBold28outline.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\data\_ContinuumBold8.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\data\_LiquidCrystal15.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\data\_QuincyCaps19.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\data\BigFont.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\data\BigFont.txt
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\data\BigFont_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\data\ContinuumBold11.txt
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\data\ContinuumBold11Outline.txt
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\data\ContinuumBold14.txt
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\data\ContinuumBold20.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\data\ContinuumBold20.txt
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\data\ContinuumBold28outline.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\data\ContinuumBold28outline.txt
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\data\ContinuumBold8.txt
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\data\LiquidCrystal15.txt
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\data\QuincyCaps19.txt
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\extras0.txt
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\extras1.txt
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\extras2.txt
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\extras3.txt
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\extras4.txt
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\_thumbgem.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\al_litgems.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\ArrowUp.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\ArrowUp_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\backdrops\backdrop00.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\backdrops\backdrop01.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\backdrops\backdrop02.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\backdrops\backdrop03.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\backdrops\backdrop04.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\backdrops\backdrop05.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\backdrops\backdrop06.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\barleft.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\barmid.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\barright.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\bigstar.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\bomb.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\bomb.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\bomb_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\Classicmode.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\Classicmode_.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\DialogBox.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\DialogBox_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\DialogButton.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\DialogButton_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\DialogTitle.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\DialogTitle_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\explosion.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\FRAME.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\FRAME.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\FRAME_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\GADJET3balls.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\GADJET3balls_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\gameover.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\gameover_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem_add.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem_add_white.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem0.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem0_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem1.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem1_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem2.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem2_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem3.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem3_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem4.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem4_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem5.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem5_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem6.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\gem6_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\gemshard.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\gemshard_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\HELP-INDICATOR.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\HELP-INDICATOR_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\help_indicator_arrows_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\HelpFrame.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\HelpFrame_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\HelpHorz.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\HelpHorz_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\HelpVert.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\HelpVert_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\Hint-rollover.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\Hint-rollover_.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\HINT.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\Hint_.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\hint_arrow.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\hint_arrow_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\hypergem.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\hypergem_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\MainMenu.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\MainMenu_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\mainmenubkg\bkg.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\MainMenuButtons.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\MainMenuButtons_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\MENU-rollover.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\MENU-rollover_.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\menu.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\MENU_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\nr_ringdude.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\PAUSE.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\PAUSE_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\powerglow.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\puzzglow.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\puzzglow_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\puzzleframe.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\puzzleframe_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\Puzzlewidget.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\Puzzlewidget_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\Redlight.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\Redlight_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\rock.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\rock_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\rockchunk.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\rockchunk_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\SCOREPOD.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\scorePod_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\selector.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\selector_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\Spark1.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\Spark1_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\Spark2.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\Spark2_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\Spark3.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\Spark3_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\sparkle.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\thumbgem.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\UNDO.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\UNDO_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\deluxeglow.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\tellmemore1.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\tellmemoreback.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upsellback.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upsellback_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upsellbuttons1.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upsellbuttons1_.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upselldeluxe1.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upselldeluxe1_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upsellimage_.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upsellimage1.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upsellimage2.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upsellimage3.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upsellimage4.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upsellimage5.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upsellimage6.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upsellimage7.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upselllogo1.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\upsell\upselllogo1_.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\WARNING-LIGHT.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\WARNING-LIGHT_.gif
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\whitelovebar6.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\images\whitelovebar9.jpg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\profile.txt
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\puzzle0.bpz
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\puzzle0.sol
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\puzzle1.bpz
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\puzzle1.sol
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\puzzle2.bpz
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\puzzle2.sol
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\puzzle3.bpz
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\puzzle3.sol
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\puzzle4.bpz
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\puzzle4.sol
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\puzzle5.bpz
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\puzzle5.sol
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\puzzle6.bpz
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\puzzle6.sol
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\tutorial0.bpz
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\tutorial1.bpz
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\tutorial1.sol
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\tutorial2.bpz
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\puzzles\tutorial2.sol
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\resources.xml
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\bad2.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\bombexplode.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\cached_bad2.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\cached_bombexplode.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\cached_combo22.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\cached_combo32.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\cached_combo42.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\cached_gemongem2.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\cached_go.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\cached_gotset2.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\cached_mainmenu_gamestart.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\cached_mainmenu_mouseover.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\cached_menuclick2.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\cached_multishot.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\cached_select.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\click2.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\combo22.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\combo32.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\combo42.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\gemongem2.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\Go.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\gotset2.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\mainmenu_gamestart.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\mainmenu_mouseover.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\menuclick.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\menuclick2.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\multishot.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\select.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_combo52.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_combo62.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_combo72.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_electro_explode.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_electro_path.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_electro_start.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_excellent1.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_explode2.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_Game_Over.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_Get_ready.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_good.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_gotsetbig2.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_hypergem_creation.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_hypergem_destroyed.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_incredible.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_Level_Complete.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_levelup1.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_No_More_Moves.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_Puzzle_solved.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_Time_Up.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_warning1.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\cached_whirlpool1.wav
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\combo52.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\combo62.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\combo72.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\electro_explode.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\electro_path.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\electro_start.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\excellent1.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\explode2.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\Game_Over.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\Get_ready.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\Good.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\gotsetbig2.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\hypergem_creation.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\hypergem_destroyed.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\Incredible.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\Level_Complete.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\levelup1.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\No_More_Moves.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\Puzzle_Solved.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\Time_Up.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\warning1.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\bejeweled2\sounds\stream\whirlpool1.ogg
C:\Users\All Users\PopCap\PopCapLoader\PopCap\logo.bmp
C:\Users\All Users\PopCap\PopCapLoader\PopCap\logoversion.txt
C:\Users\Waterproof\AppData\Roaming\LimeWire
C:\Users\Waterproof\AppData\Roaming\LimeWire\active.mojito
C:\Users\Waterproof\AppData\Roaming\LimeWire\createtimes.cache
C:\Users\Waterproof\AppData\Roaming\LimeWire\fileurns.bak
C:\Users\Waterproof\AppData\Roaming\LimeWire\fileurns.cache
C:\Users\Waterproof\AppData\Roaming\LimeWire\filters.props
C:\Users\Waterproof\AppData\Roaming\LimeWire\gnutella.net
C:\Users\Waterproof\AppData\Roaming\LimeWire\installation.props
C:\Users\Waterproof\AppData\Roaming\LimeWire\library.dat
C:\Users\Waterproof\AppData\Roaming\LimeWire\limewire.props
C:\Users\Waterproof\AppData\Roaming\LimeWire\mojito.props
C:\Users\Waterproof\AppData\Roaming\LimeWire\passive.mojito
C:\Users\Waterproof\AppData\Roaming\LimeWire\questions.props
C:\Users\Waterproof\AppData\Roaming\LimeWire\responses.cache
C:\Users\Waterproof\AppData\Roaming\LimeWire\simpp.xml
C:\Users\Waterproof\AppData\Roaming\LimeWire\spam.dat
C:\Users\Waterproof\AppData\Roaming\LimeWire\tables.props
C:\Users\Waterproof\AppData\Roaming\LimeWire\themes\windows_theme.lwtp
C:\Users\Waterproof\AppData\Roaming\LimeWire\themes\windows_theme\01_star.gif
C:\Users\Waterproof\AppData\Roaming\LimeWire\themes\windows_theme\02_star.gif
C:\Users\Waterproof\AppData\Roaming\LimeWire\themes\windows_theme\03_star.gif
C:\Users\Waterproof\AppData\Roaming\LimeWire\themes\windows_theme\04_star.gif
C:\Users\Waterproof\AppData\Roaming\LimeWire\themes\windows_theme\05_star.gif
C:\Users\Waterproof\AppData\Roaming\LimeWire\themes\windows_theme\chat.gif
C:\Users\Waterproof\AppData\Roaming\LimeWire\themes\windows_theme\forward_dn.gif
C:\Users\Waterproof\AppData\Roaming\LimeWire\themes\windows_theme\forward_up.gif
C:\Users\Waterproof\AppData\Roaming\LimeWire\themes\windows_theme\kill.gif
C:\Users\Waterproof\AppData\Roaming\LimeWire\themes\windows_theme\kill_on.gif
C:\Users\Waterproof\AppData\Roaming\LimeWire\themes\windows_theme\logo.png
C:\Users\Waterproof\AppData\Roaming\LimeWire\themes\windows_theme\notsearching.png
C:\Users\Waterproof\AppData\Roaming\LimeWire\themes\windows_theme\pause_dn.gif
C:\Users\Waterproof\AppData\Roaming\LimeWire\themes\windows_theme\pause_up.gif
C:\Users\Waterproof\AppData\Roaming\LimeWire\themes\windows_theme\play_dn.gif
C:\Users\Waterproof\AppData\Roaming\LimeWire\themes\windows_theme\play_up.gif
C:\Users\Waterproof\AppData\Roaming\LimeWire\themes\windows_theme\question.gif
C:\Users\Waterproof\AppData\Roaming\LimeWire\themes\windows_theme\rewind_dn.gif
C:\Users\Waterproof\AppData\Roaming\LimeWire\themes\windows_theme\rewind_up.gif
C:\Users\Waterproof\AppData\Roaming\LimeWire\themes\windows_theme\searching.gif
C:\Users\Waterproof\AppData\Roaming\LimeWire\themes\windows_theme\stop_dn.gif
C:\Users\Waterproof\AppData\Roaming\LimeWire\themes\windows_theme\stop_up.gif
C:\Users\Waterproof\AppData\Roaming\LimeWire\themes\windows_theme\theme.txt
C:\Users\Waterproof\AppData\Roaming\LimeWire\themes\windows_theme\version.txt
C:\Users\Waterproof\AppData\Roaming\LimeWire\themes\windows_theme\warning.gif
C:\Users\Waterproof\AppData\Roaming\LimeWire\version.xml
C:\Users\Waterproof\AppData\Roaming\LimeWire\xml\data\audio.sxml
C:\Users\Waterproof\winlogon.exe
C:\Windows\system32\efcaXOiH.dll
C:\Windows\system32\efCTnmmj.dll
C:\Windows\System32\eMaxt02
C:\Windows\System32\eMaxt02\eMaxt022328.exe
C:\Windows\system32\geBqQIXp.dll
C:\Windows\system32\geBsrRlk.dll
C:\Windows\system32\jkkLEVpm.dll
C:\Windows\system32\opnlighe.dll
C:\Windows\System32\pXIQqBeg.ini
C:\Windows\System32\pXIQqBeg.ini2
C:\Windows\system32\rqrSLeBU.dll
C:\Windows\system32\ufayfxxl.dll
C:\Windows\system32\wdwrcjug.dll
C:\Windows\System32\wtlmhlnl.exe
C:\Windows\unvise32.exe
.
---- Previous Run -------
.
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Windows\faceback.exe
C:\Windows\system32\mcrh.tmp
C:\Windows\system32\MSINET.oca
C:\Windows\system32\pac.txt

.
((((((((((((((((((((((((( Files Created from 2008-08-03 to 2008-09-03 )))))))))))))))))))))))))))))))
.

2008-09-02 21:14 . 2008-09-02 21:14 <DIR> d-------- C:\Users\Waterproof\AppData\Roaming\U3
2008-09-02 21:08 . 2008-09-02 21:08 <DIR> d-------- C:\C
2008-09-02 08:38 . 2008-09-02 08:38 <DIR> d-------- C:\Users\Waterproof\AppData\Roaming\HP
2008-09-02 08:37 . 2008-09-02 08:37 121 ---hs---- C:\Windows\System32\oylnxynu.ini
2008-09-02 08:36 . 2008-09-02 08:36 <DIR> d-------- C:\B
2008-09-02 08:36 . 2008-09-02 08:36 64,512 --a------ C:\Windows\System32\unyxnlyo.dll
2008-09-01 23:39 . 2008-09-01 23:39 <DIR> d-------- C:\A
2008-09-01 17:54 . 2008-09-01 17:54 <DIR> d-------- C:\Users\All Users\Hewlett-Packard
2008-09-01 17:54 . 2008-09-01 17:54 <DIR> d-------- C:\ProgramData\Hewlett-Packard
2008-08-29 12:18 . 2008-08-29 12:18 <DIR> d-------- C:\Program Files\Mjcore
2008-08-29 12:16 . 2008-08-29 12:16 75,598 --a------ C:\Windows\System32\opnklmMf.dll
2008-08-29 12:11 . 2008-08-29 12:11 <DIR> d-------- C:\Windows\System32\wTR02
2008-08-29 12:11 . 2008-08-29 12:18 <DIR> d-------- C:\Windows\System32\hid
2008-08-29 12:11 . 2008-08-29 12:11 <DIR> d-------- C:\Temp\dax41
2008-08-29 06:09 . 2008-08-29 06:09 224,255,928 --a------ C:\Windows\MEMORY.DMP
2008-08-28 23:11 . 2008-08-28 23:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-28 21:08 . 2008-08-28 22:37 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-08-28 21:08 . 2008-08-28 22:37 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-08-28 21:08 . 2008-08-28 21:15 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-28 10:50 . 2008-08-29 12:11 <DIR> d-------- C:\Windows\System32\kp4
2008-08-28 10:49 . 2008-09-03 12:05 <DIR> d-------- C:\Temp
2008-08-26 18:09 . 2008-08-26 18:09 <DIR> d-------- C:\Program Files\GoldWave
2008-08-26 18:07 . 2008-08-26 18:07 <DIR> d-------- C:\Program Files\AltoMP3 Gold
2008-08-26 17:55 . 2008-08-26 17:55 <DIR> d-------- C:\Users\Waterproof\AppData\Roaming\Roxio
2008-08-26 17:55 . 2008-08-26 17:55 <DIR> d-------- C:\Users\All Users\Roxio
2008-08-26 17:55 . 2008-08-26 17:55 <DIR> d-------- C:\ProgramData\Roxio
2008-08-26 17:39 . 2008-08-26 18:15 <DIR> d-------- C:\UW20
2008-08-26 17:05 . 2008-08-26 17:05 <DIR> d-------- C:\Users\All Users\HP Product Assistant
2008-08-26 17:05 . 2008-08-26 17:05 <DIR> d-------- C:\ProgramData\HP Product Assistant
2008-08-26 17:02 . 2008-08-26 17:02 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-08-26 17:02 . 2008-08-26 17:02 <DIR> d-------- C:\Program Files\Common Files\HP
2008-08-26 17:01 . 2008-08-26 17:01 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-08-26 17:00 . 2007-10-30 05:20 970,752 --a------ C:\Windows\System32\hpotiop6.dll
2008-08-26 17:00 . 2007-10-30 05:20 729,088 --a------ C:\Windows\System32\hpowiax8.dll
2008-08-26 17:00 . 2007-10-30 05:25 372,736 --a------ C:\Windows\System32\hppldcoi.dll
2008-08-26 17:00 . 2007-10-30 05:20 303,104 --a------ C:\Windows\System32\hpovst14.dll
2008-08-26 17:00 . 2007-11-07 05:41 271,704 --a------ C:\Windows\System32\hpzids01.dll
2008-08-26 17:00 . 2007-10-20 18:25 118,272 --a------ C:\Windows\System32\hpz3l5mu.dll
2008-08-26 16:58 . 2008-08-26 17:05 <DIR> d-------- C:\Program Files\HP
2008-08-26 16:55 . 2008-09-02 08:37 <DIR> d-------- C:\Users\All Users\HP
2008-08-26 16:55 . 2008-09-02 08:37 <DIR> d-------- C:\ProgramData\HP
2008-08-26 16:55 . 2008-08-26 17:28 157,583 --a------ C:\Windows\hpoins26.dat
2008-08-26 12:16 . 2008-09-01 17:49 <DIR> d-------- C:\Users\Waterproof\AppData\Roaming\vusbsp
2008-08-18 19:56 . 2008-07-19 01:09 1,811,656 --a------ C:\Windows\System32\wuaueng.dll
2008-08-18 19:56 . 2008-07-18 23:44 1,524,736 --a------ C:\Windows\System32\wucltux.dll
2008-08-18 19:56 . 2008-07-19 01:09 563,912 --a------ C:\Windows\System32\wuapi.dll
2008-08-18 19:56 . 2008-07-19 01:08 163,904 --a------ C:\Windows\System32\wuwebv.dll
2008-08-18 19:56 . 2008-07-18 23:44 83,456 --a------ C:\Windows\System32\wudriver.dll
2008-08-18 19:56 . 2008-07-19 01:10 53,448 --a------ C:\Windows\System32\wuauclt.exe
2008-08-18 19:56 . 2008-07-19 01:10 45,768 --a------ C:\Windows\System32\wups2.dll
2008-08-18 19:56 . 2008-07-19 01:10 36,552 --a------ C:\Windows\System32\wups.dll
2008-08-18 19:56 . 2008-07-18 23:44 31,232 --a------ C:\Windows\System32\wuapp.exe
2008-08-14 06:03 . 2008-07-15 21:32 2,048 --a------ C:\Windows\System32\tzres.dll
2008-08-14 06:01 . 2008-04-10 01:12 738,304 --a------ C:\Windows\System32\inetcomm.dll
2008-08-14 06:01 . 2008-06-18 23:31 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL
2008-08-14 06:01 . 2008-04-18 01:48 269,312 --a------ C:\Windows\System32\es.dll
2008-08-14 06:00 . 2008-06-26 21:55 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-08-14 06:00 . 2008-06-27 00:15 827,392 --a------ C:\Windows\System32\wininet.dll
2008-08-07 15:48 . 2008-08-07 15:49 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-07 01:50 . 2008-08-13 03:20 <DIR> d-------- C:\Program Files\Full Tilt Poker
2008-08-03 01:56 . 2008-09-02 21:10 <DIR> d-------- C:\Users\Waterproof\AppData\Roaming\OpenOffice.org2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-28 05:54 --------- d-----w C:\Program Files\Trillian
2008-08-14 10:09 --------- d-----w C:\Program Files\Windows Mail
2008-08-07 05:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-02 21:42 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-08-02 21:39 --------- d-----w C:\Program Files\Java
2008-07-31 23:00 --------- d-----w C:\Users\Waterproof\AppData\Roaming\Apple Computer
2008-07-31 22:58 --------- d-----w C:\Program Files\iTunes
2008-07-31 22:58 --------- d-----w C:\Program Files\iPod
2008-07-31 22:44 --------- d-----w C:\Program Files\Safari
2008-07-27 03:16 --------- d-----w C:\Program Files\Microsoft Games
2008-07-19 01:24 --------- d-----w C:\Users\Waterproof\AppData\Roaming\App Launcher Gadget
2008-07-17 07:08 --------- d-----w C:\Program Files\MSECache
2008-07-17 06:52 --------- d-----w C:\Users\Waterproof\AppData\Roaming\Microsoft Web Folders
2008-07-17 06:37 --------- d-----w C:\ProgramData\Microsoft Help
2008-07-15 17:27 --------- d-----w C:\Program Files\Lexmark X5100 Series
2008-07-13 10:12 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-07-12 17:17 --------- d-----w C:\ProgramData\Apple Computer
2008-07-12 17:15 --------- d-----w C:\Program Files\QuickTime
2008-07-12 17:15 --------- d-----w C:\Program Files\Bonjour
2008-07-12 17:08 --------- d-----w C:\ProgramData\Apple
2008-07-12 17:08 --------- d-----w C:\Program Files\Common Files\Apple
2008-07-12 06:04 --------- d-----w C:\ProgramData\Lenovo
2008-07-10 16:35 32,000 ----a-w C:\Windows\system32\drivers\usbaapl.sys
2008-07-09 23:00 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-09 22:05 --------- d-----w C:\Users\Waterproof\AppData\Roaming\Leadertech
2008-07-09 21:37 --------- d-----w C:\Program Files\MSXML 4.0
2008-07-09 21:17 --------- d-----w C:\ProgramData\Symantec
2008-07-09 21:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-09 21:13 --------- d-----w C:\Program Files\Norton Internet Security
2008-07-09 21:12 806 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
2008-07-09 21:12 8,014 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
2008-07-09 21:12 115,000 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS
2008-07-09 21:12 --------- d-----w C:\Program Files\Symantec
2008-07-09 20:59 --------- d-----w C:\Users\Waterproof\AppData\Roaming\Lenovo
2008-07-09 20:55 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-07-09 20:54 100 ----a-w C:\Windows\system32\drivers\Lenovo_7659_N2U.MRK
2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll
2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-06-12 05:14 1,732 ----a-w C:\tvtpktfilter.dat
2008-06-12 03:55 295,936 ----a-w C:\Windows\System32\gdi32.dll
2008-06-12 03:53 2,032,128 ----a-w C:\Windows\System32\win32k.sys
2008-06-12 03:52 988,216 ----a-w C:\Windows\System32\winload.exe
2008-06-12 03:52 927,288 ----a-w C:\Windows\System32\winresume.exe
2008-06-12 03:52 615,992 ----a-w C:\Windows\System32\ci.dll
2008-06-12 03:52 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-06-12 03:52 46,592 ----a-w C:\Windows\System32\setbcdlocale.dll
2008-06-12 03:52 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-06-12 03:52 378,368 ----a-w C:\Windows\System32\srcore.dll
2008-06-12 03:52 318,464 ----a-w C:\Windows\System32\rstrui.exe
2008-06-12 03:52 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-06-12 03:52 14,848 ----a-w C:\Windows\System32\srdelayed.exe
2008-01-21 02:43 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((( snapshot@2008-08-29_ 7.09.39.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-29 11:05:07 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-09-03 16:08:44 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-08-29 11:06:02 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-09-03 16:08:44 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-08-29 01:42:01 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-02 12:37:40 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-08-29 01:42:01 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-02 12:37:40 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-29 01:42:01 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-09-02 12:37:40 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-08-29 10:15:53 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-09-03 15:57:39 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-01-21 02:23:26 131,584 ----a-w C:\Windows\System32\drivers\Dot4.sys
+ 2008-01-21 02:23:28 16,384 ----a-w C:\Windows\System32\drivers\Dot4Prt.sys
+ 2008-01-21 02:23:26 36,864 ----a-w C:\Windows\System32\drivers\Dot4usb.sys
- 2008-08-29 11:06:52 105,376 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-09-03 01:15:41 104,792 ----a-w C:\Windows\System32\perfc009.dat
- 2008-08-29 11:06:52 604,452 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-09-03 01:15:41 603,466 ----a-w C:\Windows\System32\perfh009.dat
+ 2007-09-14 17:52:06 3,019,264 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\hpbcfgre.dll
+ 2006-11-30 15:14:06 671,816 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\hpcdmc32.dll
+ 2007-06-29 15:55:44 326,144 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\hpfie5mu.dll
+ 2007-08-10 14:06:48 356,352 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\hpfig5mu.dll
+ 2007-06-29 15:56:06 113,664 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\hpfrs5mu.dll
+ 2007-07-31 17:52:28 57,344 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\hpuac5mu.dll
+ 2007-10-20 22:14:14 977,920 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\hpz3c5mu.dll
+ 2007-10-20 22:25:08 1,789,440 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\hpz3r5mu.dll
+ 2007-10-20 22:25:42 235,008 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\hpzc35mu.dll
+ 2007-10-20 22:22:40 790,528 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\hpzev5mu.dll
+ 2007-10-20 22:22:54 302,592 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\hpzpr5mu.dll
+ 2007-10-20 22:33:22 6,312,448 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\hpzst5mu.dll
+ 2007-10-20 22:22:28 3,354,112 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\hpzui5mu.dll
+ 2007-10-20 22:13:08 1,176,576 ----a-w C:\Windows\System32\spool\drivers\w32x86\3\hpzur5mu.dll
+ 2007-10-20 22:21:50 278,016 ----a-w C:\Windows\System32\spool\prtprocs\w32x86\hpzpp5mu.dll
- 2008-08-29 11:07:00 5,344 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1433960662-359803117-349027270-1005_UserData.bin
+ 2008-09-03 01:09:56 5,782 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1433960662-359803117-349027270-1005_UserData.bin
- 2008-08-29 11:06:57 82,814 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-09-03 01:09:56 84,908 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-08-29 11:06:34 35,464 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-09-02 12:35:02 35,560 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-08-29 10:05:29 297,766 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-09-01 21:46:23 302,158 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-08-28 05:20:46 32,768 ----a-w C:\Windows\System32\wTR02\wTR022328.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-20 1233920]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-11-29 59168]
"PWMTRV"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2007-12-06 324896]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2007-12-06 214576]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-05 820520]
"snp2uvc"="C:\Windows\vsnp2uvc.exe" [2006-12-28 569344]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 243248]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-07-09 1282048]
"LenovoOobeOffers"="c:\SWTOOLS\LenovoWelcome\LenovoOobeOffers.exe" [2007-09-25 28672]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-01-08 536576]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-11-15 217176]
"AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-04-26 120368]
"AMSG"="C:\Program Files\ThinkVantage\AMSG\Amsg.exe" [2007-02-01 419376]
"CameraApplicationLauncher"="C:\Program Files\Lenovo\Camera Center\bin\CameraApplicationLaunchpadLauncher.exe" [2007-08-22 16384]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 419112]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 124200]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"IS CfgWiz"="C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" [2007-01-12 431752]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-02-11 133656]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"MSServer"="C:\Windows\system32\geBsrRlk.dll" [BU]
"BMe3c086f8"="C:\Windows\system32\wdwrcjug.dll" [BU]
"e0f3b564"="C:\Windows\system32\unyxnlyo.dll" [2008-09-02 64512]

C:\Users\Waterproof\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2007-03-29 719664]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{994FB1BF-3B05-4D3D-B5A8-9A32BCCF60A5}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{BE81EE69-8783-4988-9E64-1E7EEF70F978}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{748F7A36-C95F-4356-BDA0-2C930A79677E}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{2642E82F-AE32-48F4-BC6A-F7E95575D099}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{7C7F5A76-6079-467B-8A18-0B4B8195A91B}"= UDP:C:\Windows\System32\lxbacoms.exe:Lexmark Communications System
"{40817FE4-D1BA-4B82-8A08-7606601ADE11}"= TCP:C:\Windows\System32\lxbacoms.exe:Lexmark Communications System
"{66C31868-57A6-4001-895D-4B71027CD110}"= UDP:C:\Windows\System32\spool\drivers\w32x86\3\lxbapswx.exe:Printer Status Window
"{FAC413EC-B54E-4BB2-8CEE-B374023EB1B0}"= TCP:C:\Windows\System32\spool\drivers\w32x86\3\lxbapswx.exe:Printer Status Window
"{C3E9063A-971B-4DCB-93A2-614AC0EE6D60}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{53906E77-27BE-41EF-AD49-BA13C9F718E2}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{9683E431-E588-4A52-BCA4-197F24D2E82B}C:\\users\\waterproof\\appdata\\local\\temp\\vusbsp\\vonagetalkusb.exe"= UDP:C:\users\waterproof\appdata\local\temp\vusbsp\vonagetalkusb.exe:vonagetalkusb.exe
"UDP Query User{940D550F-8105-4A8D-A052-4E74FF4FED5F}C:\\users\\waterproof\\appdata\\local\\temp\\vusbsp\\vonagetalkusb.exe"= TCP:C:\users\waterproof\appdata\local\temp\vusbsp\vonagetalkusb.exe:vonagetalkusb.exe
"TCP Query User{4FADB00A-E2A5-4F21-A71E-A7CD2B4AFCBB}C:\\users\\waterproof\\appdata\\roaming\\vusbsp\\vonagetalkusb.exe"= UDP:C:\users\waterproof\appdata\roaming\vusbsp\vonagetalkusb.exe:vonagetalkusb.exe
"UDP Query User{8981B39C-2F8E-4123-BF42-C6D3C6F9C73F}C:\\users\\waterproof\\appdata\\roaming\\vusbsp\\vonagetalkusb.exe"= TCP:C:\users\waterproof\appdata\roaming\vusbsp\vonagetalkusb.exe:vonagetalkusb.exe
"{617C5A68-B086-462A-9BE7-08B3F5BA67C5}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{6B0A4DC4-9C19-43F9-804C-C1E904D0FFEF}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{365DD8CC-F926-49A3-993A-1297672A7117}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{976D515E-E2BC-4040-8BBF-D2D3A4E8D25A}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{898A948D-841A-47F8-ABFB-1EFC939CABB3}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{8D685019-8334-40F3-A2D4-38163DFCD119}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{A98782BD-8C4D-4F79-B6D6-105C9872D92A}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{08348A5B-3772-4C13-BC12-E048CBFC5423}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{DF39095D-DF41-4712-87DB-09B714EB1D74}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{25EBD56A-6227-4298-A225-9CB8A4D1B32F}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{4F7D0682-F6B6-400B-9137-5DC89D4CC714}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{76486E61-FAE2-455A-B522-E81D9BE308D4}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{F95EED90-5805-46AF-898F-94DF14996AFE}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{7763661D-3D1A-4123-959D-8679A847D5CB}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{009D7874-056C-4F46-8339-5745209EBDFD}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{FA08B81B-5398-4827-85B5-63AB31FCC68D}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"TCP Query User{2AD5DD5B-B32E-4593-A57F-26F4B37A2957}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{8534ABF4-7562-4E56-8087-B0301C6450C9}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 Shockprf;Shockprf;C:\Windows\system32\DRIVERS\Apsx86.sys [2007-10-16 103472]
R0 TPDIGIMN;TPDIGIMN;C:\Windows\system32\DRIVERS\ApsHM86.sys [2007-10-16 19504]
R1 DLARTL_M;DLARTL_M;C:\Windows\system32\Drivers\DLARTL_M.SYS [2007-02-08 28120]
R1 lenovo.smi;Lenovo System Interface Driver;C:\Windows\system32\DRIVERS\smiif32.sys [2006-08-30 13744]
R1 TPPWRIF;TPPWRIF;C:\Windows\system32\drivers\Tppwr32v.sys [2007-12-06 12080]
R3 TVTI2C;Lenovo SM bus driver;C:\Windows\system32\DRIVERS\Tvti2c.sys [2007-05-22 30336]
S3 btwaudio;Bluetooth Audio Device Service;C:\Windows\system32\drivers\btwaudio.sys [2007-03-29 79664]
S3 btwavdt;Bluetooth AVDT Service;C:\Windows\system32\drivers\btwavdt.sys [2007-02-27 81200]
S3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2007-02-27 16432]
S3 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20070108.003\IDSvix86.sys [2006-12-28 212280]
S4 ErrDev;Microsoft Hardware Error Device Driver;C:\Windows\system32\drivers\errdev.sys [2008-01-20 6656]
S4 MegaSR;MegaSR;C:\Windows\system32\drivers\megasr.sys [2008-01-20 386616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\shell\AutoRun\command - D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{0076C234-2AE1-43E0-BE7F-12C145C36700} - (no file)
HKCU-Run-Windows Logon Applicationedc - C:\Users\Waterproof\winlogon.exe



**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-03 12:10:01
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Windows\system32\unyxnlyo.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\ibmpmsvc.exe
C:\Windows\System32\audiodg.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Windows\System32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Windows\System32\AEADISRV.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Windows\System32\lxbacoms.exe
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Windows\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe
C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Windows\System32\drivers\XAudio.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\ZOOM\TpScrex.exe
C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\CfgWiz.exe
C:\Windows\System32\igfxsrvc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\VSSVC.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Windows\System32\wbem\WMIADAP.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Common Files\Lenovo\BMGR\bmgr32.exe
C:\Windows\System32\cscript.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2008-09-03 12:17:25 - machine was rebooted [Waterproof]
ComboFix-quarantined-files.txt 2008-09-03 16:16:53
ComboFix2.txt 2008-08-29 11:11:54

Pre-Run: 44,023,042,048 bytes free
Post-Run: 42,851,385,344 bytes free

952 --- E O F --- 2008-08-29 11:15:52



Thanks for your help... What's the prognosis doc?
effingcow
Regular Member
 
Posts: 31
Joined: August 29th, 2008, 11:57 am
Location: Aruba

Re: Defender says I have Vundo.gen!p

Unread postby jmw3 » September 4th, 2008, 1:59 am

Hi effingcow

Is there some reason you ran HijackThis in Safe Mode? If you can, could you post a new HijackThis log run in Normal Mode?

Thanks
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Defender says I have Vundo.gen!p

Unread postby jmw3 » September 4th, 2008, 4:39 am

Fix HiJackThis Entries
  • Open HiJackThis
  • Click on do a system scan only
  • Place a checkmark next to these lines (if still present):

O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL (file missing)

  • Close all windows except Hijackthis and click Fix Checked
  • Click Yes when prompted
  • Close HijackThis.

CFScript
Close any open browsers.
Open Notepad and copy/paste the text in the code box below into it:

File::
C:\Windows\System32\oylnxynu.ini
C:\Windows\System32\unyxnlyo.dll
C:\Windows\System32\opnklmMf.dll
C:\Windows\system32\geBsrRlk.dll
C:\Windows\system32\wdwrcjug.dll

Folder::
C:\A
C:\B
C:\C
C:\Program Files\Mjcore
C:\Windows\System32\wTR02
C:\Windows\System32\hid
C:\Temp\dax41

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSServer"=-
"BMe3c086f8"=-
"e0f3b564"=-

Save this as CFScript.txt, in the same location as ComboFix.exe

Image

Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt".
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

To post in next reply:
Combofix log
New HJT log
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
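As an added cross-check (example code written for this thread, not part of ComboFix or the post above): parse the CFScript into its sections and compare the File::/Folder:: targets against the Other Deletions section of the ComboFix log posted in the next reply, so any entry ComboFix did not report removing stands out; the Registry:: parser accepts only the `"name"=-` delete form, so a stray quote is caught before the script is run. Both input texts are embedded copies from the thread, and the banner/section regexes are assumptions about ComboFix's log layout.

```python
import re

SECTION_RE = re.compile(r"^(\w+)::$")           # File:: / Folder:: / Registry::
REG_DELETE_RE = re.compile(r'^"([^"]+)"=-$')    # "ValueName"=-  (ComboFix delete form)
BANNER_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")  # (((( Section Title ))))

# CFScript as posted in the thread (all three Registry lines in the "name"=- form).
CFSCRIPT = r"""File::
C:\Windows\System32\oylnxynu.ini
C:\Windows\System32\unyxnlyo.dll
C:\Windows\System32\opnklmMf.dll
C:\Windows\system32\geBsrRlk.dll
C:\Windows\system32\wdwrcjug.dll

Folder::
C:\A
C:\B
C:\C
C:\Program Files\Mjcore
C:\Windows\System32\wTR02
C:\Windows\System32\hid
C:\Temp\dax41

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSServer"=-
"BMe3c086f8"=-
"e0f3b564"=-
"""

# Excerpt of the ComboFix log posted after that script ran (header plus Other Deletions).
COMBOFIX_LOG = r"""ComboFix 08-09-03.06 - Waterproof 2008-09-04 14:00:07.5 - NTFSx86
Command switches used :: C:\Users\Waterproof\Desktop\CFScript.txt
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\A
C:\B
C:\C
C:\Program Files\Mjcore
C:\Temp\dax41
C:\Windows\System32\hid
C:\Windows\System32\opnklmMf.dll
C:\Windows\System32\oylnxynu.ini
C:\Windows\System32\wTR02
.
((((((((((((((((((((((((( Files Created from 2008-08-04 to 2008-09-04 )))))))))))))))))))))))))))))))
"""


def parse_cfscript(text: str) -> dict[str, list[str]]:
    """Split a CFScript into its 'Name::' sections (header -> entry lines)."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        elif line:
            sections[current].append(line)
    return sections


def registry_deletions(lines: list[str]) -> list[tuple[str, str]]:
    """Turn a Registry:: section into (key, value name) pairs; anything but '"name"=-' is rejected."""
    key, out = None, []
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = REG_DELETE_RE.match(line)
        if key is None or m is None:
            raise ValueError(f"malformed Registry:: line: {line!r}")
        out.append((key, m.group(1)))
    return out


def log_section(log: str, title: str) -> list[str]:
    """Entry lines under the ComboFix banner whose title matches exactly."""
    entries, inside = [], False
    for line in (ln.strip() for ln in log.splitlines()):
        m = BANNER_RE.match(line)
        if m:
            inside = m.group(1) == title
        elif inside and line and line != ".":
            entries.append(line)
    return entries


def unconfirmed_targets(cfscript: str, log: str) -> dict[str, list[str]]:
    """File::/Folder:: entries not listed under 'Other Deletions' (Windows paths compared case-insensitively)."""
    sections = parse_cfscript(cfscript)
    deleted = {p.lower() for p in log_section(log, "Other Deletions")}
    return {kind: [p for p in sections.get(kind, []) if p.lower() not in deleted]
            for kind in ("File", "Folder")}


if __name__ == "__main__":
    for kind, paths in unconfirmed_targets(CFSCRIPT, COMBOFIX_LOG).items():
        print(f"{kind}:: entries not confirmed deleted: {paths or 'none'}")
```

Run against the thread's own texts, the three DLLs that ComboFix did not list under Other Deletions come back as unconfirmed, while every Folder:: target is accounted for.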

Re: Defender says I have Vundo.gen!p

Unread postby effingcow » September 4th, 2008, 3:29 pm

I ran it in Safe Mode because, until your first post, my computer wasn't really functioning well in Normal Mode (it is working a lot better now). There are a few RunDLLs that are missing that my computer lets me know about on startup. Are you interested in those?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:13 PM, on 9/4/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\vsnp2uvc.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\ThinkPad\Bluetooth Software\BtStackServer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [snp2uvc] C:\Windows\vsnp2uvc.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [LenovoOobeOffers] c:\SWTOOLS\LenovoWelcome\LenovoOobeOffers.exe /filePath="c:\swshare\firstrun.txt"
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe /startup
O4 - HKLM\..\Run: [CameraApplicationLauncher] C:\Program Files\Lenovo\Camera Center\bin\CameraApplicationLaunchpadLauncher.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" /MODULE CfgWiz /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://c:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\Windows\system32\IPSSVC.EXE
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxba_device - - C:\Windows\system32\lxbacoms.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Unknown owner - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12822 bytes


ComboFix 08-09-03.06 - Waterproof 2008-09-04 14:00:07.5 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.196 [GMT -4:00]
Running from: C:\Users\Waterproof\Downloads\ComboFix.exe
Command switches used :: C:\Users\Waterproof\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\A
C:\B
C:\C
C:\Program Files\Mjcore
C:\Temp\dax41
C:\Temp\dax41\A3G.log
C:\Windows\System32\hid
C:\Windows\System32\opnklmMf.dll
C:\Windows\System32\oylnxynu.ini
C:\Windows\System32\wTR02
C:\Windows\System32\wTR02\wTR022328.exe

.
((((((((((((((((((((((((( Files Created from 2008-08-04 to 2008-09-04 )))))))))))))))))))))))))))))))
.

2008-09-02 21:14 . 2008-09-02 21:14 <DIR> d-------- C:\Users\Waterproof\AppData\Roaming\U3
2008-09-02 08:38 . 2008-09-02 08:38 <DIR> d-------- C:\Users\Waterproof\AppData\Roaming\HP
2008-09-01 17:54 . 2008-09-01 17:54 <DIR> d-------- C:\Users\All Users\Hewlett-Packard
2008-09-01 17:54 . 2008-09-01 17:54 <DIR> d-------- C:\ProgramData\Hewlett-Packard
2008-08-29 06:09 . 2008-08-29 06:09 224,255,928 --a------ C:\Windows\MEMORY.DMP
2008-08-28 23:11 . 2008-08-28 23:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-28 21:08 . 2008-08-28 22:37 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-08-28 21:08 . 2008-08-28 22:37 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-08-28 21:08 . 2008-08-28 21:15 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-28 10:50 . 2008-08-29 12:11 <DIR> d-------- C:\Windows\System32\kp4
2008-08-28 10:49 . 2008-09-04 14:01 <DIR> d-------- C:\Temp
2008-08-26 18:09 . 2008-08-26 18:09 <DIR> d-------- C:\Program Files\GoldWave
2008-08-26 18:07 . 2008-08-26 18:07 <DIR> d-------- C:\Program Files\AltoMP3 Gold
2008-08-26 17:55 . 2008-08-26 17:55 <DIR> d-------- C:\Users\Waterproof\AppData\Roaming\Roxio
2008-08-26 17:55 . 2008-08-26 17:55 <DIR> d-------- C:\Users\All Users\Roxio
2008-08-26 17:55 . 2008-08-26 17:55 <DIR> d-------- C:\ProgramData\Roxio
2008-08-26 17:39 . 2008-08-26 18:15 <DIR> d-------- C:\UW20
2008-08-26 17:05 . 2008-08-26 17:05 <DIR> d-------- C:\Users\All Users\HP Product Assistant
2008-08-26 17:05 . 2008-08-26 17:05 <DIR> d-------- C:\ProgramData\HP Product Assistant
2008-08-26 17:02 . 2008-08-26 17:02 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-08-26 17:02 . 2008-08-26 17:02 <DIR> d-------- C:\Program Files\Common Files\HP
2008-08-26 17:01 . 2008-08-26 17:01 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-08-26 17:00 . 2007-10-30 05:20 970,752 --a------ C:\Windows\System32\hpotiop6.dll
2008-08-26 17:00 . 2007-10-30 05:20 729,088 --a------ C:\Windows\System32\hpowiax8.dll
2008-08-26 17:00 . 2007-10-30 05:25 372,736 --a------ C:\Windows\System32\hppldcoi.dll
2008-08-26 17:00 . 2007-10-30 05:20 303,104 --a------ C:\Windows\System32\hpovst14.dll
2008-08-26 17:00 . 2007-11-07 05:41 271,704 --a------ C:\Windows\System32\hpzids01.dll
2008-08-26 17:00 . 2007-10-20 18:25 118,272 --a------ C:\Windows\System32\hpz3l5mu.dll
2008-08-26 16:58 . 2008-08-26 17:05 <DIR> d-------- C:\Program Files\HP
2008-08-26 16:55 . 2008-09-02 08:37 <DIR> d-------- C:\Users\All Users\HP
2008-08-26 16:55 . 2008-09-02 08:37 <DIR> d-------- C:\ProgramData\HP
2008-08-26 16:55 . 2008-08-26 17:28 157,583 --a------ C:\Windows\hpoins26.dat
2008-08-26 12:16 . 2008-09-04 09:20 <DIR> d-------- C:\Users\Waterproof\AppData\Roaming\vusbsp
2008-08-18 19:56 . 2008-07-19 01:09 1,811,656 --a------ C:\Windows\System32\wuaueng.dll
2008-08-18 19:56 . 2008-07-18 23:44 1,524,736 --a------ C:\Windows\System32\wucltux.dll
2008-08-18 19:56 . 2008-07-19 01:09 563,912 --a------ C:\Windows\System32\wuapi.dll
2008-08-18 19:56 . 2008-07-19 01:08 163,904 --a------ C:\Windows\System32\wuwebv.dll
2008-08-18 19:56 . 2008-07-18 23:44 83,456 --a------ C:\Windows\System32\wudriver.dll
2008-08-18 19:56 . 2008-07-19 01:10 53,448 --a------ C:\Windows\System32\wuauclt.exe
2008-08-18 19:56 . 2008-07-19 01:10 45,768 --a------ C:\Windows\System32\wups2.dll
2008-08-18 19:56 . 2008-07-19 01:10 36,552 --a------ C:\Windows\System32\wups.dll
2008-08-18 19:56 . 2008-07-18 23:44 31,232 --a------ C:\Windows\System32\wuapp.exe
2008-08-14 06:03 . 2008-07-15 21:32 2,048 --a------ C:\Windows\System32\tzres.dll
2008-08-14 06:01 . 2008-04-10 01:12 738,304 --a------ C:\Windows\System32\inetcomm.dll
2008-08-14 06:01 . 2008-06-18 23:31 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL
2008-08-14 06:01 . 2008-04-18 01:48 269,312 --a------ C:\Windows\System32\es.dll
2008-08-14 06:00 . 2008-06-26 21:55 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-08-14 06:00 . 2008-06-27 00:15 827,392 --a------ C:\Windows\System32\wininet.dll
2008-08-07 15:48 . 2008-08-07 15:49 <DIR> d-------- C:\Program Files\Apple Software Update
2008-08-07 01:50 . 2008-08-13 03:20 <DIR> d-------- C:\Program Files\Full Tilt Poker

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-03 23:36 --------- d-----w C:\Users\Waterproof\AppData\Roaming\OpenOffice.org2
2008-08-28 05:54 --------- d-----w C:\Program Files\Trillian
2008-08-14 10:09 --------- d-----w C:\Program Files\Windows Mail
2008-08-07 05:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-02 21:42 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-08-02 21:39 --------- d-----w C:\Program Files\Java
2008-07-31 23:00 --------- d-----w C:\Users\Waterproof\AppData\Roaming\Apple Computer
2008-07-31 22:58 --------- d-----w C:\Program Files\iTunes
2008-07-31 22:58 --------- d-----w C:\Program Files\iPod
2008-07-31 22:44 --------- d-----w C:\Program Files\Safari
2008-07-27 03:16 --------- d-----w C:\Program Files\Microsoft Games
2008-07-19 01:24 --------- d-----w C:\Users\Waterproof\AppData\Roaming\App Launcher Gadget
2008-07-17 07:08 --------- d-----w C:\Program Files\MSECache
2008-07-17 06:52 --------- d-----w C:\Users\Waterproof\AppData\Roaming\Microsoft Web Folders
2008-07-17 06:37 --------- d-----w C:\ProgramData\Microsoft Help
2008-07-15 17:27 --------- d-----w C:\Program Files\Lexmark X5100 Series
2008-07-13 10:12 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-07-12 17:17 --------- d-----w C:\ProgramData\Apple Computer
2008-07-12 17:15 --------- d-----w C:\Program Files\QuickTime
2008-07-12 17:15 --------- d-----w C:\Program Files\Bonjour
2008-07-12 17:08 --------- d-----w C:\ProgramData\Apple
2008-07-12 17:08 --------- d-----w C:\Program Files\Common Files\Apple
2008-07-12 06:04 --------- d-----w C:\ProgramData\Lenovo
2008-07-10 16:35 32,000 ----a-w C:\Windows\system32\drivers\usbaapl.sys
2008-07-09 23:00 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-09 22:05 --------- d-----w C:\Users\Waterproof\AppData\Roaming\Leadertech
2008-07-09 21:37 --------- d-----w C:\Program Files\MSXML 4.0
2008-07-09 21:17 --------- d-----w C:\ProgramData\Symantec
2008-07-09 21:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-09 21:13 --------- d-----w C:\Program Files\Norton Internet Security
2008-07-09 21:12 806 ----a-w C:\Windows\system32\drivers\SYMEVENT.INF
2008-07-09 21:12 8,014 ----a-w C:\Windows\system32\drivers\SYMEVENT.CAT
2008-07-09 21:12 115,000 ----a-w C:\Windows\system32\drivers\SYMEVENT.SYS
2008-07-09 21:12 --------- d-----w C:\Program Files\Symantec
2008-07-09 20:59 --------- d-----w C:\Users\Waterproof\AppData\Roaming\Lenovo
2008-07-09 20:55 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-07-09 20:54 100 ----a-w C:\Windows\system32\drivers\Lenovo_7659_N2U.MRK
2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll
2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-06-12 05:14 1,732 ----a-w C:\tvtpktfilter.dat
2008-06-12 03:55 295,936 ----a-w C:\Windows\System32\gdi32.dll
2008-06-12 03:53 2,032,128 ----a-w C:\Windows\System32\win32k.sys
2008-06-12 03:52 988,216 ----a-w C:\Windows\System32\winload.exe
2008-06-12 03:52 927,288 ----a-w C:\Windows\System32\winresume.exe
2008-06-12 03:52 615,992 ----a-w C:\Windows\System32\ci.dll
2008-06-12 03:52 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-06-12 03:52 46,592 ----a-w C:\Windows\System32\setbcdlocale.dll
2008-06-12 03:52 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-06-12 03:52 378,368 ----a-w C:\Windows\System32\srcore.dll
2008-06-12 03:52 318,464 ----a-w C:\Windows\System32\rstrui.exe
2008-06-12 03:52 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-06-12 03:52 14,848 ----a-w C:\Windows\System32\srdelayed.exe
2008-01-21 02:43 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((( snapshot_2008-09-03_12.15.48.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-03 23:31:36 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-09-03 23:31:36 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-09-03 16:08:44 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-09-03 23:34:56 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-09-03 16:08:44 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-09-03 23:34:04 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-09-02 12:37:40 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-04 00:32:56 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-09-02 12:37:40 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-04 00:32:56 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-09-02 12:37:40 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-09-04 00:32:56 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-09-03 15:57:39 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-09-04 17:59:56 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
- 2008-01-21 02:27:08 52,696 ----a-w C:\Windows\System32\mrt.exe
+ 2008-08-05 15:11:02 15,888,504 ----a-w C:\Windows\System32\mrt.exe
+ 2008-09-03 17:43:51 2,456 ----a-w C:\Windows\System32\networklist\icons\{7EF3108E-0BC6-4EDC-92F7-701352BDA008}_24.bin
+ 2008-09-03 17:43:52 4,280 ----a-w C:\Windows\System32\networklist\icons\{7EF3108E-0BC6-4EDC-92F7-701352BDA008}_32.bin
+ 2008-09-03 17:43:52 9,560 ----a-w C:\Windows\System32\networklist\icons\{7EF3108E-0BC6-4EDC-92F7-701352BDA008}_48.bin
- 2008-09-03 01:15:41 104,792 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-09-04 00:01:15 105,376 ----a-w C:\Windows\System32\perfc009.dat
- 2008-09-03 01:15:41 603,466 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-09-04 00:01:15 604,452 ----a-w C:\Windows\System32\perfh009.dat
- 2008-08-26 21:41:37 6,291,456 ----a-w C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2008-09-03 20:46:38 6,291,456 ----a-w C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2008-09-03 01:09:56 5,782 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1433960662-359803117-349027270-1005_UserData.bin
+ 2008-09-03 23:35:23 6,402 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1433960662-359803117-349027270-1005_UserData.bin
- 2008-09-03 01:09:56 84,908 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-09-03 23:35:21 85,716 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-08-26 21:41:15 3,146 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-09-03 23:19:29 3,146 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-09-02 12:35:02 35,560 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-09-03 23:25:39 39,136 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-09-01 21:46:23 302,158 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-09-04 15:54:26 304,400 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-20 1233920]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPFNF7"="C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-11-29 59168]
"PWMTRV"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2007-12-06 324896]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2007-12-06 214576]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-05 820520]
"snp2uvc"="C:\Windows\vsnp2uvc.exe" [2006-12-28 569344]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 243248]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-07-09 1282048]
"LenovoOobeOffers"="c:\SWTOOLS\LenovoWelcome\LenovoOobeOffers.exe" [2007-09-25 28672]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-01-08 536576]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-11-15 217176]
"AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"LPManager"="C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-04-26 120368]
"AMSG"="C:\Program Files\ThinkVantage\AMSG\Amsg.exe" [2007-02-01 419376]
"CameraApplicationLauncher"="C:\Program Files\Lenovo\Camera Center\bin\CameraApplicationLaunchpadLauncher.exe" [2007-08-22 16384]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 419112]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 124200]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"IS CfgWiz"="C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" [2007-01-12 431752]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-02-11 133656]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]

C:\Users\Waterproof\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [2007-03-29 719664]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{994FB1BF-3B05-4D3D-B5A8-9A32BCCF60A5}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{BE81EE69-8783-4988-9E64-1E7EEF70F978}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{748F7A36-C95F-4356-BDA0-2C930A79677E}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{2642E82F-AE32-48F4-BC6A-F7E95575D099}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{7C7F5A76-6079-467B-8A18-0B4B8195A91B}"= UDP:C:\Windows\System32\lxbacoms.exe:Lexmark Communications System
"{40817FE4-D1BA-4B82-8A08-7606601ADE11}"= TCP:C:\Windows\System32\lxbacoms.exe:Lexmark Communications System
"{66C31868-57A6-4001-895D-4B71027CD110}"= UDP:C:\Windows\System32\spool\drivers\w32x86\3\lxbapswx.exe:Printer Status Window
"{FAC413EC-B54E-4BB2-8CEE-B374023EB1B0}"= TCP:C:\Windows\System32\spool\drivers\w32x86\3\lxbapswx.exe:Printer Status Window
"{C3E9063A-971B-4DCB-93A2-614AC0EE6D60}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{53906E77-27BE-41EF-AD49-BA13C9F718E2}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{9683E431-E588-4A52-BCA4-197F24D2E82B}C:\\users\\waterproof\\appdata\\local\\temp\\vusbsp\\vonagetalkusb.exe"= UDP:C:\users\waterproof\appdata\local\temp\vusbsp\vonagetalkusb.exe:vonagetalkusb.exe
"UDP Query User{940D550F-8105-4A8D-A052-4E74FF4FED5F}C:\\users\\waterproof\\appdata\\local\\temp\\vusbsp\\vonagetalkusb.exe"= TCP:C:\users\waterproof\appdata\local\temp\vusbsp\vonagetalkusb.exe:vonagetalkusb.exe
"TCP Query User{4FADB00A-E2A5-4F21-A71E-A7CD2B4AFCBB}C:\\users\\waterproof\\appdata\\roaming\\vusbsp\\vonagetalkusb.exe"= UDP:C:\users\waterproof\appdata\roaming\vusbsp\vonagetalkusb.exe:vonagetalkusb.exe
"UDP Query User{8981B39C-2F8E-4123-BF42-C6D3C6F9C73F}C:\\users\\waterproof\\appdata\\roaming\\vusbsp\\vonagetalkusb.exe"= TCP:C:\users\waterproof\appdata\roaming\vusbsp\vonagetalkusb.exe:vonagetalkusb.exe
"{617C5A68-B086-462A-9BE7-08B3F5BA67C5}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{6B0A4DC4-9C19-43F9-804C-C1E904D0FFEF}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{365DD8CC-F926-49A3-993A-1297672A7117}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{976D515E-E2BC-4040-8BBF-D2D3A4E8D25A}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{898A948D-841A-47F8-ABFB-1EFC939CABB3}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{8D685019-8334-40F3-A2D4-38163DFCD119}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{A98782BD-8C4D-4F79-B6D6-105C9872D92A}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{08348A5B-3772-4C13-BC12-E048CBFC5423}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{DF39095D-DF41-4712-87DB-09B714EB1D74}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{25EBD56A-6227-4298-A225-9CB8A4D1B32F}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{4F7D0682-F6B6-400B-9137-5DC89D4CC714}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{76486E61-FAE2-455A-B522-E81D9BE308D4}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{F95EED90-5805-46AF-898F-94DF14996AFE}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{7763661D-3D1A-4123-959D-8679A847D5CB}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{009D7874-056C-4F46-8339-5745209EBDFD}"= Disabled:UDP:C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{FA08B81B-5398-4827-85B5-63AB31FCC68D}"= Disabled:TCP:C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"TCP Query User{2AD5DD5B-B32E-4593-A57F-26F4B37A2957}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{8534ABF4-7562-4E56-8087-B0301C6450C9}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{D57F6772-8A7E-4424-B43C-E7BE3234BC42}C:\\users\\waterproof\\appdata\\roaming\\vusbsp\\vonagetalkusb.exe"= UDP:C:\users\waterproof\appdata\roaming\vusbsp\vonagetalkusb.exe:vonagetalkusb.exe
"UDP Query User{6C543C89-00DE-481B-8E4C-44B9B4172C4F}C:\\users\\waterproof\\appdata\\roaming\\vusbsp\\vonagetalkusb.exe"= TCP:C:\users\waterproof\appdata\roaming\vusbsp\vonagetalkusb.exe:vonagetalkusb.exe

R0 Shockprf;Shockprf;C:\Windows\system32\DRIVERS\Apsx86.sys [2007-10-16 103472]
R0 TPDIGIMN;TPDIGIMN;C:\Windows\system32\DRIVERS\ApsHM86.sys [2007-10-16 19504]
R1 DLARTL_M;DLARTL_M;C:\Windows\system32\Drivers\DLARTL_M.SYS [2007-02-08 28120]
R1 lenovo.smi;Lenovo System Interface Driver;C:\Windows\system32\DRIVERS\smiif32.sys [2006-08-30 13744]
R1 TPPWRIF;TPPWRIF;C:\Windows\system32\drivers\Tppwr32v.sys [2007-12-06 12080]
R2 AEADIFilters;Andrea ADI Filters Service;C:\Windows\system32\AEADISRV.EXE [2007-02-05 69632]
R2 lxba_device;lxba_device;C:\Windows\system32\lxbacoms.exe [2007-04-24 537520]
R2 TPHKSVC;On Screen Display;C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe [2007-03-02 55936]
R2 TVT Backup Protection Service;TVT Backup Protection Service;C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-01-08 569344]
R3 btwaudio;Bluetooth Audio Device Service;C:\Windows\system32\drivers\btwaudio.sys [2007-03-29 79664]
R3 btwavdt;Bluetooth AVDT Service;C:\Windows\system32\drivers\btwavdt.sys [2007-02-27 81200]
R3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2007-02-27 16432]
R3 TVTI2C;Lenovo SM bus driver;C:\Windows\system32\DRIVERS\Tvti2c.sys [2007-05-22 30336]
S3 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20070108.003\IDSvix86.sys [2006-12-28 212280]
S4 ErrDev;Microsoft Hardware Error Device Driver;C:\Windows\system32\drivers\errdev.sys [2008-01-20 6656]
S4 MegaSR;MegaSR;C:\Windows\system32\drivers\megasr.sys [2008-01-20 386616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\shell\AutoRun\command - D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-04 14:04:39
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-04 14:07:20
ComboFix-quarantined-files.txt 2008-09-04 18:07:12
ComboFix2.txt 2008-09-03 16:17:28
ComboFix3.txt 2008-08-29 11:11:54

Pre-Run: 39,681,171,456 bytes free
Post-Run: 39,554,351,104 bytes free

304 --- E O F --- 2008-09-04 17:35:26
effingcow
Regular Member
 
Posts: 31
Joined: August 29th, 2008, 11:57 am
Location: Aruba

Re: Defender says I have Vundo.gen!p

Unread postby jmw3 » September 5th, 2008, 3:18 am

Hello effingcow

I'm assuming those missing files are malicious files that have been deleted, but could you let me know what they are so I can check them out? Other than that your logs are looking good.

ATF Cleaner
Download ATF Cleaner here by Atribune.
    Double-click ATF-Cleaner.exe to run the program
    Under Main choose: Select All
    Click the Empty Selected button
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
Click Exit on the Main menu to close the program.

Kaspersky Online Scan
Right click on your favourite web browser (Internet Explorer, Firefox, etc) and select Run As Administrator to run it
Go to Kaspersky website and perform an online antivirus scan
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply

To post in next reply:
Kaspersky log
New HJT log
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Defender says I have Vundo.gen!p

Unread postby effingcow » September 5th, 2008, 9:59 am

It won't let me run a Kaspersky scan. (It won't let me press Accept.) It says I need to have the latest update of Java, which I do. I tried updating Java anyway; it still won't let me.
effingcow
Regular Member
 
Posts: 31
Joined: August 29th, 2008, 11:57 am
Location: Aruba

Re: Defender says I have Vundo.gen!p

Unread postby jmw3 » September 5th, 2008, 2:11 pm

Hi effingcow

If you're using Firefox try running the scan with Internet Explorer. There is a known issue trying to run this scan with Firefox.

Also do this:

Download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer before continuing!***

  • Double-click on JavaRa.exe to start the program
  • From the drop-down menu, choose English and click on Select
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK
  • A logfile will pop up. Please save it to a convenient location
  • Click on Additional Tasks then tick Remove Useless JRE Files
  • Click Go then OK when prompted & close the program.

Try running the Kaspersky scan again.
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Defender says I have Vundo.gen!p

Unread postby effingcow » September 7th, 2008, 11:19 pm

So, what's going on with my computer? You haven't really told me anything... It seems like it's running better; is it really better? This computer is still under warranty. Should I be trying to get a new one?

KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, September 7, 2008
Operating System: Microsoft Windows Vista Business Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, September 07, 2008 23:18:02
Records in database: 1201055
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
E:\
Scan statistics
Files scanned 100691
Threat name 11
Infected objects 12
Suspicious objects 0
Duration of the scan 01:46:08

File name Threat name Threats count
C:\Program Files\GoldWave\GoldWave.exe Infected: Backdoor.Win32.VB.fuy 1
C:\QooBox\Quarantine\C\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.a 1
C:\QooBox\Quarantine\C\Users\Waterproof\winlogon.exe.vir Infected: Trojan.Win32.Agent.uvi 1
C:\QooBox\Quarantine\C\Windows\faceback.exe.vir Infected: Trojan-Downloader.Win32.Agent.adtd 1
C:\QooBox\Quarantine\C\Windows\System32\eMaxt02\eMaxt022328.exe.vir Infected: Trojan-Downloader.Win32.VB.gwr 1
C:\QooBox\Quarantine\C\Windows\System32\sysrest.sys.vir Infected: Email-Worm.Win32.Zhelatin.vl 1
C:\QooBox\Quarantine\C\Windows\System32\sysrest32.exe.vir Infected: Trojan.Win32.KillAV.agz 1
C:\QooBox\Quarantine\C\Windows\System32\wtlmhlnl.exe.vir Infected: Backdoor.Win32.Frauder.bu 1
C:\QooBox\Quarantine\C\Windows\System32\wTR02\wTR022328.exe.vir Infected: Trojan-Downloader.Win32.VB.hff 1
C:\Users\Waterproof\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FH46I8E2\x12c[1].htm Infected: Exploit.JS.Agent.vj 1
C:\Users\Waterproof\Downloads\gwave523.exe Infected: Backdoor.Win32.VB.fuy 1
C:\Users\Waterproof\Downloads\picture_dl.exe Infected: Trojan.Win32.Buzus.rmj 1
The selected area was scanned.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18:26 PM, on 9/7/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\vsnp2uvc.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\ThinkPad\Bluetooth Software\BtStackServer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trillian\trillian.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [snp2uvc] C:\Windows\vsnp2uvc.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [LenovoOobeOffers] c:\SWTOOLS\LenovoWelcome\LenovoOobeOffers.exe /filePath="c:\swshare\firstrun.txt"
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe /startup
O4 - HKLM\..\Run: [CameraApplicationLauncher] C:\Program Files\Lenovo\Camera Center\bin\CameraApplicationLaunchpadLauncher.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" /MODULE CfgWiz /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://c:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\Windows\system32\IPSSVC.EXE
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxba_device - - C:\Windows\system32\lxbacoms.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Unknown owner - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12842 bytes
effingcow
Regular Member
 
Posts: 31
Joined: August 29th, 2008, 11:57 am
Location: Aruba

Re: Defender says I have Vundo.gen!p

Unread postby jmw3 » September 8th, 2008, 8:33 am

So, what's going on with my computer. You haven't really told me anything... it seems like it's running better, is it really better?

I can only go by the logs you post to me & the logs are showing that Vundo has been cleaned up along with a lot of other junk. Is your computer running better?
this comp is still under warranty, should I be trying to get a new one?

I don't see any reason to get a new computer from the infections that were present.

The Kaspersky scan has flagged some legitimate files as infected. I would strongly recommend that you delete them by doing the following:

Run ATF Cleaner again following the previous instructions.

View Hidden Files & Folders Windows Vista
To view Hidden Files & Folders do the following:
Click Start
Open Computer
Select the Tools menu and click Folder Options
Select the View Tab
Under the Hidden files and folders heading select Show hidden files and folders
Uncheck the Hide protected operating system files (recommended) option
Click Yes to confirm
Click OK

Delete Files & Folders
Using Windows Explorer (right-click the Start button and left-click Explore), navigate to and find the following files; if found, delete them (some may not be present after previous steps):

C:\Program Files\GoldWave\GoldWave.exe
C:\Users\Waterproof\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FH46I8E2\x12c[1].htm
C:\Users\Waterproof\Downloads\gwave523.exe
C:\Users\Waterproof\Downloads\picture_dl.exe

Post a new HJT log for review.
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
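Added example, not from the thread or from any tool it mentions: a small Python triage script that reads report rows in the layout Kaspersky printed above and separates hits ComboFix had already moved into C:\QooBox\Quarantine from files still live on disk, which is the split jmw3 made by hand when listing the four files to delete. The sample rows are a constructed subset of the report posted above; the QooBox quarantine path convention is ComboFix's, and grouping live hits by signature is this script's own addition.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Row layout of the Kaspersky Online Scanner 7 report shown in the thread:
#   <file path> Infected: <threat name> <threats count>
# Paths contain spaces, so the regex binds on the literal " Infected: " marker.
ROW_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)\s*$")

# ComboFix moves what it removes into C:\QooBox\Quarantine and appends ".vir".
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"


@dataclass
class Detection:
    path: str
    threat: str
    count: int

    @property
    def quarantined(self) -> bool:
        """True when the hit is a copy ComboFix already moved into its quarantine."""
        return self.path.lower().startswith(QUARANTINE_PREFIX)


def parse_report(text: str) -> List[Detection]:
    """Return the detection rows of a Kaspersky report; header and footer lines are skipped."""
    found = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["threat"], int(m["count"])))
    return found


def triage(detections: List[Detection]) -> Dict[str, object]:
    """Separate hits that are already quarantined from files still live on disk,
    and group the live ones by signature so related files (an installer and the
    program it installed, for instance) are seen together."""
    live = [d for d in detections if not d.quarantined]
    by_threat: Dict[str, List[str]] = defaultdict(list)
    for d in live:
        by_threat[d.threat].append(d.path)
    return {
        "quarantined": [d.path for d in detections if d.quarantined],
        "live": [d.path for d in live],
        "live_by_threat": dict(by_threat),
    }


# Constructed sample: a subset of the rows from the report posted above,
# with a couple of the surrounding header/footer lines the parser must ignore.
SAMPLE_REPORT = r"""
Scan statistics
Files scanned 100691
File name Threat name Threats count
C:\Program Files\GoldWave\GoldWave.exe Infected: Backdoor.Win32.VB.fuy 1
C:\QooBox\Quarantine\C\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.a 1
C:\QooBox\Quarantine\C\Users\Waterproof\winlogon.exe.vir Infected: Trojan.Win32.Agent.uvi 1
C:\Users\Waterproof\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FH46I8E2\x12c[1].htm Infected: Exploit.JS.Agent.vj 1
C:\Users\Waterproof\Downloads\gwave523.exe Infected: Backdoor.Win32.VB.fuy 1
C:\Users\Waterproof\Downloads\picture_dl.exe Infected: Trojan.Win32.Buzus.rmj 1
The selected area was scanned.
"""

if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    print("already quarantined by ComboFix:", len(result["quarantined"]))
    for path in result["live"]:
        print("still on disk:", path)
    for threat, paths in result["live_by_threat"].items():
        if len(paths) > 1:
            print(f"{threat} seen in {len(paths)} live files (likely one download and its installed program)")
```

Running it on the sample prints the same four live paths jmw3 listed for deletion and shows the GoldWave executable and its downloaded installer carrying the same signature.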

Re: Defender says I have Vundo.gen!p

Unread postby effingcow » September 8th, 2008, 10:04 am

I couldn't delete this one:

C:\Users\Waterproof\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FH46I8E2\x12c[1].htm
When I got to Windows, there was no Temporary Internet Files folder...

Does this mean I cannot use GoldWave anymore? I downloaded it straight from the publisher.

Yes, the computer is running a lot better ever since the first time you posted. Thank you.

here is the new HJT log.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:33 AM, on 9/8/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\vsnp2uvc.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ThinkPad\Bluetooth Software\BtStackServer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Waterproof\Downloads\ATF-Cleaner(2).exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [snp2uvc] C:\Windows\vsnp2uvc.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [LenovoOobeOffers] c:\SWTOOLS\LenovoWelcome\LenovoOobeOffers.exe /filePath="c:\swshare\firstrun.txt"
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\PROGRA~1\THINKV~1\AMSG\amsg.exe
O4 - HKLM\..\Run: [CameraApplicationLauncher] C:\Program Files\Lenovo\Camera Center\bin\CameraApplicationLaunchpadLauncher.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe" /MODULE CfgWiz /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://c:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\Windows\system32\IPSSVC.EXE
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxba_device - - C:\Windows\system32\lxbacoms.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Unknown owner - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12852 bytes
effingcow
Regular Member
 
Posts: 31
Joined: August 29th, 2008, 11:57 am
Location: Aruba

Re: Defender says I have Vundo.gen!p

Unread postby jmw3 » September 8th, 2008, 2:04 pm

Does this mean I cannot use Goldwave anymore? I downloaded it straight from the publisher.

Not necessarily. It's possible Kaspersky could have picked up a false positive, but to be safe I would suggest uninstalling Goldwave, downloading it again and then reinstalling it.

Your last HijackThis log is clean. Well done. If there are no other problems it's time to clean up.

Remove Combofix
Click on Start > Run. Copy and paste in ComboFix /u and click OK. Use the image below for reference.
[Image: the Run dialog with ComboFix /u entered]
The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings
  • Hide file extensions, if required
  • Hide System/Hidden files, if required
  • Reset System Restore
You can also delete ATF-Cleaner.exe & JavaRa.zip from your desktop.

All Clean
Congratulations, good work, your system is now clean. Now that your system is safe we would like you to keep it that way.
Take the time to follow these instructions and it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

Microsoft Windows Update
Microsoft regularly releases patches for Windows and Office products to close loopholes in them and fix any bugs found.
To update Windows
Go to Start > All Programs > Windows Update
To update Office
Open up any Office program.
Go to Help > Check for Updates

Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee.
You can download it here

SpywareBlaster
Download and install Javacools SpywareBlaster from here
SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.

Download and Install a HOSTS File
A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. So the HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine.

Download BlueTack's HOSTS Manager here, using Internet Explorer (Firefox won't work):
http://www.bluetack.co.uk/forums/index.php?act=dscript&CODE=showdetails&f_id=5
A short distance down the page in the center, click on the Download button.
Agree to the license.
On the next page, to the right side of where it says Download Estimates, right click on the underlined word "Hosts Manager", choose "Save Target As" and download the installer Hosts20setup.exe to your desktop.
Double click the Installer on your desktop and let it Install the Hosts Manager
After the installation is complete, click on the Hosts Manager icon on your desktop. (You can delete the other Hosts Switch icon from your desktop).
When the Hosts Manager comes up, click the small down arrows on the Right side of the bar labeled "Options and Tools",
Click Disable DNS Service. This is important
In the Left Pane, click Download.
It will load 80,000 lines or more. When it finishes, also in the left pane, click Replace, and then click Save.
You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.

If you have a separate party firewall or Winpatrol, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.

Install WinPatrol
Download it here
You can find information about how WinPatrol works here

Read some information here on how to prevent Malware.

Hopefully these steps will help keep your computer clean.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

If there are any other questions then feel free to ask or in future do not hesitate to contact us here at The Malware Removal Forums
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
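
The HOSTS section of the reply above describes the mechanism (a fixed-format file, named exactly `hosts` with no extension, in a fixed location, consulted before any DNS query, used to point bad names at your own machine). The following is an added example, not code from the reply or from BlueTack's Hosts Manager: a parser for that format and a lookup that mirrors the resolver order, run against constructed file content whose block-list names are placeholders rather than real malware domains. The sinkhole address set and the first-mapping-wins rule are this example's choices.

```python
"""
Added example (not from the MalwareRemoval.com reply): parse a HOSTS-format
file and answer "would this name be short-circuited before DNS is asked?"
"""
import ipaddress
import os
from typing import Dict, List, Optional, Tuple

# Addresses conventionally used to sinkhole a name: the connection goes to the
# local machine (127.0.0.1 / ::1) or nowhere (0.0.0.0 / ::) instead of the real site.
SINKHOLE = {"127.0.0.1", "0.0.0.0", "::1", "::"}

# Constructed sample content for this example; every name here is a placeholder.
SAMPLE_HOSTS = """\
# stock header comment, ignored
127.0.0.1       localhost
::1             localhost
# --- block list (constructed for this example) ---
127.0.0.1  www.bad.example   ads.bad.example   # several names per line, trailing comment
0.0.0.0    tracker.example
this-is-not-an-ip  broken.example
"""


def parse_hosts(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse HOSTS text into {hostname: ip} plus the lines that were rejected.

    Format: an IP address, whitespace, then one or more hostnames; '#' starts a
    comment (whole line or trailing); blank lines are ignored.  Hostnames are
    case-insensitive, so keys are stored lower-case.  This parser keeps the first
    mapping seen for a name (a design choice of the example).
    """
    table: Dict[str, str] = {}
    rejected: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            rejected.append(raw)
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))  # normalises; rejects non-addresses
        except ValueError:
            rejected.append(raw)
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), ip)
    return table, rejected


def lookup(name: str, table: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """HOSTS is consulted first; DNS only on a miss.  Matching is exact: an entry for
    www.bad.example does not cover cdn.bad.example, so a HOSTS list needs every
    hostname spelled out."""
    ip = table.get(name.strip().rstrip(".").lower())
    return ("hosts", ip) if ip is not None else ("dns", None)


def is_sinkholed(name: str, table: Dict[str, str]) -> bool:
    source, ip = lookup(name, table)
    return source == "hosts" and ip in SINKHOLE


def windows_hosts_path() -> str:
    """Where Windows reads the file from; the name is 'hosts' with no extension."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return root + r"\System32\drivers\etc\hosts"


if __name__ == "__main__":
    table, rejected = parse_hosts(SAMPLE_HOSTS)
    for host in ("www.bad.example", "WWW.BAD.EXAMPLE", "cdn.bad.example", "localhost"):
        print(f"{host:18} -> {lookup(host, table)}  sinkholed={is_sinkholed(host, table)}")
    print("rejected:", rejected)
    print("live file would be:", windows_hosts_path())
```

To check a real system, read `windows_hosts_path()` instead of `SAMPLE_HOSTS`; any rejected lines are worth a look, since a malformed entry is silently ignored by the resolver too. The "Disable DNS Service" step in the reply exists because the Windows DNS Client service loads the whole HOSTS file into its cache and a file of 80,000 lines makes that slow; this example does not touch that service.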
