Topic posted for EffingCow
Post by Orac » November 4th, 2008, 9:23 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:31:01 AM, on 11/4/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Users\Waterproof\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Windows\system32\regsvr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ThinkPad\Bluetooth Software\BtStackServer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\rundll32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: innbanner browser enhancer - {27F25AFF-07DC-7066-F46D-3A42DDD1018E} - C:\Windows\system32\dgphjrotblgplm.dll
O2 - BHO: (no name) - {2F1C65BA-6E1E-48BE-8CFB-939DC150D5CC} - C:\Windows\system32\cbXRKCVp.dll
O2 - BHO: {b333e91c-2d51-4f8a-b3d4-c8bb7485d553} - {355d5847-bb8c-4d3b-a8f4-15d2c19e333b} - C:\Windows\system32\anfsqm.dll
O2 - BHO: (no name) - {3EF58E31-05ED-4B06-9ECE-AF2DED96A93C} - C:\Windows\system32\ssqQkHXn.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {E0DA6733-5C9A-46BC-BA1F-7F4998A173D5} - C:\Windows\system32\xxyabbAS.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [CameraApplicationLauncher] C:\Program Files\Lenovo\Camera Center\bin\CameraApplicationLaunchpadLauncher.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [e0f3b564] rundll32.exe "C:\Windows\system32\gfglhsoy.dll",b
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\jkkiJBSL.dll,#1
O4 - HKLM\..\Run: [mpafamacwzx] C:\Windows\System32\regsvr32.exe /s "C:\Windows\system32\dgphjrotblgplm.dll"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [Host Process] C:\Users\Waterproof\svchost.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://c:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O20 - AppInit_DLLs: anfsqm.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\Windows\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: lxba_device - - C:\Windows\system32\lxbacoms.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Unknown owner - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12280 bytes
Orac
MRU Emeritus
 
Posts: 1260
Joined: October 18th, 2006, 12:51 pm
Location: Third stone from the sun

Re: Topic posted for EffingCow

Post by ndmmxiaomayi » November 4th, 2008, 10:10 am

Hi Orac, EffingCow,

Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you understand more, please take some time to read the following articles:

What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
When should I do a reformat and reinstallation of my OS
Backing up your data in all versions of Windows Vista
Restoring your backups
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am
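The reply above concludes from Orac's HijackThis log that the machine carries a backdoor. The script below is an added example, not code from this thread or from MalwareRemoval.com, showing how a helper can screen such a log mechanically for the kinds of entries that drive that conclusion: a file named like a Windows system binary (svchost.exe) started from a user profile, rundll32 Run entries with ordinal or single-letter entry points or hexadecimal value names, BHOs registered with no name, and a populated AppInit_DLLs value. The sample log embedded in it is constructed from a handful of lines in the posted log; the function names, the heuristics and the severity labels are the example's own assumptions, and a flagged line is a lead for a human reviewer, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the HijackThis log posted in this thread:
# a handful of its entries (benign and suspicious) copied into one short log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {2F1C65BA-6E1E-48BE-8CFB-939DC150D5CC} - C:\Windows\system32\cbXRKCVp.dll
O2 - BHO: (no name) - {3EF58E31-05ED-4B06-9ECE-AF2DED96A93C} - C:\Windows\system32\ssqQkHXn.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [e0f3b564] rundll32.exe "C:\Windows\system32\gfglhsoy.dll",b
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\jkkiJBSL.dll,#1
O4 - HKCU\..\Run: [Host Process] C:\Users\Waterproof\svchost.exe
O20 - AppInit_DLLs: anfsqm.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# File names Windows itself only runs from the system directory (assumed list).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "explorer.exe"}
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)")
O2_RE = re.compile(r"BHO: (?P<name>.*?) - \{[^}]*\} - (?P<path>.*)")


@dataclass
class Finding:
    section: str
    severity: str   # "high" or "medium" (labels are this example's own)
    reasons: list
    line: str


def run_target(cmd):
    """Return the file a Run-key command ultimately loads (exe, or DLL via rundll32/regsvr32)."""
    if cmd.lower().startswith(("rundll32", "regsvr32")):
        rest = cmd.split(" ", 1)[1] if " " in cmd else ""
        m = re.search(r'"([^"]+)"|([A-Za-z]:\\[^,"\s]+)', rest)
        return (m.group(1) or m.group(2)) if m else rest
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    return re.split(r"\s[/-]", cmd)[0]   # strip trailing switches such as " /r"


def check_o4(body):
    """Heuristics for autostart (Run key) entries."""
    reasons, severity = [], None
    m = O4_RE.search(body)
    if not m:
        return reasons, severity
    name, cmd = m.group("name"), m.group("cmd")
    target = run_target(cmd)
    base = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if base in SYSTEM_BINARIES and not target.lower().startswith("c:\\windows\\"):
        reasons.append(f"{base} started from outside the Windows directory ({target})")
        severity = "high"
    if cmd.lower().startswith("rundll32") and "," in cmd:
        export = cmd.rsplit(",", 1)[1].strip()
        if re.fullmatch(r"#\d+|[A-Za-z0-9]", export):
            reasons.append(f"rundll32 entry point '{export}' is an ordinal or single character")
            severity = severity or "medium"
    if re.fullmatch(r"[0-9a-f]{6,}", name):
        reasons.append(f"Run value name '{name}' is a hexadecimal string")
        severity = severity or "medium"
    return reasons, severity


def check_o2(body):
    """Browser Helper Objects registered without a name deserve a look."""
    m = O2_RE.search(body)
    if m and m.group("name") == "(no name)":
        missing = body.endswith("(file missing)")
        note = " (file already gone, registration left behind)" if missing else ""
        return [f"BHO with no registered name: {m.group('path')}{note}"], "medium"
    return [], None


def check_o20(body):
    """AppInit_DLLs loads the named DLL into every process that loads user32.dll."""
    value = body.split(":", 1)[1].strip() if ":" in body else ""
    if value:
        return [f"AppInit_DLLs is set ({value}); injected into every user32-based process"], "high"
    return [], None


CHECKS = {"O4": check_o4, "O2": check_o2, "O20": check_o20}


def triage(log_text):
    """Run the section-specific checks over a HijackThis log and return the flagged lines."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue          # header lines and running-process paths are skipped
        check = CHECKS.get(m.group("section"))
        if check is None:
            continue
        reasons, severity = check(m.group("body"))
        if reasons:
            findings.append(Finding(m.group("section"), severity, reasons, line))
    return findings


def summarize(findings):
    """Count findings per severity."""
    return {sev: sum(1 for f in findings if f.severity == sev) for sev in ("high", "medium")}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:6}] {f.section}: {'; '.join(f.reasons)}")
    print(summarize(found))
```

Run as a script it prints one line per flagged entry and a severity count; the Java BHO, the Synaptics and ThinkPad Run entries and the Bonjour service pass through untouched, while the user-profile svchost.exe and the AppInit_DLLs value come out as the high-severity leads.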

Re: Topic posted for EffingCow

Post by effingcow » November 4th, 2008, 11:15 am

Hi,

No OS disk, can you help me clean my computer?

This is the thread you guys helped me with the first time: viewtopic.php?f=11&t=34261
Did I have it then too?

rarr... I'm getting a mac.
effingcow
Regular Member
 
Posts: 31
Joined: August 29th, 2008, 11:57 am
Location: Aruba

Re: Topic posted for EffingCow

Post by ndmmxiaomayi » November 4th, 2008, 11:33 am

Hi effingcow,

I will do my best.

Step 1

Please download Combofix from one of these locations:

Link 1
Link 2
Link 3

Save it to your desktop.

Double click on ComboFix.exe & follow the prompts.

When finished, a log will be produced. Please post this log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

Step 2

Please open My Computer.

Copy and paste the following into the address bar of My Computer:

C:\Qoobox\Add-Remove Programs.txt

Press Enter.

Notepad will open. Please post this log in your next reply.

In your next reply, please post:

  1. Combofix log (C:\Combofix.txt)
  2. Contents of C:\Qoobox\Add-Remove Programs.txt
  3. A new HijackThis log
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Topic posted for EffingCow

Post by effingcow » November 4th, 2008, 12:41 pm

ComboFix 08-11-03.06 - Waterproof 2008-11-04 11:14:02.6 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.121 [GMT -5:00]
Running from: c:\users\Waterproof\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\users\Waterproof\svchost.exe
c:\windows\system32\anfsqm.dll
c:\windows\system32\arucge.dll
c:\windows\system32\bnbqjdox.exe
c:\windows\system32\bqqsykax.ini
c:\windows\system32\bqxayn.dll
c:\windows\system32\brfwmdiu.exe
c:\windows\system32\byfapaug.dll
c:\windows\system32\byXNeBuv.dll
c:\windows\system32\byXQJDvT.dll
c:\windows\system32\cbXRKCVp.dll
c:\windows\system32\coeniyci.exe
c:\windows\system32\dikaaklu.ini
c:\windows\System32\dovimdja.ini
c:\windows\system32\dtzskb.dll
c:\windows\system32\dxsyobuv.dll
c:\windows\System32\EeLmTvut.ini
c:\windows\System32\EeLmTvut.ini2
c:\windows\system32\efcDVoml.dll
c:\windows\system32\elyhnkji.dll
c:\windows\system32\EV02
c:\windows\system32\EV02\EV022328.exe
c:\windows\system32\fdhpwbjd.dll
c:\windows\system32\fkiobhwy.ini
c:\windows\system32\frzezy.dll
c:\windows\system32\fujavdxn.ini
c:\windows\system32\fxgpeakb.exe
c:\windows\system32\hfgiwt.dll
c:\windows\system32\hgGabXNE.dll
c:\windows\system32\hggffgGV.dll
c:\windows\System32\ijknhyle.ini
c:\windows\system32\jbjevvix.dll
c:\windows\system32\kedhxjfp.dll
c:\windows\System32\kejnqimp.ini
c:\windows\system32\kuhtwbox.dll
c:\windows\system32\kwufccln.exe
c:\windows\system32\kxerxkwi.ini
c:\windows\system32\kxrursuh.exe
c:\windows\system32\ltcvhalq.ini
c:\windows\system32\luygwjtj.exe
c:\windows\system32\mbfbokgu.dll
c:\windows\system32\mbilkuur.exe
c:\windows\system32\mpytyyny.dll
c:\windows\system32\MSINET.oca
c:\windows\system32\nnnlIxWo.dll
c:\windows\system32\nnnoMGAt.dll
c:\windows\System32\nXHkQqss.ini
c:\windows\System32\nXHkQqss.ini2
c:\windows\system32\oolyrsvx.exe
c:\windows\system32\oqcxgb.dll
c:\windows\system32\owqtbw.dll
c:\windows\system32\pac.txt
c:\windows\system32\pcwlreuk.ini
c:\windows\system32\pmiqnjek.dll
c:\windows\System32\pVCKRXbc.ini
c:\windows\System32\pVCKRXbc.ini2
c:\windows\System32\pyitlqlt.ini
c:\windows\System32\QsYHQqru.ini
c:\windows\System32\QsYHQqru.ini2
c:\windows\system32\rcmqpasg.dll
c:\windows\system32\rjuctmfl.ini
c:\windows\system32\rolwgyxo.dll
c:\windows\system32\sjvhvg.dll
c:\windows\system32\ssqPifCs.dll
c:\windows\System32\tAGMonnn.ini
c:\windows\System32\tAGMonnn.ini2
c:\windows\System32\tudjsjkk.ini
c:\windows\system32\tyjjnj.dll
c:\windows\System32\ubdnftbx.ini
c:\windows\system32\upkxbwtw.exe
c:\windows\system32\urhmmlre.dll
c:\windows\System32\utjfcvdh.ini
c:\windows\System32\vavnberp.ini
c:\windows\system32\vtUmJDvV.dll
c:\windows\system32\vvvzrq.dll
c:\windows\system32\vxhwbv.dll
c:\windows\system32\wapsiioj.exe
c:\windows\system32\wasknsuf.dll
c:\windows\system32\wowoflea.exe
c:\windows\system32\xakysqqb.dll
c:\windows\system32\xcbfbpok.exe
c:\windows\system32\xflhotiv.dll
c:\windows\System32\xippdppd.ini
c:\windows\system32\xwxvjdyd.dll
c:\windows\system32\xXPgfGVn.dll
c:\windows\system32\ydspiw.dll
c:\windows\system32\yoshlgfg.ini
c:\windows\system32\ypxbct.dll

.
((((((((((((((((((((((((( Files Created from 2008-10-04 to 2008-11-04 )))))))))))))))))))))))))))))))
.

2008-11-04 11:26 . 2008-11-04 11:26 <DIR> d-------- C:\A
2008-11-04 11:03 . 2008-11-04 11:03 147,456 --a------ c:\users\Waterproof\vbzip10.dll
2008-11-04 11:03 . 2008-11-04 11:03 115,968 --a------ c:\users\Waterproof\a.zip
2008-11-04 10:59 . 2008-11-04 10:59 <DIR> d-------- c:\users\Waterproof\Bluetooth Software
2008-11-04 10:59 . 2008-11-04 10:59 48,128 --a------ c:\users\Waterproof\index.exe
2008-11-03 16:17 . 2008-11-03 16:17 <DIR> d-------- c:\program files\Xvid
2008-11-03 16:17 . 2008-04-27 10:33 765,952 --a------ c:\windows\System32\xvidcore.dll
2008-11-03 16:17 . 2008-04-27 10:35 180,224 --a------ c:\windows\System32\xvidvfw.dll
2008-11-03 16:17 . 2007-06-28 18:55 77,824 --a------ c:\windows\System32\xvid.ax
2008-11-01 04:16 . 2008-11-01 04:16 178,176 --a------ c:\windows\System32\dgphjrotblgplm.dll
2008-10-30 12:41 . 2008-10-30 12:41 244 --ah----- C:\sqmnoopt02.sqm
2008-10-30 12:41 . 2008-10-30 12:41 232 --ah----- C:\sqmdata02.sqm
2008-10-15 13:26 . 2008-10-15 13:26 268 --ah----- C:\sqmdata01.sqm
2008-10-15 13:26 . 2008-10-15 13:26 244 --ah----- C:\sqmnoopt01.sqm
2008-10-15 10:58 . 2008-11-04 02:13 <DIR> d-------- c:\windows\System32\ws2
2008-10-15 10:58 . 2008-10-15 10:58 <DIR> d-------- c:\windows\System32\ti
2008-10-15 10:58 . 2008-10-15 10:58 <DIR> d-------- c:\temp\xp34
2008-10-15 10:58 . 2008-11-04 06:21 77,918 --a------ c:\windows\System32\whcuimxzciqlq.exe
2008-10-06 16:36 . 2008-10-06 16:36 <DIR> d-------- c:\users\Waterproof\AppData\Roaming\InterVideo
2008-10-04 02:01 . 2008-10-04 02:01 <DIR> d-------- c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-04 02:01 . 2008-10-04 02:01 <DIR> d-------- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-04 02:01 . 2008-10-04 02:01 <DIR> d-------- c:\program files\iTunes
2008-10-04 02:01 . 2008-10-04 02:01 <DIR> d-------- c:\program files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-04 16:28 --------- d-----w c:\users\Waterproof\AppData\Roaming\OpenOffice.org2
2008-11-04 16:03 --------- d-----w c:\users\Waterproof\AppData\Roaming\LimeWire
2008-11-04 11:13 --------- d-----w c:\program files\Trillian
2008-10-27 18:13 --------- d-----w c:\program files\Full Tilt Poker
2008-10-10 00:12 --------- d-----w c:\users\Waterproof\AppData\Roaming\HP
2008-10-06 14:26 --------- d-----w c:\program files\Java
2008-09-25 02:27 --------- d-----w c:\users\Waterproof\AppData\Roaming\vusbsp
2008-09-25 02:27 --------- d-----w c:\programdata\HP Product Assistant
2008-09-20 19:45 --------- d-----w c:\programdata\PopCap
2008-09-20 19:43 --------- d-----w c:\program files\PopCap Games
2008-09-13 03:23 --------- d-----w c:\program files\QuickTime
2008-09-13 03:23 --------- d-----w c:\program files\Common Files\Apple
2008-09-12 03:03 --------- d-----w c:\program files\Windows Live
2008-09-12 02:51 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-09-12 02:47 --------- d-----w c:\programdata\WLInstaller
2008-09-10 13:27 --------- d-----w c:\programdata\Symantec
2008-09-10 13:27 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-09-08 05:34 --------- d-----w c:\users\Waterproof\AppData\Roaming\Lenovo
2008-08-29 14:18 87,336 ----a-w c:\windows\System32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w c:\windows\System32\dnssd.dll
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
2007-01-10 17:15 282,638 ----a-w c:\users\Waterproof\Setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27F25AFF-07DC-7066-F46D-3A42DDD1018E}]
2008-11-01 04:16 178176 --a------ c:\windows\system32\dgphjrotblgplm.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-20 1233920]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-11-29 59168]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2007-12-06 324896]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2007-12-06 214576]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-05 820520]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 243248]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-07-09 1282048]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-01-08 536576]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-04-26 120368]
"CameraApplicationLauncher"="c:\program files\Lenovo\Camera Center\bin\CameraApplicationLaunchpadLauncher.exe" [2007-08-22 16384]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 419112]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 124200]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"mpafamacwzx"="c:\windows\system32\dgphjrotblgplm.dll" [2008-11-01 178176]

c:\users\Waterproof\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2007-03-29 719664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1433960662-359803117-349027270-1005]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{994FB1BF-3B05-4D3D-B5A8-9A32BCCF60A5}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{BE81EE69-8783-4988-9E64-1E7EEF70F978}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{7C7F5A76-6079-467B-8A18-0B4B8195A91B}"= UDP:c:\windows\System32\lxbacoms.exe:Lexmark Communications System
"{40817FE4-D1BA-4B82-8A08-7606601ADE11}"= TCP:c:\windows\System32\lxbacoms.exe:Lexmark Communications System
"{66C31868-57A6-4001-895D-4B71027CD110}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxbapswx.exe:Printer Status Window
"{FAC413EC-B54E-4BB2-8CEE-B374023EB1B0}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxbapswx.exe:Printer Status Window
"TCP Query User{9683E431-E588-4A52-BCA4-197F24D2E82B}c:\\users\\waterproof\\appdata\\local\\temp\\vusbsp\\vonagetalkusb.exe"= UDP:c:\users\waterproof\appdata\local\temp\vusbsp\vonagetalkusb.exe:vonagetalkusb.exe
"UDP Query User{940D550F-8105-4A8D-A052-4E74FF4FED5F}c:\\users\\waterproof\\appdata\\local\\temp\\vusbsp\\vonagetalkusb.exe"= TCP:c:\users\waterproof\appdata\local\temp\vusbsp\vonagetalkusb.exe:vonagetalkusb.exe
"TCP Query User{4FADB00A-E2A5-4F21-A71E-A7CD2B4AFCBB}c:\\users\\waterproof\\appdata\\roaming\\vusbsp\\vonagetalkusb.exe"= UDP:c:\users\waterproof\appdata\roaming\vusbsp\vonagetalkusb.exe:vonagetalkusb.exe
"UDP Query User{8981B39C-2F8E-4123-BF42-C6D3C6F9C73F}c:\\users\\waterproof\\appdata\\roaming\\vusbsp\\vonagetalkusb.exe"= TCP:c:\users\waterproof\appdata\roaming\vusbsp\vonagetalkusb.exe:vonagetalkusb.exe
"{617C5A68-B086-462A-9BE7-08B3F5BA67C5}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{6B0A4DC4-9C19-43F9-804C-C1E904D0FFEF}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{365DD8CC-F926-49A3-993A-1297672A7117}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{976D515E-E2BC-4040-8BBF-D2D3A4E8D25A}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{898A948D-841A-47F8-ABFB-1EFC939CABB3}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{8D685019-8334-40F3-A2D4-38163DFCD119}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{A98782BD-8C4D-4F79-B6D6-105C9872D92A}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{08348A5B-3772-4C13-BC12-E048CBFC5423}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{DF39095D-DF41-4712-87DB-09B714EB1D74}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{25EBD56A-6227-4298-A225-9CB8A4D1B32F}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{4F7D0682-F6B6-400B-9137-5DC89D4CC714}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{76486E61-FAE2-455A-B522-E81D9BE308D4}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{F95EED90-5805-46AF-898F-94DF14996AFE}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{7763661D-3D1A-4123-959D-8679A847D5CB}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{009D7874-056C-4F46-8339-5745209EBDFD}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{FA08B81B-5398-4827-85B5-63AB31FCC68D}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"TCP Query User{2AD5DD5B-B32E-4593-A57F-26F4B37A2957}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{8534ABF4-7562-4E56-8087-B0301C6450C9}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{D57F6772-8A7E-4424-B43C-E7BE3234BC42}c:\\users\\waterproof\\appdata\\roaming\\vusbsp\\vonagetalkusb.exe"= UDP:c:\users\waterproof\appdata\roaming\vusbsp\vonagetalkusb.exe:vonagetalkusb.exe
"UDP Query User{6C543C89-00DE-481B-8E4C-44B9B4172C4F}c:\\users\\waterproof\\appdata\\roaming\\vusbsp\\vonagetalkusb.exe"= TCP:c:\users\waterproof\appdata\roaming\vusbsp\vonagetalkusb.exe:vonagetalkusb.exe
"{4F9235DC-F1E6-4225-9B85-548948C8B522}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{87993095-9E5E-4AFC-929B-BADAA063001B}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{E60A9797-7CEA-4C05-8373-050D041465A9}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{34A78E33-7B60-4E82-973F-DCF3E689E0EF}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{952AC365-C224-41A7-AC88-56D840DC8415}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{2BBBF744-CE81-47F0-BCFE-1CFDC185E1BA}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{84509A37-3EF1-4BAD-9847-E74D530677C5}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

R0 Shockprf;Shockprf;c:\windows\system32\DRIVERS\Apsx86.sys [2007-10-16 103472]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\DRIVERS\ApsHM86.sys [2007-10-16 19504]
R1 DLARTL_M;DLARTL_M;c:\windows\system32\Drivers\DLARTL_M.SYS [2007-02-08 28120]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2006-08-30 13744]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\Tppwr32v.sys [2007-12-06 12080]
R3 btwaudio;Bluetooth Audio Device Service;c:\windows\system32\drivers\btwaudio.sys [2007-03-29 79664]
R3 btwavdt;Bluetooth AVDT Service;c:\windows\system32\drivers\btwavdt.sys [2007-02-27 81200]
R3 btwrchid;btwrchid;c:\windows\system32\DRIVERS\btwrchid.sys [2007-02-27 16432]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2007-05-22 30336]
S4 ErrDev;Microsoft Hardware Error Device Driver;c:\windows\system32\drivers\errdev.sys [2008-01-20 6656]
S4 MegaSR;MegaSR;c:\windows\system32\drivers\megasr.sys [2008-01-20 386616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2521d6a4-7ab3-11dd-b260-001fe1d1023f}]
\shell\Auto\command - G:\sal.xls.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\sal.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4aec243b-85f8-11dd-8668-001fe1d1023f}]
\shell\Auto\command - D:\sal.xls.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL D:\sal.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ba55dbe-955c-11dd-9370-001fe1d1023f}]
\shell\Auto\command - D:\sal.xls.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL D:\sal.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ba55dc1-955c-11dd-9370-001fe1d1023f}]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ba55df1-955c-11dd-9370-001fe1d1023f}]
\shell\Auto\command - D:\sal.xls.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL D:\sal.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ba55df4-955c-11dd-9370-001fe1d1023f}]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b64188c-7d98-11dd-a647-002186546e43}]
\shell\Auto\command - D:\sal.xls.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL D:\sal.xls.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-04 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 17:54]

2008-11-04 c:\windows\Tasks\User_Feed_Synchronization-{7D0A9B2B-A02A-4A6B-9DF0-B9E3EEF4E5BB}.job
- c:\windows\system32\msfeedssync.exe [2008-01-20 21:25]
.
- - - - ORPHANS REMOVED - - - -

BHO-{3EF58E31-05ED-4B06-9ECE-AF2DED96A93C} - c:\windows\system32\ssqQkHXn.dll
BHO-{8e30fba5-1c76-4f59-800c-96c7943c79cd} - c:\windows\system32\owqtbw.dll
BHO-{B649276F-EB04-495C-806B-87810387696A} - c:\windows\system32\cbXRKCVp.dll
BHO-{E0DA6733-5C9A-46BC-BA1F-7F4998A173D5} - c:\windows\system32\xxyabbAS.dll
HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
HKCU-Run-Host Process - c:\users\Waterproof\svchost.exe
HKLM-Run-DiskeeperSystray - c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe
HKLM-Run-MSServer - c:\windows\system32\byXQJDvT.dll
HKLM-Run-e0f3b564 - c:\windows\system32\pmiqnjek.dll
ShellExecuteHooks-{E0DA6733-5C9A-46BC-BA1F-7F4998A173D5} - c:\windows\system32\xxyabbAS.dll
ShellExecuteHooks-{C31C05B4-0A01-4DC2-8E5E-0315459F508E} - c:\windows\system32\byXQJDvT.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\users\Waterproof\AppData\Roaming\Mozilla\Firefox\Profiles\qwhnxym8.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - http://www.google.com
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-04 11:25:17
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\WATERP~1\AppData\Local\Temp\FXSAPIDebugLogFile.txt 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\ibmpmsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\windows\System32\AEADISRV.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\windows\System32\lxbacoms.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.exe
c:\program files\Lenovo\HOTKEY\TPHKSVC.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\System32\rundll32.exe
c:\program files\ThinkPad\Utilities\EZEJMNAP.EXE
c:\program files\ThinkVantage\PrdCtr\LPMGR.EXE
c:\windows\System32\igfxsrvc.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\ZOOM\TpScrex.exe
c:\program files\Synaptics\SynTP\SynTPLpr.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\OpenOffice.org 2.4\program\soffice.exe
c:\program files\OpenOffice.org 2.4\program\soffice.bin
c:\program files\ThinkPad\Bluetooth Software\BTStackServer.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-11-04 11:35:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-04 16:35:04
ComboFix2.txt 2008-09-04 18:07:21

Pre-Run: 36,600,950,784 bytes free
Post-Run: 36,650,758,144 bytes free

362 --- E O F --- 2008-10-11 01:53:33




32 Bit HP CIO Components Installer
Access Help
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 8
Adobe Shockwave Player 11
AltoMP3 Gold 5.20
Apple Mobile Device Support
Apple Software Update
Bonjour
BufferChm
Camera Center
Cards_Calendar_OrderGift_DoMorePlugout
Client Security Solution
Compatibility Pack for the 2007 Office system
Copy
CustomerResearchQFolder
Destination Component
DeviceDiscovery
DeviceManagementQFolder
Diskeeper Home
DIY Writer
DocProc
DocProcQFolder
Drag-to-Disc
eSupportQFolder
Fax
Full Tilt Poker
GPBaseService
Help Center
HijackThis 2.0.2
HP Customer Participation Program 10.0
HP Imaging Device Functions 10.0
HP Photosmart C4340 All-In-One Driver Software 10.0 Rel .3
HP Photosmart Essential 2.5
HP Smart Web Printing
HP Solution Center 10.0
HP Update
HPPhotoSmartPhotobookWebPack1
HPProductAssistant
HPSSupply
Integrated Camera
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
InterVideo Register Manager
InterVideo WinDVD
iTunes
Java(TM) 6 Update 7
Lenovo Registration
Lenovo System Interface Driver
Lexmark X5100 Series
Maintenance Manager
MarketResearch
Message Center
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB929729)
Microsoft Office 2000 SR-1 Small Business
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
MobileMe Control Panel
Mozilla Firefox (3.0.3)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
Multimedia Center For Think Offerings
OCR Software by I.R.I.S. 10.0
On Screen Display
OpenOffice.org 2.4
PanoStandAlone
PC-Doctor 5 for Windows
Picasa 2
PopCap Browser Plugin
Presentation Director
Productivity Center Supplement for ThinkPad
PS_AIO_03_C4340_ProductContext
PS_AIO_03_C4340_Software
PS_AIO_03_C4340_Software_Min
PSSWCORE
QuickTime
Registry patch for Windows Vista USB S3 PM Enablement
Registry patch of Changing Timing of IDLE IRP by Finger Print Driver for Windows Vista
Registry Patch of Enabling Device Initiated Power Management(DIPM) on SATA for Windows Vista
Registry patch to improve USB device detection on resume from sleep for Windows Vista
Rescue and Recovery
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.52.02
RON Tool Innbanner
Safari
Scan
Security Update for CAPICOM (KB931906)
Shop for HP Supplies
sip
SmartWebPrintingOC
SolutionCenter
Sonic Icons for Lenovo
SoundMAX
Spybot - Search & Destroy
Status
System Migration Assistant
System Update
ThinkPad Bluetooth with Enhanced Data Rate Software 6.0.1.4900
ThinkPad EasyEject Utility
ThinkPad FullScreen Magnifier
ThinkPad Hotkey Features Setup
ThinkPad Mobility Center Customization
ThinkPad Modem
ThinkPad Power Management Driver
ThinkPad Power Manager
ThinkPad UltraNav Driver
ThinkPad UltraNav Utility
Thinkpad Wireless LAN Adapters Software (11a/b/g/n)
ThinkVantage Access Connections
ThinkVantage Active Protection System
ThinkVantage Productivity Center
ThinkVantage Technologies Welcome Message
Toolbox
TrayApp
Trillian
UnloadSupport
VideoToolkit01
VitalSource Bookshelf
Wallpapers
WebReg
Windows Driver Package - Intel (e1express) Net (04/26/2007 9.7.240.0)
Windows Driver Package - Intel (iaStor) hdc (02/12/2007 7.0.0.1020)
Windows Driver Package - Intel hdc (11/15/2006 8.2.0.1011)
Windows Driver Package - Intel hdc (12/06/2006 6.8.0.3002)
Windows Driver Package - Intel System (09/15/2006 7.0.0.1011)
Windows Driver Package - Intel System (09/15/2006 8.0.0.1008)
Windows Driver Package - Intel System (09/15/2006 8.0.0.1010)
Windows Driver Package - Intel System (09/15/2006 8.2.0.1000)
Windows Driver Package - Intel USB (09/15/2006 8.0.0.1008)
Windows Driver Package - Lenovo (IBMPMDRV) System (05/31/2007 1.43)
Windows Driver Package - Ricoh Company MMC Host Controller (08/08/2007 6.00.03.02)
Windows Driver Package - Ricoh Company MS Host Controller (07/30/2007 6.00.01.11)
Windows Driver Package - Ricoh Company xD Host Controller (07/30/2007 6.00.01.13)
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Xvid 1.1.3 final uninstall


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:31 AM, on 11/4/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ThinkPad\Bluetooth Software\BtStackServer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: innbanner browser enhancer - {27F25AFF-07DC-7066-F46D-3A42DDD1018E} - C:\Windows\system32\dgphjrotblgplm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [CameraApplicationLauncher] C:\Program Files\Lenovo\Camera Center\bin\CameraApplicationLaunchpadLauncher.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [mpafamacwzx] C:\Windows\System32\regsvr32.exe /s "C:\Windows\system32\dgphjrotblgplm.dll"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://c:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Diskeeper - Unknown owner - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\Windows\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: lxba_device - - C:\Windows\system32\lxbacoms.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Unknown owner - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10960 bytes
effingcow

Re: Topic posted for EffingCow

Unread postby effingcow » November 4th, 2008, 2:11 pm

I was wondering what the odds are that my keystrokes have been read? What percentage of people with backdoors get their identities stolen?
effingcow

Re: Topic posted for EffingCow

Unread postby ndmmxiaomayi » November 5th, 2008, 10:29 am

Hi effingcow,

I was wondering what the odds are that my keystrokes have been read? What percentage of people with backdoors get their identities stolen?


I can't tell; however, here's a rough gauge - http://www.privacyrights.org/ar/idtheftsurveys.htm

Here's a whitepaper by McAfee which offers some details - http://www.mcafee.com/us/local_content/white_papers/wp_id_theft_en.pdf

Other papers (slightly old, but still relevant) that you may find useful:

http://www.antiphishing.org/reports/APWG_CrimewareReport.pdf
http://www.cippic.ca/documents/bulletins/Techniques.pdf




Step 1

Please open Notepad and copy and paste the following from the Code box into Notepad:

Code:
http://malwareremoval.com/forum/viewtopic.php?f=11&t=36228

Suspect::
c:\users\Waterproof\a.zip
c:\users\Waterproof\index.exe
c:\users\Waterproof\Setup.exe

Collect::
c:\windows\System32\dgphjrotblgplm.dll
c:\windows\System32\whcuimxzciqlq.exe

DirLook::
C:\A
c:\windows\System32\ws2
c:\windows\System32\ti
c:\temp\xp34

File::
c:\users\Waterproof\vbzip10.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27F25AFF-07DC-7066-F46D-3A42DDD1018E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mpafamacwzx"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{9683E431-E588-4A52-BCA4-197F24D2E82B}c:\\users\\waterproof\\appdata\\local\\temp\\vusbsp\\vonagetalkusb.exe"=-
"UDP Query User{940D550F-8105-4A8D-A052-4E74FF4FED5F}c:\\users\\waterproof\\appdata\\local\\temp\\vusbsp\\vonagetalkusb.exe"=-
"TCP Query User{4FADB00A-E2A5-4F21-A71E-A7CD2B4AFCBB}c:\\users\\waterproof\\appdata\\roaming\\vusbsp\\vonagetalkusb.exe"=-
"UDP Query User{8981B39C-2F8E-4123-BF42-C6D3C6F9C73F}c:\\users\\waterproof\\appdata\\roaming\\vusbsp\\vonagetalkusb.exe"=-
"TCP Query User{D57F6772-8A7E-4424-B43C-E7BE3234BC42}c:\\users\\waterproof\\appdata\\roaming\\vusbsp\\vonagetalkusb.exe"=-
"UDP Query User{6C543C89-00DE-481B-8E4C-44B9B4172C4F}c:\\users\\waterproof\\appdata\\roaming\\vusbsp\\vonagetalkusb.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2521d6a4-7ab3-11dd-b260-001fe1d1023f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4aec243b-85f8-11dd-8668-001fe1d1023f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ba55dbe-955c-11dd-9370-001fe1d1023f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ba55df1-955c-11dd-9370-001fe1d1023f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b64188c-7d98-11dd-a647-002186546e43}]


Warning: The above script is just for effingcow. If you are not effingcow, please do not use this script as it may damage the workings of your system.

Click on File > Save As....

In the File Name field, copy and paste in CFScript.txt. Do not change the file name.

Click Save.

Referring to the picture below, drag CFScript into Combofix.


Combofix will start running. When done, a log will be produced. Please post this log in your next reply.

In addition, it will prompt you to submit some files for analysis.


Click OK.

Your web browser (by default it's Internet Explorer) will open.

Please refer to the image below to submit the file for analysis.


Do not mouse click on Combofix while it is running. That may cause it to stall.

Step 2

  1. Right click on the Start menu and select Explore.
  2. Click on Tools > Folder Options....
  3. Select the View tab.
  4. Under Hidden files and folders, select Show hidden files and folders.
  5. Uncheck (untick) these two boxes:
      Hide extensions for known file types
      Hide protected operating system files (Recommended)
  6. Click Yes when Windows prompts.
  7. Click OK to apply the settings.

Step 3

Plug in your flash drive.

Delete this file if present - sal.xls.exe

Repeat for all the flash drives that you have.

Step 4

  1. Click on Start > Settings > Control Panel.
  2. Double click on Programs and Features.
  3. Select Full Tilt Poker and click on Uninstall to uninstall it.
  4. Close the Control Panel window.

Here's a list of safe Poker sites:

http://www.pokerstars.net/ - This is a free to use/play site.
http://www.pokerstars.com/ - This is the paid for version.

Here's a list of bad Poker sites:

viewtopic.php?f=4&t=23145

Step 5

There is no sign of an antivirus installed on your system. There are several possible reasons for this. Either you have disabled your antivirus, or there is no antivirus installed.

If you have disabled it, please re-enable it. If you have no antivirus installed, please get ONE antivirus and install it. Restart the computer for changes to take effect.

AntiVir Free Edition
avast! 4 Home Edition
PC Tools AntiVirus

In your next reply, please post:

  1. Combofix log (C:\Combofix.txt)
  2. A new HijackThis log
ndmmxiaomayi
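An added example (not part of the thread, and not ComboFix's or the helper's own code): a small Python triage script for the MountPoints2 section of a ComboFix log like the one posted above. It parses each mountpoints2 key and its \shell\<verb>\command lines, flags the two tells visible in this log (a double-extension payload such as sal.xls.exe, and a payload fronted by rundll32 Shell32.DLL,ShellExec_RunDLL), emits the same [-HKEY_CURRENT_USER\...] deletion lines the CFScript above uses for the flagged keys, and gives a file-name check for the flash-drive cleanup in Step 3. The sample log text is constructed (modelled on the entries in this thread), and the flag codes and function names are this example's own. The U3 launcher entry is left unflagged on purpose: not every autorun handler is malicious, so read the output rather than deleting every key.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the MountPoints2 section of the ComboFix log in
# this thread: a U3 launcher (benign), and two removable-drive GUID keys whose
# Auto/AutoRun verbs launch sal.xls.exe directly and via rundll32 ShellExec_RunDLL.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2521d6a4-7ab3-11dd-b260-001fe1d1023f}]
\shell\Auto\command - G:\sal.xls.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\sal.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b64188c-7d98-11dd-a647-002186546e43}]
\shell\Auto\command - D:\sal.xls.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL D:\sal.xls.exe
.
Contents of the 'Scheduled Tasks' folder
"""

KEY_RE = re.compile(r"^\[(HKEY_CURRENT_USER\\.*\\mountpoints2\\[^\]]+)\]$", re.I)
CMD_RE = re.compile(r"^\\shell\\(\w+)\\command - (.+)$", re.I)
PATH_RE = re.compile(r"[A-Za-z]:\\\S+")
# a document-looking extension with an executable one stacked on it, e.g. sal.xls.exe
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]{2,4}\.(exe|scr|com|pif|bat|cmd)$", re.I)


@dataclass
class AutorunEntry:
    key: str                                      # registry key exactly as printed in the log
    commands: dict = field(default_factory=dict)  # verb (lower-cased) -> command line
    flags: list = field(default_factory=list)     # indicator codes set by assess()

    @property
    def suspicious(self):
        return bool(self.flags)


def parse_mountpoints(log_text):
    """Collect every mountpoints2 key in the log together with its shell verb commands."""
    entries, current = [], None
    for line in log_text.splitlines():
        line = line.rstrip()
        m = KEY_RE.match(line)
        if m:
            current = AutorunEntry(key=m.group(1))
            entries.append(current)
            continue
        if line.startswith("["):      # some other registry key: stop attaching commands
            current = None
            continue
        m = CMD_RE.match(line)
        if m and current is not None:
            current.commands[m.group(1).lower()] = m.group(2)
    return entries


def target_of(command):
    """Last drive-letter path in the command: the real payload even when rundll32 fronts it."""
    paths = PATH_RE.findall(command)
    return paths[-1] if paths else None


def assess(entry):
    """Attach indicator codes; both indicators are exactly what this thread's log shows."""
    codes = set()
    for command in entry.commands.values():
        target = target_of(command)
        if target and DOUBLE_EXT_RE.search(target):
            codes.add("double_extension")
        if "shellexec_rundll" in command.lower():
            codes.add("rundll32_proxy")
    entry.flags = sorted(codes)
    return entry.flags


def triage(log_text):
    entries = parse_mountpoints(log_text)
    for entry in entries:
        assess(entry)
    return entries


def cfscript_registry_block(entries):
    """Registry:: lines in the CFScript form used above: '[-KEY]' deletes the whole key."""
    return ["Registry::"] + [f"[-{e.key}]" for e in entries if e.suspicious]


def payload_names(entries):
    """Bare file names of flagged payloads: what to look for on each flash drive (Step 3)."""
    targets = (target_of(c) for e in entries if e.suspicious for c in e.commands.values())
    return {t.rsplit("\\", 1)[-1] for t in targets if t}


def scan_names(names):
    """Step-3 style check over a drive root's file names (e.g. os.listdir('F:\\'))."""
    return sorted(n for n in names if n.lower() == "autorun.inf" or DOUBLE_EXT_RE.search(n))


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for e in found:
        print(("SUSPECT " if e.suspicious else "ok      ") + e.key, e.flags)
    print("\n".join(cfscript_registry_block(found)))
    print("delete from flash drives:", sorted(payload_names(found)))
```

Run it against a saved ComboFix.txt by reading the file into triage() instead of SAMPLE_LOG; the Registry:: lines it prints are only the mountpoints2 part of a CFScript, and the rest of the helper's script (Suspect::, Collect::, the Run-key removal, EnableLUA) still has to come from a human reading the whole log.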

Re: Topic posted for EffingCow

Unread postby effingcow » November 5th, 2008, 12:18 pm

ComboFix 08-11-04.02 - Waterproof 2008-11-05 10:17:50.7 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.136 [GMT -5:00]
Running from: c:\users\Waterproof\Downloads\ComboFix.exe
Command switches used :: c:\users\Waterproof\Desktop\CFScript.txt

FILE ::
c:\users\Waterproof\vbzip10.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Waterproof\vbzip10.dll
c:\windows\System32\dgphjrotblgplm.dll
c:\windows\System32\whcuimxzciqlq.exe

.
((((((((((((((((((((((((( Files Created from 2008-10-05 to 2008-11-05 )))))))))))))))))))))))))))))))
.

2008-11-05 10:10 . 2008-11-05 10:10 318,976 --a------ c:\windows\System32\CF32671.exe.vir
2008-11-04 16:03 . 2008-11-04 17:57 <DIR> d-------- c:\users\Waterproof\Contacts
2008-11-04 13:44 . 2008-09-18 00:09 3,601,464 --a------ c:\windows\System32\ntkrnlpa.exe
2008-11-04 13:44 . 2008-09-18 00:09 3,549,240 --a------ c:\windows\System32\ntoskrnl.exe
2008-11-04 13:26 . 2008-08-11 22:39 443,392 --a------ c:\windows\System32\win32spl.dll
2008-11-04 13:26 . 2008-09-17 23:56 147,456 --a------ c:\windows\System32\Faultrep.dll
2008-11-04 13:26 . 2008-09-17 23:56 125,952 --a------ c:\windows\System32\wersvc.dll
2008-11-04 13:21 . 2008-09-17 21:16 2,032,640 --a------ c:\windows\System32\win32k.sys
2008-11-04 13:20 . 2008-08-26 20:06 288,768 --a------ c:\windows\System32\drivers\srv.sys
2008-11-04 13:11 . 2008-10-01 20:32 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2008-11-04 13:11 . 2008-10-01 22:49 827,392 --a------ c:\windows\System32\wininet.dll
2008-11-04 11:03 . 2008-11-04 11:03 115,968 --a------ c:\users\Waterproof\a.zip
2008-11-04 10:59 . 2008-11-04 10:59 <DIR> d-------- c:\users\Waterproof\Bluetooth Software
2008-11-04 10:59 . 2008-11-04 10:59 48,128 --a------ c:\users\Waterproof\index.exe
2008-11-03 16:17 . 2008-11-03 16:17 <DIR> d-------- c:\program files\Xvid
2008-11-03 16:17 . 2008-04-27 10:33 765,952 --a------ c:\windows\System32\xvidcore.dll
2008-11-03 16:17 . 2008-04-27 10:35 180,224 --a------ c:\windows\System32\xvidvfw.dll
2008-11-03 16:17 . 2007-06-28 18:55 77,824 --a------ c:\windows\System32\xvid.ax
2008-10-30 12:41 . 2008-10-30 12:41 244 --ah----- C:\sqmnoopt02.sqm
2008-10-30 12:41 . 2008-10-30 12:41 232 --ah----- C:\sqmdata02.sqm
2008-10-15 13:26 . 2008-10-15 13:26 268 --ah----- C:\sqmdata01.sqm
2008-10-15 13:26 . 2008-10-15 13:26 244 --ah----- C:\sqmnoopt01.sqm
2008-10-15 10:58 . 2008-11-04 02:13 <DIR> d-------- c:\windows\System32\ws2
2008-10-15 10:58 . 2008-10-15 10:58 <DIR> d-------- c:\windows\System32\ti
2008-10-15 10:58 . 2008-10-15 10:58 <DIR> d-------- c:\temp\xp34
2008-10-06 16:36 . 2008-10-06 16:36 <DIR> d-------- c:\users\Waterproof\AppData\Roaming\InterVideo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-05 13:15 --------- d-----w c:\users\Waterproof\AppData\Roaming\OpenOffice.org2
2008-11-05 12:44 --------- d-----w c:\program files\Windows Mail
2008-11-04 16:03 --------- d-----w c:\users\Waterproof\AppData\Roaming\LimeWire
2008-11-04 11:13 --------- d-----w c:\program files\Trillian
2008-10-27 18:13 --------- d-----w c:\program files\Full Tilt Poker
2008-10-10 00:12 --------- d-----w c:\users\Waterproof\AppData\Roaming\HP
2008-10-06 14:26 --------- d-----w c:\program files\Java
2008-10-04 07:01 --------- d-----w c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-04 07:01 --------- d-----w c:\program files\iTunes
2008-10-04 07:01 --------- d-----w c:\program files\iPod
2008-09-25 02:27 --------- d-----w c:\users\Waterproof\AppData\Roaming\vusbsp
2008-09-25 02:27 --------- d-----w c:\programdata\HP Product Assistant
2008-09-20 19:45 --------- d-----w c:\programdata\PopCap
2008-09-20 19:43 --------- d-----w c:\program files\PopCap Games
2008-09-13 03:23 --------- d-----w c:\program files\QuickTime
2008-09-13 03:23 --------- d-----w c:\program files\Common Files\Apple
2008-09-12 03:03 --------- d-----w c:\program files\Windows Live
2008-09-12 02:51 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-09-12 02:47 --------- d-----w c:\programdata\WLInstaller
2008-09-10 13:27 --------- d-----w c:\programdata\Symantec
2008-09-10 13:27 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-09-08 05:34 --------- d-----w c:\users\Waterproof\AppData\Roaming\Lenovo
2008-08-29 14:18 87,336 ----a-w c:\windows\System32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w c:\windows\System32\dnssd.dll
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
2007-01-10 17:15 282,638 ----a-w c:\users\Waterproof\Setup.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\A ----

c:\a\

---- Directory of c:\temp\xp34 ----

2008-10-15 10:58 1858 --a------ c:\temp\xp34\cPH.log

---- Directory of c:\windows\System32\ti ----

2008-10-15 01:41 190257 --a------ c:\windows\System32\ti\RFV77i37.exe

---- Directory of c:\windows\System32\ws2 ----



((((((((((((((((((((((((((((( snapshot@2008-11-04_11.33.51.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-05 15:15:57 6,291,456 ----a-w c:\windows\erdnt\Hiv-backup\SCHEMA.DAT
- 2008-09-11 07:02:18 38,240 ----a-r c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2008-11-05 12:35:49 38,240 ----a-r c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
- 2008-11-04 16:24:17 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-11-05 12:46:48 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-11-05 12:46:48 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-11-04 16:24:46 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-11-05 12:52:31 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-11-04 16:24:46 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-11-05 12:51:58 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-11-04 16:10:48 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-11-05 12:51:39 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-11-04 16:10:48 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-05 12:51:39 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-04 16:10:48 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-11-05 12:51:39 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-11-04 16:13:19 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
+ 2008-11-05 15:16:09 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
- 2008-08-04 05:45:47 430,256 ----a-w c:\windows\System32\FNTCACHE.DAT
+ 2008-11-05 12:46:39 430,256 ----a-w c:\windows\System32\FNTCACHE.DAT
- 2008-06-27 04:15:23 6,068,736 ----a-w c:\windows\System32\ieframe.dll
+ 2008-10-02 03:49:14 6,068,736 ----a-w c:\windows\System32\ieframe.dll
- 2008-01-21 02:24:54 270,336 ----a-w c:\windows\System32\iertutil.dll
+ 2008-10-02 03:49:14 270,336 ----a-w c:\windows\System32\iertutil.dll
- 2008-06-27 04:15:24 28,160 ----a-w c:\windows\System32\jsproxy.dll
+ 2008-10-02 03:49:14 28,160 ----a-w c:\windows\System32\jsproxy.dll
- 2008-06-27 04:15:28 64,512 ----a-w c:\windows\System32\migration\WininetPlugin.dll
+ 2008-06-12 03:54:16 64,512 ----a-w c:\windows\System32\migration\WininetPlugin.dll
- 2008-08-26 20:28:12 16,208,504 ----a-w c:\windows\System32\mrt.exe
+ 2008-10-07 19:19:40 16,721,856 ----a-w c:\windows\System32\mrt.exe
- 2008-06-27 04:15:24 3,578,368 ----a-w c:\windows\System32\mshtml.dll
+ 2008-10-02 03:49:15 3,578,880 ----a-w c:\windows\System32\mshtml.dll
- 2008-06-27 04:15:25 671,232 ----a-w c:\windows\System32\mstime.dll
+ 2008-10-02 03:49:16 671,232 ----a-w c:\windows\System32\mstime.dll
- 2008-01-21 02:24:08 466,944 ----a-w c:\windows\System32\netapi32.dll
+ 2008-10-16 04:47:33 466,944 ----a-w c:\windows\System32\netapi32.dll
- 2008-11-04 16:04:10 105,376 ----a-w c:\windows\System32\perfc009.dat
+ 2008-11-05 12:57:41 105,376 ----a-w c:\windows\System32\perfc009.dat
- 2008-11-04 16:04:10 604,452 ----a-w c:\windows\System32\perfh009.dat
+ 2008-11-05 12:57:41 604,452 ----a-w c:\windows\System32\perfh009.dat
- 2008-09-25 02:28:10 6,291,456 ----a-w c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2008-11-05 13:03:47 6,291,456 ----a-w c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2008-06-27 04:15:28 1,166,336 ----a-w c:\windows\System32\urlmon.dll
+ 2008-10-02 03:49:19 1,166,336 ----a-w c:\windows\System32\urlmon.dll
- 2008-11-04 16:01:41 8,172 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1433960662-359803117-349027270-1005_UserData.bin
+ 2008-11-05 13:16:15 8,404 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1433960662-359803117-349027270-1005_UserData.bin
- 2008-11-04 16:01:41 88,628 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-11-05 13:15:54 88,644 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-11-04 11:17:19 3,146 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-11-05 12:44:51 3,146 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-11-04 16:01:35 46,312 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-11-05 13:15:35 46,426 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-11-04 00:49:15 348,016 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-11-05 12:32:43 348,016 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2008-09-24 13:15:16 12,855 ----a-w c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2008-11-05 12:44:27 31,090,808 ----a-w c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2008-10-02 03:49:01 124,928 ----a-w c:\windows\winsxs\x86_microsoft-windows-advpack_31bf3856ad364e35_6.0.6000.16757_none_a9b61b23f5cc373c\advpack.dll
+ 2008-10-02 03:25:49 124,928 ----a-w c:\windows\winsxs\x86_microsoft-windows-advpack_31bf3856ad364e35_6.0.6000.20927_none_aa6029990ed1805a\advpack.dll
+ 2008-09-18 04:56:02 147,456 ----a-w c:\windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18145_none_6fe0e04a3ce53cd7\Faultrep.dll
+ 2008-01-21 02:24:31 217,088 ----a-w c:\windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18145_none_6fe0e04a3ce53cd7\WerFault.exe
+ 2008-01-21 02:24:31 860,160 ----a-w c:\windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18145_none_6fe0e04a3ce53cd7\WerFaultSecure.exe
+ 2008-09-20 04:00:23 147,456 ----a-w c:\windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.22271_none_70460c29561ecb18\Faultrep.dll
+ 2008-09-20 04:00:16 217,088 ----a-w c:\windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.22271_none_70460c29561ecb18\WerFault.exe
+ 2008-09-20 04:00:16 860,160 ----a-w c:\windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.22271_none_70460c29561ecb18\WerFaultSecure.exe
+ 2008-09-18 04:56:07 125,952 ----a-w c:\windows\winsxs\x86_microsoft-windows-feedback-service_31bf3856ad364e35_6.0.6001.18145_none_79a5b70991018b47\wersvc.dll
+ 2008-09-20 04:00:26 125,952 ----a-w c:\windows\winsxs\x86_microsoft-windows-feedback-service_31bf3856ad364e35_6.0.6001.22271_none_7a0ae2e8aa3b1988\wersvc.dll
+ 2008-10-02 03:49:05 44,544 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..ablenetworkgraphics_31bf3856ad364e35_6.0.6000.16757_none_ebb124d316651d3b\pngfilt.dll
+ 2008-10-02 03:30:07 44,544 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..ablenetworkgraphics_31bf3856ad364e35_6.0.6000.20927_none_ec5b33482f6a6659\pngfilt.dll
+ 2008-10-02 03:49:06 1,159,680 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_6.0.6000.16757_none_b2cdcd85d9c5949f\urlmon.dll
+ 2008-10-02 03:30:37 1,162,752 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_6.0.6000.20927_none_b377dbfaf2caddbd\urlmon.dll
+ 2008-10-02 03:49:19 1,166,336 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_6.0.6001.18148_none_b4bfdc61d6e322f6\urlmon.dll
+ 2008-10-02 03:34:49 1,166,848 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_6.0.6001.22278_none_b5290968f0191693\urlmon.dll
+ 2008-10-02 03:49:04 671,232 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..mlrenderingadvanced_31bf3856ad364e35_6.0.6000.16757_none_deb05c4e7f6e540e\mstime.dll
+ 2008-10-02 03:28:20 671,232 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..mlrenderingadvanced_31bf3856ad364e35_6.0.6000.20927_none_df5a6ac398739d2c\mstime.dll
+ 2008-10-02 03:49:16 671,232 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..mlrenderingadvanced_31bf3856ad364e35_6.0.6001.18148_none_e0a26b2a7c8be265\mstime.dll
+ 2008-10-02 03:34:46 671,232 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..mlrenderingadvanced_31bf3856ad364e35_6.0.6001.22278_none_e10b983195c1d602\mstime.dll
+ 2008-10-02 03:49:02 27,648 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.16757_none_ffd3a927a4cebb32\jsproxy.dll
+ 2008-10-02 03:49:06 826,368 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.16757_none_ffd3a927a4cebb32\wininet.dll
+ 2008-10-02 03:49:06 64,512 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.16757_none_ffd3a927a4cebb32\WininetPlugin.dll
+ 2008-10-02 03:27:01 27,648 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.20927_none_007db79cbdd40450\jsproxy.dll
+ 2008-10-02 03:30:45 827,904 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.20927_none_007db79cbdd40450\wininet.dll
+ 2008-10-02 03:30:45 64,512 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.20927_none_007db79cbdd40450\WininetPlugin.dll
+ 2008-10-02 03:49:14 28,160 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.18148_none_01c5b803a1ec4989\jsproxy.dll
+ 2008-10-02 03:49:19 827,392 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.18148_none_01c5b803a1ec4989\wininet.dll
+ 2008-06-12 03:54:16 64,512 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.18148_none_01c5b803a1ec4989\WininetPlugin.dll
+ 2008-10-02 03:34:46 28,160 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.22278_none_022ee50abb223d26\jsproxy.dll
+ 2008-10-02 03:34:49 827,904 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.22278_none_022ee50abb223d26\wininet.dll
+ 2008-10-02 03:34:49 64,512 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.22278_none_022ee50abb223d26\WininetPlugin.dll
+ 2008-01-21 02:24:46 2,455,488 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_6.0.6000.16757_none_f97ccc016eba3585\ieapfltr.dat
+ 2008-10-02 03:49:02 383,488 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_6.0.6000.16757_none_f97ccc016eba3585\ieapfltr.dll
+ 2008-01-21 02:24:46 2,455,488 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_6.0.6000.20927_none_fa26da7687bf7ea3\ieapfltr.dat
+ 2008-10-02 03:26:47 380,928 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_6.0.6000.20927_none_fa26da7687bf7ea3\ieapfltr.dll
+ 2008-10-02 03:49:02 347,136 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-directxtransforms_31bf3856ad364e35_6.0.6000.16757_none_95b104b9849fbbb3\dxtmsft.dll
+ 2008-10-02 03:49:02 214,528 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-directxtransforms_31bf3856ad364e35_6.0.6000.16757_none_95b104b9849fbbb3\dxtrans.dll
+ 2008-10-02 03:26:19 347,136 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-directxtransforms_31bf3856ad364e35_6.0.6000.20927_none_965b132e9da504d1\dxtmsft.dll
+ 2008-10-02 03:26:20 214,528 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-directxtransforms_31bf3856ad364e35_6.0.6000.20927_none_965b132e9da504d1\dxtrans.dll
+ 2008-10-02 03:49:03 477,696 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-htmlediting_31bf3856ad364e35_6.0.6000.16757_none_46139f1146606e40\mshtmled.dll
+ 2008-10-02 03:27:54 477,696 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-htmlediting_31bf3856ad364e35_6.0.6000.20927_none_46bdad865f65b75e\mshtmled.dll
+ 2008-10-02 03:49:03 3,593,216 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6000.16757_none_112dc84625252468\mshtml.dll
+ 2008-10-02 03:27:54 3,594,752 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6000.20927_none_11d7d6bb3e2a6d86\mshtml.dll
+ 2008-10-02 03:49:15 3,578,880 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6001.18148_none_131fd7222242b2bf\mshtml.dll
+ 2008-10-02 03:34:46 3,579,392 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6001.22278_none_138904293b78a65c\mshtml.dll
+ 2008-10-02 03:49:02 63,488 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-infocard_31bf3856ad364e35_6.0.6000.16757_none_588635106739b071\icardie.dll
+ 2008-10-02 03:26:46 63,488 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-infocard_31bf3856ad364e35_6.0.6000.20927_none_59304385803ef98f\icardie.dll
+ 2008-10-02 03:48:32 26,624 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16757_none_2d4cb5b31cfa2a15\ieUnatt.exe
+ 2008-10-02 03:50:01 633,632 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16757_none_2d4cb5b31cfa2a15\iexplore.exe
+ 2008-10-02 01:18:42 26,624 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20927_none_2df6c42835ff7333\ieUnatt.exe
+ 2008-10-02 03:32:01 633,632 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20927_none_2df6c42835ff7333\iexplore.exe
+ 2008-10-02 03:49:02 267,776 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6000.16757_none_458e60038f7fd98f\iertutil.dll
+ 2008-10-02 03:49:06 134,144 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6000.16757_none_458e60038f7fd98f\sqmapi.dll
+ 2008-10-02 03:26:48 267,776 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6000.20927_none_46386e78a88522ad\iertutil.dll
+ 2008-10-02 03:30:30 134,144 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6000.20927_none_46386e78a88522ad\sqmapi.dll
+ 2008-10-02 03:49:14 270,336 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6001.18148_none_47806edf8c9d67e6\iertutil.dll
+ 2008-01-21 02:24:54 129,536 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6001.18148_none_47806edf8c9d67e6\sqmapi.dll
+ 2008-10-02 03:34:45 270,848 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6001.22278_none_47e99be6a5d35b83\iertutil.dll
+ 2008-10-02 03:34:48 129,536 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6001.22278_none_47e99be6a5d35b83\sqmapi.dll
+ 2008-10-02 03:48:32 70,656 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.16757_none_c3bb6ace6174f2ba\ie4uinit.exe
+ 2008-10-02 03:49:02 44,544 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.16757_none_c3bb6ace6174f2ba\iernonce.dll
+ 2008-10-02 03:49:02 56,320 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.16757_none_c3bb6ace6174f2ba\iesetup.dll
+ 2008-10-02 01:18:33 70,656 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.20927_none_c46579437a7a3bd8\ie4uinit.exe
+ 2008-10-02 03:26:48 44,544 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.20927_none_c46579437a7a3bd8\iernonce.dll
+ 2008-10-02 03:26:48 56,320 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.20927_none_c46579437a7a3bd8\iesetup.dll
+ 2008-10-02 03:49:02 52,736 ----a-w c:\windows\winsxs\x86_microsoft-windows-iebrshim_31bf3856ad364e35_6.0.6000.16757_none_29e0813e6824c817\iebrshim.dll
+ 2008-10-02 03:26:47 52,736 ----a-w c:\windows\winsxs\x86_microsoft-windows-iebrshim_31bf3856ad364e35_6.0.6000.20927_none_2a8a8fb3812a1135\iebrshim.dll
+ 2008-10-02 03:49:02 6,066,176 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6000.16757_none_628d2249b11ab295\ieframe.dll
+ 2008-10-02 03:49:02 180,736 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6000.16757_none_628d2249b11ab295\ieui.dll
+ 2008-10-02 03:26:48 6,068,224 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6000.20927_none_633730beca1ffbb3\ieframe.dll
+ 2008-10-02 03:26:48 180,736 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6000.20927_none_633730beca1ffbb3\ieui.dll
+ 2008-10-02 03:49:14 6,068,736 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6001.18148_none_647f3125ae3840ec\ieframe.dll
+ 2008-01-21 02:25:05 180,736 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6001.18148_none_647f3125ae3840ec\ieui.dll
+ 2008-10-02 03:34:45 6,069,760 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6001.22278_none_64e85e2cc76e3489\ieframe.dll
+ 2008-10-02 03:34:45 180,736 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6001.22278_none_64e85e2cc76e3489\ieui.dll
+ 2008-10-02 03:48:32 263,168 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieinstal_31bf3856ad364e35_6.0.6000.16757_none_e6868ec8949e06cd\ieinstal.exe
+ 2008-10-02 01:18:55 263,168 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieinstal_31bf3856ad364e35_6.0.6000.20927_none_e7309d3dada34feb\ieinstal.exe
+ 2008-10-02 03:48:32 301,568 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieuser_31bf3856ad364e35_6.0.6000.16757_none_0b2ec3e4d718c67f\ieuser.exe
+ 2008-10-02 01:18:56 301,568 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieuser_31bf3856ad364e35_6.0.6000.20927_none_0bd8d259f01e0f9d\ieuser.exe
+ 2008-10-16 04:40:36 425,472 ----a-w c:\windows\winsxs\x86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6000.16764_none_8b10fff30496576a\netapi32.dll
+ 2008-10-16 04:22:27 425,984 ----a-w c:\windows\winsxs\x86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6000.20937_none_8bbe0f461d98ec8d\netapi32.dll
+ 2008-10-16 04:47:33 466,944 ----a-w c:\windows\winsxs\x86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.18157_none_8d050f6301b2186f\netapi32.dll
+ 2008-10-16 04:38:26 466,944 ----a-w c:\windows\winsxs\x86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.22288_none_8d6f3cb41ae72563\netapi32.dll
+ 2008-09-15 22:29:31 2,413,072 ----a-w c:\windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.16752_none_f06dce5c6e7a7dc0\OESpamFilter.dat
+ 2008-09-15 22:28:34 2,413,072 ----a-w c:\windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.20919_none_f129aec387715c4e\OESpamFilter.dat
+ 2008-09-15 22:29:55 2,413,072 ----a-w c:\windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.18143_none_f25fdd386b980c17\OESpamFilter.dat
+ 2008-09-15 22:27:41 2,413,072 ----a-w c:\windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.22267_none_f2d7db5384c2491f\OESpamFilter.dat
+ 2008-09-18 04:35:05 3,505,208 ----a-w c:\windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6000.16754_none_6a18166cb7216faf\ntkrnlpa.exe
+ 2008-09-18 04:35:07 3,470,904 ----a-w c:\windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6000.16754_none_6a18166cb7216faf\ntoskrnl.exe
+ 2008-09-18 04:27:45 3,506,744 ----a-w c:\windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6000.20921_none_6abf2403d0296cc8\ntkrnlpa.exe
+ 2008-09-18 04:27:44 3,472,952 ----a-w c:\windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6000.20921_none_6abf2403d0296cc8\ntoskrnl.exe
+ 2008-09-18 05:09:10 3,601,464 ----a-w c:\windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6001.18145_none_6c0a2548b43efe06\ntkrnlpa.exe
+ 2008-09-18 05:09:09 3,549,240 ----a-w c:\windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6001.18145_none_6c0a2548b43efe06\ntoskrnl.exe
+ 2008-09-18 04:54:44 3,601,976 ----a-w c:\windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6001.22269_none_6c822363cd693b0e\ntkrnlpa.exe
+ 2008-09-18 04:54:49 3,549,752 ----a-w c:\windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6001.22269_none_6c822363cd693b0e\ntoskrnl.exe
+ 2008-08-12 03:29:17 37,376 ----a-w c:\windows\winsxs\x86_microsoft-windows-p..ooler-networkclient_31bf3856ad364e35_6.0.6000.16728_none_377f607173cc72c2\printcom.dll
+ 2008-08-12 03:29:18 441,856 ----a-w c:\windows\winsxs\x86_microsoft-windows-p..ooler-networkclient_31bf3856ad364e35_6.0.6000.16728_none_377f607173cc72c2\win32spl.dll
+ 2008-08-12 03:17:47 37,376 ----a-w c:\windows\winsxs\x86_microsoft-windows-p..ooler-networkclient_31bf3856ad364e35_6.0.6000.20893_none_37b84c568d275770\printcom.dll
+ 2008-08-12 03:18:17 444,928 ----a-w c:\windows\winsxs\x86_microsoft-windows-p..ooler-networkclient_31bf3856ad364e35_6.0.6000.20893_none_37b84c568d275770\win32spl.dll
+ 2008-01-21 02:24:47 37,888 ----a-w c:\windows\winsxs\x86_microsoft-windows-p..ooler-networkclient_31bf3856ad364e35_6.0.6001.18119_none_39716f4d70ea0119\printcom.dll
+ 2008-08-12 03:39:08 443,392 ----a-w c:\windows\winsxs\x86_microsoft-windows-p..ooler-networkclient_31bf3856ad364e35_6.0.6001.18119_none_39716f4d70ea0119\win32spl.dll
+ 2008-08-12 03:25:35 37,888 ----a-w c:\windows\winsxs\x86_microsoft-windows-p..ooler-networkclient_31bf3856ad364e35_6.0.6001.22241_none_39d29a048a2729fe\printcom.dll
+ 2008-08-12 03:25:37 443,392 ----a-w c:\windows\winsxs\x86_microsoft-windows-p..ooler-networkclient_31bf3856ad364e35_6.0.6001.22241_none_39d29a048a2729fe\win32spl.dll
+ 2008-08-26 01:12:30 290,304 ----a-w c:\windows\winsxs\x86_microsoft-windows-smbserver-v1_31bf3856ad364e35_6.0.6000.16738_none_d7f8bf26f95e2296\srv.sys
+ 2008-08-27 00:49:12 290,816 ----a-w c:\windows\winsxs\x86_microsoft-windows-smbserver-v1_31bf3856ad364e35_6.0.6000.20904_none_d89ecc7412670658\srv.sys
+ 2008-08-27 01:06:25 288,768 ----a-w c:\windows\winsxs\x86_microsoft-windows-smbserver-v1_31bf3856ad364e35_6.0.6001.18130_none_d9d6fb7cf68be8cf\srv.sys
+ 2008-08-27 00:53:21 288,768 ----a-w c:\windows\winsxs\x86_microsoft-windows-smbserver-v1_31bf3856ad364e35_6.0.6001.22252_none_da4cf9040fb7f329\srv.sys
+ 2008-09-18 02:03:07 2,027,520 ----a-w c:\windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6000.16754_none_b6db2e869d852707\win32k.sys
+ 2008-09-20 01:13:20 2,029,568 ----a-w c:\windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6000.20922_none_b7833c67b68c3d77\win32k.sys
+ 2008-09-18 02:16:28 2,032,640 ----a-w c:\windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6001.18145_none_b8cd3d629aa2b55e\win32k.sys
+ 2008-09-20 01:21:50 2,033,152 ----a-w c:\windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6001.22271_none_b9326941b3dc439f\win32k.sys
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-20 1233920]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-11-29 59168]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2007-12-06 324896]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2007-12-06 214576]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-05 820520]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 243248]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-07-09 1282048]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-01-08 536576]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-04-26 120368]
"CameraApplicationLauncher"="c:\program files\Lenovo\Camera Center\bin\CameraApplicationLaunchpadLauncher.exe" [2007-08-22 16384]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 419112]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 124200]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

c:\users\Waterproof\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2007-03-29 719664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1433960662-359803117-349027270-1005]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{994FB1BF-3B05-4D3D-B5A8-9A32BCCF60A5}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{BE81EE69-8783-4988-9E64-1E7EEF70F978}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{7C7F5A76-6079-467B-8A18-0B4B8195A91B}"= UDP:c:\windows\System32\lxbacoms.exe:Lexmark Communications System
"{40817FE4-D1BA-4B82-8A08-7606601ADE11}"= TCP:c:\windows\System32\lxbacoms.exe:Lexmark Communications System
"{66C31868-57A6-4001-895D-4B71027CD110}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxbapswx.exe:Printer Status Window
"{FAC413EC-B54E-4BB2-8CEE-B374023EB1B0}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxbapswx.exe:Printer Status Window
"{617C5A68-B086-462A-9BE7-08B3F5BA67C5}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{6B0A4DC4-9C19-43F9-804C-C1E904D0FFEF}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{365DD8CC-F926-49A3-993A-1297672A7117}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{976D515E-E2BC-4040-8BBF-D2D3A4E8D25A}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{898A948D-841A-47F8-ABFB-1EFC939CABB3}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{8D685019-8334-40F3-A2D4-38163DFCD119}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{A98782BD-8C4D-4F79-B6D6-105C9872D92A}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{08348A5B-3772-4C13-BC12-E048CBFC5423}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{DF39095D-DF41-4712-87DB-09B714EB1D74}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{25EBD56A-6227-4298-A225-9CB8A4D1B32F}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{4F7D0682-F6B6-400B-9137-5DC89D4CC714}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{76486E61-FAE2-455A-B522-E81D9BE308D4}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{F95EED90-5805-46AF-898F-94DF14996AFE}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{7763661D-3D1A-4123-959D-8679A847D5CB}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{009D7874-056C-4F46-8339-5745209EBDFD}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{FA08B81B-5398-4827-85B5-63AB31FCC68D}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"TCP Query User{2AD5DD5B-B32E-4593-A57F-26F4B37A2957}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{8534ABF4-7562-4E56-8087-B0301C6450C9}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"{4F9235DC-F1E6-4225-9B85-548948C8B522}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{87993095-9E5E-4AFC-929B-BADAA063001B}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{E60A9797-7CEA-4C05-8373-050D041465A9}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{34A78E33-7B60-4E82-973F-DCF3E689E0EF}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{952AC365-C224-41A7-AC88-56D840DC8415}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{2BBBF744-CE81-47F0-BCFE-1CFDC185E1BA}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{84509A37-3EF1-4BAD-9847-E74D530677C5}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

R0 Shockprf;Shockprf;c:\windows\system32\DRIVERS\Apsx86.sys [2007-10-16 103472]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\DRIVERS\ApsHM86.sys [2007-10-16 19504]
R1 DLARTL_M;DLARTL_M;c:\windows\system32\Drivers\DLARTL_M.SYS [2007-02-08 28120]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2006-08-30 13744]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\Tppwr32v.sys [2007-12-06 12080]
R2 AEADIFilters;Andrea ADI Filters Service;c:\windows\system32\AEADISRV.EXE [2007-02-05 69632]
R2 lxba_device;lxba_device;c:\windows\system32\lxbacoms.exe [2007-04-24 537520]
R2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2007-03-02 55936]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-01-08 569344]
R3 btwaudio;Bluetooth Audio Device Service;c:\windows\system32\drivers\btwaudio.sys [2007-03-29 79664]
R3 btwavdt;Bluetooth AVDT Service;c:\windows\system32\drivers\btwavdt.sys [2007-02-27 81200]
R3 btwrchid;btwrchid;c:\windows\system32\DRIVERS\btwrchid.sys [2007-02-27 16432]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2007-05-22 30336]
S4 ErrDev;Microsoft Hardware Error Device Driver;c:\windows\system32\drivers\errdev.sys [2008-01-20 6656]
S4 MegaSR;MegaSR;c:\windows\system32\drivers\megasr.sys [2008-01-20 386616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ba55dc1-955c-11dd-9370-001fe1d1023f}]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ba55df4-955c-11dd-9370-001fe1d1023f}]
\shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-11-05 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 17:54]

2008-11-05 c:\windows\Tasks\User_Feed_Synchronization-{7D0A9B2B-A02A-4A6B-9DF0-B9E3EEF4E5BB}.job
- c:\windows\system32\msfeedssync.exe [2008-01-20 21:25]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-05 10:20:47
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-05 10:22:55
ComboFix-quarantined-files.txt 2008-11-05 15:22:49
ComboFix2.txt 2008-11-04 16:35:22
ComboFix3.txt 2008-09-04 18:07:21

Pre-Run: 33,104,384,000 bytes free
Post-Run: 33,080,070,144 bytes free

386 --- E O F --- 2008-11-05 12:38:16



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08, on 2008-11-05
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\ThinkPad\Bluetooth Software\BtStackServer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\notepad.exe
C:\Users\Waterproof\Downloads\setupeng.exe
C:\Users\WATERP~1\AppData\Local\Temp\_av_sfx.tm~a04964\avast.setup
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [CameraApplicationLauncher] C:\Program Files\Lenovo\Camera Center\bin\CameraApplicationLaunchpadLauncher.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://c:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Diskeeper - Unknown owner - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\Windows\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: lxba_device - - C:\Windows\system32\lxbacoms.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Unknown owner - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11363 bytes
effingcow
Regular Member
 
Posts: 31
Joined: August 29th, 2008, 11:57 am
Location: Aruba

Re: Topic posted for EffingCow

Unread postby effingcow » November 5th, 2008, 12:32 pm

Also, can I re-hide my files? Or should I keep them visible for now?

thanks again. - Amanda
effingcow
Regular Member
 
Posts: 31
Joined: August 29th, 2008, 11:57 am
Location: Aruba

Re: Topic posted for EffingCow

Unread postby ndmmxiaomayi » November 6th, 2008, 10:22 am

Hi Amanda,

You can re-hide your files by reversing Step 2, Part 5. :)

Step 1

Please disable avast! Antivirus temporarily as it may interfere with the fixes. Remember to re-enable it before proceeding to Step 3.

  • Right click on the avast! Antivirus icon near the clock and select Stop On-Access Protection.
  • Right click on the avast! Antivirus icon again and select Program Settings.
  • On the left, click on Troubleshooting.
  • Uncheck (untick) this box - Disable avast! self-defense module.
  • Click OK to apply the settings.

Step 2

Please open Notepad and copy and paste the following in the Code box into Notepad:

Code:
Folder::
c:\a
c:\temp\xp34
c:\windows\System32\ti

File::
c:\users\Waterproof\index.exe


Warning: The above script is just for effingcow. If you are not effingcow, please do not use this script as it may damage the workings of your system.

Click on File > Save As....

In the File Name field, copy and paste in CFScript.txt. Do not change the file name.

Click Save.

Referring to the picture below, drag CFScript into Combofix.

Image

Combofix will start running. When done, a log will be produced. Please post this log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

Step 3

Click on Start. Right click on Internet Explorer and select Run As Administrator. You will receive a UAC prompt. Please allow it.

Next...

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on the Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

In your next reply, please post:

  1. Combofix log (C:\Combofix.txt)
  2. Kaspersky Antivirus scan report
  3. A new HijackThis log
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Topic posted for EffingCow

Unread postby effingcow » November 6th, 2008, 2:51 pm

ComboFix 08-11-05.02 - Waterproof 2008-11-06 10:10:49.7 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.96 [GMT -5:00]
Running from: c:\users\Waterproof\Downloads\ComboFix.exe
Command switches used :: c:\users\Waterproof\Desktop\CFScript.txt

FILE ::
c:\users\Waterproof\index.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\temp\xp34
c:\temp\xp34\cPH.log
c:\users\Waterproof\index.exe
c:\windows\System32\ti

.
((((((((((((((((((((((((( Files Created from 2008-10-06 to 2008-11-06 )))))))))))))))))))))))))))))))
.

2008-11-05 11:06 . 2008-11-05 11:06 <DIR> d-------- c:\program files\Alwil Software
2008-11-05 11:06 . 2008-07-19 10:36 51,280 --a------ c:\windows\System32\drivers\aswMonFlt.sys
2008-11-04 16:03 . 2008-11-04 17:57 <DIR> d-------- c:\users\Waterproof\Contacts
2008-11-04 13:44 . 2008-09-18 00:09 3,601,464 --a------ c:\windows\System32\ntkrnlpa.exe
2008-11-04 13:44 . 2008-09-18 00:09 3,549,240 --a------ c:\windows\System32\ntoskrnl.exe
2008-11-04 13:26 . 2008-08-11 22:39 443,392 --a------ c:\windows\System32\win32spl.dll
2008-11-04 13:26 . 2008-09-17 23:56 147,456 --a------ c:\windows\System32\Faultrep.dll
2008-11-04 13:26 . 2008-09-17 23:56 125,952 --a------ c:\windows\System32\wersvc.dll
2008-11-04 13:21 . 2008-09-17 21:16 2,032,640 --a------ c:\windows\System32\win32k.sys
2008-11-04 13:20 . 2008-08-26 20:06 288,768 --a------ c:\windows\System32\drivers\srv.sys
2008-11-04 13:11 . 2008-10-01 20:32 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2008-11-04 13:11 . 2008-10-01 22:49 827,392 --a------ c:\windows\System32\wininet.dll
2008-11-04 10:59 . 2008-11-04 10:59 <DIR> d-------- c:\users\Waterproof\Bluetooth Software
2008-11-03 16:17 . 2008-11-03 16:17 <DIR> d-------- c:\program files\Xvid
2008-11-03 16:17 . 2008-04-27 10:33 765,952 --a------ c:\windows\System32\xvidcore.dll
2008-11-03 16:17 . 2008-04-27 10:35 180,224 --a------ c:\windows\System32\xvidvfw.dll
2008-11-03 16:17 . 2007-06-28 18:55 77,824 --a------ c:\windows\System32\xvid.ax
2008-10-30 12:41 . 2008-10-30 12:41 244 --ah----- C:\sqmnoopt02.sqm
2008-10-30 12:41 . 2008-10-30 12:41 232 --ah----- C:\sqmdata02.sqm
2008-10-15 13:26 . 2008-10-15 13:26 268 --ah----- C:\sqmdata01.sqm
2008-10-15 13:26 . 2008-10-15 13:26 244 --ah----- C:\sqmnoopt01.sqm
2008-10-15 10:58 . 2008-11-04 02:13 <DIR> d-------- c:\windows\System32\ws2
2008-10-06 16:36 . 2008-10-06 16:36 <DIR> d-------- c:\users\Waterproof\AppData\Roaming\InterVideo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-06 15:02 --------- d-----w c:\users\Waterproof\AppData\Roaming\OpenOffice.org2
2008-11-05 15:49 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-05 15:49 --------- d-----w c:\program files\Full Tilt Poker
2008-11-05 12:44 --------- d-----w c:\program files\Windows Mail
2008-11-04 16:03 --------- d-----w c:\users\Waterproof\AppData\Roaming\LimeWire
2008-11-04 11:13 --------- d-----w c:\program files\Trillian
2008-10-10 00:12 --------- d-----w c:\users\Waterproof\AppData\Roaming\HP
2008-10-06 14:26 --------- d-----w c:\program files\Java
2008-10-04 07:01 --------- d-----w c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-04 07:01 --------- d-----w c:\program files\iTunes
2008-10-04 07:01 --------- d-----w c:\program files\iPod
2008-09-25 02:27 --------- d-----w c:\users\Waterproof\AppData\Roaming\vusbsp
2008-09-25 02:27 --------- d-----w c:\programdata\HP Product Assistant
2008-09-20 19:45 --------- d-----w c:\programdata\PopCap
2008-09-20 19:43 --------- d-----w c:\program files\PopCap Games
2008-09-13 03:23 --------- d-----w c:\program files\QuickTime
2008-09-13 03:23 --------- d-----w c:\program files\Common Files\Apple
2008-09-12 03:03 --------- d-----w c:\program files\Windows Live
2008-09-12 02:51 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-09-12 02:47 --------- d-----w c:\programdata\WLInstaller
2008-09-10 13:27 --------- d-----w c:\programdata\Symantec
2008-09-10 13:27 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-09-08 05:34 --------- d-----w c:\users\Waterproof\AppData\Roaming\Lenovo
2008-08-29 14:18 87,336 ----a-w c:\windows\System32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w c:\windows\System32\dnssd.dll
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((( snapshot@2008-11-04_11.33.51.19 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-11 07:02:18 38,240 ----a-r c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2008-11-05 12:35:49 38,240 ----a-r c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
- 2008-11-04 16:24:17 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-11-06 14:57:15 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-11-06 14:57:15 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-11-04 16:24:46 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-11-06 15:01:52 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-11-04 16:24:46 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-11-06 15:01:45 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-07-19 15:43:08 1,163,960 ----a-w c:\windows\System32\aswBoot.exe
+ 2008-07-19 15:30:53 94,392 ----a-w c:\windows\System32\AvastSS.scr
- 2008-11-04 16:10:48 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-11-06 14:57:47 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-11-04 16:10:48 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-06 14:57:47 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-04 16:10:48 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-11-06 14:57:47 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-11-04 16:13:19 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
+ 2008-11-06 15:09:46 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
+ 2008-07-19 15:37:42 20,560 ----a-w c:\windows\System32\drivers\aswFsBlk.sys
+ 2008-07-19 15:33:42 23,152 ----a-w c:\windows\System32\drivers\aswRdr.sys
+ 2008-07-19 15:35:18 78,416 ----a-w c:\windows\System32\drivers\aswSP.sys
+ 2008-07-19 15:32:36 42,912 ----a-w c:\windows\System32\drivers\aswTdi.sys
- 2008-08-04 05:45:47 430,256 ----a-w c:\windows\System32\FNTCACHE.DAT
+ 2008-11-05 12:46:39 430,256 ----a-w c:\windows\System32\FNTCACHE.DAT
- 2008-06-27 04:15:23 6,068,736 ----a-w c:\windows\System32\ieframe.dll
+ 2008-10-02 03:49:14 6,068,736 ----a-w c:\windows\System32\ieframe.dll
- 2008-01-21 02:24:54 270,336 ----a-w c:\windows\System32\iertutil.dll
+ 2008-10-02 03:49:14 270,336 ----a-w c:\windows\System32\iertutil.dll
- 2008-06-27 04:15:24 28,160 ----a-w c:\windows\System32\jsproxy.dll
+ 2008-10-02 03:49:14 28,160 ----a-w c:\windows\System32\jsproxy.dll
- 2008-06-27 04:15:28 64,512 ----a-w c:\windows\System32\migration\WininetPlugin.dll
+ 2008-06-12 03:54:16 64,512 ----a-w c:\windows\System32\migration\WininetPlugin.dll
- 2008-08-26 20:28:12 16,208,504 ----a-w c:\windows\System32\mrt.exe
+ 2008-10-07 19:19:40 16,721,856 ----a-w c:\windows\System32\mrt.exe
- 2008-06-27 04:15:24 3,578,368 ----a-w c:\windows\System32\mshtml.dll
+ 2008-10-02 03:49:15 3,578,880 ----a-w c:\windows\System32\mshtml.dll
- 2008-06-27 04:15:25 671,232 ----a-w c:\windows\System32\mstime.dll
+ 2008-10-02 03:49:16 671,232 ----a-w c:\windows\System32\mstime.dll
- 2008-01-21 02:24:08 466,944 ----a-w c:\windows\System32\netapi32.dll
+ 2008-10-16 04:47:33 466,944 ----a-w c:\windows\System32\netapi32.dll
- 2008-11-04 16:04:10 105,376 ----a-w c:\windows\System32\perfc009.dat
+ 2008-11-06 15:05:01 105,376 ----a-w c:\windows\System32\perfc009.dat
- 2008-11-04 16:04:10 604,452 ----a-w c:\windows\System32\perfh009.dat
+ 2008-11-06 15:05:01 604,452 ----a-w c:\windows\System32\perfh009.dat
- 2008-09-25 02:28:10 6,291,456 ----a-w c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2008-11-05 16:20:32 6,291,456 ----a-w c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2008-06-27 04:15:28 1,166,336 ----a-w c:\windows\System32\urlmon.dll
+ 2008-10-02 03:49:19 1,166,336 ----a-w c:\windows\System32\urlmon.dll
- 2008-11-04 16:01:41 8,172 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1433960662-359803117-349027270-1005_UserData.bin
+ 2008-11-06 15:01:23 8,484 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1433960662-359803117-349027270-1005_UserData.bin
- 2008-11-04 16:01:41 88,628 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-11-06 15:01:22 88,856 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-11-04 11:17:19 3,146 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-11-05 12:44:51 3,146 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-11-04 16:01:35 46,312 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-11-05 16:26:15 46,600 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-11-04 00:49:15 348,016 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-11-06 11:18:43 348,870 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2008-09-24 13:15:16 12,855 ----a-w c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2008-11-05 12:44:27 31,090,808 ----a-w c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2008-10-02 03:49:01 124,928 ----a-w c:\windows\winsxs\x86_microsoft-windows-advpack_31bf3856ad364e35_6.0.6000.16757_none_a9b61b23f5cc373c\advpack.dll
+ 2008-10-02 03:25:49 124,928 ----a-w c:\windows\winsxs\x86_microsoft-windows-advpack_31bf3856ad364e35_6.0.6000.20927_none_aa6029990ed1805a\advpack.dll
+ 2008-09-18 04:56:02 147,456 ----a-w c:\windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18145_none_6fe0e04a3ce53cd7\Faultrep.dll
+ 2008-01-21 02:24:31 217,088 ----a-w c:\windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18145_none_6fe0e04a3ce53cd7\WerFault.exe
+ 2008-01-21 02:24:31 860,160 ----a-w c:\windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18145_none_6fe0e04a3ce53cd7\WerFaultSecure.exe
+ 2008-09-20 04:00:23 147,456 ----a-w c:\windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.22271_none_70460c29561ecb18\Faultrep.dll
+ 2008-09-20 04:00:16 217,088 ----a-w c:\windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.22271_none_70460c29561ecb18\WerFault.exe
+ 2008-09-20 04:00:16 860,160 ----a-w c:\windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.22271_none_70460c29561ecb18\WerFaultSecure.exe
+ 2008-09-18 04:56:07 125,952 ----a-w c:\windows\winsxs\x86_microsoft-windows-feedback-service_31bf3856ad364e35_6.0.6001.18145_none_79a5b70991018b47\wersvc.dll
+ 2008-09-20 04:00:26 125,952 ----a-w c:\windows\winsxs\x86_microsoft-windows-feedback-service_31bf3856ad364e35_6.0.6001.22271_none_7a0ae2e8aa3b1988\wersvc.dll
+ 2008-10-02 03:49:05 44,544 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..ablenetworkgraphics_31bf3856ad364e35_6.0.6000.16757_none_ebb124d316651d3b\pngfilt.dll
+ 2008-10-02 03:30:07 44,544 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..ablenetworkgraphics_31bf3856ad364e35_6.0.6000.20927_none_ec5b33482f6a6659\pngfilt.dll
+ 2008-10-02 03:49:06 1,159,680 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_6.0.6000.16757_none_b2cdcd85d9c5949f\urlmon.dll
+ 2008-10-02 03:30:37 1,162,752 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_6.0.6000.20927_none_b377dbfaf2caddbd\urlmon.dll
+ 2008-10-02 03:49:19 1,166,336 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_6.0.6001.18148_none_b4bfdc61d6e322f6\urlmon.dll
+ 2008-10-02 03:34:49 1,166,848 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_6.0.6001.22278_none_b5290968f0191693\urlmon.dll
+ 2008-10-02 03:49:04 671,232 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..mlrenderingadvanced_31bf3856ad364e35_6.0.6000.16757_none_deb05c4e7f6e540e\mstime.dll
+ 2008-10-02 03:28:20 671,232 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..mlrenderingadvanced_31bf3856ad364e35_6.0.6000.20927_none_df5a6ac398739d2c\mstime.dll
+ 2008-10-02 03:49:16 671,232 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..mlrenderingadvanced_31bf3856ad364e35_6.0.6001.18148_none_e0a26b2a7c8be265\mstime.dll
+ 2008-10-02 03:34:46 671,232 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..mlrenderingadvanced_31bf3856ad364e35_6.0.6001.22278_none_e10b983195c1d602\mstime.dll
+ 2008-10-02 03:49:02 27,648 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.16757_none_ffd3a927a4cebb32\jsproxy.dll
+ 2008-10-02 03:49:06 826,368 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.16757_none_ffd3a927a4cebb32\wininet.dll
+ 2008-10-02 03:49:06 64,512 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.16757_none_ffd3a927a4cebb32\WininetPlugin.dll
+ 2008-10-02 03:27:01 27,648 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.20927_none_007db79cbdd40450\jsproxy.dll
+ 2008-10-02 03:30:45 827,904 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.20927_none_007db79cbdd40450\wininet.dll
+ 2008-10-02 03:30:45 64,512 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.20927_none_007db79cbdd40450\WininetPlugin.dll
+ 2008-10-02 03:49:14 28,160 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.18148_none_01c5b803a1ec4989\jsproxy.dll
+ 2008-10-02 03:49:19 827,392 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.18148_none_01c5b803a1ec4989\wininet.dll
+ 2008-06-12 03:54:16 64,512 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.18148_none_01c5b803a1ec4989\WininetPlugin.dll
+ 2008-10-02 03:34:46 28,160 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.22278_none_022ee50abb223d26\jsproxy.dll
+ 2008-10-02 03:34:49 827,904 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.22278_none_022ee50abb223d26\wininet.dll
+ 2008-10-02 03:34:49 64,512 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.22278_none_022ee50abb223d26\WininetPlugin.dll
+ 2008-01-21 02:24:46 2,455,488 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_6.0.6000.16757_none_f97ccc016eba3585\ieapfltr.dat
+ 2008-10-02 03:49:02 383,488 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_6.0.6000.16757_none_f97ccc016eba3585\ieapfltr.dll
+ 2008-01-21 02:24:46 2,455,488 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_6.0.6000.20927_none_fa26da7687bf7ea3\ieapfltr.dat
+ 2008-10-02 03:26:47 380,928 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_6.0.6000.20927_none_fa26da7687bf7ea3\ieapfltr.dll
+ 2008-10-02 03:49:02 347,136 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-directxtransforms_31bf3856ad364e35_6.0.6000.16757_none_95b104b9849fbbb3\dxtmsft.dll
+ 2008-10-02 03:49:02 214,528 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-directxtransforms_31bf3856ad364e35_6.0.6000.16757_none_95b104b9849fbbb3\dxtrans.dll
+ 2008-10-02 03:26:19 347,136 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-directxtransforms_31bf3856ad364e35_6.0.6000.20927_none_965b132e9da504d1\dxtmsft.dll
+ 2008-10-02 03:26:20 214,528 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-directxtransforms_31bf3856ad364e35_6.0.6000.20927_none_965b132e9da504d1\dxtrans.dll
+ 2008-10-02 03:49:03 477,696 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-htmlediting_31bf3856ad364e35_6.0.6000.16757_none_46139f1146606e40\mshtmled.dll
+ 2008-10-02 03:27:54 477,696 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-htmlediting_31bf3856ad364e35_6.0.6000.20927_none_46bdad865f65b75e\mshtmled.dll
+ 2008-10-02 03:49:03 3,593,216 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6000.16757_none_112dc84625252468\mshtml.dll
+ 2008-10-02 03:27:54 3,594,752 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6000.20927_none_11d7d6bb3e2a6d86\mshtml.dll
+ 2008-10-02 03:49:15 3,578,880 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6001.18148_none_131fd7222242b2bf\mshtml.dll
+ 2008-10-02 03:34:46 3,579,392 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6001.22278_none_138904293b78a65c\mshtml.dll
+ 2008-10-02 03:49:02 63,488 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-infocard_31bf3856ad364e35_6.0.6000.16757_none_588635106739b071\icardie.dll
+ 2008-10-02 03:26:46 63,488 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-infocard_31bf3856ad364e35_6.0.6000.20927_none_59304385803ef98f\icardie.dll
+ 2008-10-02 03:48:32 26,624 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16757_none_2d4cb5b31cfa2a15\ieUnatt.exe
+ 2008-10-02 03:50:01 633,632 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16757_none_2d4cb5b31cfa2a15\iexplore.exe
+ 2008-10-02 01:18:42 26,624 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20927_none_2df6c42835ff7333\ieUnatt.exe
+ 2008-10-02 03:32:01 633,632 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20927_none_2df6c42835ff7333\iexplore.exe
+ 2008-10-02 03:49:02 267,776 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6000.16757_none_458e60038f7fd98f\iertutil.dll
+ 2008-10-02 03:49:06 134,144 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6000.16757_none_458e60038f7fd98f\sqmapi.dll
+ 2008-10-02 03:26:48 267,776 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6000.20927_none_46386e78a88522ad\iertutil.dll
+ 2008-10-02 03:30:30 134,144 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6000.20927_none_46386e78a88522ad\sqmapi.dll
+ 2008-10-02 03:49:14 270,336 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6001.18148_none_47806edf8c9d67e6\iertutil.dll
+ 2008-01-21 02:24:54 129,536 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6001.18148_none_47806edf8c9d67e6\sqmapi.dll
+ 2008-10-02 03:34:45 270,848 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6001.22278_none_47e99be6a5d35b83\iertutil.dll
+ 2008-10-02 03:34:48 129,536 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6001.22278_none_47e99be6a5d35b83\sqmapi.dll
+ 2008-10-02 03:48:32 70,656 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.16757_none_c3bb6ace6174f2ba\ie4uinit.exe
+ 2008-10-02 03:49:02 44,544 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.16757_none_c3bb6ace6174f2ba\iernonce.dll
+ 2008-10-02 03:49:02 56,320 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.16757_none_c3bb6ace6174f2ba\iesetup.dll
+ 2008-10-02 01:18:33 70,656 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.20927_none_c46579437a7a3bd8\ie4uinit.exe
+ 2008-10-02 03:26:48 44,544 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.20927_none_c46579437a7a3bd8\iernonce.dll
+ 2008-10-02 03:26:48 56,320 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.20927_none_c46579437a7a3bd8\iesetup.dll
+ 2008-10-02 03:49:02 52,736 ----a-w c:\windows\winsxs\x86_microsoft-windows-iebrshim_31bf3856ad364e35_6.0.6000.16757_none_29e0813e6824c817\iebrshim.dll
+ 2008-10-02 03:26:47 52,736 ----a-w c:\windows\winsxs\x86_microsoft-windows-iebrshim_31bf3856ad364e35_6.0.6000.20927_none_2a8a8fb3812a1135\iebrshim.dll
+ 2008-10-02 03:49:02 6,066,176 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6000.16757_none_628d2249b11ab295\ieframe.dll
+ 2008-10-02 03:49:02 180,736 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6000.16757_none_628d2249b11ab295\ieui.dll
+ 2008-10-02 03:26:48 6,068,224 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6000.20927_none_633730beca1ffbb3\ieframe.dll
+ 2008-10-02 03:26:48 180,736 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6000.20927_none_633730beca1ffbb3\ieui.dll
+ 2008-10-02 03:49:14 6,068,736 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6001.18148_none_647f3125ae3840ec\ieframe.dll
+ 2008-01-21 02:25:05 180,736 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6001.18148_none_647f3125ae3840ec\ieui.dll
+ 2008-10-02 03:34:45 6,069,760 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6001.22278_none_64e85e2cc76e3489\ieframe.dll
+ 2008-10-02 03:34:45 180,736 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6001.22278_none_64e85e2cc76e3489\ieui.dll
+ 2008-10-02 03:48:32 263,168 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieinstal_31bf3856ad364e35_6.0.6000.16757_none_e6868ec8949e06cd\ieinstal.exe
+ 2008-10-02 01:18:55 263,168 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieinstal_31bf3856ad364e35_6.0.6000.20927_none_e7309d3dada34feb\ieinstal.exe
+ 2008-10-02 03:48:32 301,568 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieuser_31bf3856ad364e35_6.0.6000.16757_none_0b2ec3e4d718c67f\ieuser.exe
+ 2008-10-02 01:18:56 301,568 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieuser_31bf3856ad364e35_6.0.6000.20927_none_0bd8d259f01e0f9d\ieuser.exe
+ 2008-10-16 04:40:36 425,472 ----a-w c:\windows\winsxs\x86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6000.16764_none_8b10fff30496576a\netapi32.dll
+ 2008-10-16 04:22:27 425,984 ----a-w c:\windows\winsxs\x86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6000.20937_none_8bbe0f461d98ec8d\netapi32.dll
+ 2008-10-16 04:47:33 466,944 ----a-w c:\windows\winsxs\x86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.18157_none_8d050f6301b2186f\netapi32.dll
+ 2008-10-16 04:38:26 466,944 ----a-w c:\windows\winsxs\x86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.22288_none_8d6f3cb41ae72563\netapi32.dll
+ 2008-09-15 22:29:31 2,413,072 ----a-w c:\windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.16752_none_f06dce5c6e7a7dc0\OESpamFilter.dat
+ 2008-09-15 22:28:34 2,413,072 ----a-w c:\windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.20919_none_f129aec387715c4e\OESpamFilter.dat
+ 2008-09-15 22:29:55 2,413,072 ----a-w c:\windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.18143_none_f25fdd386b980c17\OESpamFilter.dat
+ 2008-09-15 22:27:41 2,413,072 ----a-w c:\windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.22267_none_f2d7db5384c2491f\OESpamFilter.dat
+ 2008-09-18 04:35:05 3,505,208 ----a-w c:\windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6000.16754_none_6a18166cb7216faf\ntkrnlpa.exe
+ 2008-09-18 04:35:07 3,470,904 ----a-w c:\windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6000.16754_none_6a18166cb7216faf\ntoskrnl.exe
+ 2008-09-18 04:27:45 3,506,744 ----a-w c:\windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6000.20921_none_6abf2403d0296cc8\ntkrnlpa.exe
+ 2008-09-18 04:27:44 3,472,952 ----a-w c:\windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6000.20921_none_6abf2403d0296cc8\ntoskrnl.exe
+ 2008-09-18 05:09:10 3,601,464 ----a-w c:\windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6001.18145_none_6c0a2548b43efe06\ntkrnlpa.exe
+ 2008-09-18 05:09:09 3,549,240 ----a-w c:\windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6001.18145_none_6c0a2548b43efe06\ntoskrnl.exe
+ 2008-09-18 04:54:44 3,601,976 ----a-w c:\windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6001.22269_none_6c822363cd693b0e\ntkrnlpa.exe
+ 2008-09-18 04:54:49 3,549,752 ----a-w c:\windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6001.22269_none_6c822363cd693b0e\ntoskrnl.exe
+ 2008-08-12 03:29:17 37,376 ----a-w c:\windows\winsxs\x86_microsoft-windows-p..ooler-networkclient_31bf3856ad364e35_6.0.6000.16728_none_377f607173cc72c2\printcom.dll
+ 2008-08-12 03:29:18 441,856 ----a-w c:\windows\winsxs\x86_microsoft-windows-p..ooler-networkclient_31bf3856ad364e35_6.0.6000.16728_none_377f607173cc72c2\win32spl.dll
+ 2008-08-12 03:17:47 37,376 ----a-w c:\windows\winsxs\x86_microsoft-windows-p..ooler-networkclient_31bf3856ad364e35_6.0.6000.20893_none_37b84c568d275770\printcom.dll
+ 2008-08-12 03:18:17 444,928 ----a-w c:\windows\winsxs\x86_microsoft-windows-p..ooler-networkclient_31bf3856ad364e35_6.0.6000.20893_none_37b84c568d275770\win32spl.dll
+ 2008-01-21 02:24:47 37,888 ----a-w c:\windows\winsxs\x86_microsoft-windows-p..ooler-networkclient_31bf3856ad364e35_6.0.6001.18119_none_39716f4d70ea0119\printcom.dll
+ 2008-08-12 03:39:08 443,392 ----a-w c:\windows\winsxs\x86_microsoft-windows-p..ooler-networkclient_31bf3856ad364e35_6.0.6001.18119_none_39716f4d70ea0119\win32spl.dll
+ 2008-08-12 03:25:35 37,888 ----a-w c:\windows\winsxs\x86_microsoft-windows-p..ooler-networkclient_31bf3856ad364e35_6.0.6001.22241_none_39d29a048a2729fe\printcom.dll
+ 2008-08-12 03:25:37 443,392 ----a-w c:\windows\winsxs\x86_microsoft-windows-p..ooler-networkclient_31bf3856ad364e35_6.0.6001.22241_none_39d29a048a2729fe\win32spl.dll
+ 2008-08-26 01:12:30 290,304 ----a-w c:\windows\winsxs\x86_microsoft-windows-smbserver-v1_31bf3856ad364e35_6.0.6000.16738_none_d7f8bf26f95e2296\srv.sys
+ 2008-08-27 00:49:12 290,816 ----a-w c:\windows\winsxs\x86_microsoft-windows-smbserver-v1_31bf3856ad364e35_6.0.6000.20904_none_d89ecc7412670658\srv.sys
+ 2008-08-27 01:06:25 288,768 ----a-w c:\windows\winsxs\x86_microsoft-windows-smbserver-v1_31bf3856ad364e35_6.0.6001.18130_none_d9d6fb7cf68be8cf\srv.sys
+ 2008-08-27 00:53:21 288,768 ----a-w c:\windows\winsxs\x86_microsoft-windows-smbserver-v1_31bf3856ad364e35_6.0.6001.22252_none_da4cf9040fb7f329\srv.sys
+ 2008-09-18 02:03:07 2,027,520 ----a-w c:\windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6000.16754_none_b6db2e869d852707\win32k.sys
+ 2008-09-20 01:13:20 2,029,568 ----a-w c:\windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6000.20922_none_b7833c67b68c3d77\win32k.sys
+ 2008-09-18 02:16:28 2,032,640 ----a-w c:\windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6001.18145_none_b8cd3d629aa2b55e\win32k.sys
+ 2008-09-20 01:21:50 2,033,152 ----a-w c:\windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6001.22271_none_b9326941b3dc439f\win32k.sys
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-20 1233920]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-11-29 59168]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2007-12-06 324896]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2007-12-06 214576]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-05 820520]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 243248]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-07-09 1282048]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2007-01-08 536576]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-04-26 120368]
"CameraApplicationLauncher"="c:\program files\Lenovo\Camera Center\bin\CameraApplicationLaunchpadLauncher.exe" [2007-08-22 16384]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2007-07-05 419112]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 124200]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]

c:\users\Waterproof\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2007-03-29 719664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1433960662-359803117-349027270-1005]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{994FB1BF-3B05-4D3D-B5A8-9A32BCCF60A5}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{BE81EE69-8783-4988-9E64-1E7EEF70F978}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{7C7F5A76-6079-467B-8A18-0B4B8195A91B}"= UDP:c:\windows\System32\lxbacoms.exe:Lexmark Communications System
"{40817FE4-D1BA-4B82-8A08-7606601ADE11}"= TCP:c:\windows\System32\lxbacoms.exe:Lexmark Communications System
"{66C31868-57A6-4001-895D-4B71027CD110}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxbapswx.exe:Printer Status Window
"{FAC413EC-B54E-4BB2-8CEE-B374023EB1B0}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxbapswx.exe:Printer Status Window
"{617C5A68-B086-462A-9BE7-08B3F5BA67C5}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{6B0A4DC4-9C19-43F9-804C-C1E904D0FFEF}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{365DD8CC-F926-49A3-993A-1297672A7117}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{976D515E-E2BC-4040-8BBF-D2D3A4E8D25A}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{898A948D-841A-47F8-ABFB-1EFC939CABB3}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{8D685019-8334-40F3-A2D4-38163DFCD119}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{A98782BD-8C4D-4F79-B6D6-105C9872D92A}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{08348A5B-3772-4C13-BC12-E048CBFC5423}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{DF39095D-DF41-4712-87DB-09B714EB1D74}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{25EBD56A-6227-4298-A225-9CB8A4D1B32F}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{4F7D0682-F6B6-400B-9137-5DC89D4CC714}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{76486E61-FAE2-455A-B522-E81D9BE308D4}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{F95EED90-5805-46AF-898F-94DF14996AFE}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{7763661D-3D1A-4123-959D-8679A847D5CB}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{009D7874-056C-4F46-8339-5745209EBDFD}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{FA08B81B-5398-4827-85B5-63AB31FCC68D}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"TCP Query User{2AD5DD5B-B32E-4593-A57F-26F4B37A2957}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{8534ABF4-7562-4E56-8087-B0301C6450C9}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"{4F9235DC-F1E6-4225-9B85-548948C8B522}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{87993095-9E5E-4AFC-929B-BADAA063001B}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{E60A9797-7CEA-4C05-8373-050D041465A9}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{34A78E33-7B60-4E82-973F-DCF3E689E0EF}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{952AC365-C224-41A7-AC88-56D840DC8415}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{2BBBF744-CE81-47F0-BCFE-1CFDC185E1BA}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{84509A37-3EF1-4BAD-9847-E74D530677C5}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

R0 Shockprf;Shockprf;c:\windows\system32\DRIVERS\Apsx86.sys [2007-10-16 103472]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\DRIVERS\ApsHM86.sys [2007-10-16 19504]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 DLARTL_M;DLARTL_M;c:\windows\system32\Drivers\DLARTL_M.SYS [2007-02-08 28120]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2006-08-30 13744]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\Tppwr32v.sys [2007-12-06 12080]
R2 AEADIFilters;Andrea ADI Filters Service;c:\windows\system32\AEADISRV.EXE [2007-02-05 69632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2008-07-19 51280]
R2 lxba_device;lxba_device;c:\windows\system32\lxbacoms.exe [2007-04-24 537520]
R2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2007-03-02 55936]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2007-01-08 569344]
R3 btwaudio;Bluetooth Audio Device Service;c:\windows\system32\drivers\btwaudio.sys [2007-03-29 79664]
R3 btwavdt;Bluetooth AVDT Service;c:\windows\system32\drivers\btwavdt.sys [2007-02-27 81200]
R3 btwrchid;btwrchid;c:\windows\system32\DRIVERS\btwrchid.sys [2007-02-27 16432]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2007-05-22 30336]
S4 ErrDev;Microsoft Hardware Error Device Driver;c:\windows\system32\drivers\errdev.sys [2008-01-20 6656]
S4 MegaSR;MegaSR;c:\windows\system32\drivers\megasr.sys [2008-01-20 386616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ba55dc1-955c-11dd-9370-001fe1d1023f}]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ba55df4-955c-11dd-9370-001fe1d1023f}]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b53c7ab3-7871-11dd-ab5b-002186546e43}]
\shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-06 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 17:54]

2008-11-06 c:\windows\Tasks\User_Feed_Synchronization-{7D0A9B2B-A02A-4A6B-9DF0-B9E3EEF4E5BB}.job
- c:\windows\system32\msfeedssync.exe [2008-01-20 21:25]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-06 10:14:34
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\Explorer.exe
-> ?:\windows\system32\iertutil.dll
-> ?:\windows\system32\iertutil.dll
.
Completion time: 2008-11-06 10:17:17
ComboFix-quarantined-files.txt 2008-11-06 15:17:06
ComboFix2.txt 2008-11-05 15:22:56
ComboFix3.txt 2008-11-04 16:35:22
ComboFix4.txt 2008-09-04 18:07:21

Pre-Run: 34,043,940,864 bytes free
Post-Run: 33,910,218,752 bytes free

394 --- E O F --- 2008-11-05 20:40:32


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, November 6, 2008
Operating System: Microsoft Windows Vista Business Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, November 06, 2008 14:50:40
Records in database: 1372367
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
E:\

Scan statistics:
Files scanned: 102731
Threat name: 3
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 02:01:49


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Windows\System32\mbfbokgu.dll.vir Infected: Trojan.Win32.Monder.ybi 1
C:\Qoobox\Quarantine\C\Windows\System32\owqtbw.dll.vir Infected: Trojan.Win32.Monder.ybi 1
C:\Users\Waterproof\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ELH4MO9K\index[1].htm Infected: Trojan-Downloader.JS.Psyme.alv 1
C:\Users\Waterproof\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FH46I8E2\x12c[1].htm Infected: Exploit.JS.Agent.vj 1

The selected area was scanned.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:47:01 PM, on 11/6/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\ThinkPad\Bluetooth Software\BtStackServer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - c:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [CameraApplicationLauncher] C:\Program Files\Lenovo\Camera Center\bin\CameraApplicationLaunchpadLauncher.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://c:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Diskeeper - Unknown owner - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\Windows\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: lxba_device - - C:\Windows\system32\lxbacoms.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Unknown owner - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11419 bytes


How's it looking?
effingcow
Regular Member
 
Posts: 31
Joined: August 29th, 2008, 11:57 am
Location: Aruba

Re: Topic posted for EffingCow

Unread postby ndmmxiaomayi » November 7th, 2008, 9:12 am

Looking rather good. :)

Any problems so far?

Just some junk to clear.

Download ATF Cleaner and save it to your desktop.

Right click on ATF-Cleaner.exe and select Run As Administrator to run it.

  • Click on Main at the top.
  • Tick all the boxes except the Prefetch and Cookies box.
  • Click on Empty Selected button.

If you use Firefox

  • Click on Firefox at the top.
  • Tick all the boxes except Firefox Cookies and Firefox Saved Passwords.
  • Click on Empty Selected button.

If you use Opera

  • Click on Opera at the top.
  • Tick all the boxes except Opera Cookies and Opera Saved Passwords.
  • Click on Empty Selected button.

Close ATF Cleaner when you are done.
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Topic posted for EffingCow

Unread postby effingcow » November 7th, 2008, 1:45 pm

That's it? I'm done???
effingcow
Regular Member
 
Posts: 31
Joined: August 29th, 2008, 11:57 am
Location: Aruba

Re: Topic posted for EffingCow

Unread postby effingcow » November 7th, 2008, 2:23 pm

Hey,

When I'm running Avast! it still says I have viruses... it recommends that I move them to the box. Why wouldn't I just have them deleted?
effingcow
Regular Member
 
Posts: 31
Joined: August 29th, 2008, 11:57 am
Location: Aruba

Re: Topic posted for EffingCow

Unread postby ndmmxiaomayi » November 7th, 2008, 4:10 pm

What did avast! say?

Which files are infected?
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am