Multiple Malware; now have HiJackThis log



rgATL
2008-07-24, 20:40
Hi, this is a follow up to a thread I started some time ago. I have some time to work on it again and made a bit of progress. The original symptoms are listed here, if you're interested:
http://forums.spybot.info/showthread.php?t=26542

Using /allhives (with the infected drive installed as D), Spybot found:

Aged Photo
Ardamax (which worries me, b/c Spybot said it was a keylogger)
BraveSentry
Clickspring.OuterInfo
Microsoft.WindowsSecurityCenter.TaskManager
Smitfraud-C
Virtumonde
WebHancer

At that time, I couldn't run HiJackThis (or any .exe file when booting from the infected drive). As it turns out, the malware had changed the registry entry under exefile | command | open to call some dll file instead of opening the exe. I changed this registry entry back to the default by comparing it to another WinXP laptop. Exe files now open. The HJT log is below.

----HiJackThis Log----
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:47:36 PM, on 7/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\trcboot.exe
C:\Apps\Internet\Personal Communications\PCS_AGNT.EXE
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Apps\Internet\AT&TNE~1\NetCfgSv.EXE
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TpChrSrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Documents and Settings\LocalService\cftmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ServicePackFiles\i386\msconfig.exe
C:\Program Files\QdrModule\QdrModule15.exe
C:\DOCUME~1\"username"\LOCALS~1\Temp\ie.exe
C:\WINDOWS\system32\vyxmpupk.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUALL.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.sbank.uk.ibm.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;localhost;9.*;<local>
N3 - Netscape 7: user_pref("browser.startup.homepage", "about:blank"); (C:\Documents and Settings\"username"\Application Data\Mozilla\Profiles\default\yrmv02l7.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CApps%5CInternet%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\"username"\Application Data\Mozilla\Profiles\default\yrmv02l7.slt\prefs.js)
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Apps\Internet\DAP\DAPBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: StFlex IE Helper - {8334A30C-49E5-489a-B63D-5B927C1EF46E} - C:\Program Files\QdrDrive\QdrDrive15.dll
O2 - BHO: (no name) - {A8EEB996-62AA-4E48-995D-EADDCAC47476} - C:\WINDOWS\system32\jkkJcCrq.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {b1f03258-1dd1-11b2-844a-d95ac99666f6} - C:\WINDOWS\nupgxofi.dll (file missing)
O2 - BHO: (no name) - {DDE874FD-3D40-48B0-A30D-E2490AE0FA80} - C:\WINDOWS\system32\opnnnoNH.dll (file missing)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Apps\Internet\DAP\DAPIEBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Apps\MultiMedia\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [hpppta] C:\apps\multimedia\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04e\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QCWLIcon] C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\"username"\cftmon.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\ServicePackFiles\i386\msconfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\"username"\LOCALS~1\Temp\ie.exe
O4 - HKCU\..\Run: [kcqtljfg] C:\WINDOWS\system32\vyxmpupk.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\"username"\cftmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [rI05lBmYtd] C:\Documents and Settings\All Users\Application Data\hkjcpoxe\jufepkns.exe
O4 - HKLM\..\Policies\Explorer\Run: [cbedgnqp] rundll32.exe "C:\WINDOWS\system32\gfihobetkre.drv" WLEntryPoint
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - Startup: Mouse.lnk = C:\WINDOWS\System32\main.cpl
O8 - Extra context menu item: &Download with &DAP - C:\Apps\Internet\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Apps\Internet\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Apps\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XMLSPY2004\spy.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\Apps\Internet\DAP\DAP.EXE
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSPY2004\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSPY2004\spy.htm (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\hkjmpsrm.dll
O10 - Broken Internet access because of LSP provider 'c:\program files\webhancer\programs\webhdll.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ConferenceRoom Java Client - http://pix.sexyads.net:8080/java/cr.cab
O16 - DPF: IBM EA2000 - https://w3-1.ibm.com/tools/us/expenses/EA2000.cab
O16 - DPF: Sametime Meeting Room Client ST20 - https://d02db540.southbury.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: Sametime Meeting Room Client ST20H3 - http://www-125.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: Sametime Meeting Room Client ST31 - https://www-1.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: ST MRC ST31IF1 PMR-90722999000 - https://www-1.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: STCJava - https://152.133.32.53/CACHE/webvpn/stc/1/binaries/stcjava.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/static/controls/WebflowActiveXInstaller_4-2-1.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-306.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4300B272-3776-48D3-9A33-D4019924AB9E}: Domain = itso.ral.ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6ED1B95-34FC-407F-9B85-07FD942A7C54}: Domain = ibm.com
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: jkkJcCrq - C:\WINDOWS\SYSTEM32\jkkJcCrq.dll
O21 - SSODL: csiCNqCRDzQO - {88CA28BF-2260-8215-2110-EAAE8DFB1731} - C:\WINDOWS\system32\aeqy.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Gizmo Project\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: ISAM SMT Service (ISAMsmt) - IBM Global Services - C:\Program Files\C4ebreg\isamsmt.exe
O23 - Service: LocalSystem (ldlcserv) - Unknown owner - C:\WINDOWS\System32\drivers\ldlcserv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Apps\Internet\AT&TNE~1\NetCfgSv.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad PM (TpChrSrv) - Unknown owner - C:\WINDOWS\System32\TpChrSrv.exe
O23 - Service: TrcBoot - Unknown owner - C:\WINDOWS\System32\drivers\trcboot.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 14332 bytes
------------------------

I have not run a Kaspersky scan because I did not think it was a good idea to connect the infected computer to the internet again.

Thank you very much for your help,
rg.

Shaba
2008-07-27, 11:14
Hi rgATL

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)

When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

rgATL
2008-07-28, 18:44
Thank you very much for your reply.

Which of the infections is most concerning (just curious)? The computer has been disconnected from the internet and not used at all since initial infection. If you are willing, I would like to try to clean it.

Thank you very much,
rg.

Shaba
2008-07-28, 18:53
Hi

These are some:

O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\"username"\cftmon.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\"username"\LOCALS~1\Temp\ie.exe
O4 - HKCU\..\Run: [kcqtljfg] C:\WINDOWS\system32\vyxmpupk.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\"username"\cftmon.exe

If so, we start with this:

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
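The entries Shaba singled out share a few tell-tale traits: binaries launched from user-writable folders, orphaned entries whose file is already gone, file names that imitate Windows system binaries (cftmon vs. ctfmon, spools vs. spoolsv), and the rarely legitimate Policies\Explorer\Run key. The Python script below is an added example, not code from the thread or from HijackThis; it applies those heuristics (my own assumptions, not HijackThis rules) to HijackThis-style lines, and its sample input is a handful of lines copied from the log posted above.

```python
"""Triage for HijackThis-style log lines (added example, not part of the thread
or of HijackThis). It flags the entry types the helper singled out: binaries
in user-writable folders, orphaned entries whose file is missing, look-alikes
of Windows system binaries, and the rarely legitimate Policies\\Explorer\\Run key."""
import re

# Windows binaries the entries on this machine imitated
# (ctfmon.exe -> cftmon.exe / ctfmona.exe, spoolsv.exe -> spools.exe).
SYSTEM_BINARIES = ("ctfmon.exe", "spoolsv.exe", "svchost.exe", "lsass.exe",
                   "winlogon.exe", "explorer.exe", "services.exe", "smss.exe")

# Folders a limited user (and so any drive-by download) can write to.
USER_WRITABLE = re.compile(
    r"\\(documents and settings|docume~1|local settings\\temp|locals~1\\temp"
    r"|application data)\\", re.I)

# "Onn - where: rest" as HijackThis prints it, and a Windows path inside rest.
ENTRY_RE = re.compile(r"^(?P<sect>O\d+) - (?P<where>.*?): (?P<rest>.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|drv|scr|bat|cpl)\b", re.I)


def levenshtein(a, b):
    """Edit distance between two strings (for the look-alike name check)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename):
    """Return the system binary `filename` imitates (within two edits of the
    stem), or None when it is the real name or nothing is close."""
    name = filename.lower()
    if name in SYSTEM_BINARIES:
        return None
    stem = name.rsplit(".", 1)[0]
    if len(stem) < 4:                      # too short for the distance to mean much
        return None
    for known in SYSTEM_BINARIES:
        if levenshtein(stem, known.rsplit(".", 1)[0]) <= 2:
            return known
    return None


def triage_line(line):
    """Return a list of (reason, detail) findings for one log line; [] if clean."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    sect, where, rest = m.group("sect", "where", "rest")
    rest = re.sub(r"^\[[^\]]*\]\s*", "", rest)   # drop the O4 "[value name]" prefix
    findings = []
    if "(file missing)" in rest or "(no file)" in rest:
        findings.append(("orphaned", "entry points at a file that no longer exists"))
    if sect == "O4" and "Policies\\Explorer\\Run" in where:
        findings.append(("policies-run", "Policies\\Explorer\\Run is rarely used by legitimate software"))
    if sect == "O20" and where == "Winlogon Notify":
        findings.append(("winlogon-notify", "DLL loaded by winlogon.exe at logon; verify the vendor"))
    pm = PATH_RE.search(rest)
    path = pm.group(0) if pm else (rest.split() or [""])[0]
    filename = path.rsplit("\\", 1)[-1]
    if USER_WRITABLE.search(path):
        findings.append(("user-writable", f"{filename} runs from a user-writable folder"))
    known = lookalike_of(filename)
    if known:
        findings.append(("lookalike", f"{filename} resembles {known}"))
    return findings


def triage_log(text):
    """Map each flagged log line to its findings; clean lines are omitted."""
    report = {}
    for line in text.splitlines():
        findings = triage_line(line)
        if findings:
            report[line.strip()] = findings
    return report


# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {DDE874FD-3D40-48B0-A30D-E2490AE0FA80} - C:\WINDOWS\system32\opnnnoNH.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\"username"\LOCALS~1\Temp\ie.exe
O4 - HKLM\..\Policies\Explorer\Run: [cbedgnqp] rundll32.exe "C:\WINDOWS\system32\gfihobetkre.drv" WLEntryPoint
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O20 - Winlogon Notify: jkkJcCrq - C:\WINDOWS\SYSTEM32\jkkJcCrq.dll
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
"""

if __name__ == "__main__":
    for entry, findings in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason, detail in findings:
            print(f"    [{reason}] {detail}")
```

The three legitimate lines in the sample (Google Toolbar, ccApp, the real ctfmon.exe) produce no findings; the other eight are flagged with the reason a helper would quote back.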

rgATL
2008-08-02, 03:28
Hello, sorry for the delay. The results are below. I received a Windows error after SDfix was done, the text of which is listed below as well:

----Start SDfix Log----
SDFix: Version 1.211
Run by "username" on Fri 08/01/2008 at 07:24 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
grande48

Path :
\??\C:\WINDOWS\system32\drivers\grande48.sys

grande48 - Deleted



Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Desktop Wallpaper
Restoring Default Schedule Service Path

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Contains Links to Malware Sites! - Deleted
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat - Contains Links to Malware Sites! - Deleted
C:\WINDOWS\system32\jkkJcCrq.dll - Deleted
C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\WINDOWS\SYSTEM32\REHKFE~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\DLLGH8~1.EXE - Deleted
C:\LOG2CB.TMP - Deleted
C:\Documents and Settings\LocalService\cftmon.exe - Deleted
C:\Documents and Settings\"username"\cftmon.exe - Deleted
C:\Documents and Settings\"username"\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.redtube.com\settings.sol - Deleted
C:\Documents and Settings\"username"\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk - Deleted
C:\Documents and Settings\"username"\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk - Deleted
C:\Program Files\ISM\ism.exe - Deleted
C:\Program Files\ISM\Uninstall.exe - Deleted
C:\Program Files\QdrDrive\QdrDrive15.dll - Deleted
C:\Program Files\QdrDrive\qdrloader.exe - Deleted
C:\Program Files\QdrModule\dicy.gz - Deleted
C:\Program Files\QdrModule\kwdy.gz - Deleted
C:\Program Files\QdrModule\QdrModule15.exe - Deleted
C:\WINDOWS\system32\n.exe - Deleted
C:\WINDOWS\system32\000090.exe - Deleted
C:\WINDOWS\system32\dllgh8jkd1q8.exe - Deleted
C:\WINDOWS\system32\blackster.scr - Deleted
C:\WINDOWS\system32\ctfmonb.bmp - Deleted
C:\WINDOWS\system32\kr_done1 - Deleted
C:\WINDOWS\system32\n.ini - Deleted
C:\WINDOWS\system32\winfrun32.bin - Deleted
C:\WINDOWS\system32\drivers\spools.exe - Deleted
C:\WINDOWS\system32\nvrsul32.dll - Deleted



Folder C:\Documents and Settings\"username"\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.redtube.com - Removed
Folder C:\Documents and Settings\"username"\Start Menu\Programs\Internet Speed Monitor - Removed
Folder C:\Program Files\ISM - Removed
Folder C:\Program Files\QdrDrive - Removed
Folder C:\Program Files\QdrModule - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-01 19:38:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Gizmo Project\\mDNSResponder.exe"="C:\\Program Files\\Gizmo Project\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Gizmo Project\\Gizmo.exe"="C:\\Program Files\\Gizmo Project\\Gizmo.exe:*:Enabled:Gizmo Project"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Apps\\Internet\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Apps\\Internet\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Apps\\Internet\\Yahoo!\\Messenger\\YServer.exe"="C:\\Apps\\Internet\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\SPSS-16\\spss.com"="C:\\Program Files\\SPSS-16\\spss.com:*:Disabled:SPSS 16.0 (1033:com)"
"C:\\Program Files\\SPSS-16\\spss.exe"="C:\\Program Files\\SPSS-16\\spss.exe:*:Disabled:SPSS 16.0 (1033:exe)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 26 Oct 2002 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 30 May 2006 400 ..SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
Tue 30 May 2006 48 ..SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.sec.bak"
Sat 28 Jul 2007 82,944 A..H. --- "C:\Med School\Medicine\H&P's\~WRL0454.tmp"
Sat 28 Jul 2007 84,480 A..H. --- "C:\Med School\Medicine\H&P's\~WRL0694.tmp"
Fri 27 Jul 2007 78,848 A..H. --- "C:\Med School\Medicine\H&P's\~WRL0859.tmp"
Fri 27 Jul 2007 77,312 A..H. --- "C:\Med School\Medicine\H&P's\~WRL0900.tmp"
Wed 25 Jul 2007 34,304 A..H. --- "C:\Med School\Medicine\H&P's\~WRL1424.tmp"
Fri 27 Jul 2007 79,872 A..H. --- "C:\Med School\Medicine\H&P's\~WRL1559.tmp"
Wed 25 Jul 2007 72,704 A..H. --- "C:\Med School\Medicine\H&P's\~WRL1891.tmp"
Sat 28 Jul 2007 84,992 A..H. --- "C:\Med School\Medicine\H&P's\~WRL2117.tmp"
Wed 25 Jul 2007 30,720 A..H. --- "C:\Med School\Medicine\H&P's\~WRL2149.tmp"
Wed 25 Jul 2007 31,744 A..H. --- "C:\Med School\Medicine\H&P's\~WRL2282.tmp"
Sat 28 Jul 2007 81,920 A..H. --- "C:\Med School\Medicine\H&P's\~WRL3254.tmp"
Fri 27 Jul 2007 75,776 A..H. --- "C:\Med School\Medicine\H&P's\~WRL3258.tmp"
Fri 27 Jul 2007 75,776 A..H. --- "C:\Med School\Medicine\H&P's\~WRL3296.tmp"
Wed 25 Jul 2007 73,728 A..H. --- "C:\Med School\Medicine\H&P's\~WRL3424.tmp"
Sat 28 Jul 2007 82,944 A..H. --- "C:\Med School\Medicine\H&P's\~WRL3470.tmp"
Fri 27 Jul 2007 76,288 A..H. --- "C:\Med School\Medicine\H&P's\~WRL3558.tmp"
Wed 25 Jul 2007 72,704 A..H. --- "C:\Med School\Medicine\H&P's\~WRL3739.tmp"
Wed 25 Jul 2007 33,792 A..H. --- "C:\Med School\Medicine\H&P's\~WRL3897.tmp"
Tue 26 Aug 2003 687,616 A..H. --- "C:\Documents and Settings\"username"\Local Settings\Temp\~WRL2948.tmp"
Tue 26 Aug 2003 755,200 A..H. --- "C:\Documents and Settings\"username"\Local Settings\Temp\~WRL3379.tmp"
Tue 26 Aug 2003 945,152 A..H. --- "C:\Documents and Settings\"username"\Local Settings\Temp\~WRL3682.tmp"
Mon 2 Oct 2006 50,280 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Tue 26 Aug 2003 2,479,104 ...H. --- "C:\Documents and Settings\"username"\Application Data\Microsoft\Word\~WRL0124.tmp"
Wed 22 Aug 2007 57,344 ...H. --- "C:\Documents and Settings\"username"\Application Data\Microsoft\Word\~WRL0500.tmp"
Wed 10 Jan 2007 20,480 ...H. --- "C:\Documents and Settings\"username"\Application Data\Microsoft\Word\~WRL0611.tmp"
Sat 31 Mar 2007 29,184 ...H. --- "C:\Documents and Settings\"username"\Application Data\Microsoft\Word\~WRL1214.tmp"
Thu 11 Jan 2007 20,480 ...H. --- "C:\Documents and Settings\"username"\Application Data\Microsoft\Word\~WRL2324.tmp"
Wed 22 Aug 2007 57,344 ...H. --- "C:\Documents and Settings\"username"\Application Data\Microsoft\Word\~WRL2459.tmp"
Fri 14 Dec 2007 21,504 ...H. --- "C:\Documents and Settings\"username"\Application Data\Microsoft\Word\~WRL3228.tmp"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\"username"\Application Data\U3\temp\Launchpad Removal.exe"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\aizjivs.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\awwvhxy.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\bdfcefl.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\bkl996a.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\cdtreyr.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\di4bz8x.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\dwhac4t.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\dyx8bal.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\evzvb2q.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\f8eqs5g.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\fo3jon2.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\gj8xbms.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\grexfqe.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\gsw3a5c.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\j0mox0s.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\j3g7n4f.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\leicv7e.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\m5f1ze0.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\mw8em4x.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\nzrz4m5.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\oervp3g.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\or09bun.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\pmtny74.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\pv7bheb.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\qb4dcg0.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\r0lacis.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\rfglttd.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\rp8ua1p.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\sbwt0bz.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\sfp6bop.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\w5zw086.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\x405553.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\y879a2h.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\ynt5apa.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\ypzo4dg.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\yrzr79l.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\yu0tmpa.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\z6nhpvk.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\znj29rc.dll"
Tue 29 Jan 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\zuzp0bl.dll"
Sat 19 Jun 2004 37,888 A..H. --- "C:\Documents and Settings\"username"\Desktop\"username"'sOLD Desktop\T4_kel\bus\Social\~WRL1222.tmp"
Sat 3 Jul 2004 59,904 A..H. --- "C:\Documents and Settings\"username"\Desktop\"username"'sOLD Desktop\T4_kel\bus\...\~WRL3069.tmp"
Sat 3 Jul 2004 59,392 A..H. --- "C:\Documents and Settings\"username"\Desktop\"username"'sOLD Desktop\T4_kel\bus\...\~WRL3963.tmp"
Sat 28 Feb 2004 48,640 A..H. --- "C:\Documents and Settings\"username"\Desktop\"username"'sOLD Desktop\T4_kel\bus\...\~WRL1234.tmp"
Mon 16 Feb 2004 45,568 A..H. --- "C:\Documents and Settings\"username"\Desktop\"username"'sOLD Desktop\T4_kel\bus\...\~WRL3653.tmp"

Finished!
----End SDfix Log----

.

----Start Windows Error Message----

The system has recovered from a serious error.

A log of this error has been created.

for more information about this error, click here.



Error signature
BCCode : 1000000a BCP1 : 00000016 BCP2 : 00000002 BCP3 : 00000000
BCP4 : 804DBDA3 OSVer : 5_1_2600 SP : 2_0 Product : 256_1

To view technical information about the error report, click here.



The following files will be included in this error report:
C:\DOCUME~1\"username"\LOCALS~1\Temp\WER4b88.dir00\Mini111707-01.dmp
C:\DOCUME~1\"username"\LOCALS~1\Temp\WER4b88.dir00\sysdata.xml
----End Windows Error Message----

.

----Start HiJackThis Log----
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:57 PM, on 8/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\trcboot.exe
C:\Apps\Internet\Personal Communications\PCS_AGNT.EXE
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Apps\Internet\AT&TNE~1\NetCfgSv.EXE
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TpChrSrv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SMARTD~1\Messages\SDNotify.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\"username"\LOCALS~1\Temp\ie.exe
C:\WINDOWS\system32\vyxmpupk.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.sbank.uk.ibm.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;localhost;9.*;<local>
N3 - Netscape 7: user_pref("browser.startup.homepage", "about:blank"); (C:\Documents and Settings\"username"\Application Data\Mozilla\Profiles\default\yrmv02l7.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CApps%5CInternet%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\"username"\Application Data\Mozilla\Profiles\default\yrmv02l7.slt\prefs.js)
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Apps\Internet\DAP\DAPBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {b1f03258-1dd1-11b2-844a-d95ac99666f6} - C:\WINDOWS\nupgxofi.dll (file missing)
O2 - BHO: (no name) - {DDE874FD-3D40-48B0-A30D-E2490AE0FA80} - C:\WINDOWS\system32\opnnnoNH.dll (file missing)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Apps\Internet\DAP\DAPIEBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Apps\MultiMedia\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [hpppta] C:\apps\multimedia\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04e\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QCWLIcon] C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\"username"\LOCALS~1\Temp\ie.exe
O4 - HKCU\..\Run: [kcqtljfg] C:\WINDOWS\system32\vyxmpupk.exe
O4 - Startup: Mouse.lnk = C:\WINDOWS\System32\main.cpl
O8 - Extra context menu item: &Download with &DAP - C:\Apps\Internet\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Apps\Internet\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Apps\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XMLSPY2004\spy.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\Apps\Internet\DAP\DAP.EXE
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSPY2004\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSPY2004\spy.htm (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\hkjmpsrm.dll
O10 - Broken Internet access because of LSP provider 'c:\program files\webhancer\programs\webhdll.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ConferenceRoom Java Client - http://pix.sexyads.net:8080/java/cr.cab
O16 - DPF: IBM EA2000 - https://w3-1.ibm.com/tools/us/expenses/EA2000.cab
O16 - DPF: Sametime Meeting Room Client ST20 - https://d02db540.southbury.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: Sametime Meeting Room Client ST20H3 - http://www-125.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: Sametime Meeting Room Client ST31 - https://www-1.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: ST MRC ST31IF1 PMR-90722999000 - https://www-1.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: STCJava - https://152.133.32.53/CACHE/webvpn/stc/1/binaries/stcjava.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/static/controls/WebflowActiveXInstaller_4-2-1.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-306.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4300B272-3776-48D3-9A33-D4019924AB9E}: Domain = itso.ral.ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6ED1B95-34FC-407F-9B85-07FD942A7C54}: Domain = ibm.com
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: csiCNqCRDzQO - {88CA28BF-2260-8215-2110-EAAE8DFB1731} - C:\WINDOWS\system32\aeqy.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Gizmo Project\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: ISAM SMT Service (ISAMsmt) - IBM Global Services - C:\Program Files\C4ebreg\isamsmt.exe
O23 - Service: LocalSystem (ldlcserv) - Unknown owner - C:\WINDOWS\System32\drivers\ldlcserv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Apps\Internet\AT&TNE~1\NetCfgSv.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad PM (TpChrSrv) - Unknown owner - C:\WINDOWS\System32\TpChrSrv.exe
O23 - Service: TrcBoot - Unknown owner - C:\WINDOWS\System32\drivers\trcboot.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12708 bytes
----End HiJackThis Log----

Shaba
2008-08-02, 11:17
Has that error message re-occurred?

Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <- this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post.

rgATL
2008-08-02, 20:06
Hello, that error has not occurred again, but I am only using the infected computer for a few minutes to complete the tasks you request. The DSS logs are below.

Thank you,
rg.


----Start DSS Main Log----
Deckard's System Scanner v20071014.68
Run by "username" on 2008-08-02 12:11:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 3.09 GiB (less than 15%) free.


-- HijackThis (run as "username".exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:16:23 PM, on 8/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\trcboot.exe
C:\Apps\Internet\Personal Communications\PCS_AGNT.EXE
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Apps\Internet\AT&TNE~1\NetCfgSv.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TpChrSrv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SMARTD~1\Messages\SDNotify.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\"username"\LOCALS~1\Temp\ie.exe
C:\WINDOWS\system32\vyxmpupk.exe
C:\WINDOWS\system32\vyxmpupk.exe
C:\Documents and Settings\"username"\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\"username".exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.sbank.uk.ibm.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;localhost;9.*;<local>
N3 - Netscape 7: user_pref("browser.startup.homepage", "about:blank"); (C:\Documents and Settings\"username"\Application Data\Mozilla\Profiles\default\yrmv02l7.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CApps%5CInternet%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\"username"\Application Data\Mozilla\Profiles\default\yrmv02l7.slt\prefs.js)
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Apps\Internet\DAP\DAPBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {b1f03258-1dd1-11b2-844a-d95ac99666f6} - C:\WINDOWS\nupgxofi.dll (file missing)
O2 - BHO: (no name) - {DDE874FD-3D40-48B0-A30D-E2490AE0FA80} - C:\WINDOWS\system32\opnnnoNH.dll (file missing)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Apps\Internet\DAP\DAPIEBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Apps\MultiMedia\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [hpppta] C:\apps\multimedia\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04e\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QCWLIcon] C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\"username"\LOCALS~1\Temp\ie.exe
O4 - HKCU\..\Run: [kcqtljfg] C:\WINDOWS\system32\vyxmpupk.exe
O4 - Startup: Mouse.lnk = C:\WINDOWS\System32\main.cpl
O8 - Extra context menu item: &Download with &DAP - C:\Apps\Internet\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Apps\Internet\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Apps\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XMLSPY2004\spy.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\Apps\Internet\DAP\DAP.EXE
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSPY2004\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSPY2004\spy.htm (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\hkjmpsrm.dll
O10 - Broken Internet access because of LSP provider 'c:\program files\webhancer\programs\webhdll.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ConferenceRoom Java Client - http://pix.sexyads.net:8080/java/cr.cab
O16 - DPF: IBM EA2000 - https://w3-1.ibm.com/tools/us/expenses/EA2000.cab
O16 - DPF: Sametime Meeting Room Client ST20 - https://d02db540.southbury.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: Sametime Meeting Room Client ST20H3 - http://www-125.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: Sametime Meeting Room Client ST31 - https://www-1.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: ST MRC ST31IF1 PMR-90722999000 - https://www-1.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: STCJava - https://152.133.32.53/CACHE/webvpn/stc/1/binaries/stcjava.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/static/controls/WebflowActiveXInstaller_4-2-1.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-306.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4300B272-3776-48D3-9A33-D4019924AB9E}: Domain = itso.ral.ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6ED1B95-34FC-407F-9B85-07FD942A7C54}: Domain = ibm.com
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: csiCNqCRDzQO - {88CA28BF-2260-8215-2110-EAAE8DFB1731} - C:\WINDOWS\system32\aeqy.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Gizmo Project\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: ISAM SMT Service (ISAMsmt) - IBM Global Services - C:\Program Files\C4ebreg\isamsmt.exe
O23 - Service: LocalSystem (ldlcserv) - Unknown owner - C:\WINDOWS\System32\drivers\ldlcserv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Apps\Internet\AT&TNE~1\NetCfgSv.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad PM (TpChrSrv) - Unknown owner - C:\WINDOWS\System32\TpChrSrv.exe
O23 - Service: TrcBoot - Unknown owner - C:\WINDOWS\System32\drivers\trcboot.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12744 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 drvmcdb - c:\windows\system32\drivers\drvmcdb.sys <Not Verified; VERITAS Software, Inc.; >
R0 TpPmPort - c:\windows\system32\drivers\tppmport.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
R1 AFS2K - c:\windows\system32\drivers\afs2k.sys <Not Verified; Oak Technology Inc.; AFS>
R1 hpcd2k - c:\windows\system32\drivers\hpcd2k.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R1 IBMTPCHK - c:\windows\system32\drivers\ibmbldid.sys
R1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys <Not Verified; PowerQuest Corporation; PowerQuest product>
R1 Smapint - c:\windows\system32\drivers\smapint.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
R1 TDSMAPI - c:\windows\system32\drivers\tdsmapi.sys
R1 TPHKDRV - c:\windows\system32\drivers\tphkdrv.sys <Not Verified; IBM Corporation; ThinkPad OnScreenDisplay>
R1 TPPWR - c:\windows\system32\drivers\tppwr.sys <Not Verified; IBM Corp.; IBM ThinkPad Utility>
R1 TSMAPIP - c:\windows\system32\drivers\tsmapip.sys
R2 AppnApi - c:\windows\system32\drivers\appnapi.sys
R2 BTSERIAL (Bluetooth Serial Driver) - c:\windows\system32\drivers\btserial.sys
R2 BTSLBCSP (Bluetooth Port Client Driver) - c:\windows\system32\drivers\btslbcsp.sys <Not Verified; WIDCOMM, Inc.; Bluetooth Software 1.4.2 Build 18>
R2 CdaC15BA - c:\windows\system32\drivers\cdac15ba.sys
R2 NsTrcNT - c:\windows\system32\drivers\nstrcnt.sys
R2 PAR1284 - c:\windows\system32\drivers\par1284.sys <Not Verified; Warp Nine Engineering; IEEE 1284 Driver>
R2 pcscoax (3270 Coax Driver) - c:\windows\system32\drivers\pcscoax.sys
R2 pdlnctdl (Twinax CUT Adapter) - c:\windows\system32\drivers\pdlnctdl.sys
R2 pdlndldl (IBM Enterprise Extender (HPR/IP)) - c:\windows\system32\drivers\pdlndldl.sys
R2 PMEM - c:\windows\system32\drivers\pmemnt.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
R2 PPNT - c:\windows\system32\drivers\ppnt.sys <Not Verified; Corex Technologies Corp.; CardScan>
R2 VMnetBridge (VMware Bridge Protocol) - c:\windows\system32\drivers\vmnetbridge.sys <Not Verified; VMware, Inc.; VMware Network Driver>
R2 VMnetuserif (VMware Network Application Interface) - c:\windows\system32\drivers\vmnetuserif.sys <Not Verified; VMware, Inc.; VMware Network Driver>
R2 VMparport (VMware VMparport) - c:\windows\system32\drivers\vmparport.sys <Not Verified; VMware, Inc.; VMware Workstation>
R2 vmx86 (VMware vmx86) - c:\windows\system32\drivers\vmx86.sys <Not Verified; VMware, Inc.; VMware Workstation>
R3 Anydlc - c:\windows\system32\drivers\anydlc.sys
R3 Appn - c:\windows\system32\drivers\appn.sys
R3 AppnBase - c:\windows\system32\drivers\appnbase.sys
R3 catchme - c:\windows\temp\catchme.sys (file missing)
R3 KLOGNT - c:\windows\system32\drivers\klognt.sys
R3 pdlnacom (PDLC Adapter -- COM) - c:\windows\system32\drivers\pdlnacom.sys
R3 pdlnafac (PDLC Adapter Factory) - c:\windows\system32\drivers\pdlnafac.sys
R3 pdlnampa (PDLC Adapter -- MultiProtocol Adapter) - c:\windows\system32\drivers\pdlnampa.sys
R3 pdlnatcm (Twinax Adapter Common) - c:\windows\system32\drivers\pdlnatcm.sys
R3 pdlnatdl (Twinax Adapter) - c:\windows\system32\drivers\pdlnatdl.sys
R3 pdlnatnm (Twinax Adapter Namakan) - c:\windows\system32\drivers\pdlnatnm.sys
R3 pdlnatsn (Twinax Adapter Snow) - c:\windows\system32\drivers\pdlnatsn.sys
R3 pdlnawac (PDLC Adapter -- WACType) - c:\windows\system32\drivers\pdlnawac.sys
R3 pdlncbas (PDLC CxM Classes) - c:\windows\system32\drivers\pdlncbas.sys
R3 pdlncfwk (PDLC Connection Manager) - c:\windows\system32\drivers\pdlncfwk.sys
R3 pdlndint (PDLC DLC Classes) - c:\windows\system32\drivers\pdlndint.sys
R3 pdlndlpb (PDLC LAPB) - c:\windows\system32\drivers\pdlndlpb.sys
R3 pdlndoem (PDLC OEM Interface) - c:\windows\system32\drivers\pdlndoem.sys
R3 pdlndqll (PDLC QLLC) - c:\windows\system32\drivers\pdlndqll.sys
R3 pdlndsdl (PDLC SDLC) - c:\windows\system32\drivers\pdlndsdl.sys
R3 pdlndtdl (Twinax DLC) - c:\windows\system32\drivers\pdlndtdl.sys
R3 pdlnebas (PDLC Environment) - c:\windows\system32\drivers\pdlnebas.sys
R3 pdlnecfg (PDLC Configuration) - c:\windows\system32\drivers\pdlnecfg.sys
R3 pdlnemap (PDLC Mapper) - c:\windows\system32\drivers\pdlnemap.sys
R3 pdlnemsg (PDLC Message Driver) - c:\windows\system32\drivers\pdlnemsg.sys
R3 pdlnepkt (PDLC Buffer Manager) - c:\windows\system32\drivers\pdlnepkt.sys
R3 pdlnshay (PDLC Hayes At signalling) - c:\windows\system32\drivers\pdlnshay.sys
R3 pdlnslea (PDLC SDLC Leased) - c:\windows\system32\drivers\pdlnslea.sys
R3 pdlnsv25 (PDLC V25bis signalling) - c:\windows\system32\drivers\pdlnsv25.sys
R3 pdlnsx25 (PDLC X.25) - c:\windows\system32\drivers\pdlnsx25.sys

S3 ANC - c:\windows\system32\drivers\anc.sys
S3 EGATHDRV (IBM Access Support) - c:\windows\system32\egathdrv.sys <Not Verified; IBM Corporation; IBM eGatherer>
S3 MREMPR5 (MREMPR5 NDIS Protocol Driver) - c:\program files\common files\motive\mrempr5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\program files\common files\motive\mrendis5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
S3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
S3 PRISM (Instant Wireless - Network PC CARD Driver) - c:\windows\system32\drivers\prismnds.sys <Not Verified; LINKSYS Corporation; Instant Wireless - Network PC Card>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 NetCfgSvr (Network Configuration Service) - c:\apps\internet\at&tne~1\netcfgsv.exe <Not Verified; AT&T; NetCfgSvr Module>
R2 TpChrSrv (ThinkPad PM) - c:\windows\system32\tpchrsrv.exe
R2 TrcBoot - c:\windows\system32\drivers\trcboot.exe
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S2 Bonjour Service - c:\program files\gizmo project\mdnsresponder.exe <Not Verified; Apple Computer, Inc.; Bonjour>
S3 C-DillaCdaC11BA - c:\windows\system32\drivers\cdac11ba.exe <Not Verified; Macrovision; SafeCast Windows NT>
S3 ISAMsmt (ISAM SMT Service) - c:\program files\c4ebreg\isamsmt.exe <Not Verified; IBM Global Services; >
S3 ldlcserv (LocalSystem) - c:\windows\system32\drivers\ldlcserv.exe
S4 Irmon (Infrared Monitor) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S4 ISSIMon (ISSI EZUpdate) - c:\sdwork\issimsvc.exe (file missing)
S4 QCONSVC - system32\qconsvc.exe <Not Verified; IBM Corp.; IBM ThinkPad Utility>
S4 VMAuthdService (VMware Authorization Service) - c:\apps\vmware\vmware workstation\vmware-authd.exe (file missing)
S4 VMnetDHCP (VMware DHCP Service) - c:\windows\system32\vmnetdhcp.exe <Not Verified; VMware, Inc.; VMware Workstation>
S4 VMware NAT Service - c:\windows\system32\vmnat.exe <Not Verified; VMware, Inc.; VMware Workstation>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: High Rate Wireless LAN Mini-PCI Adapter with Modem II
Device ID: PCI\VEN_1260&DEV_3873&SUBSYS_25138086&REV_01\4&139E449D&0&10F0
Manufacturer: Intel Corporation
Name: High Rate Wireless LAN Mini-PCI Adapter with Modem II
PNP Device ID: PCI\VEN_1260&DEV_3873&SUBSYS_25138086&REV_01\4&139E449D&0&10F0
Service: IMWEB51

Class GUID: {6BDD1FC5-810F-11D0-BEC7-08002BE2092F}
Description: IBM ThinkPad Fast Infrared Port
Device ID: ACPI\IBM0071\4&1D6F7EAE&0
Manufacturer: IBM
Name: IBM ThinkPad Fast Infrared Port
PNP Device ID: ACPI\IBM0071\4&1D6F7EAE&0
Service: NSCIRDA

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Bluetooth LAN Access Server Driver
Device ID: ROOT\NET\0000
Manufacturer: WIDCOMM, Inc.
Name: Bluetooth LAN Access Server Driver
PNP Device ID: ROOT\NET\0000
Service: BTWDNDIS

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: AGN Virtual Network Adapter
Device ID: ROOT\NET\0001
Manufacturer: AT&T
Name: AGN Virtual Network Adapter
PNP Device ID: ROOT\NET\0001
Service: avpnnic

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems SSL VPN Adapter
Device ID: ROOT\NET\0002
Manufacturer: Cisco Systems
Name: Cisco Systems SSL VPN Adapter
PNP Device ID: ROOT\NET\0002
Service: CSVirtA

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VMware Virtual Ethernet Adapter for VMnet1
Device ID: ROOT\VMWARE\0000
Manufacturer: VMware, Inc.
Name: VMware Virtual Ethernet Adapter for VMnet1
PNP Device ID: ROOT\VMWARE\0000
Service: VMnetAdapter

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VMware Virtual Ethernet Adapter for VMnet8
Device ID: ROOT\VMWARE\0001
Manufacturer: VMware, Inc.
Name: VMware Virtual Ethernet Adapter for VMnet8
PNP Device ID: ROOT\VMWARE\0001
Service: VMnetAdapter


-- Scheduled Tasks -------------------------------------------------------------

2008-08-02 12:05:45 440 --a------ C:\WINDOWS\Tasks\BMMTask.job
2008-08-01 19:32:36 448 --a------ C:\WINDOWS\Tasks\SDMsgUpdate (SD).job


-- Files created between 2008-07-02 and 2008-08-02 -----------------------------

2008-08-01 19:11:22 0 d-------- C:\WINDOWS\ERUNT


-- Find3M Report ---------------------------------------------------------------

2008-08-01 19:33:09 0 d-------- C:\Program Files\Symantec AntiVirus
2008-05-27 18:11:47 80910406 --a------ C:\badreg.reg


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b1f03258-1dd1-11b2-844a-d95ac99666f6}]
C:\WINDOWS\nupgxofi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DDE874FD-3D40-48B0-A30D-E2490AE0FA80}]
C:\WINDOWS\system32\opnnnoNH.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [09/04/2001 01:24 PM C:\WINDOWS\system32\Ati2mdxx.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [06/24/2003 03:34 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [06/24/2003 03:33 PM]
"TP4EX"="tp4ex.exe" [09/04/2002 02:05 AM C:\WINDOWS\system32\TP4EX.exe]
"Tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [11/07/2001 06:50 AM]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [01/24/2003 05:37 PM]
"AGRSMMSG"="AGRSMMSG.exe" [06/27/2003 08:53 AM C:\WINDOWS\AGRSMMSG.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [01/16/2003 11:52 AM]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [02/05/2004 02:36 AM]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [02/05/2004 02:36 AM]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [02/05/2004 02:36 AM]
"Share-to-Web Namespace Daemon"="C:\Apps\MultiMedia\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" []
"hpppta"="C:\apps\multimedia\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe" []
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [09/19/2003 01:17 PM C:\WINDOWS\KHALMNPR.Exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [05/22/2006 05:13 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [03/24/2006 08:14 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [05/27/2006 04:40 AM]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [10/14/2003 10:22 AM]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [04/14/2004 02:46 PM]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [04/14/2004 03:04 PM]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04e\BrStDvPt.exe" [05/25/2004 09:16 AM]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [07/20/2004 09:34 AM]
"QCWLIcon"="C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe" [07/30/2003 03:07 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [07/31/2007 09:45 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"Aim6"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/13/2007 01:34 PM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]
"Microsoft Windows Installer"="C:\DOCUME~1\"username"\LOCALS~1\Temp\ie.exe" []
"kcqtljfg"="C:\WINDOWS\system32\vyxmpupk.exe" [04/06/2008 03:05 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"csiCNqCRDzQO"= {88CA28BF-2260-8215-2110-EAAE8DFB1731} - C:\WINDOWS\system32\aeqy.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTServ]
C:\Program Files\Common Files\Logitech\Bluetooth\lbtserv.dll 10/09/2003 01:02 AM 1064960 C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\opnnnoNH

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Configuration Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Configuration Utility.lnk
backup=C:\WINDOWS\pss\Configuration Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus QuickStart.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lotus QuickStart.lnk
backup=C:\WINDOWS\pss\Lotus QuickStart.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C4EBReg]
"C:\Program Files\C4ebreg\c4ebreg.exe" /q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CardScan AutoSync]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDBitSet]
"C:\Apps\MultiMedia\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
"C:\apps\internet\EarthLinkTotalAccess\TaskPanl.exe" -winstart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Forbes]
C:\Program Files\Forbes\ForbesAlerts.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPCDTray]
"C:\Apps\MultiMedia\HP CD-DVD\Umbrella\hpcdtray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]
C:\WINDOWS\System32\hphmon04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
"C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMWEBSTA.EXE]
IMWEBSTA.EXE START

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Infuzer]
C:\Program Files\Infuzer\Infuzer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISAM SMT Service]
"C:\Program Files\C4ebreg\isamsmt.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISSI EZUpdate Service]
"c:\sdwork\issimsvc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mobile Phone Suite]
C:\Apps\Logitech\Mobile Phone Suite\MobilePhoneSuite.exe -nogui

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mozilla Quick Launch]
"C:\Apps\Internet\Netscape\Netscape\Netscp.exe" -turbo

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QCWLICON]
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Apps\MultiMedia\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Apps\MultiMedia\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
C:\Program Files\Support.com\bin\tgcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]
WDBtnMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\Winampa.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
"Messenger"=3 (0x3)
"ISSIMon"=3 (0x3)
"Irmon"=3 (0x3)
"cisvc"=3 (0x3)
"VMware NAT Service"=3 (0x3)
"VMnetDHCP"=3 (0x3)
"VMAuthdService"=3 (0x3)
"QCONSVC"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5ed7e116-50f6-11db-a75d-00096be0a136}]
AutoRun\command- explorer.exe http://www.cymbaltamd.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b1e1f4b-911f-11db-a763-00053c09d57c}]
AutoRun\command- F:\launch.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aaf9f9ac-bb10-11dc-a797-00053c09d57c}]
AutoRun\command- E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aaf9f9ad-bb10-11dc-a797-00053c09d57c}]
Open(&O)\command- RECYCLED\appmgmt.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b7cd0237-f07c-11dc-a7a1-00096be0a136}]
AutoRun\command- E:\wd_windows_tools\WDEULA.exe

-- End of Deckard's System Scanner: finished at 2008-08-02 12:25:34 ------------
----End DSS Main Log----

.

----Start DSS Extra Log----
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 Mobile CPU 2.00GHz
Percentage of Memory in Use: 48%
Physical Memory (total/avail): 1022.98 MiB / 522.59 MiB
Pagefile Memory (total/avail): 2457.98 MiB / 2086.11 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1946.12 MiB

C: is Fixed (NTFS) - 72.88 GiB total, 3.09 GiB free.

\\.\PHYSICALDRIVE0 - HTS541080G9AT00 - 74.53 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 72.88 GiB - C:
\PARTITION1 - Unknown - 1683.28 MiB



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is disabled.

AV: Symantec AntiVirus Corporate Edition v10.1.0.401 (Symantec Corporation) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Gizmo Project\\mDNSResponder.exe"="C:\\Program Files\\Gizmo Project\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Gizmo Project\\Gizmo.exe"="C:\\Program Files\\Gizmo Project\\Gizmo.exe:*:Enabled:Gizmo Project"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Apps\\Internet\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Apps\\Internet\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Apps\\Internet\\Yahoo!\\Messenger\\YServer.exe"="C:\\Apps\\Internet\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\SPSS-16\\spss.com"="C:\\Program Files\\SPSS-16\\spss.com:*:Disabled:SPSS 16.0 (1033:com)"
"C:\\Program Files\\SPSS-16\\spss.exe"="C:\\Program Files\\SPSS-16\\spss.exe:*:Disabled:SPSS 16.0 (1033:exe)"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\"username"\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME="username"T30
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\"username"
LOGONSERVER=\\"username"T30
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\PROGRAM FILES\THINKPAD\UTILITIES;C:\Program Files\IBM\Trace Facility;C:\Apps\Internet\Personal Communications;C:\Notes;C:\"username"\util;c:\"username"\util\perl\bin;c:\"username"\util\unixutils\usr\local\wbin;C:\Program Files\ATI Technologies\ATI Control Panel;c:\PSM;C:\Apps\IBM\Infoprint;
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PCOMM_Root=C:\Apps\Internet\Personal Communications
PDBASE=C:\Apps\IBM\Infoprint
PD_SOCKET=6874
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\WINDOWS\TEMP
TMP=C:\DOCUME~1\"username"\LOCALS~1\Temp
USERDOMAIN="username"T30
USERNAME="username"
USERPROFILE=C:\Documents and Settings\"username"
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

"username" [I](admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\eBLVD\setup.exe
--> C:\WINDOWS\IsUninst.exe -f"C:\apps\internet\WS_FTP Pro\uninst.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ibm\gsk4\gsk4BUI.isu"
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {09DA4F91-2A09-4232-AB8C-6BC740096DE3}
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {8214CC02-6271-4DC8-B8DD-779933450264}
--> MsiExec.exe /I{8A42F680-2DD6-11D4-9A8C-0040F6982C20}
--> MsiExec.exe /I{A2529672-574A-4A99-86A5-C1770A0E31FE}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C8B3C093-5B66-471F-B508-5308A57855EC}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Access ThinkPad --> MsiExec.exe /X{B5599ECB-DA72-43EE-8A30-2C80396FF8BB}
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Download Manager 2.2 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe FrameMaker v6.0 --> C:\WINDOWS\ISUNINST.EXE -fC:\apps\Adobe\FrameMaker6.0\Uninst.isu -cC:\apps\Adobe\FrameMaker6.0\Uninst.dll
Adobe Illustrator CS --> RunDll32 "C:\Program Files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll",LaunchSetup "C:\Program Files\InstallShield Installation Information\{91A4AD99-69CE-4745-97B7-0E0DFBECFDE5}\setup.exe"
Adobe Photoshop 6.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\apps\Adobe\Photoshop 6.0\Uninst.isu" -c"C:\apps\Adobe\Photoshop 6.0\Uninst.dll"
Adobe Product/Adobe Studio Update 10/2001 --> "C:\Program Files\InstallShield Installation Information\{73006B34-9743-4A39-AC37-38EDFCEB6DCE}\setup.exe"
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Agere Systems AC'97 Modem --> agrsmdel
AIM 6.0 --> C:\Program Files\AIM6\uninst.exe
AirPort --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BF943523-E0EF-4658-A3CC-D8AD0905E56F}
AT&T Network Client --> C:\Apps\Internet\AT&T Net Client\NetUN.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Audio Record Wizard v3.99 --> "C:\Program Files\Audio Record Wizard\unins000.exe"
Brio Enterprise Client --> C:\WINDOWS\IsUninst.exe -f"C:\apps\Brio\BRIO Query\Uninst.isu"
Brother MFL-Pro Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{71FD03B5-E653-4CB8-9B56-A466ABC9FCA9}\Setup.exe" -l0x9 Brunin03.dllBrunin03.dll
CardScan 6.0.5 --> MsiExec.exe /X{DCB63CEC-C6A3-4963-A5D0-6C03EE0CC08F}
Cisco SSL VPN Client --> C:\Program Files\Cisco Systems\SSL VPN Client\uninstall.exe
Configuration Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C0D32BED-4EA6-11D5-AD9A-0050BA1AB546}\Setup.exe"
CorelDRAW 10 --> C:\WINDOWS\Corel\uninst32.exe
CorelDRAW 10 --> MsiExec.exe /I{9E50DEC9-081B-441F-B647-98DBEA8B01DD}
CueCard (remove only) --> "C:\Program Files\CueCard\uninst.exe"
Delta Flights Palm Conduit --> "C:\Apps\Palm\PalmCDI.exe" /u "\Software\U.S. Robotics\Pilot Desktop\Application2" InnD "C:\Apps\Palm\DeltaConduit.dll" "\Software\Microsoft\Windows\CurrentVersion\Uninstall\Delta Flights"
DivX 5.0.2 Bundle --> C:\WINDOWS\unvise32.exe C:\Apps\MultiMedia\DivX_5.0.2\uninstal.log
Download Accelerator Plus --> C:\Apps\Internet\DAP\UNWISE.EXE C:\Apps\Internet\DAP\INSTALL.LOG
EDIFECS EDI Standards Database (X12) --> MsiExec.exe /I{CA1965BF-B8A6-41BB-8848-FC5699296B98}
EDIFECS SpecBuilder 5.1 --> MsiExec.exe /I{5660552E-51BC-4A17-AEB1-DF29F5C05F9D}
File Recovery Tree 25 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\File Recovery Tree 25\DeIsL1.isu" -c"C:\Program Files\File Recovery Tree 25\_ISREG32.DLL"
FirstClass @ Emory 8.043 (EOL Fall 2005) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6CBD63C1-0CF2-49AF-8B4F-37614D60A7B4}\Setup.exe" -l0x9
FRED --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC4204C7-D7B8-4483-9651-BFDDBA97F7B0}\Setup.exe" -l0x9
FRED --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{64ED36E0-5EEE-462B-A807-C547950B25E1}\setup.exe" -l0x9 -removeonly
Generations® Millennium --> C:\WINDOWS\IsUninst.exe -fC:\apps\FamilyTree\Gen7m\Uninst.isu
GetDataBack for NTFS --> "C:\Program Files\GetDataBack\GetDataBack for NTFS\Uninstall.exe" "C:\Program Files\GetDataBack\GetDataBack for NTFS\install.log" -u
Gizmo Project 2.0 --> C:\Program Files\Gizmo Project\uninst.exe
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
High Rate Wireless LAN Mini-PCI Adapter with Modem II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D75BEE78-1859-4616-9376-05550126EA60}\SETUP.EXE" -l0x9 -J -uninst
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2 --> "C:\Program Files\HijackThis\HijackThis.exe" /uninstall
hp dvd writer --> "C:\Apps\MultiMedia\HP CD-DVD\Support\Uninstall.exe"
hp instant support --> C:\Apps\MULTIM~1\HEWLET~1\HPINST~1\Uninstall.exe CeS
hp LaserJet 1010 Series --> MsiExec.exe /x {292C47B2-8DB7-47BF-896C-C3C5EE8108C4}
HP Photo and Imaging 1.0 - HP Photosmart Printer Series --> MsiExec.exe /I{0D396571-7BBD-44CE-ABB3-518BF86B72F7}
HP Photo and Imaging 1.2.1 - Scanjet 4500c Series --> MsiExec.exe /I{C0FC80E9-8172-4F02-87F5-7642DBFFEAB4}
HP PrecisionScan Pro --> C:\WINDOWS\IsUninst.exe -f"C:\apps\multimedia\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\Uninst.isu" -c"C:\apps\multimedia\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\HPUninstallIs.dll"
HP RecordNow --> MsiExec.exe /I{8214CC02-6271-4DC8-B8DD-779933450264}
HP Scan-to-Web Wizard --> C:\WINDOWS\IsUninst.exe -f"C:\apps\multimedia\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\Scan-To-Web.isu"
HP Simple Backup 4.75 (OEM) --> C:\WINDOWS\IsUninst.exe -f"C:\Apps\MULTIM~1\HPCD-D~1\HP Simple Backup\DeIsL1.isu" -cC:\Apps\MULTIM~1\HPCD-D~1\HPSIMP~1\System\UNINST.DLL
IBM Access Connections --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{22B71A00-4DED-11D4-A5E5-0004AC564F43}\SETUP.EXE" -l0x9 anything
IBM Bluetooth Software --> MsiExec.exe /X{600C1577-3AB5-4E72-8F58-AC7F5A990A4C}
IBM Data Transfer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4D6494BE-0759-11D5-B504-000629B04E58}\Setup.exe"
IBM NotesBuddy --> C:\WINDOWS\IsUninst.exe -fC:\Apps\IBM\NotesBuddy\Uninst.isu
IBM Personal Communications --> C:\WINDOWS\PCSUNIST.EXE C:\WINDOWS\unisthook.exe C:\WINDOWS\ISUNINST.EXE -f"C:\Apps\Internet\Personal Communications\DeIsL1.isu" -y
IBM Rapid Restore PC Setup --> MsiExec.exe /X{3B7B3B4A-AF8C-4671-A92E-3E7E9ABCB22B}
IBM RecordNow Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
IBM ThinkPad Access Support --> wscript "C:\Program Files\Support.com\bin\uninstall.vbs" -uninstall -release1
IBM ThinkPad Battery MaxiMiser and Power Management Features --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\Unbmm.isu -c"C:\Program Files\ThinkPad\Utilities\Tpinsbmm.dll"
IBM ThinkPad Configuration --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\UNTPUN.isu -c"C:\Program Files\ThinkPad\Utilities\Tpinsnt.dll"
IBM ThinkPad Configuration --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\UNTPUW.ISU -c"C:\Program Files\ThinkPad\Utilities\Tpinswin.dll"
IBM ThinkPad EasyEject Utility --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\Unezej.isu -c"C:\Program Files\ThinkPad\Utilities\Tpinsej.dll"
IBM ThinkPad Power Management Driver --> RunDll32.exe tpinspm.dll,Uninstall
IBM ThinkPad Presentation Director --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\UNNPDR.isu -c"C:\Program Files\ThinkPad\Utilities\Tpinsnpd.dll"
IBM ThinkPad UltraNav Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
IBM ThinkPad UltraNav Wizard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{82512BC9-BD5D-4C50-BE4D-B98E7DF78687}\SETUP.EXE"
IBM TrackPoint Accessibility Features --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA664480-3844-11D5-8C25-444553540000}\setup.exe"
IBM Update Connector --> MsiExec.exe /X{31C2FBAC-67CF-4093-8F36-15A146613747}
IBM WBI Workbench --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FCCE1F6-E4AC-4EB3-BA09-1CC744C3ABD8}\Setup.exe" -l0x9 -uninst
Infoprint Select --> C:\WINDOWS\IsUninst.exe -fC:\Apps\IBM\Infoprint\Uninst.isu
Infuzer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchiSetup -ether"C:\Program Files\InstallShield Installation Information\{54FC2173-BF6C-45B9-A7F8-304FA966A856}"
Intel(R) PRO Network Adapters and Drivers --> Prounstl.exe
Intellisync Desktop --> C:\WINDOWS\IsUninst.exe -fC:\APPS\PUMATECH\INTELLISYNC\Uninst.isu -c"C:\APPS\PUMATECH\INTELLISYNC\PtUninst.dll"
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe" REMOVEALL
Ipswitch WS_FTP Pro --> C:\WINDOWS\ISUNINST.EXE -f"C:\apps\internet\WS_FTP Pro\uninst.isu" -c"C:\apps\internet\WS_FTP Pro\FTPInstUtils.dll"
ItsDeductible --> C:\WINDOWS\uninst.exe -fC:\Apps\ItsDeductible\DeIsL1.isu -cC:\Apps\ItsDeductible\_ISREG32.DLL
ItsDeductible7 --> C:\WINDOWS\uninst.exe -fC:\apps\ItsDeductible7\DeIsL1.isu -cC:\apps\ItsDeductible7\_ISREG32.DLL
ITSO FrameMaker Toolkit --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAA98AD0-0911-11D5-A445-400054000037}\Setup.exe" -uninst
Java 2 Runtime Environment, SE v1.4.0_01 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7CF31609-270B-11D6-9445-000102308676}\Setup.exe" Anytext
Java 2 Runtime Environment, SE v1.4.1_02 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFCE5837-FC21-11D6-9D24-00010240CE95}\setup.exe" Anytext
Java Web Start --> "C:\Program Files\Java Web Start\uninst-javaws.exe"
Java(TM) SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
Lenovo Battery Program --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B214C3C8-FC16-42EC-B7BB-703A1BB9C790}\Setup.exe" -l0x9
LiveUpdate 3.0 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Logitech SetPoint --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe" -l0x9
Lotus Notes --> C:\WINDOWS\IsUninst.exe -fc:\apps\lotus\notes\Uninst.isu
Lotus NotesSQL 3.01 driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{113EECD6-9A04-11D4-811D-00805F923B86}\Setup.exe" -uninst
Lotus SmartSuite - English --> MsiExec.exe /I{536D6172-7453-7569-7465-392E38300409}
Macromedia Flash MX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3BE480ED-E17A-431A-981C-5C2EDDBCD3BF}\Setup.exe" -l0x9 UNINSTALL
MetaFrame Presentation Server Client --> MsiExec.exe /I{E92B7A19-5FD5-4AEE-9FEF-7AD5DD3A675E}
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office 2000 Standard --> MsiExec.exe /I{00020409-78E1-11D2-B60F-006097C998E7}
Microsoft Office XP Standard --> MsiExec.exe /I{90120409-6000-11D3-8CFE-0050048383C9}
Microsoft Picture It! Publishing 2001 --> MsiExec.exe /I{15D9EB74-998E-4A04-B468-51C2E7B32182}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
mIRC --> "C:\Program Files\mIRC\mirc.exe" -uninstall
Mobile Phone Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{36C91F9F-292E-4395-83B6-13B3C61FE93E}\setup.exe" -l0x9
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\"username"\Application Data\Move Networks\ie_bin\Uninst.exe
Mozilla Firefox (2.0.0.6) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MUSICMATCH® Jukebox --> C:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.exe
MyDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5E835305-63BB-4E55-BBB7-EEBBE67774DB}\Setup.exe" -l0x9 -L0x9 /SMAINT
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Netscape (7.1) --> C:\WINDOWS\NSUninst.exe /ua "7.1b1 (en)"
Neverwinter Nights --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7C503E58-B2BC-11D5-978A-0050BA84F5F7}\Setup.exe" -l0x9
Nimo Codecs Pack v5.0 (Remove Only) --> "C:\apps\MultiMedia\NimoCodecPack\uninstall.exe"
OLYMPUS CAMEDIA Master 4.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{30BB4D60-81DB-11D5-BB77-00400536ABAC}\Setup.exe" CAMEDIA Master 4.03
Palm Desktop --> MsiExec.exe /X{C5EC81D0-3DED-435D-A46E-E3F60F7DC8AD}
PaperPort --> MsiExec.exe /I{A17EABB6-D0C6-44E5-820C-72DC7F495064}
PCS Connection Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9123C204-4220-4584-82D1-79DCFE759F22}\Setup.exe" -l0x9
Pdf995 --> C:\Program Files\pdf995\setup.exe uninstall
Photosmart 130,230,7150,7345,7350,7550 (Remove only) --> C:\Program Files\HP Photosmart 11\Printer\hphuni04.exe
PicoZip Recovery Tool 1.02 --> C:\Apps\Internet\PICOZI~1\UNWISE.EXE C:\Apps\Internet\PICOZI~1\INSTALL.LOG
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
PowerQuest PartitionMagic 8.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}
Printing Systems Manager --> C:\WINDOWS\uninst.exe -fc:\psm\DeIsL1.isu -cc:\psm\_ISREG32.DLL
Quicken 2003 Premier Home & Business --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2A3E87C5-ED9D-427F-9E0F-C06E8EAD6351} anything
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
Radio Toolbox --> C:\Program Files\Radio Toolbox\Uninstall.exe
SafeCast Shared Components --> C:\WINDOWS\CDAC13BA.EXE /uninstall
Sametime Client v1.5 --> C:\WINDOWS\IsUninst.exe -fC:\Apps\Lotus\Sametime\DeIsL2.isu
Sametime Client v3.0 --> C:\WINDOWS\IsUninst.exe -fC:\Apps\Lotus\Sametime\STCUnins.isu
SAPLogon Customizer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A7FC0422-8468-45B7-A409-0CED47F6590A}\setup.exe" -l0x9
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
SHOUTcast DNAS (remove only) --> "C:\Program Files\SHOUTcast DNAS\uninst-dnas.exe"
SmartDraw 7 --> C:\PROGRA~1\SMARTD~1\UNWISE.EXE C:\PROGRA~1\SMARTD~1\INSTALL.LOG
SnagIt 6 --> C:\Apps\MultiMedia\TechSmith\SnagIt 6\SIUNINST.EXE
Sony Sound Forge 8.0 --> MsiExec.exe /X{767572FD-4D01-4FA3-B0A6-4B09FB2CFC37}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
SPSS 16.0 --> MsiExec.exe /X{9A657E90-E2B7-44DE-8929-055948162595}
Streamripper Plugin 1.61.27 (Remove only) --> C:\Program Files\Winamp5\streamripper_uninstall.exe
Support.com Software --> "C:\Program Files\Support.com\bin\tgfix.exe" /rm /nq
Symantec AntiVirus 10.1.0.401 --> MsiExec.exe /I{A011A1DC-7F1D-4EA8-BD11-0C5F9718E428}
Tag&Rename 3.2 --> "C:\Program Files\TagRename\unins000.exe"
Tectia SSH 3.2.9 (EOL Fall 2005) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{172AF3AC-9FA0-421E-A18E-9A4525A6F6F5}\Setup.exe" -l0x9
TextPad --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ADBBED4F-720B-460D-AA14-D85EBC4AEF97}\Setup.exe"
ThinkPad FullScreen Magnifier --> RunDll32 setupapi.dll,InstallHinfSection DefaultUninstall.NT 132 C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.inf
ThinkPad Software Installer --> _tpiu000.exe /U
Tivoli City --> C:\WINDOWS\Tivoli City Uninstaller.exe
TurboTax Premier Home & Business 2002 --> C:\apps\TurboTax02\TaxUnst.EXE "C:\apps\TurboTax02\Uninstall.log" -NoGui
TurboTax Ultimate 2003 --> C:\apps\TurboTax03\TaxUnst.EXE "C:\apps\TurboTax03\Uninstall.log" -NoGui
UltraVNC v1.0.1 --> "C:\Program Files\UltraVNC\unins000.exe"
Uninstall PC-Doctor --> C:\PROGRA~1\PC-DOC~1\AdminCheck.exe
VideoLAN VLC media player 0.8.5 --> C:\Program Files\VLC\uninstall.exe
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
VMware Workstation --> MsiExec.exe /I{98D1A713-438C-4A23-8AB6-41B37C4A2D47}
WD Backup --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A351224F-533A-4EED-89F4-0BF3417FD31D}\setup.exe" -l0x9
WD Diagnostics --> MsiExec.exe /X{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}
WD Firewire HID Driver --> MsiExec.exe /X{FD6C6B7F-5696-48C5-A601-2EE9E50C3D46}
WebEx --> C:\WINDOWS\DOWNLO~1\atcliun.exe
Winamp (remove only) --> "C:\Program Files\Winamp5\UninstWA.exe"
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinSpeedUp --> MsiExec.exe /I{2A611511-AA7A-4D23-AF19-8735E799A134}
WinZip --> "C:\Apps\Internet\WinZip\WINZIP32.EXE" /uninstall
WordPerfect Family Pack 4 --> C:\WINDOWS\Corel\uninst32.exe
WordPerfect Family Pack 4 --> C:\WINDOWS\Corel\Uninst32.exe
XMLSPY 2004 Enterprise Edition --> MsiExec.exe /I{624C9AE0-6CD8-4166-9DFA-AE7DC07EC3EA}
XviD Video Codec 01082002-1 (Koepi's build with EPSZ ME) --> "C:\apps\Multimedia\XviD_KoepisBuild_010802\UninstXviD.exe"
Yahoo! Messenger --> C:\Apps\Internet\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\Apps\Internet\Yahoo!\MESSEN~1\INSTALL.LOG
ZapNotes --> C:\Apps\Lotus\ZapNotes\UNWISE.EXE C:\Apps\Lotus\ZapNotes\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type22787 / Warning
Event Submitted/Written: 08/02/2008 00:05:41 PM
Event ID/Source: 2 / STCAgent
Event Description:
Termination reason code 23 [SYSTEM_SUSPEND]

Event Record #/Type22786 / Warning
Event Submitted/Written: 08/01/2008 08:13:14 PM
Event ID/Source: 2 / STCAgent
Event Description:
Termination reason code 23 [SYSTEM_SUSPEND]

Event Record #/Type22781 / Error
Event Submitted/Written: 08/01/2008 07:32:02 PM
Event ID/Source: 2 / STCAgent
Event Description:
Termination reason code 10 [FAST_USER_SWITCH]

Event Record #/Type22772 / Warning
Event Submitted/Written: 08/01/2008 07:03:18 PM
Event ID/Source: 2 / STCAgent
Event Description:
Termination reason code 9 [SYSTEM_SHUTDOWN]

Event Record #/Type22771 / Warning
Event Submitted/Written: 08/01/2008 07:03:06 PM
Event ID/Source: 2 / STCAgent
Event Description:
Termination reason code 5 [USER_LOGGING_OFF]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type25126 / Warning
Event Submitted/Written: 08/02/2008 00:10:23 PM
Event ID/Source: 256 / PlugPlayManager
Event Description:
Timed out sending notification of device interface change to window of "\??\C:\WINDOWS\system32\winlogon.exe"

Event Record #/Type25125 / Error
Event Submitted/Written: 08/02/2008 00:09:52 PM
Event ID/Source: 111 / Removable Storage Service
Event Description:
RSM could not load media in drive Drive 0 of library Flash Drive SM_USB20 USB Device.

Event Record #/Type25124 / Error
Event Submitted/Written: 08/02/2008 00:09:48 PM
Event ID/Source: 111 / Removable Storage Service
Event Description:
RSM could not load media in drive Drive 0 of library Flash Drive SM_USB20 USB Device.

Event Record #/Type25123 / Warning
Event Submitted/Written: 08/02/2008 00:09:44 PM
Event ID/Source: 256 / PlugPlayManager
Event Description:
Timed out sending notification of device interface change to window of "\??\C:\WINDOWS\system32\winlogon.exe"

Event Record #/Type25122 / Warning
Event Submitted/Written: 08/02/2008 00:06:46 PM
Event ID/Source: 57 / Ftdisk
Event Description:
The system failed to flush data to the transaction log. Corruption may occur.

-- End of Deckard's System Scanner: finished at 2008-08-02 12:25:34 ------------
----End DSS Extra Log----

Shaba
2008-08-05, 15:07
Sorry for the delay, I didn't get any email notification.

Please download Malwarebytes' Anti-Malware (http://www.malwaresupport.com/mbam/program/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file in your next reply.

Click Start and then Run to bring up the Run box.
Copy and paste the contents of this quote box into the run box:

"%userprofile%\desktop\dss.exe" /config
Close all other open windows.
Click OK.
A window will now open. Click Check All and then click Scan!.
When the scan is complete, two text files will open in Notepad: main.txt <- this one will be maximized
extra.txt <- this one will be minimized
If not, they both can be found in the C:\Deckard\System Scanner folder.
Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.


Post:

- mbam report
- dss logs (taken after mbam run)

rgATL
2008-08-05, 18:39
So, must I connect the infected computer to the internet to check for Malwarebytes' updates? The infected computer keeps trying to load IE windows. Is there any way to update Malwarebytes' without connecting it to the web (i.e., similar to how you can download Spybot's updates as an executable)?

Thanks,
rg

Shaba
2008-08-05, 18:40
Yes there is.

You can download the database only from here (http://malwarebytes.gt500.org/database.jsp)

rgATL
2008-08-06, 21:26
Sorry to be so ignorant of this software: How do I implement the "database.jsp" update file? Just copy it to the C:\Program Files\Malwarebytes' Anti-Malware directory? Double click it from the desktop? Just trying to do everything exactly right.

Thanks so much,
rg.

Shaba
2008-08-06, 21:52
No, you should click the green download button on the page or this (http://malwarebytes.gt500.org/mbam-rules.exe)

MBAM needs to be closed when you run that file.

rgATL
2008-08-07, 02:53
After MBAM finished, it said not everything could be removed, and the system needed to be rebooted. So, I rebooted; when Windows loaded, it gave that "The system has recovered from a serious error." message twice. I closed these and then ran DSS. Logs below. Extra log in next post. Thanks.

----Start MBAM Log----
Malwarebytes' Anti-Malware 1.24
Database version: 1028
Windows 5.1.2600 Service Pack 2

7:30:09 PM 8/6/2008
mbam-log-8-6-2008 (19-30-09).txt

Scan type: Full Scan (C:\|)
Objects scanned: 152849
Time elapsed: 1 hour(s), 51 minute(s), 2 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 12

Memory Processes Infected:
C:\WINDOWS\system32\vyxmpupk.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\WINDOWS\system32\vyxmpupk.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\hkjmpsrm.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{c89435b0-cdfe-11d3-976a-00e02913a9e0} (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c8cb3870-cdfe-11d3-976a-00e02913a9e0} (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\xflock (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kcqtljfg (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Installer (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\autorun (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\webHancer (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs (Adware.Webhancer) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\hkjmpsrm.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\vyxmpupk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\"username"\LOCALS~1\Temp\106.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\"username"\LOCALS~1\Temp\soft.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\"username"\LOCALS~1\Temp\uigxlxlnmuuosde.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Deckard\System Scanner\backup\DOCUME~1\"username"\LOCALS~1\Temp\yroukzix.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\"username"\Local Settings\Temporary Internet Files\Content.IE5\0TCPA34H\leembldn[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wbem\csrss.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs\license.txt (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs\readme.txt (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs\sporder.dll (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Program Files\webHancer\Programs\whagent.ini (Adware.Webhancer) -> Quarantined and deleted successfully.
----End MBAM Log----


----Start DSS Main Log----
Deckard's System Scanner v20071014.68
Run by "username" on 2008-08-06 19:48:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2008-08-06 23:48:18 UTC - RP893 - Deckard's System Scanner Restore Point
2: 2008-08-06 23:04:21 UTC - RP892 - System Checkpoint
1: 2008-08-02 16:11:33 UTC - RP891 - Deckard's System Scanner Restore Point


Performed disk cleanup.

System Drive C: has 3.29 GiB (less than 15%) free.


-- HijackThis (run as "username".exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:48:31 PM, on 8/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\trcboot.exe
C:\Apps\Internet\Personal Communications\PCS_AGNT.EXE
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Apps\Internet\AT&TNE~1\NetCfgSv.EXE
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TpChrSrv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\SMARTD~1\Messages\SDNotify.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\"username"\desktop\dss.exe
C:\PROGRA~1\HIJACK~1\"username".exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.sbank.uk.ibm.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;localhost;9.*;<local>
N3 - Netscape 7: user_pref("browser.startup.homepage", "about:blank"); (C:\Documents and Settings\"username"\Application Data\Mozilla\Profiles\default\yrmv02l7.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CApps%5CInternet%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\"username"\Application Data\Mozilla\Profiles\default\yrmv02l7.slt\prefs.js)
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Apps\Internet\DAP\DAPBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {b1f03258-1dd1-11b2-844a-d95ac99666f6} - C:\WINDOWS\nupgxofi.dll (file missing)
O2 - BHO: (no name) - {DDE874FD-3D40-48B0-A30D-E2490AE0FA80} - C:\WINDOWS\system32\opnnnoNH.dll (file missing)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Apps\Internet\DAP\DAPIEBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Apps\MultiMedia\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [hpppta] C:\apps\multimedia\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04e\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QCWLIcon] C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: Mouse.lnk = C:\WINDOWS\System32\main.cpl
O8 - Extra context menu item: &Download with &DAP - C:\Apps\Internet\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Apps\Internet\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Apps\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XMLSPY2004\spy.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\Apps\Internet\DAP\DAP.EXE
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSPY2004\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSPY2004\spy.htm (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\program files\webhancer\programs\webhdll.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ConferenceRoom Java Client - http://pix.sexyads.net:8080/java/cr.cab
O16 - DPF: IBM EA2000 - https://w3-1.ibm.com/tools/us/expenses/EA2000.cab
O16 - DPF: Sametime Meeting Room Client ST20 - https://d02db540.southbury.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: Sametime Meeting Room Client ST20H3 - http://www-125.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: Sametime Meeting Room Client ST31 - https://www-1.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: ST MRC ST31IF1 PMR-90722999000 - https://www-1.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: STCJava - https://152.133.32.53/CACHE/webvpn/stc/1/binaries/stcjava.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/static/controls/WebflowActiveXInstaller_4-2-1.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-306.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4300B272-3776-48D3-9A33-D4019924AB9E}: Domain = itso.ral.ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6ED1B95-34FC-407F-9B85-07FD942A7C54}: Domain = ibm.com
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: csiCNqCRDzQO - {88CA28BF-2260-8215-2110-EAAE8DFB1731} - C:\WINDOWS\system32\aeqy.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Gizmo Project\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: ISAM SMT Service (ISAMsmt) - IBM Global Services - C:\Program Files\C4ebreg\isamsmt.exe
O23 - Service: LocalSystem (ldlcserv) - Unknown owner - C:\WINDOWS\System32\drivers\ldlcserv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Apps\Internet\AT&TNE~1\NetCfgSv.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad PM (TpChrSrv) - Unknown owner - C:\WINDOWS\System32\TpChrSrv.exe
O23 - Service: TrcBoot - Unknown owner - C:\WINDOWS\System32\drivers\trcboot.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12345 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 drvmcdb - c:\windows\system32\drivers\drvmcdb.sys <Not Verified; VERITAS Software, Inc.; >
R0 TpPmPort - c:\windows\system32\drivers\tppmport.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
R1 AFS2K - c:\windows\system32\drivers\afs2k.sys <Not Verified; Oak Technology Inc.; AFS>
R1 hpcd2k - c:\windows\system32\drivers\hpcd2k.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R1 IBMTPCHK - c:\windows\system32\drivers\ibmbldid.sys
R1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys <Not Verified; PowerQuest Corporation; PowerQuest product>
R1 Smapint - c:\windows\system32\drivers\smapint.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
R1 TDSMAPI - c:\windows\system32\drivers\tdsmapi.sys
R1 TPHKDRV - c:\windows\system32\drivers\tphkdrv.sys <Not Verified; IBM Corporation; ThinkPad OnScreenDisplay>
R1 TPPWR - c:\windows\system32\drivers\tppwr.sys <Not Verified; IBM Corp.; IBM ThinkPad Utility>
R1 TSMAPIP - c:\windows\system32\drivers\tsmapip.sys
R2 AppnApi - c:\windows\system32\drivers\appnapi.sys
R2 BTSERIAL (Bluetooth Serial Driver) - c:\windows\system32\drivers\btserial.sys
R2 BTSLBCSP (Bluetooth Port Client Driver) - c:\windows\system32\drivers\btslbcsp.sys <Not Verified; WIDCOMM, Inc.; Bluetooth Software 1.4.2 Build 18>
R2 CdaC15BA - c:\windows\system32\drivers\cdac15ba.sys
R2 NsTrcNT - c:\windows\system32\drivers\nstrcnt.sys
R2 PAR1284 - c:\windows\system32\drivers\par1284.sys <Not Verified; Warp Nine Engineering; IEEE 1284 Driver>
R2 pcscoax (3270 Coax Driver) - c:\windows\system32\drivers\pcscoax.sys
R2 pdlnctdl (Twinax CUT Adapter) - c:\windows\system32\drivers\pdlnctdl.sys
R2 pdlndldl (IBM Enterprise Extender (HPR/IP)) - c:\windows\system32\drivers\pdlndldl.sys
R2 PMEM - c:\windows\system32\drivers\pmemnt.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
R2 PPNT - c:\windows\system32\drivers\ppnt.sys <Not Verified; Corex Technologies Corp.; CardScan>
R2 VMnetBridge (VMware Bridge Protocol) - c:\windows\system32\drivers\vmnetbridge.sys <Not Verified; VMware, Inc.; VMware Network Driver>
R2 VMnetuserif (VMware Network Application Interface) - c:\windows\system32\drivers\vmnetuserif.sys <Not Verified; VMware, Inc.; VMware Network Driver>
R2 VMparport (VMware VMparport) - c:\windows\system32\drivers\vmparport.sys <Not Verified; VMware, Inc.; VMware Workstation>
R2 vmx86 (VMware vmx86) - c:\windows\system32\drivers\vmx86.sys <Not Verified; VMware, Inc.; VMware Workstation>
R3 Anydlc - c:\windows\system32\drivers\anydlc.sys
R3 Appn - c:\windows\system32\drivers\appn.sys
R3 AppnBase - c:\windows\system32\drivers\appnbase.sys
R3 KLOGNT - c:\windows\system32\drivers\klognt.sys
R3 pdlnacom (PDLC Adapter -- COM) - c:\windows\system32\drivers\pdlnacom.sys
R3 pdlnafac (PDLC Adapter Factory) - c:\windows\system32\drivers\pdlnafac.sys
R3 pdlnampa (PDLC Adapter -- MultiProtocol Adapter) - c:\windows\system32\drivers\pdlnampa.sys
R3 pdlnatcm (Twinax Adapter Common) - c:\windows\system32\drivers\pdlnatcm.sys
R3 pdlnatdl (Twinax Adapter) - c:\windows\system32\drivers\pdlnatdl.sys
R3 pdlnatnm (Twinax Adapter Namakan) - c:\windows\system32\drivers\pdlnatnm.sys
R3 pdlnatsn (Twinax Adapter Snow) - c:\windows\system32\drivers\pdlnatsn.sys
R3 pdlnawac (PDLC Adapter -- WACType) - c:\windows\system32\drivers\pdlnawac.sys
R3 pdlncbas (PDLC CxM Classes) - c:\windows\system32\drivers\pdlncbas.sys
R3 pdlncfwk (PDLC Connection Manager) - c:\windows\system32\drivers\pdlncfwk.sys
R3 pdlndint (PDLC DLC Classes) - c:\windows\system32\drivers\pdlndint.sys
R3 pdlndlpb (PDLC LAPB) - c:\windows\system32\drivers\pdlndlpb.sys
R3 pdlndoem (PDLC OEM Interface) - c:\windows\system32\drivers\pdlndoem.sys
R3 pdlndqll (PDLC QLLC) - c:\windows\system32\drivers\pdlndqll.sys
R3 pdlndsdl (PDLC SDLC) - c:\windows\system32\drivers\pdlndsdl.sys
R3 pdlndtdl (Twinax DLC) - c:\windows\system32\drivers\pdlndtdl.sys
R3 pdlnebas (PDLC Environment) - c:\windows\system32\drivers\pdlnebas.sys
R3 pdlnecfg (PDLC Configuration) - c:\windows\system32\drivers\pdlnecfg.sys
R3 pdlnemap (PDLC Mapper) - c:\windows\system32\drivers\pdlnemap.sys
R3 pdlnemsg (PDLC Message Driver) - c:\windows\system32\drivers\pdlnemsg.sys
R3 pdlnepkt (PDLC Buffer Manager) - c:\windows\system32\drivers\pdlnepkt.sys
R3 pdlnshay (PDLC Hayes At signalling) - c:\windows\system32\drivers\pdlnshay.sys
R3 pdlnslea (PDLC SDLC Leased) - c:\windows\system32\drivers\pdlnslea.sys
R3 pdlnsv25 (PDLC V25bis signalling) - c:\windows\system32\drivers\pdlnsv25.sys
R3 pdlnsx25 (PDLC X.25) - c:\windows\system32\drivers\pdlnsx25.sys

S3 ANC - c:\windows\system32\drivers\anc.sys
S3 catchme - c:\windows\temp\catchme.sys (file missing)
S3 EGATHDRV (IBM Access Support) - c:\windows\system32\egathdrv.sys <Not Verified; IBM Corporation; IBM eGatherer>
S3 MREMPR5 (MREMPR5 NDIS Protocol Driver) - c:\program files\common files\motive\mrempr5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\program files\common files\motive\mrendis5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
S3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
S3 PRISM (Instant Wireless - Network PC CARD Driver) - c:\windows\system32\drivers\prismnds.sys <Not Verified; LINKSYS Corporation; Instant Wireless - Network PC Card>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 NetCfgSvr (Network Configuration Service) - c:\apps\internet\at&tne~1\netcfgsv.exe <Not Verified; AT&T; NetCfgSvr Module>
R2 TpChrSrv (ThinkPad PM) - c:\windows\system32\tpchrsrv.exe
R2 TrcBoot - c:\windows\system32\drivers\trcboot.exe
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S2 Bonjour Service - c:\program files\gizmo project\mdnsresponder.exe <Not Verified; Apple Computer, Inc.; Bonjour>
S3 C-DillaCdaC11BA - c:\windows\system32\drivers\cdac11ba.exe <Not Verified; Macrovision; SafeCast Windows NT>
S3 ISAMsmt (ISAM SMT Service) - c:\program files\c4ebreg\isamsmt.exe <Not Verified; IBM Global Services; >
S3 ldlcserv (LocalSystem) - c:\windows\system32\drivers\ldlcserv.exe
S4 Irmon (Infrared Monitor) - c:\windows\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S4 ISSIMon (ISSI EZUpdate) - c:\sdwork\issimsvc.exe (file missing)
S4 QCONSVC - system32\qconsvc.exe <Not Verified; IBM Corp.; IBM ThinkPad Utility>
S4 VMAuthdService (VMware Authorization Service) - c:\apps\vmware\vmware workstation\vmware-authd.exe (file missing)
S4 VMnetDHCP (VMware DHCP Service) - c:\windows\system32\vmnetdhcp.exe <Not Verified; VMware, Inc.; VMware Workstation>
S4 VMware NAT Service - c:\windows\system32\vmnat.exe <Not Verified; VMware, Inc.; VMware Workstation>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: High Rate Wireless LAN Mini-PCI Adapter with Modem II
Device ID: PCI\VEN_1260&DEV_3873&SUBSYS_25138086&REV_01\4&139E449D&0&10F0
Manufacturer: Intel Corporation
Name: High Rate Wireless LAN Mini-PCI Adapter with Modem II
PNP Device ID: PCI\VEN_1260&DEV_3873&SUBSYS_25138086&REV_01\4&139E449D&0&10F0
Service: IMWEB51

Class GUID: {6BDD1FC5-810F-11D0-BEC7-08002BE2092F}
Description: IBM ThinkPad Fast Infrared Port
Device ID: ACPI\IBM0071\4&1D6F7EAE&0
Manufacturer: IBM
Name: IBM ThinkPad Fast Infrared Port
PNP Device ID: ACPI\IBM0071\4&1D6F7EAE&0
Service: NSCIRDA

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Bluetooth LAN Access Server Driver
Device ID: ROOT\NET\0000
Manufacturer: WIDCOMM, Inc.
Name: Bluetooth LAN Access Server Driver
PNP Device ID: ROOT\NET\0000
Service: BTWDNDIS

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: AGN Virtual Network Adapter
Device ID: ROOT\NET\0001
Manufacturer: AT&T
Name: AGN Virtual Network Adapter
PNP Device ID: ROOT\NET\0001
Service: avpnnic

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems SSL VPN Adapter
Device ID: ROOT\NET\0002
Manufacturer: Cisco Systems
Name: Cisco Systems SSL VPN Adapter
PNP Device ID: ROOT\NET\0002
Service: CSVirtA

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VMware Virtual Ethernet Adapter for VMnet1
Device ID: ROOT\VMWARE\0000
Manufacturer: VMware, Inc.
Name: VMware Virtual Ethernet Adapter for VMnet1
PNP Device ID: ROOT\VMWARE\0000
Service: VMnetAdapter

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VMware Virtual Ethernet Adapter for VMnet8
Device ID: ROOT\VMWARE\0001
Manufacturer: VMware, Inc.
Name: VMware Virtual Ethernet Adapter for VMnet8
PNP Device ID: ROOT\VMWARE\0001
Service: VMnetAdapter


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 632)
2003-10-09 01:02:00 1064960 --a------ C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.dll <Not Verified; Logitech Inc.; Bluetooth Services>
2003-10-09 01:02:00 65536 --a------ C:\Program Files\Common Files\Logitech\Bluetooth\lbtinte.dll <Not Verified; Logitech Inc.; Embedded Bluetooth API>

C:\WINDOWS\explorer.exe (pid 2360)
2004-02-05 02:36:00 106496 --a------ C:\Program Files\ThinkPad\Utilities\PWRMONIT.DLL <Not Verified; IBM Corp.; IBM ThinkPad Utility>

C:\WINDOWS\system32\rundll32.exe (pid 2760)
2004-02-05 02:36:00 106496 --a------ C:\Program Files\ThinkPad\Utilities\PWRMONIT.DLL <Not Verified; IBM Corp.; IBM ThinkPad Utility>
2004-02-05 02:36:00 125952 --a------ C:\Program Files\ThinkPad\Utilities\TPPWRW32.DLL <Not Verified; IBM Corp.; IBM ThinkPad Utility>


-- Scheduled Tasks -------------------------------------------------------------

2008-08-06 19:36:10 448 --a------ C:\WINDOWS\Tasks\SDMsgUpdate (SD).job
2008-08-06 19:29:55 440 --a------ C:\WINDOWS\Tasks\BMMTask.job


-- Files created between 2008-07-06 and 2008-08-06 -----------------------------

2008-08-06 16:36:27 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-06 15:17:47 0 d-------- C:\Documents and Settings\"username"\Application Data\Malwarebytes
2008-08-06 15:17:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-01 19:11:22 0 d-------- C:\WINDOWS\ERUNT


-- Find3M Report ---------------------------------------------------------------

2008-08-06 19:37:41 0 d-------- C:\Program Files\Symantec AntiVirus
2008-05-27 18:11:47 80910406 --a------ C:\badreg.reg


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b1f03258-1dd1-11b2-844a-d95ac99666f6}]
C:\WINDOWS\nupgxofi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DDE874FD-3D40-48B0-A30D-E2490AE0FA80}]
C:\WINDOWS\system32\opnnnoNH.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [09/04/2001 01:24 PM C:\WINDOWS\system32\Ati2mdxx.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [06/24/2003 03:34 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [06/24/2003 03:33 PM]
"TP4EX"="tp4ex.exe" [09/04/2002 02:05 AM C:\WINDOWS\system32\TP4EX.exe]
"Tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [11/07/2001 06:50 AM]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [01/24/2003 05:37 PM]
"AGRSMMSG"="AGRSMMSG.exe" [06/27/2003 08:53 AM C:\WINDOWS\AGRSMMSG.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [01/16/2003 11:52 AM]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [02/05/2004 02:36 AM]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [02/05/2004 02:36 AM]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [02/05/2004 02:36 AM]
"Share-to-Web Namespace Daemon"="C:\Apps\MultiMedia\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" []
"hpppta"="C:\apps\multimedia\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe" []
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [09/19/2003 01:17 PM C:\WINDOWS\KHALMNPR.Exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [05/22/2006 05:13 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [03/24/2006 08:14 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [05/27/2006 04:40 AM]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [10/14/2003 10:22 AM]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [04/14/2004 02:46 PM]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [04/14/2004 03:04 PM]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04e\BrStDvPt.exe" [05/25/2004 09:16 AM]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [07/20/2004 09:34 AM]
"QCWLIcon"="C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe" [07/30/2003 03:07 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [07/31/2007 09:45 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"Aim6"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/13/2007 01:34 PM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"csiCNqCRDzQO"= {88CA28BF-2260-8215-2110-EAAE8DFB1731} - C:\WINDOWS\system32\aeqy.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTServ]
C:\Program Files\Common Files\Logitech\Bluetooth\lbtserv.dll 10/09/2003 01:02 AM 1064960 C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\opnnnoNH

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Configuration Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Configuration Utility.lnk
backup=C:\WINDOWS\pss\Configuration Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus QuickStart.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lotus QuickStart.lnk
backup=C:\WINDOWS\pss\Lotus QuickStart.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C4EBReg]
"C:\Program Files\C4ebreg\c4ebreg.exe" /q

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CardScan AutoSync]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDBitSet]
"C:\Apps\MultiMedia\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
"C:\apps\internet\EarthLinkTotalAccess\TaskPanl.exe" -winstart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Forbes]
C:\Program Files\Forbes\ForbesAlerts.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPCDTray]
"C:\Apps\MultiMedia\HP CD-DVD\Umbrella\hpcdtray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]
C:\WINDOWS\System32\hphmon04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
"C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMWEBSTA.EXE]
IMWEBSTA.EXE START

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Infuzer]
C:\Program Files\Infuzer\Infuzer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISAM SMT Service]
"C:\Program Files\C4ebreg\isamsmt.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISSI EZUpdate Service]
"c:\sdwork\issimsvc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mobile Phone Suite]
C:\Apps\Logitech\Mobile Phone Suite\MobilePhoneSuite.exe -nogui

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mozilla Quick Launch]
"C:\Apps\Internet\Netscape\Netscape\Netscp.exe" -turbo

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QCWLICON]
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Apps\MultiMedia\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Apps\MultiMedia\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
C:\Program Files\Support.com\bin\tgcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]
WDBtnMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\Winampa.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
"Messenger"=3 (0x3)
"ISSIMon"=3 (0x3)
"Irmon"=3 (0x3)
"cisvc"=3 (0x3)
"VMware NAT Service"=3 (0x3)
"VMnetDHCP"=3 (0x3)
"VMAuthdService"=3 (0x3)
"QCONSVC"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5ed7e116-50f6-11db-a75d-00096be0a136}]
AutoRun\command- explorer.exe http://www.cymbaltamd.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b1e1f4b-911f-11db-a763-00053c09d57c}]
AutoRun\command- F:\launch.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aaf9f9ac-bb10-11dc-a797-00053c09d57c}]
AutoRun\command- E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aaf9f9ad-bb10-11dc-a797-00053c09d57c}]
Open(&O)\command- RECYCLED\appmgmt.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b7cd0237-f07c-11dc-a7a1-00096be0a136}]
AutoRun\command- E:\wd_windows_tools\WDEULA.exe

-- End of Deckard's System Scanner: finished at 2008-08-06 19:50:04 ------------
----End DSS Main Log----
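The Registry Dump in the log above holds the persistence points that matter for cleanup, and they are worth reading together rather than line by line: the LSA "Authentication Packages" value has an extra entry appended (on Windows XP the default is msv1_0 alone, and anything listed there is loaded into lsass.exe at boot), the same name opnnnoNH is also registered as a Browser Helper Object, a second BHO sits directly in C:\WINDOWS rather than in a product folder, a ShellServiceObjectDelayLoad entry with a random-looking name points at aeqy.dll (DSS only prints non-default SSODL entries), and two mountpoints2 entries run RECYCLED\appmgmt.exe or launch explorer.exe with a URL. The Python script below is an added triage example, not part of the original post and not code from DSS or HijackThis; it parses a constructed excerpt written in the DSS dump layout and applies those checks. The severity labels, the %WINDIR%-root rule and the recycled/URL heuristics are this example's own assumptions, not anything DSS itself does.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the DSS "Registry Dump" (sample input
# for this example only; the full dump is the one in the post).
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b1f03258-1dd1-11b2-844a-d95ac99666f6}]
C:\WINDOWS\nupgxofi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DDE874FD-3D40-48B0-A30D-E2490AE0FA80}]
C:\WINDOWS\system32\opnnnoNH.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"csiCNqCRDzQO"= {88CA28BF-2260-8215-2110-EAAE8DFB1731} - C:\WINDOWS\system32\aeqy.dll [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\opnnnoNH

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5ed7e116-50f6-11db-a75d-00096be0a136}]
AutoRun\command- explorer.exe http://www.cymbaltamd.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aaf9f9ad-bb10-11dc-a797-00053c09d57c}]
Open(&O)\command- RECYCLED\appmgmt.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b7cd0237-f07c-11dc-a7a1-00096be0a136}]
AutoRun\command- E:\wd_windows_tools\WDEULA.exe
"""


def parse_dump(text):
    """Map each [registry key] header to the non-empty value lines under it."""
    keys = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current is not None:
            keys[current].append(line)
    return keys


def dll_stem(path):
    """File name without directory or .dll extension, for cross-key matching."""
    name = path.rsplit("\\", 1)[-1]
    return re.sub(r"\.dll$", "", name, flags=re.I)


def lsa_extras(keys):
    """Entries in LSA 'Authentication Packages' beyond the XP default msv1_0."""
    extras = []
    for key, lines in keys.items():
        if not key.lower().endswith("\\control\\lsa"):
            continue
        for line in lines:
            m = re.match(r'"Authentication Packages"=\s*(.*)', line)
            if m:
                extras += [t for t in m.group(1).split() if t.lower() != "msv1_0"]
    return extras


def findings(text):
    """Return (severity, rule, item) tuples; severities are this example's own scale."""
    keys = parse_dump(text)
    extras = lsa_extras(keys)
    extra_stems = {dll_stem(e).lower() for e in extras}
    out = [("HIGH", "LSA Authentication Packages", e) for e in extras]
    for key, lines in keys.items():
        k = key.lower()
        if "browser helper objects" in k:
            for path in lines:
                # Same module registered as a BHO and as an LSA package: correlate.
                if dll_stem(path).lower() in extra_stems:
                    out.append(("HIGH", "BHO also loaded as LSA package", path))
                # Legitimate BHOs live under a product folder, not in C:\WINDOWS itself.
                elif path.rsplit("\\", 1)[0].lower() == "c:\\windows":
                    out.append(("MEDIUM", "BHO DLL in %WINDIR% root", path))
        elif k.endswith("shellserviceobjectdelayload"):
            for line in lines:
                m = re.search(r"-\s+(\S+\.dll)", line, re.I)
                if m:
                    out.append(("MEDIUM", "Non-default SSODL entry", m.group(1)))
        elif "\\mountpoints2\\" in k:
            for line in lines:
                cmd = line.split("command-", 1)[-1].strip()
                # Heuristic: a drive's autorun should not run from RECYCLED or open a URL.
                if "recycled" in cmd.lower() or re.search(r"https?://", cmd, re.I):
                    out.append(("HIGH", "Suspicious mountpoints2 command", cmd))
    return out


if __name__ == "__main__":
    for sev, rule, item in findings(SAMPLE_DUMP):
        print(f"{sev:6} {rule}: {item}")
```

To use it on the real log, read the Registry Dump section into a string and pass it to findings(). The correlation rule is the one to pay attention to: a module that is both a BHO and an LSA authentication package is mapped into lsass.exe from boot, so its file stays locked while Windows runs normally, which is why deleting it from an offline boot (as was done here by mounting the infected drive as D:) tends to work where in-place removal does not.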

rgATL
2008-08-07, 02:54
----Start DSS Main Log----
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 Mobile CPU 2.00GHz
Percentage of Memory in Use: 45%
Physical Memory (total/avail): 1022.98 MiB / 555.74 MiB
Pagefile Memory (total/avail): 2457.98 MiB / 2115.25 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1930.18 MiB

C: is Fixed (NTFS) - 72.88 GiB total, 3.29 GiB free.

\\.\PHYSICALDRIVE0 - HTS541080G9AT00 - 74.53 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 72.88 GiB - C:
\PARTITION1 - Unknown - 1683.28 MiB



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is disabled.

AV: Symantec AntiVirus Corporate Edition v10.1.0.401 (Symantec Corporation) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Gizmo Project\\mDNSResponder.exe"="C:\\Program Files\\Gizmo Project\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Gizmo Project\\Gizmo.exe"="C:\\Program Files\\Gizmo Project\\Gizmo.exe:*:Enabled:Gizmo Project"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Apps\\Internet\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Apps\\Internet\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Apps\\Internet\\Yahoo!\\Messenger\\YServer.exe"="C:\\Apps\\Internet\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\SPSS-16\\spss.com"="C:\\Program Files\\SPSS-16\\spss.com:*:Disabled:SPSS 16.0 (1033:com)"
"C:\\Program Files\\SPSS-16\\spss.exe"="C:\\Program Files\\SPSS-16\\spss.exe:*:Disabled:SPSS 16.0 (1033:exe)"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\"username"\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME="username"T30
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\"username"
LOGONSERVER=\\"username"T30
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\PROGRAM FILES\THINKPAD\UTILITIES;C:\Program Files\IBM\Trace Facility;C:\Apps\Internet\Personal Communications;C:\Notes;C:\"username"\util;c:\"username"\util\perl\bin;c:\"username"\util\unixutils\usr\local\wbin;C:\Program Files\ATI Technologies\ATI Control Panel;c:\PSM;C:\Apps\IBM\Infoprint;
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PCOMM_Root=C:\Apps\Internet\Personal Communications
PDBASE=C:\Apps\IBM\Infoprint
PD_SOCKET=6874
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\WINDOWS\TEMP
TMP=C:\DOCUME~1\"username"\LOCALS~1\Temp
USERDOMAIN="username"T30
USERNAME="username"
USERPROFILE=C:\Documents and Settings\"username"
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

"username" (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\eBLVD\setup.exe
--> C:\WINDOWS\IsUninst.exe -f"C:\apps\internet\WS_FTP Pro\uninst.isu"
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ibm\gsk4\gsk4BUI.isu"
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {09DA4F91-2A09-4232-AB8C-6BC740096DE3}
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {8214CC02-6271-4DC8-B8DD-779933450264}
--> MsiExec.exe /I{8A42F680-2DD6-11D4-9A8C-0040F6982C20}
--> MsiExec.exe /I{A2529672-574A-4A99-86A5-C1770A0E31FE}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C8B3C093-5B66-471F-B508-5308A57855EC}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Access ThinkPad --> MsiExec.exe /X{B5599ECB-DA72-43EE-8A30-2C80396FF8BB}
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Download Manager 2.2 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe FrameMaker v6.0 --> C:\WINDOWS\ISUNINST.EXE -fC:\apps\Adobe\FrameMaker6.0\Uninst.isu -cC:\apps\Adobe\FrameMaker6.0\Uninst.dll
Adobe Illustrator CS --> RunDll32 "C:\Program Files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll",LaunchSetup "C:\Program Files\InstallShield Installation Information\{91A4AD99-69CE-4745-97B7-0E0DFBECFDE5}\setup.exe"
Adobe Photoshop 6.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\apps\Adobe\Photoshop 6.0\Uninst.isu" -c"C:\apps\Adobe\Photoshop 6.0\Uninst.dll"
Adobe Product/Adobe Studio Update 10/2001 --> "C:\Program Files\InstallShield Installation Information\{73006B34-9743-4A39-AC37-38EDFCEB6DCE}\setup.exe"
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Agere Systems AC'97 Modem --> agrsmdel
AIM 6.0 --> C:\Program Files\AIM6\uninst.exe
AirPort --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BF943523-E0EF-4658-A3CC-D8AD0905E56F}
AT&T Network Client --> C:\Apps\Internet\AT&T Net Client\NetUN.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Audio Record Wizard v3.99 --> "C:\Program Files\Audio Record Wizard\unins000.exe"
Brio Enterprise Client --> C:\WINDOWS\IsUninst.exe -f"C:\apps\Brio\BRIO Query\Uninst.isu"
Brother MFL-Pro Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{71FD03B5-E653-4CB8-9B56-A466ABC9FCA9}\Setup.exe" -l0x9 Brunin03.dllBrunin03.dll
CardScan 6.0.5 --> MsiExec.exe /X{DCB63CEC-C6A3-4963-A5D0-6C03EE0CC08F}
Cisco SSL VPN Client --> C:\Program Files\Cisco Systems\SSL VPN Client\uninstall.exe
Configuration Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C0D32BED-4EA6-11D5-AD9A-0050BA1AB546}\Setup.exe"
CorelDRAW 10 --> C:\WINDOWS\Corel\uninst32.exe
CorelDRAW 10 --> MsiExec.exe /I{9E50DEC9-081B-441F-B647-98DBEA8B01DD}
CueCard (remove only) --> "C:\Program Files\CueCard\uninst.exe"
Delta Flights Palm Conduit --> "C:\Apps\Palm\PalmCDI.exe" /u "\Software\U.S. Robotics\Pilot Desktop\Application2" InnD "C:\Apps\Palm\DeltaConduit.dll" "\Software\Microsoft\Windows\CurrentVersion\Uninstall\Delta Flights"
DivX 5.0.2 Bundle --> C:\WINDOWS\unvise32.exe C:\Apps\MultiMedia\DivX_5.0.2\uninstal.log
Download Accelerator Plus --> C:\Apps\Internet\DAP\UNWISE.EXE C:\Apps\Internet\DAP\INSTALL.LOG
EDIFECS EDI Standards Database (X12) --> MsiExec.exe /I{CA1965BF-B8A6-41BB-8848-FC5699296B98}
EDIFECS SpecBuilder 5.1 --> MsiExec.exe /I{5660552E-51BC-4A17-AEB1-DF29F5C05F9D}
File Recovery Tree 25 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\File Recovery Tree 25\DeIsL1.isu" -c"C:\Program Files\File Recovery Tree 25\_ISREG32.DLL"
FirstClass @ Emory 8.043 (EOL Fall 2005) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6CBD63C1-0CF2-49AF-8B4F-37614D60A7B4}\Setup.exe" -l0x9
FRED --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC4204C7-D7B8-4483-9651-BFDDBA97F7B0}\Setup.exe" -l0x9
FRED --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{64ED36E0-5EEE-462B-A807-C547950B25E1}\setup.exe" -l0x9 -removeonly
Generations® Millennium --> C:\WINDOWS\IsUninst.exe -fC:\apps\FamilyTree\Gen7m\Uninst.isu
GetDataBack for NTFS --> "C:\Program Files\GetDataBack\GetDataBack for NTFS\Uninstall.exe" "C:\Program Files\GetDataBack\GetDataBack for NTFS\install.log" -u
Gizmo Project 2.0 --> C:\Program Files\Gizmo Project\uninst.exe
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
High Rate Wireless LAN Mini-PCI Adapter with Modem II --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D75BEE78-1859-4616-9376-05550126EA60}\SETUP.EXE" -l0x9 -J -uninst
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2 --> "C:\Program Files\HijackThis\HijackThis.exe" /uninstall
hp dvd writer --> "C:\Apps\MultiMedia\HP CD-DVD\Support\Uninstall.exe"
hp instant support --> C:\Apps\MULTIM~1\HEWLET~1\HPINST~1\Uninstall.exe CeS
hp LaserJet 1010 Series --> MsiExec.exe /x {292C47B2-8DB7-47BF-896C-C3C5EE8108C4}
HP Photo and Imaging 1.0 - HP Photosmart Printer Series --> MsiExec.exe /I{0D396571-7BBD-44CE-ABB3-518BF86B72F7}
HP Photo and Imaging 1.2.1 - Scanjet 4500c Series --> MsiExec.exe /I{C0FC80E9-8172-4F02-87F5-7642DBFFEAB4}
HP PrecisionScan Pro --> C:\WINDOWS\IsUninst.exe -f"C:\apps\multimedia\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\Uninst.isu" -c"C:\apps\multimedia\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\HPUninstallIs.dll"
HP RecordNow --> MsiExec.exe /I{8214CC02-6271-4DC8-B8DD-779933450264}
HP Scan-to-Web Wizard --> C:\WINDOWS\IsUninst.exe -f"C:\apps\multimedia\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\Scan-To-Web.isu"
HP Simple Backup 4.75 (OEM) --> C:\WINDOWS\IsUninst.exe -f"C:\Apps\MULTIM~1\HPCD-D~1\HP Simple Backup\DeIsL1.isu" -cC:\Apps\MULTIM~1\HPCD-D~1\HPSIMP~1\System\UNINST.DLL
IBM Access Connections --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{22B71A00-4DED-11D4-A5E5-0004AC564F43}\SETUP.EXE" -l0x9 anything
IBM Bluetooth Software --> MsiExec.exe /X{600C1577-3AB5-4E72-8F58-AC7F5A990A4C}
IBM Data Transfer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4D6494BE-0759-11D5-B504-000629B04E58}\Setup.exe"
IBM NotesBuddy --> C:\WINDOWS\IsUninst.exe -fC:\Apps\IBM\NotesBuddy\Uninst.isu
IBM Personal Communications --> C:\WINDOWS\PCSUNIST.EXE C:\WINDOWS\unisthook.exe C:\WINDOWS\ISUNINST.EXE -f"C:\Apps\Internet\Personal Communications\DeIsL1.isu" -y
IBM Rapid Restore PC Setup --> MsiExec.exe /X{3B7B3B4A-AF8C-4671-A92E-3E7E9ABCB22B}
IBM RecordNow Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
IBM ThinkPad Access Support --> wscript "C:\Program Files\Support.com\bin\uninstall.vbs" -uninstall -release1
IBM ThinkPad Battery MaxiMiser and Power Management Features --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\Unbmm.isu -c"C:\Program Files\ThinkPad\Utilities\Tpinsbmm.dll"
IBM ThinkPad Configuration --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\UNTPUN.isu -c"C:\Program Files\ThinkPad\Utilities\Tpinsnt.dll"
IBM ThinkPad Configuration --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\UNTPUW.ISU -c"C:\Program Files\ThinkPad\Utilities\Tpinswin.dll"
IBM ThinkPad EasyEject Utility --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\Unezej.isu -c"C:\Program Files\ThinkPad\Utilities\Tpinsej.dll"
IBM ThinkPad Power Management Driver --> RunDll32.exe tpinspm.dll,Uninstall
IBM ThinkPad Presentation Director --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\UNNPDR.isu -c"C:\Program Files\ThinkPad\Utilities\Tpinsnpd.dll"
IBM ThinkPad UltraNav Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
IBM ThinkPad UltraNav Wizard --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{82512BC9-BD5D-4C50-BE4D-B98E7DF78687}\SETUP.EXE"
IBM TrackPoint Accessibility Features --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA664480-3844-11D5-8C25-444553540000}\setup.exe"
IBM Update Connector --> MsiExec.exe /X{31C2FBAC-67CF-4093-8F36-15A146613747}
IBM WBI Workbench --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FCCE1F6-E4AC-4EB3-BA09-1CC744C3ABD8}\Setup.exe" -l0x9 -uninst
Infoprint Select --> C:\WINDOWS\IsUninst.exe -fC:\Apps\IBM\Infoprint\Uninst.isu
Infuzer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchiSetup -ether"C:\Program Files\InstallShield Installation Information\{54FC2173-BF6C-45B9-A7F8-304FA966A856}"
Intel(R) PRO Network Adapters and Drivers --> Prounstl.exe
Intellisync Desktop --> C:\WINDOWS\IsUninst.exe -fC:\APPS\PUMATECH\INTELLISYNC\Uninst.isu -c"C:\APPS\PUMATECH\INTELLISYNC\PtUninst.dll"
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe" REMOVEALL
Ipswitch WS_FTP Pro --> C:\WINDOWS\ISUNINST.EXE -f"C:\apps\internet\WS_FTP Pro\uninst.isu" -c"C:\apps\internet\WS_FTP Pro\FTPInstUtils.dll"
ItsDeductible --> C:\WINDOWS\uninst.exe -fC:\Apps\ItsDeductible\DeIsL1.isu -cC:\Apps\ItsDeductible\_ISREG32.DLL
ItsDeductible7 --> C:\WINDOWS\uninst.exe -fC:\apps\ItsDeductible7\DeIsL1.isu -cC:\apps\ItsDeductible7\_ISREG32.DLL
ITSO FrameMaker Toolkit --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DAA98AD0-0911-11D5-A445-400054000037}\Setup.exe" -uninst
Java 2 Runtime Environment, SE v1.4.0_01 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7CF31609-270B-11D6-9445-000102308676}\Setup.exe" Anytext
Java 2 Runtime Environment, SE v1.4.1_02 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFCE5837-FC21-11D6-9D24-00010240CE95}\setup.exe" Anytext
Java Web Start --> "C:\Program Files\Java Web Start\uninst-javaws.exe"
Java(TM) SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
Lenovo Battery Program --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B214C3C8-FC16-42EC-B7BB-703A1BB9C790}\Setup.exe" -l0x9
LiveUpdate 3.0 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Logitech SetPoint --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe" -l0x9
Lotus Notes --> C:\WINDOWS\IsUninst.exe -fc:\apps\lotus\notes\Uninst.isu
Lotus NotesSQL 3.01 driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{113EECD6-9A04-11D4-811D-00805F923B86}\Setup.exe" -uninst
Lotus SmartSuite - English --> MsiExec.exe /I{536D6172-7453-7569-7465-392E38300409}
Macromedia Flash MX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3BE480ED-E17A-431A-981C-5C2EDDBCD3BF}\Setup.exe" -l0x9 UNINSTALL
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MetaFrame Presentation Server Client --> MsiExec.exe /I{E92B7A19-5FD5-4AEE-9FEF-7AD5DD3A675E}
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office 2000 Standard --> MsiExec.exe /I{00020409-78E1-11D2-B60F-006097C998E7}
Microsoft Office XP Standard --> MsiExec.exe /I{90120409-6000-11D3-8CFE-0050048383C9}
Microsoft Picture It! Publishing 2001 --> MsiExec.exe /I{15D9EB74-998E-4A04-B468-51C2E7B32182}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
mIRC --> "C:\Program Files\mIRC\mirc.exe" -uninstall
Mobile Phone Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{36C91F9F-292E-4395-83B6-13B3C61FE93E}\setup.exe" -l0x9
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\"username"\Application Data\Move Networks\ie_bin\Uninst.exe
Mozilla Firefox (2.0.0.6) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MUSICMATCH® Jukebox --> C:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.exe
MyDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5E835305-63BB-4E55-BBB7-EEBBE67774DB}\Setup.exe" -l0x9 -L0x9 /SMAINT
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Netscape (7.1) --> C:\WINDOWS\NSUninst.exe /ua "7.1b1 (en)"
Neverwinter Nights --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7C503E58-B2BC-11D5-978A-0050BA84F5F7}\Setup.exe" -l0x9
Nimo Codecs Pack v5.0 (Remove Only) --> "C:\apps\MultiMedia\NimoCodecPack\uninstall.exe"
OLYMPUS CAMEDIA Master 4.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{30BB4D60-81DB-11D5-BB77-00400536ABAC}\Setup.exe" CAMEDIA Master 4.03
Palm Desktop --> MsiExec.exe /X{C5EC81D0-3DED-435D-A46E-E3F60F7DC8AD}
PaperPort --> MsiExec.exe /I{A17EABB6-D0C6-44E5-820C-72DC7F495064}
PCS Connection Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9123C204-4220-4584-82D1-79DCFE759F22}\Setup.exe" -l0x9
Pdf995 --> C:\Program Files\pdf995\setup.exe uninstall
Photosmart 130,230,7150,7345,7350,7550 (Remove only) --> C:\Program Files\HP Photosmart 11\Printer\hphuni04.exe
PicoZip Recovery Tool 1.02 --> C:\Apps\Internet\PICOZI~1\UNWISE.EXE C:\Apps\Internet\PICOZI~1\INSTALL.LOG
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
PowerQuest PartitionMagic 8.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}
Printing Systems Manager --> C:\WINDOWS\uninst.exe -fc:\psm\DeIsL1.isu -cc:\psm\_ISREG32.DLL
Quicken 2003 Premier Home & Business --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2A3E87C5-ED9D-427F-9E0F-C06E8EAD6351} anything
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
Radio Toolbox --> C:\Program Files\Radio Toolbox\Uninstall.exe
SafeCast Shared Components --> C:\WINDOWS\CDAC13BA.EXE /uninstall
Sametime Client v1.5 --> C:\WINDOWS\IsUninst.exe -fC:\Apps\Lotus\Sametime\DeIsL2.isu
Sametime Client v3.0 --> C:\WINDOWS\IsUninst.exe -fC:\Apps\Lotus\Sametime\STCUnins.isu
SAPLogon Customizer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A7FC0422-8468-45B7-A409-0CED47F6590A}\setup.exe" -l0x9
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
SHOUTcast DNAS (remove only) --> "C:\Program Files\SHOUTcast DNAS\uninst-dnas.exe"
SmartDraw 7 --> C:\PROGRA~1\SMARTD~1\UNWISE.EXE C:\PROGRA~1\SMARTD~1\INSTALL.LOG
SnagIt 6 --> C:\Apps\MultiMedia\TechSmith\SnagIt 6\SIUNINST.EXE
Sony Sound Forge 8.0 --> MsiExec.exe /X{767572FD-4D01-4FA3-B0A6-4B09FB2CFC37}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
SPSS 16.0 --> MsiExec.exe /X{9A657E90-E2B7-44DE-8929-055948162595}
Streamripper Plugin 1.61.27 (Remove only) --> C:\Program Files\Winamp5\streamripper_uninstall.exe
Support.com Software --> "C:\Program Files\Support.com\bin\tgfix.exe" /rm /nq
Symantec AntiVirus 10.1.0.401 --> MsiExec.exe /I{A011A1DC-7F1D-4EA8-BD11-0C5F9718E428}
Tag&Rename 3.2 --> "C:\Program Files\TagRename\unins000.exe"
Tectia SSH 3.2.9 (EOL Fall 2005) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{172AF3AC-9FA0-421E-A18E-9A4525A6F6F5}\Setup.exe" -l0x9
TextPad --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ADBBED4F-720B-460D-AA14-D85EBC4AEF97}\Setup.exe"
ThinkPad FullScreen Magnifier --> RunDll32 setupapi.dll,InstallHinfSection DefaultUninstall.NT 132 C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.inf
ThinkPad Software Installer --> _tpiu000.exe /U
Tivoli City --> C:\WINDOWS\Tivoli City Uninstaller.exe
TurboTax Premier Home & Business 2002 --> C:\apps\TurboTax02\TaxUnst.EXE "C:\apps\TurboTax02\Uninstall.log" -NoGui
TurboTax Ultimate 2003 --> C:\apps\TurboTax03\TaxUnst.EXE "C:\apps\TurboTax03\Uninstall.log" -NoGui
UltraVNC v1.0.1 --> "C:\Program Files\UltraVNC\unins000.exe"
Uninstall PC-Doctor --> C:\PROGRA~1\PC-DOC~1\AdminCheck.exe
VideoLAN VLC media player 0.8.5 --> C:\Program Files\VLC\uninstall.exe
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
VMware Workstation --> MsiExec.exe /I{98D1A713-438C-4A23-8AB6-41B37C4A2D47}
WD Backup --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A351224F-533A-4EED-89F4-0BF3417FD31D}\setup.exe" -l0x9
WD Diagnostics --> MsiExec.exe /X{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}
WD Firewire HID Driver --> MsiExec.exe /X{FD6C6B7F-5696-48C5-A601-2EE9E50C3D46}
WebEx --> C:\WINDOWS\DOWNLO~1\atcliun.exe
Winamp (remove only) --> "C:\Program Files\Winamp5\UninstWA.exe"
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinSpeedUp --> MsiExec.exe /I{2A611511-AA7A-4D23-AF19-8735E799A134}
WinZip --> "C:\Apps\Internet\WinZip\WINZIP32.EXE" /uninstall
WordPerfect Family Pack 4 --> C:\WINDOWS\Corel\Uninst32.exe
WordPerfect Family Pack 4 --> C:\WINDOWS\Corel\uninst32.exe
XMLSPY 2004 Enterprise Edition --> MsiExec.exe /I{624C9AE0-6CD8-4166-9DFA-AE7DC07EC3EA}
XviD Video Codec 01082002-1 (Koepi's build with EPSZ ME) --> "C:\apps\Multimedia\XviD_KoepisBuild_010802\UninstXviD.exe"
Yahoo! Messenger --> C:\Apps\Internet\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\Apps\Internet\Yahoo!\MESSEN~1\INSTALL.LOG
ZapNotes --> C:\Apps\Lotus\ZapNotes\UNWISE.EXE C:\Apps\Lotus\ZapNotes\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type22808 / Error
Event Submitted/Written: 08/06/2008 07:37:41 PM
Event ID/Source: 62 / Symantec AntiVirus
Event Description:
Symantec AntiVirus communications layer failed to initialize. Remote manageability has been disabled. An error occurred while initializing SSL-based communication. Error code: 0x20000081.

Event Record #/Type22805 / Error
Event Submitted/Written: 08/06/2008 07:36:21 PM
Event ID/Source: 62 / Symantec AntiVirus
Event Description:
Symantec AntiVirus communications layer failed to initialize. Remote manageability has been disabled. An error occurred while initializing SSL-based communication. Error code: 0x20000081.

Event Record #/Type22803 / Error
Event Submitted/Written: 08/06/2008 07:35:45 PM
Event ID/Source: 2 / STCAgent
Event Description:
Termination reason code 10 [FAST_USER_SWITCH]

Event Record #/Type22795 / Warning
Event Submitted/Written: 08/06/2008 07:33:37 PM
Event ID/Source: 2 / STCAgent
Event Description:
Termination reason code 5 [USER_LOGGING_OFF]

Event Record #/Type22794 / Warning
Event Submitted/Written: 08/06/2008 07:33:21 PM
Event ID/Source: 2 / STCAgent
Event Description:
Termination reason code 5 [USER_LOGGING_OFF]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type25181 / Error
Event Submitted/Written: 08/06/2008 07:42:59 PM
Event ID/Source: 1003 / System Error
Event Description:
Error code 1000000a, parameter1 00000016, parameter2 00000002, parameter3 00000000, parameter4 804dbda3.

Event Record #/Type25180 / Error
Event Submitted/Written: 08/06/2008 07:39:01 PM
Event ID/Source: 1003 / System Error
Event Description:
Error code 1000000a, parameter1 00000016, parameter2 00000002, parameter3 00000000, parameter4 804dbda3.

Event Record #/Type25170 / Error
Event Submitted/Written: 08/06/2008 07:36:25 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Automatic Updates service terminated with the following error:
%%2147952506

Event Record #/Type25168 / Error
Event Submitted/Written: 08/06/2008 07:36:25 PM
Event ID/Source: 7024 / Service Control Manager
Event Description:
The Bonjour Service service terminated with service-specific error 4294967295 (0xFFFFFFFF).

Event Record #/Type25158 / Warning
Event Submitted/Written: 08/06/2008 04:35:08 PM
Event ID/Source: 256 / PlugPlayManager
Event Description:
Timed out sending notification of device interface change to window of "\??\C:\WINDOWS\system32\winlogon.exe"

-- End of Deckard's System Scanner: finished at 2008-08-06 19:50:04 ------------
----End DSS Extra Log----

Shaba
2008-08-07, 14:36
Does it still give that error message?

rgATL
2008-08-08, 03:02
Haven't seen it since I rebooted after MBAM.

rg.

Shaba
2008-08-08, 10:18
Nice to hear :)

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {b1f03258-1dd1-11b2-844a-d95ac99666f6} - C:\WINDOWS\nupgxofi.dll (file missing)
O2 - BHO: (no name) - {DDE874FD-3D40-48B0-A30D-E2490AE0FA80} - C:\WINDOWS\system32\opnnnoNH.dll (file missing)
O21 - SSODL: csiCNqCRDzQO - {88CA28BF-2260-8215-2110-EAAE8DFB1731} - C:\WINDOWS\system32\aeqy.dll (file missing)

Close all windows including browser and press fix checked.

Reboot.

Post back a fresh HijackThis log.
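
The four items above are O2 (Browser Helper Object) and O21 (ShellServiceObjectDelayLoad) registrations whose server DLL is gone, either because the CLSID no longer has an InProcServer32 path or because the file at that path has been deleted; HijackThis prints those as "(no file)" or "(file missing)". The script below is an added example, not code from this thread, from HijackThis or from Spybot: it reproduces that check against the live registry and, only when run with -Remove, deletes the orphaned registrations. Registry locations are the documented ones for XP; the System32 fallback for bare file names is a best-effort assumption.

```powershell
# Added example, not code from the thread or from HijackThis: reproduce the
# "(file missing)" check for O2 (Browser Helper Objects) and O21
# (ShellServiceObjectDelayLoad) registrations and optionally delete the
# orphaned ones. Save as a .ps1 and run from an elevated PowerShell prompt.

function Resolve-ClsidServer {
    # Return the expanded InProcServer32 path for a CLSID, or $null if there is none.
    param([string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path $root "$Clsid\InProcServer32"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $raw = (Get-Item -LiteralPath $key).GetValue('')
        if ($raw) {
            # Values may carry %SystemRoot% style variables and surrounding quotes.
            return [Environment]::ExpandEnvironmentVariables(([string]$raw).Trim('"'))
        }
    }
    return $null
}

function Test-ServerMissing {
    # No path at all, or a path whose file is gone, both count as orphaned.
    # A bare file name (no directory) is loaded through the DLL search path;
    # looking in System32 for it is an assumption, not what the loader does.
    param([string]$Dll)
    if (-not $Dll) { return $true }
    if (-not [IO.Path]::IsPathRooted($Dll)) { $Dll = Join-Path "$env:SystemRoot\System32" $Dll }
    return -not (Test-Path -LiteralPath $Dll)
}

function Find-OrphanedShellObjects {
    param([switch]$Remove)   # without -Remove only a -WhatIf preview is printed
    $findings = @()

    # O2: every subkey name under Browser Helper Objects is a BHO CLSID.
    foreach ($hive in 'HKLM', 'HKCU') {
        $bhoKey = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
        if (-not (Test-Path -LiteralPath $bhoKey)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $bhoKey) {
            $dll = Resolve-ClsidServer $sub.PSChildName
            $findings += [pscustomobject]@{
                Type = 'O2 BHO'; Key = $sub.PSPath; Name = $sub.PSChildName
                Dll = $dll; Orphaned = Test-ServerMissing $dll
            }
        }
    }

    # O21: every value under ShellServiceObjectDelayLoad maps a label to a CLSID.
    $ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    if (Test-Path -LiteralPath $ssodl) {
        $item = Get-Item -LiteralPath $ssodl
        foreach ($name in $item.GetValueNames()) {
            $dll = Resolve-ClsidServer ([string]$item.GetValue($name))
            $findings += [pscustomobject]@{
                Type = 'O21 SSODL'; Key = $ssodl; Name = $name
                Dll = $dll; Orphaned = Test-ServerMissing $dll
            }
        }
    }

    $findings | Format-Table Type, Name, Dll, Orphaned -AutoSize | Out-Host

    foreach ($f in $findings | Where-Object { $_.Orphaned }) {
        if ($f.Type -eq 'O2 BHO') {
            Remove-Item -LiteralPath $f.Key -Recurse -WhatIf:(-not $Remove)
        } else {
            Remove-ItemProperty -LiteralPath $f.Key -Name $f.Name -WhatIf:(-not $Remove)
        }
    }
}

Find-OrphanedShellObjects            # preview only
# Find-OrphanedShellObjects -Remove  # actually delete the orphaned registrations
```

An orphaned registration cannot load anything, so removing it is cleanup rather than disinfection; the value of the listing is that it also shows the entries whose DLL is still present, which are the ones worth looking at. On a 64-bit Windows install 32-bit BHOs also register under the Wow6432Node paths, which this script does not walk; a 32-bit XP install such as the one in this thread has only the native view.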

rgATL
2008-08-10, 20:43
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:30:51 PM, on 8/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\trcboot.exe
C:\Apps\Internet\Personal Communications\PCS_AGNT.EXE
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Apps\Internet\AT&TNE~1\NetCfgSv.EXE
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TpChrSrv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\SMARTD~1\Messages\SDNotify.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Java\jre1.6.0\bin\jucheck.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.sbank.uk.ibm.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;localhost;9.*;<local>
N3 - Netscape 7: user_pref("browser.startup.homepage", "about:blank"); (C:\Documents and Settings\"username"\Application Data\Mozilla\Profiles\default\yrmv02l7.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CApps%5CInternet%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\"username"\Application Data\Mozilla\Profiles\default\yrmv02l7.slt\prefs.js)
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Apps\Internet\DAP\DAPBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Apps\Internet\DAP\DAPIEBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Apps\MultiMedia\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [hpppta] C:\apps\multimedia\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04e\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QCWLIcon] C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: Mouse.lnk = C:\WINDOWS\System32\main.cpl
O8 - Extra context menu item: &Download with &DAP - C:\Apps\Internet\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Apps\Internet\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Apps\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XMLSPY2004\spy.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\Apps\Internet\DAP\DAP.EXE
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSPY2004\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSPY2004\spy.htm (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\program files\webhancer\programs\webhdll.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ConferenceRoom Java Client - http://pix.sexyads.net:8080/java/cr.cab
O16 - DPF: IBM EA2000 - https://w3-1.ibm.com/tools/us/expenses/EA2000.cab
O16 - DPF: Sametime Meeting Room Client ST20 - https://d02db540.southbury.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: Sametime Meeting Room Client ST20H3 - http://www-125.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: Sametime Meeting Room Client ST31 - https://www-1.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: ST MRC ST31IF1 PMR-90722999000 - https://www-1.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: STCJava - https://152.133.32.53/CACHE/webvpn/stc/1/binaries/stcjava.cab
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/static/controls/WebflowActiveXInstaller_4-2-1.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-306.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4300B272-3776-48D3-9A33-D4019924AB9E}: Domain = itso.ral.ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6ED1B95-34FC-407F-9B85-07FD942A7C54}: Domain = ibm.com
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Gizmo Project\mDNSResponder.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: ISAM SMT Service (ISAMsmt) - IBM Global Services - C:\Program Files\C4ebreg\isamsmt.exe
O23 - Service: LocalSystem (ldlcserv) - Unknown owner - C:\WINDOWS\System32\drivers\ldlcserv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Apps\Internet\AT&TNE~1\NetCfgSv.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad PM (TpChrSrv) - Unknown owner - C:\WINDOWS\System32\TpChrSrv.exe
O23 - Service: TrcBoot - Unknown owner - C:\WINDOWS\System32\drivers\trcboot.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11956 bytes

Shaba
2008-08-10, 20:50
That looks good :)

Still problems?

rgATL
2008-08-11, 01:30
Not sure (again, I've only been using it to execute your instructions). Should I play around with it? Shall I connect it to the internet?

We didn't need to use Combofix or something like that?

Thanks,
rg

Shaba
2008-08-11, 13:39
No, combofix wasn't needed.

Sure, connect it to internet and test a bit and report back :)

rgATL
2008-08-12, 16:53
Will do. I'll let you know.

Thanks,
rg.

rgATL
2008-08-12, 19:49
Hmm, when I tried to connect back to the internet using either wired or wireless connections, I get the error message "An operation was attempted on something that is not a socket" when trying to renew the IP address.

Were my Windows sockets registry subkeys corrupted somewhere in the infection/disinfection process? Should I reinstall TCP/IP per the following instructions, or is the problem much deeper than that?

http://support.microsoft.com/kb/817571

Thanks,
rg.

Shaba
2008-08-12, 19:51
Should not be unless malware has borked them.

Try to follow those instructions first, yes.
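
The 8/10 log above already shows the likely reason for the "not a socket" error: the O10 line reports a Winsock LSP whose DLL, c:\program files\webhancer\programs\webhdll.dll, is missing. A Layered Service Provider that is deleted without being unregistered leaves a broken provider chain, and every socket call on the machine then fails, DHCP renewal included. The script below is an added example, not from this thread or from Microsoft: it parses the output of netsh winsock show catalog and flags every catalog entry whose provider DLL no longer exists. It assumes an English-locale netsh (the field labels are matched as text) and, for bare file names, looks in System32 as a best effort.

```powershell
# Added example, not from the thread: list the Winsock catalog entries and flag
# any whose provider DLL no longer exists. A Layered Service Provider whose DLL
# was deleted without being unregistered breaks every socket call on the box,
# which is how "An operation was attempted on something that is not a socket"
# shows up during a DHCP renew. Run from an elevated prompt; English locale assumed.

function Get-WinsockProviders {
    # netsh prints one "Winsock Catalog Provider Entry" block per catalog item,
    # with lines such as "Provider Path:   %SystemRoot%\system32\mswsock.dll".
    $text = (netsh winsock show catalog) -join "`n"
    foreach ($block in ($text -split 'Winsock Catalog Provider Entry')) {
        if ($block -match 'Provider Path:\s*(?<path>\S.*)') {
            $path = [Environment]::ExpandEnvironmentVariables($matches['path'].Trim())
            # A bare file name is found through the loader search path; System32 is
            # where the legitimate providers live, so look there as a best effort.
            if (-not [IO.Path]::IsPathRooted($path)) {
                $path = Join-Path "$env:SystemRoot\System32" $path
            }
            $desc = if ($block -match 'Description:\s*(?<d>\S.*)') { $matches['d'].Trim() } else { '?' }
            [pscustomobject]@{
                Description = $desc
                Path        = $path
                Present     = Test-Path -LiteralPath $path
            }
        }
    }
}

$providers = @(Get-WinsockProviders)
$providers | Format-Table Description, Path, Present -AutoSize | Out-Host

$broken = @($providers | Where-Object { -not $_.Present })
if ($broken.Count -gt 0) {
    Write-Warning "$($broken.Count) catalog entries reference a missing DLL."
    Write-Warning 'Rebuild the catalog with: netsh winsock reset   (then reboot)'
} else {
    Write-Host 'Winsock catalog is consistent.'
}
```

netsh winsock reset rewrites the catalog to its clean default and needs a reboot; it exists on XP SP2 and later, so it is available on the SP2 install in the logs above but not on the SP1 install on the D drive, where the KB817571 route (reinstalling TCP/IP) or an LSP repair tool is what remains. Entries that are present but unfamiliar deserve a look too: a third-party LSP is an in-process hook on every socket the machine opens.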

rgATL
2008-08-15, 04:42
I followed those instructions, and now the wired and wireless internet connections work. I will "play around" with the web to see if anything acts funny.

I'm trying to install Spybot to scan the machine, and I get an error message during the installation process:
Error creating registry key:
HKEY_CLASSES_ROOT\.sbs

RegCreateKeyEx failed; code 5.
Access is denied.

Click Retry to try again, Ignore to proceed anyway, or Abort to cancel installation.

Clicking retry gives the same message.

Any idea what that is?

Thanks,
rg.

Shaba
2008-08-15, 08:57
Are you installing Spybot from account with admin rights?

rgATL
2008-08-15, 16:29
Yes, my regular login, which has admin rights.

rg.

Shaba
2008-08-15, 17:58
Then I suggest that you post about it here (http://forums.spybot.info/forumdisplay.php?f=4) as it seems to be spybot specific issue.

Any malware issues left?
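
Whatever the cause turns out to be, the first thing to check when an administrator gets "Access is denied" from RegCreateKeyEx is the ACL on the key and on its parent, since creating a key that does not exist needs Create Subkey on the parent. The script below is an added example, not from this thread or from Spybot; it reports owner, inheritance and any Deny ACEs for a key and its parent. It assumes a per-machine Spybot install, so HKCR\.sbs is addressed as HKLM\SOFTWARE\Classes\.sbs (a per-user install would map to HKCU\Software\Classes\.sbs instead).

```powershell
# Added example, not from the thread: show who owns a registry key and which
# ACEs deny access when an administrator gets "Access is denied" creating it.
# RegCreateKeyEx on a key that does not exist needs Create Subkey on the parent,
# so the parent is reported as well. HKCR\.sbs for a per-machine install is
# HKLM\SOFTWARE\Classes\.sbs (assumption). Run from an elevated prompt.

function Get-RegistryAclReport {
    param([string]$Path)
    $targets = @()
    if (Test-Path -LiteralPath $Path) { $targets += $Path }
    $targets += Split-Path -Path $Path -Parent
    foreach ($t in $targets) {
        $acl = Get-Acl -Path $t
        $rules = @($acl.Access)
        [pscustomobject]@{
            Key        = $t
            Owner      = $acl.Owner
            Inherits   = -not $acl.AreAccessRulesProtected
            DenyAces   = @($rules | Where-Object { $_.AccessControlType -eq 'Deny' } |
                          ForEach-Object { "$($_.IdentityReference): $($_.RegistryRights)" })
            AdminsFull = [bool]($rules | Where-Object {
                             $_.IdentityReference -like '*\Administrators' -and
                             $_.AccessControlType -eq 'Allow' -and
                             $_.RegistryRights -eq 'FullControl' })
        }
    }
}

Get-RegistryAclReport 'HKLM:\SOFTWARE\Classes\.sbs' | Format-List
```

A Deny ACE, a foreign owner, or AdminsFull = False on either key explains the installer error; a clean report points back at the installer itself, which is the Spybot-specific route suggested above. Setting restrictive ACLs on keys it wants to keep is a known anti-removal trick, so this is worth running on any key a cleanup tool cannot write.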

rgATL
2008-08-15, 21:54
This computer has a D drive that also has WinXP installed. I rarely boot from the D drive, but I'm concerned that something may have been "cross infected." When booting from the D drive, things seem ok, but the Symantec Antivirus AutoProtect won't stay enabled. When I click enable, it disables again a second later. Would you be willing to look at the HJT log from a D drive boot:

----Start D-drive HJT Log----
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:28:38 PM, on 8/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Ad Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\trcboot.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Apps\Internet\Personal Communications\PCS_AGNT.EXE
C:\Apps\Internet\AT&TNE~1\NetCfgSv.EXE
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\TpChrSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\System32\IMWEBSTA.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spybot Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.sbank.uk.ibm.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;localhost;9.*;<local>
N3 - Netscape 7: user_pref("browser.startup.homepage", "about:blank"); (C:\Documents and Settings\"username"\Application Data\Mozilla\Profiles\default\yrmv02l7.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CApps%5CInternet%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\"username"\Application Data\Mozilla\Profiles\default\yrmv02l7.slt\prefs.js)
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Apps\Internet\DAP\DAPBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\apps\adobe\acrobat 5.1\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Apps\Internet\DAP\DAPIEBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [IMWEBSTA.EXE] IMWEBSTA.EXE START
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Apps\MultiMedia\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [hpppta] C:\apps\multimedia\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot Search & Destroy\TeaTimer.exe
O4 - Startup: Mouse.lnk = C:\WINDOWS\System32\main.cpl
O8 - Extra context menu item: &Download with &DAP - C:\Apps\Internet\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Apps\Internet\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Apps\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XMLSPY2004\spy.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\Apps\Internet\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSPY2004\spy.htm (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSPY2004\spy.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ConferenceRoom Java Client - http://pix.sexyads.net:8080/java/cr.cab
O16 - DPF: IBM EA2000 - https://w3-1.ibm.com/tools/us/expenses/EA2000.cab
O16 - DPF: Sametime Meeting Room Client ST20 - https://d02db540.southbury.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: Sametime Meeting Room Client ST20H3 - http://www-125.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: Sametime Meeting Room Client ST31 - https://www-1.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: ST MRC ST31IF1 PMR-90722999000 - https://www-1.ibm.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: {01118A01-3E00-11D2-8470-0060089874ED} (SupportSoft Script Runner Class) - http://autosupport.intuit.com/sdccommon/download/tgctlsr.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://extranet.lotus.com/qp2.cab
O16 - DPF: {0B9C9C7D-ED81-4594-AFCB-FC5588125382} (JNILoader Control) - https://d02db540.southbury.ibm.com/sametime/stmeetingroomclient/STJNILoader.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab28177.cab
O16 - DPF: {2B9D3FB5-44D9-4063-A0E4-AF3F3CB15555} (JNILoader Control) - https://d02db541.southbury.ibm.com/sametime/stmeetingroomclient/STJNILoader.cab
O16 - DPF: {4E7D53BD-B8CF-426E-9D84-7A931C9CFC11} (ibmgpws.plugin) - http://w3-3.ibm.com/tools/print/plugin/ibmgpws.CAB
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - https://www-1.ibm.com/sametime/stmeetingroomclient/STJNILoader.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-306.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instantservice.com/jars/customerxsigned33.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9519B2A2-6592-4E41-8290-D0298459270C} (LNWebAssist Class) - http://w3.ibm.com/bluepages/scripts/lnwebassist.cab
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab28177.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://www.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-3.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4300B272-3776-48D3-9A33-D4019924AB9E}: Domain = itso.ral.ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6ED1B95-34FC-407F-9B85-07FD942A7C54}: Domain = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFF7018B-9207-4862-A8F7-64F15EBE2F48}: Domain = ibm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ibm.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Ad Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: ISAM SMT Service (ISAMsmt) - IBM Global Services - C:\Program Files\C4ebreg\isamsmt.exe
O23 - Service: LocalSystem (ldlcserv) - Unknown owner - C:\WINDOWS\System32\drivers\ldlcserv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Apps\Internet\AT&TNE~1\NetCfgSv.EXE
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad PM (TpChrSrv) - Unknown owner - C:\WINDOWS\System32\TpChrSrv.exe
O23 - Service: TrcBoot - Unknown owner - C:\WINDOWS\System32\drivers\trcboot.exe

--
End of file - 12452 bytes
----End D-drive HJT Log----
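The log above is the kind of thing a helper reads by eye: which O4 Run values point at a bare filename, which O16 DPF (ActiveX download) entries come from hosts nobody recognises or over plain http, and which O23 services have no recognised publisher. As an added example that is not part of this thread and not code from HijackThis or Spybot, the script below parses those three line types and applies exactly those mechanical checks. The `Finding` class, the `triage` function and the default allow-list of trusted host suffixes are this example's own assumptions (the allow-list would be tuned per environment); the sample lines are copied from the log posted above. A hit is a prompt to look, not a verdict.

```python
"""Triage helper for HijackThis (HJT 2.0.x) log lines.

Added example for this thread; not part of HijackThis or Spybot.
Parses O4 (Run keys), O16 (DPF ActiveX downloads) and O23 (services)
lines and flags the items a reviewer would check first.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlparse

# Regexes are this example's reading of the line formats in the log above,
# not an official grammar published by the HijackThis authors.
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O16_RE = re.compile(r'^O16 - DPF: (?P<desc>.*?) - (?P<url>\S+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$')

# Assumed allow-list for this example; the real list depends on the site.
DEFAULT_TRUSTED: Tuple[str, ...] = ('ibm.com', 'microsoft.com', 'msn.com')


@dataclass
class Finding:
    kind: str     # 'bare-run' | 'dpf-http' | 'dpf-host' | 'unknown-owner'
    line: str     # the original log line
    detail: str   # short human-readable reason


def first_token(cmd: str) -> str:
    """Return the executable part of a Run value (quoted path or first word)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def check_o4(m: 're.Match') -> Optional[Finding]:
    exe = first_token(m['cmd'])
    # No drive letter and no directory: Windows resolves the name through its
    # search order, so the file that actually runs must be located by hand.
    if '\\' not in exe and ':' not in exe:
        return Finding('bare-run', m.string, f"[{m['name']}] resolves {exe!r} via search path")
    return None


def check_o16(m: 're.Match', trusted: Iterable[str]) -> List[Finding]:
    out: List[Finding] = []
    u = urlparse(m['url'])
    host = (u.hostname or '').lower()
    if u.scheme != 'https':
        out.append(Finding('dpf-http', m.string, f"{host} fetched over {u.scheme}"))
    if not any(host == s or host.endswith('.' + s) for s in trusted):
        out.append(Finding('dpf-host', m.string, f"{host} not in allow-list"))
    return out


def check_o23(m: 're.Match') -> Optional[Finding]:
    # HJT prints "Unknown owner" when the binary carries no company name.
    if m['owner'].strip().lower() == 'unknown owner':
        return Finding('unknown-owner', m.string, f"{m['name']} -> {m['path']}")
    return None


def triage(lines: Iterable[str], trusted: Iterable[str] = DEFAULT_TRUSTED) -> List[Finding]:
    """Run the checks over raw log lines; unrecognised lines are ignored."""
    trusted = tuple(s.lower() for s in trusted)
    findings: List[Finding] = []
    for raw in lines:
        line = raw.rstrip('\r\n')
        m = O4_RE.match(line)
        if m:
            f = check_o4(m)
            if f:
                findings.append(f)
            continue
        m = O16_RE.match(line)
        if m:
            findings.extend(check_o16(m, trusted))
            continue
        m = O23_RE.match(line)
        if m:
            f = check_o23(m)
            if f:
                findings.append(f)
    return findings


# Sample lines copied from the HJT log posted in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: ConferenceRoom Java Client - http://pix.sexyads.net:8080/java/cr.cab
O16 - DPF: IBM EA2000 - https://w3-1.ibm.com/tools/us/expenses/EA2000.cab
O23 - Service: LocalSystem (ldlcserv) - Unknown owner - C:\WINDOWS\System32\drivers\ldlcserv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
'''.strip().splitlines()

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:14} {f.detail}")
```

Run against the sample, the script reports the bare `Ati2mdxx.exe` Run value, the `pix.sexyads.net` DPF entry twice (plain http and off the allow-list) and the `ldlcserv` service with no publisher; everything else is silent. That matches what the helper would look at first, and nothing here says any of those items is malicious.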

Shaba
2008-08-16, 10:32
Log looks fine :)

rgATL
2008-08-16, 21:03
Any thoughts on why Symantec AntiVirus Auto-Protect gets disabled every time I try to enable it?

Thanks,
rg

Shaba
2008-08-16, 21:07
It could be a malware issue, or you may just need to re-install it.

To rule out the first possibility:

* Download GMER from here (http://www.gmer.net/gmer.zip).
* Unzip it and start GMER.exe.
* Click the Rootkit tab and click Scan.
* Once done, click the Copy button. This will copy the results to the clipboard.
* Paste the results in your next reply.

rgATL
2008-08-16, 22:22
I'm sorry; do I download GMER on the infected (C) drive or the D drive?

Thanks,
rg.

Shaba
2008-08-17, 10:38
Both should be ok :)

rgATL
2008-08-21, 06:10
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-21 00:03:53
Windows 5.1.2600 Service Pack 1


---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbhub \Device\000000c8 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\000000c9 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-2 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\000000ca hcmon.sys (VMware USB monitor/VMware, Inc.)

---- Threads - GMER 1.0.14 ----

Thread 4:680 F1297C44

---- EOF - GMER 1.0.14 ----

Shaba
2008-08-21, 07:47
Yes, that is clean.

I recommend that you uninstall and re-install Symantec and let me know if that helped.

Shaba
2008-08-26, 10:30
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.