Please help unknown virus



sjn163
2008-08-23, 09:54
I have recently been infected. Problems with Google redirecting, the computer shutting down, and it is also very slow. I have installed and run HijackThis. See log below. Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:43:05 AM, on 8/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\TEMP\BK2622.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\Iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,
O1 - Hosts: 169.254.114.228 HP000D9D1E59D3
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O15 - Trusted Zone: http://*.crm
O15 - Trusted Zone: http://crm.emergenow.com
O15 - Trusted Zone: http://esportal.emergenow.com
O15 - Trusted Zone: http://medinah.emergenow.com
O15 - Trusted Zone: http://portal.emergenow.com
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&6&04.00.09.13&unknown&unknown&http://www.toyota.com/fjcruiser/features.html
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - https://medinah.emergenow.com/tenterprise/download/ScriptX.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3E059DAB-6894-435C-B758-2977F014D734} (TClientProc.ClientSettings) - https://medinah.emergenow.com/tenterprise/download/TClientProc.CAB
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://itproject.navistar.com/projectserver/objects/pjclient.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - http://ridpath8532.viewnetcam.com:50000/bl_camera.cab
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://itproject.navistar.com/projectserver/objects/1033/pjcintl.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://my.nav-international.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emergenow.com
O17 - HKLM\Software\..\Telephony: DomainName = emergenow.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{43AB03B3-5649-4AD6-8B04-B69AD8996717}: NameServer = 10.2.1.32,10.2.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emergenow.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = erp.local,rrea.infi,river-rock-casino.com,emergenow.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = emergenow.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = erp.local,rrea.infi,river-rock-casino.com,emergenow.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = erp.local,rrea.infi,river-rock-casino.com,emergenow.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe

--
End of file - 15551 bytes
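The log above is the technical content of this post. As an added example that is not part of the original post or of HijackThis itself, the Python script below applies, to a few lines copied from that log, the checks a malware-removal helper makes by eye: an extra executable appended to the Winlogon UserInit value on the F2 line (Windows XP ships only userinit.exe there; oembios.exe is the program the poster later reports starting at boot), a process running from C:\WINDOWS\TEMP, O4 Run entries with no full path, and O23 services whose file is missing. The sample lines are constructed from the log above, and the heuristics and "high"/"info" labels are the example's own assumptions, not HijackThis output.

```python
"""Triage a HijackThis 2.0.2 log for the persistence patterns a helper looks for.

Added example for this thread; not part of HijackThis or of the original post.
The heuristics and severity labels are this script's own assumptions.
"""
import re
from typing import List, NamedTuple

# Constructed sample: a few lines copied from the log posted above plus clean
# control lines (csrss.exe, iTunesHelper). Not the full log.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\TEMP\BK2622.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
"""

# Windows XP ships exactly one Userinit entry; anything appended also runs at logon.
EXPECTED_USERINIT = "c:\\windows\\system32\\userinit.exe"
# Matches a "\temp\" or "\tmp\" path component, case-insensitively.
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


class Finding(NamedTuple):
    severity: str   # "high" or "info" (assumed labels)
    reason: str
    detail: str


def parse_userinit(f2_line: str) -> List[str]:
    """Return the comma-separated executables in an F2 UserInit line."""
    _, _, value = f2_line.partition("UserInit=")
    return [p.strip() for p in value.split(",") if p.strip()]


def run_target(o4_line: str) -> str:
    """Return the command after the [Name] label of an O4 Run entry ('' if none)."""
    m = re.search(r"\]\s*(.*)$", o4_line)
    return m.group(1).strip() if m else ""


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and collect findings for the process list and HJT tags."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes:
            if TEMP_DIR_RE.search(line):
                findings.append(Finding("high", "process running from a temp directory", line))
            continue
        tag = line.split(" - ", 1)[0]
        if tag == "F2" and "UserInit=" in line:
            for entry in parse_userinit(line):
                if entry.lower() != EXPECTED_USERINIT:
                    findings.append(Finding("high", "extra executable in Winlogon UserInit", entry))
        elif tag == "O4":
            # A bare file name is resolved via the search path; worth a manual look.
            first = run_target(line).strip('"').split(" ", 1)[0]
            if first and "\\" not in first:
                findings.append(Finding("info", "Run entry without a full path (resolved via search path)", line))
        elif tag == "O23" and line.endswith("(file missing)"):
            findings.append(Finding("info", "service points at a missing file", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}: {f.detail}")
```

Run against the sample it reports two high findings (the TEMP process and the second UserInit entry) and two informational ones; the ProxyOverride line for 127.0.0.1 is deliberately not flagged, since that is the default local-bypass setting.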

Blade81
2008-08-29, 11:04
Hi

Is that your personal pc or some system at work?

sjn163
2008-08-29, 17:21
I work at home and use the computer for business and personal. Please help, this seems to be getting worse.

Blade81
2008-08-29, 18:01
Hi


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

sjn163
2008-08-30, 18:27
Thank you so much for helping me here. I really appreciate what you are doing.

I started to follow the ComboFix and Recovery Console instructions. I got to the part where I drag the Recovery Console file onto the ComboFix icon. I can see that ComboFix starts running, but then an error message pops up. The message says: Rootkit !! Combofix has detected presence of rootkit activity and needs to reboot this machine.

The machine restarts but does not install the recovery console or start the scan process.

Blade81
2008-08-30, 18:54
Hi

Could you check whether a c:\ComboFix.txt file was generated? If there is one, please post its contents.

sjn163
2008-08-30, 20:25
I could not find the file c:\ComboFix.txt

Blade81
2008-08-30, 22:05
Hi

In that case run ComboFix again.

sjn163
2008-08-30, 23:15
Hi, I got the same rootkit message and it rebooted the machine.

sjn163
2008-08-30, 23:30
I noticed that when the computer started again a window popped up and a program was running: oembios.exe. Then there was an error message: Windows cannot find C:\windows\system32\CF6795.exe.

Thanks again.

Blade81
2008-08-30, 23:58
Hi

Please run ComboFix in safe mode (http://www.computerhope.com/issues/chsafe.htm#02).

sjn163
2008-09-01, 01:24
Hi, I tried to run ComboFix in safe mode. I got the same error about rootkit activity and the machine rebooted. I looked for the ComboFix log file but did not find one again.

Thank you for your assistance and patience. What can we do now?

Blade81
2008-09-01, 06:38
Hi


Download OTViewIt (http://oldtimer.geekstogo.com/OTViewIt.exe) to the Desktop.

* Close all windows and double click on OTViewIt.exe
* Place a tick in the Scan all Users box
* In the File Age drop box, select 90 days
* Click Run Scan and let the program run uninterrupted
* Upon completion it produces two logs on the Desktop: OTViewIt.txt and Extras.txt. Post contents of both of these.


Download GMER (http://www.gmer.net/gmer.zip) and save it to your desktop:

* Extract it to your desktop and double-click GMER.exe
* Click the Rootkit tab and then Scan.
* Don't check the Show All box while the scan is in progress!
* When the scan is finished, click Copy. This copies the log to the clipboard.
* Post the log in your reply.

sjn163
2008-09-01, 20:01
Hi, here are the logs from OTViewIt.

But I had trouble with the GMER program. It gave me the error message: Warning!!! Loaded GMER's driver version is incompatible with the currently running GMER application. You need to stop the driver with the command "net stop gmer" or restart your computer.

I tried the command but it said "the requested pause or stop is not valid for this service"

It did not work after the reboot either.

GMER did start but another message said "C:\WINDOWS\system32\config\system: The process cannot access the file because it is being used by another process"

I ran the scan anyway, but there were no results.

OTViewIT.txt

OTViewIt logfile created on: 9/1/2008 12:30:32 PM - Run 1
OTViewIt by OldTimer - Version 1.0.1.7 Folder = C:\Documents and Settings\snovosel\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.42 Mb Total Physical Memory | 503.80 Mb Available Physical Memory | 49.28% Memory free
2.40 Gb Paging File | 1.96 Gb Available in Paging File | 81.56% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 51.95 Gb Total Space | 9.11 Gb Free Space | 17.55% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SNOVOSEL
Current User Name: snovosel
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On

===== Processes - Non-Microsoft Only =====

[11/04/2004 11:47 AM | 00,040,547 | ---- | M] (UPEK Inc.) - C:\Program Files\Common Files\Virtual Token\vtserver.exe
[11/05/2004 03:30 AM | 00,057,344 | ---- | M] () - C:\WINDOWS\system32\ibmpmsvc.exe
[02/18/2005 09:03 AM | 00,086,016 | ---- | M] (Intel Corporation) - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
[02/18/2005 09:05 AM | 00,360,521 | ---- | M] (Intel Corporation ) - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
[04/09/2006 09:23 PM | 00,110,691 | ---- | M] (Check Point Software Technologies) - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
[04/09/2006 09:23 PM | 00,036,964 | ---- | M] (Check Point Software Technologies) - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
[09/06/2007 01:28 PM | 00,110,592 | ---- | M] (Apple, Inc.) - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
[04/07/2005 05:26 PM | 01,421,336 | ---- | M] (Cisco Systems, Inc.) - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
[04/10/2007 09:17 PM | 00,407,136 | ---- | M] (Juniper Networks) - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
[12/16/2004 06:49 AM | 00,385,024 | ---- | M] () - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
[03/18/2005 05:07 AM | 00,077,824 | ---- | M] (IBM Corp.) - C:\WINDOWS\system32\QCONSVC.EXE
[02/18/2005 09:02 AM | 00,139,264 | ---- | M] (Intel Corporation) - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
[09/25/2007 11:33 AM | 00,867,328 | ---- | M] (TiVo Inc.) - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
[05/24/2004 12:25 PM | 00,077,824 | ---- | M] (IBM Corporation) - C:\WINDOWS\system32\TPHDEXLG.exe
[07/11/2003 08:19 PM | 00,032,768 | ---- | M] () - C:\WINDOWS\system32\TpKmpSvc.exe
[04/09/2006 09:24 PM | 02,695,263 | ---- | M] (Check Point Software Technologies) - C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
[11/08/2004 01:17 PM | 00,110,592 | ---- | M] (Synaptics, Inc.) - C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
[11/08/2004 01:17 PM | 00,512,000 | ---- | M] (Synaptics, Inc.) - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[10/27/2004 05:58 PM | 00,106,496 | ---- | M] (IBM Corp.) - C:\WINDOWS\system32\TpShocks.exe
[03/03/2005 07:10 PM | 00,094,208 | ---- | M] () - C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
[12/16/2004 05:41 AM | 00,090,112 | ---- | M] (IBM Corp.) - C:\IBMTOOLS\utils\ibmprc.exe
[09/06/2004 06:03 PM | 00,077,824 | ---- | M] () - C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
[03/18/2005 05:07 AM | 00,086,016 | ---- | M] (IBM Corp.) - C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
[01/10/2002 05:01 PM | 00,065,536 | ---- | M] (IBM Corporation) - C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
[08/06/2004 04:10 AM | 00,442,368 | ---- | M] (IBM) - C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
[04/02/2008 09:50 AM | 09,442,584 | ---- | M] (Uniblue Software) - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe

===== Win32 Services - Non-Microsoft Only =====

(Apple Mobile Device) Apple Mobile Device [Auto | Running]
[09/06/2007 01:28 PM | 00,110,592 | ---- | M] (Apple, Inc.) - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

(CVPND) Cisco Systems, Inc. VPN Service [Auto | Running]
[04/07/2005 05:26 PM | 01,421,336 | ---- | M] (Cisco Systems, Inc.) - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

(dsNcService) Juniper Network Connect Service [Auto | Running]
[04/10/2007 09:17 PM | 00,407,136 | ---- | M] (Juniper Networks) - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

(EvtEng) EvtEng [Auto | Running]
[02/18/2005 09:03 AM | 00,086,016 | ---- | M] (Intel Corporation) - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

(IBM Rapid Restore Ultra Service) IBM Rapid Restore Ultra Service [Auto | Running]
[12/16/2004 06:49 AM | 00,385,024 | ---- | M] () - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe

(IBMPMSVC) IBM PM Service [Auto | Running]
[11/05/2004 03:30 AM | 00,057,344 | ---- | M] () - C:\WINDOWS\system32\ibmpmsvc.exe

(PsaSrv) IBM PSA Access Driver Control [On_Demand | Stopped]
File not found - C:\WINDOWS\system32\PsaSrv.exe

(QCONSVC) QCONSVC [Auto | Running]
[03/18/2005 05:07 AM | 00,077,824 | ---- | M] (IBM Corp.) - C:\WINDOWS\system32\QCONSVC.EXE

(RegSrvc) RegSrvc [Auto | Running]
[02/18/2005 09:02 AM | 00,139,264 | ---- | M] (Intel Corporation) - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

(S24EventMonitor) Spectrum24 Event Monitor [Auto | Running]
[02/18/2005 09:05 AM | 00,360,521 | ---- | M] (Intel Corporation ) - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

(SR_Service) Check Point VPN-1 Securemote service [Auto | Running]
[04/09/2006 09:23 PM | 00,110,691 | ---- | M] (Check Point Software Technologies) - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe

(SR_Watchdog) Check Point VPN-1 Securemote watchdog [Auto | Running]
[04/09/2006 09:23 PM | 00,036,964 | ---- | M] (Check Point Software Technologies) - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe

(TivoBeacon2) TiVo Beacon [Auto | Running]
[09/25/2007 11:33 AM | 00,867,328 | ---- | M] (TiVo Inc.) - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

(TPHDEXLGSVC) IBM HDD APS Logging Service [Auto | Running]
[05/24/2004 12:25 PM | 00,077,824 | ---- | M] (IBM Corporation) - C:\WINDOWS\system32\TPHDEXLG.exe

(TpKmpSVC) IBM KCU Service [Auto | Running]
[07/11/2003 08:19 PM | 00,032,768 | ---- | M] () - C:\WINDOWS\system32\TpKmpSvc.exe

(vtserver) Protector Suite Virtual Token [Auto | Running]
[11/04/2004 11:47 AM | 00,040,547 | ---- | M] (UPEK Inc.) - C:\Program Files\Common Files\Virtual Token\vtserver.exe

===== Driver Services - Non-Microsoft Only =====

(ac97intc) Intel(r) 82801 Audio Driver Install Service (WDM) [On_Demand | Stopped]
[08/17/2001 02:20 PM | 00,096,256 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\drivers\ac97intc.sys

(ANC) ANC [System | Running]
[03/18/2005 05:07 AM | 00,011,520 | ---- | M] (IBM Corp.) - C:\WINDOWS\system32\drivers\ANC.sys

(catchme) catchme [On_Demand | Stopped]
File not found - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys

(CP_OMDRV) Check Point Office Mode Module [Auto | Running]
[04/09/2006 09:24 PM | 00,036,400 | ---- | M] (Check Point Software Technologies) - C:\WINDOWS\system32\drivers\omdrv.sys

(CVirtA) Cisco Systems VPN Adapter [On_Demand | Stopped]
[02/08/2005 10:27 AM | 00,005,185 | ---- | M] (Cisco Systems, Inc.) - C:\WINDOWS\system32\drivers\CVirtA.sys

(CVPNDRVA) Cisco Systems Inc. IPSec Driver [On_Demand | Running]
[04/07/2005 04:23 PM | 00,299,083 | ---- | M] (Cisco Systems, Inc.) - C:\WINDOWS\system32\drivers\CVPNDRVA.sys

(DNE) Deterministic Network Enhancer Miniport [On_Demand | Running]
[11/03/2004 12:07 PM | 00,146,888 | ---- | M] (Deterministic Networks, Inc.) - C:\WINDOWS\system32\drivers\dne2000.sys

(dsNcAdpt) Juniper Network Connect Adapter [On_Demand | Running]
[04/10/2007 06:05 PM | 00,023,552 | ---- | M] (Juniper Networks) - C:\WINDOWS\system32\drivers\dsNcAdpt.sys

(E100B) Intel(R) PRO Adapter Driver [On_Demand | Stopped]
[08/17/2001 02:12 PM | 00,117,760 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\drivers\e100b325.sys

(EGATHDRV) IBM Access Support [Auto | Running]
[12/16/2004 05:04 AM | 00,005,427 | ---- | M] (IBM Corporation) - C:\WINDOWS\system32\egathdrv.sys

(FW1) SecuRemote Miniport [On_Demand | Running]
[04/09/2006 09:24 PM | 02,234,320 | ---- | M] (Check Point Software Technologies) - C:\WINDOWS\system32\drivers\fw.sys

(ibmfilter) ibmfilter [Auto | Running]
[12/16/2004 06:12 AM | 00,063,616 | ---- | M] (IBM) - C:\WINDOWS\system32\drivers\ibmfilter.sys

(IBMPMDRV) IBMPMDRV [On_Demand | Running]
[11/05/2004 03:30 AM | 00,012,944 | ---- | M] (IBM Corp.) - C:\WINDOWS\system32\drivers\ibmpmdrv.sys

(IBMTPCHK) IBMTPCHK [System | Running]
[03/18/2005 05:07 AM | 00,002,432 | ---- | M] () - C:\WINDOWS\system32\drivers\IBMBLDID.SYS

(mraid35x) mraid35x [Disabled | Stopped]
[08/17/2001 03:52 PM | 00,017,280 | ---- | M] (American Megatrends Inc.) - C:\WINDOWS\system32\drivers\mraid35x.sys

(NSCIRDA) NSC Infrared Device Driver [On_Demand | Running]
[08/04/2004 01:00 AM | 00,028,672 | ---- | M] (National Semiconductor Corporation) - C:\WINDOWS\system32\drivers\nscirda.sys

(portio) TPM Service [On_Demand | Running]
[05/19/2004 03:41 PM | 00,013,757 | ---- | M] (National Semiconductor Corp.) - C:\WINDOWS\system32\drivers\NscTpmDD.sys

(psadd) IBM PSA Access Driver [On_Demand | Stopped]
[06/09/2005 02:22 AM | 00,013,184 | ---- | M] (IBM Corporation) - C:\WINDOWS\system32\drivers\psadd.sys

(PTDCBus) PANTECH PC Card Composite Device Driver (UDP) [On_Demand | Stopped]
[04/01/2007 05:45 AM | 00,027,520 | ---- | M] (DEVGURU Co,LTD.) - C:\WINDOWS\system32\drivers\PTDCBus.sys

(PTDCMdm) PANTECH PC Card Drivers (UDP) [On_Demand | Stopped]
[04/01/2007 05:45 AM | 00,041,728 | ---- | M] (DEVGURU Co,LTD.) - C:\WINDOWS\system32\drivers\PTDCMdm.sys

(PTDCVsp) PANTECH PC Card Diagnostic Serial Port (UDP) [On_Demand | Stopped]
[04/01/2007 05:45 AM | 00,039,808 | ---- | M] (DEVGURU Co,LTD.) - C:\WINDOWS\system32\drivers\PTDCVsp.sys

(PTDCWWAN) PANTECH PC Card WWAN Controller device driver [On_Demand | Stopped]
[04/30/2007 07:30 PM | 00,058,240 | ---- | M] (DEVGURU Co,LTD.) - C:\WINDOWS\system32\drivers\PTDCWWAN.sys

(QCNDISIF) QCNDISIF [On_Demand | Stopped]
[03/18/2005 05:07 AM | 00,012,288 | ---- | M] (IBM Corporation.) - C:\WINDOWS\system32\drivers\qcndisif.sys

(s24trans) WLAN Transport [Auto | Running]
[10/15/2004 12:20 PM | 00,011,354 | ---- | M] (Intel Corporation) - C:\WINDOWS\system32\drivers\s24trans.sys

(SbcpHid) SbcpHid [System | Running]
[08/23/2001 02:00 PM | 00,022,400 | ---- | M] () - C:\WINDOWS\system32\drivers\SbcpHid.sys

(ShockMgr) ShockMgr [System | Running]
[05/14/2004 02:59 PM | 00,004,608 | ---- | M] (IBM Corporation) - C:\WINDOWS\System32\drivers\ShockMgr.sys

(Shockprf) Shockprf [Boot | Running]
[05/14/2004 04:08 PM | 00,059,776 | ---- | M] (IBM Corporation) - C:\WINDOWS\System32\drivers\shockprf.sys

(Sparrow) Sparrow [Disabled | Stopped]
[08/17/2001 04:07 PM | 00,019,072 | ---- | M] (Adaptec, Inc.) - C:\WINDOWS\system32\drivers\sparrow.sys

(SynTP) Synaptics TouchPad Driver [On_Demand | Running]
[11/08/2004 01:12 PM | 00,177,504 | ---- | M] (Synaptics, Inc.) - C:\WINDOWS\system32\drivers\SynTP.sys

(TcUsb) TC USB Kernel Driver [On_Demand | Running]
[11/04/2004 11:52 AM | 00,024,832 | ---- | M] (UPEK Inc.) - C:\WINDOWS\system32\drivers\tcusb.sys

(TDSMAPI) TDSMAPI [System | Running]
[12/21/2004 03:40 AM | 00,009,340 | ---- | M] () - C:\WINDOWS\system32\drivers\TDSMAPI.SYS

(tmtdi) Trend Micro TDI Driver [System | Running]
[01/22/2008 06:45 PM | 00,085,392 | ---- | M] (Trend Micro Incorporated.) - C:\WINDOWS\system32\drivers\tmtdi.sys

(TPDiskPM) TPDiskPM [Boot | Running]
[12/02/2004 06:14 PM | 00,014,208 | ---- | M] (IBM Corporation) - C:\WINDOWS\System32\drivers\TPDiskPM.sys

(TPHKDRV) TPHKDRV [System | Running]
[09/06/2004 06:03 PM | 00,016,370 | ---- | M] (IBM Corporation) - C:\WINDOWS\System32\drivers\TPHKDRV.sys

(TPInput) TPInput [On_Demand | Running]
[12/02/2004 05:54 PM | 00,006,016 | ---- | M] (IBM Corporation) - C:\WINDOWS\system32\drivers\TPInput.sys

(TPPWRIF) TPPWRIF [System | Running]
[12/21/2004 03:00 AM | 00,004,442 | ---- | M] () - C:\WINDOWS\system32\drivers\TPPWRIF.SYS

(TSMAPIP) TSMAPIP [System | Running]
[12/01/2004 04:33 AM | 00,007,168 | ---- | M] () - C:\WINDOWS\system32\drivers\TSMAPIP.SYS

(VNASC) Check Point Virtual Network Adapter - SecureClient [Auto | Running]
[04/09/2006 09:24 PM | 00,109,072 | ---- | M] (Check Point Software Technologies) - C:\WINDOWS\system32\drivers\vnasc.sys

(VPN-1) VPN-1 Module [Auto | Running]
[04/09/2006 09:24 PM | 00,671,472 | ---- | M] (Check Point Software Technologies) - C:\WINDOWS\system32\drivers\vpn.sys

========== Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"" = File not found
"Adobe Reader Speed Launcher" = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM | 00,039,792 | ---- | M] (Adobe Systems Incorporated)
"combofix" = "C:\WINDOWS\system32\CF6795.exe" /c "C:\327882R2FWJFW\C.bat" File not found
"ControlCenter" = "C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup [11/04/2004 11:46 AM | 00,284,766 | ---- | M] (UPEK Inc.)
"dla" = C:\WINDOWS\system32\dla\tfswctrl.exe [09/02/2004 03:05 AM | 00,127,035 | ---- | M] (Sonic Solutions)
"IBMPRC" = C:\IBMTOOLS\UTILS\ibmprc.exe [12/16/2004 05:41 AM | 00,090,112 | ---- | M] (IBM Corp.)
"OfficeScanNT Monitor" = "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow [04/09/2008 08:38 PM | 00,710,000 | ---- | M] (Trend Micro Inc.)
"PWRMGRTR" = rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor [12/21/2004 03:00 AM | 00,135,168 | ---- | M] (IBM Corp.)
"QCWLICON" = C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE [03/18/2005 05:07 AM | 00,086,016 | ---- | M] (IBM Corp.)
"SynTPEnh" = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [11/08/2004 01:17 PM | 00,512,000 | ---- | M] (Synaptics, Inc.)
"SynTPLpr" = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [11/08/2004 01:17 PM | 00,110,592 | ---- | M] (Synaptics, Inc.)
"TP4EX" = tp4ex.exe [11/12/2004 03:07 AM | 00,040,960 | ---- | M] (IBM Corporation)
"TPHOTKEY" = C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe [03/03/2005 07:10 PM | 00,094,208 | ---- | M] ()
"TPKMAPHELPER" = C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper [02/04/2004 08:39 PM | 00,897,024 | ---- | M] (IBM Corp.)
"TpShocks" = TpShocks.exe [10/27/2004 05:58 PM | 00,106,496 | ---- | M] (IBM Corp.)
"UC_SMB" = File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = Reg Error: Key does not exist or could not be opened.
"run" = Reg Error: Key does not exist or could not be opened.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages" = C:\Program Files\IBM\Messages By IBM\ibmmessages.exe [08/06/2004 04:10 AM | 00,442,368 | ---- | M] (IBM)
"Uniblue SpeedUpMyPC" = C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s [04/02/2008 09:50 AM | 09,442,584 | ---- | M] (Uniblue Software)
"YSearchProtection" = C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [06/08/2007 09:59 AM | 00,224,248 | ---- | M] (Yahoo! Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

[HKEY_USERS\S-1-5-21-606747145-448539723-1417001333-1700\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ibmmessages" = C:\Program Files\IBM\Messages By IBM\ibmmessages.exe [08/06/2004 04:10 AM | 00,442,368 | ---- | M] (IBM)
"Uniblue SpeedUpMyPC" = C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s [04/02/2008 09:50 AM | 09,442,584 | ---- | M] (Uniblue Software)
"YSearchProtection" = C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe [06/08/2007 09:59 AM | 00,224,248 | ---- | M] (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-606747145-448539723-1417001333-1700\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" =
"run" = Reg Error: Value run does not exist or could not be read.

========== Startup Folders ==========

[Administrator Startup Folder - C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]

[All Users Startup Folder - C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
[10/29/2003 05:06 AM | 00,024,576 | ---- | M] (BVRP Software) - C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe

[Default User Startup Folder - C:\Documents and Settings\Default User\Start Menu\Programs\Startup]

[jcurran Startup Folder - C:\Documents and Settings\jcurran\Start Menu\Programs\Startup]

[snovosel Startup Folder - C:\Documents and Settings\snovosel\Start Menu\Programs\Startup]

[WksAdmin Startup Folder - C:\Documents and Settings\WksAdmin\Start Menu\Programs\Startup]

========== BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00C6482D-C502-44C8-8409-FCE54AD9C208}]
HKLM CLSID: (HelperObject Class) - [06/20/2006 08:10 AM | 00,061,440 | ---- | M] (TechSmith Corporation) C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
HKLM CLSID: (&Yahoo! Toolbar Helper) - [10/19/2007 04:56 PM | 00,817,936 | ---- | M] (Yahoo! Inc.) C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
HKLM CLSID: (Adobe PDF Reader Link Helper) - [10/22/2006 11:08 PM | 00,062,080 | ---- | M] (Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
HKLM CLSID: (Skype add-on (mastermind)) - [05/28/2007 02:52 PM | 00,722,472 | ---- | M] (Skype Technologies S.A.) C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
HKLM CLSID: (DriveLetterAccess) - [09/02/2004 03:05 AM | 00,118,842 | ---- | M] (Sonic Solutions) C:\WINDOWS\system32\dla\tfswshx.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
HKLM CLSID: (SSVHelper Class) - [02/22/2008 04:25 AM | 00,509,328 | ---- | M] (Sun Microsystems, Inc.) C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
HKLM CLSID: (Google Toolbar Notifier BHO) - [07/08/2008 02:33 PM | 00,654,320 | ---- | M] (Google Inc.) C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll

========== Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}"
HKLM CLSID: (SnagIt) - [06/20/2006 08:10 AM | 00,151,552 | ---- | M] (TechSmith Corporation) C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
HKLM CLSID: (Yahoo! Toolbar) - [10/19/2007 04:56 PM | 00,817,936 | ---- | M] (Yahoo! Inc.) C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3}"
HKLM CLSID: (Reg Error: Key does not exist or could not be opened.) - File not found Reg Error: Key does not exist or could not be opened.

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
HKLM CLSID: (Yahoo! Toolbar) - [10/19/2007 04:56 PM | 00,817,936 | ---- | M] (Yahoo! Inc.) C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll

[HKEY_USERS\S-1-5-21-606747145-448539723-1417001333-1700\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]

"{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3}"
HKLM CLSID: (Reg Error: Key does not exist or could not be opened.) - File not found Reg Error: Key does not exist or could not be opened.

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
HKLM CLSID: (Yahoo! Toolbar) - [10/19/2007 04:56 PM | 00,817,936 | ---- | M] (Yahoo! Inc.) C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll

========== AppInit_Dlls ==========

========== HKLM Security Providers ==========

========== HKLM Winlogon Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell]
"Explorer.exe" - [06/13/2007 05:23 AM | 01,033,216 | ---- | M] (Microsoft Corporation) C:\WINDOWS\explorer.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit]
"C:\WINDOWS\system32\userinit.exe" - [08/04/2004 07:00 AM | 00,024,576 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\userinit.exe
"C:\WINDOWS\system32\oembios.exe" - [08/04/2004 07:00 AM | 00,538,112 | R--- | M] () C:\WINDOWS\system32\oembios.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\GinaDLL]
"vrlogon.dll" - [11/04/2004 11:50 AM | 00,149,600 | ---- | M] (UPEK Inc.) C:\WINDOWS\system32\vrlogon.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost]
"logonui.exe" - [08/04/2004 07:00 AM | 00,514,560 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\logonui.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet]
"rundll32 shell32" - [10/25/2007 10:34 PM | 08,460,288 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
"Control_RunDLL "sysdm.cpl"" - [08/04/2004 07:00 AM | 00,298,496 | ---- | M] (Microsoft Corporation) C:\WINDOWS\system32\sysdm.cpl

========== User's Winlogon Settings ==========

========== Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DllName" = C:\WINDOWS\system32\ati2evxx.dll [01/19/2005 09:21 PM | 00,061,440 | ---- | M] (ATI Technologies Inc.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ckpNotify]
"DllName" = C:\WINDOWS\system32\ckpNotify.dll [04/09/2006 09:24 PM | 00,024,674 | ---- | M] (Check Point Software Technologies)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\psfus]
"DllName" = C:\Program Files\IBM fingerprint software\psfus.dll [11/04/2004 11:51 AM | 00,108,636 | ---- | M] (UPEK Inc.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\QConGina]
"DllName" = C:\WINDOWS\system32\QConGina.dll [03/18/2005 05:07 AM | 00,262,144 | ---- | M] (IBM Corp.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tphotkey]
"DllName" = C:\WINDOWS\system32\tphklock.dll [08/12/2004 10:11 PM | 00,024,576 | ---- | M] ()

========== Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoRemoteRecursiveEvents" = 1
"NoCDBurning" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername" = 1
"legalnoticecaption" = Warning
"legalnoticetext" =
"shutdownwithoutlogon" = 1
"undockwithoutlogon" = 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145
"NoSaveSettings" = 0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
Unable to open key or key not present!


[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
Unable to open key or key not present!


[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
Unable to open key or key not present!


[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
Unable to open key or key not present!


[HKEY_USERS\S-1-5-21-606747145-448539723-1417001333-1700\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun" = 145
"NoSaveSettings" = 0

[HKEY_USERS\S-1-5-21-606747145-448539723-1417001333-1700\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"DisableRegistryTools" = 0

========== Lsa Authentication Packages ==========

========== Lsa Security Packages ==========

========== Desktop Components ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"FriendlyName" = "My Current Home Page"
"Source" = "About:Home"
"SubscribedURL" = "About:Home"

========== Safeboot Options ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell" = cmd.exe

========== Disabled MsConfig Items ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[06/28/2005 01:02 AM | 00,000,000 | -H-- | M] () C:\AUTOEXEC.BAT [ NTFS ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0753ec43-4790-11dd-8f1c-00016ccb842d}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0753ec44-4790-11dd-8f1c-00016ccb842d}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2772fd24-2b6f-11da-ac52-545543445209}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5bfa5ae6-cd8b-11db-8e44-806d6172696f}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cf428dfe-efdd-11d9-ac3e-545543445209}\Shell]
"" = None

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e9b7e1aa-4d79-11da-ac5b-545543445209}\Shell]
"" = None

========== DNS Name Servers ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{43AB03B3-5649-4AD6-8B04-B69AD8996717}]
Servers: 10.2.1.32,10.2.1.5 | Description: Broadcom NetXtreme Gigabit Ethernet

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{52164E79-1F1A-4FBA-B61E-61B791FEC1A3}]
Servers: | Description:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{82B18938-BB1A-484D-9A8E-EFD2ED71EAEF}]
Servers: | Description:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{A98DAE7E-0229-4DC9-B4F1-EEE6F038E490}]
Servers: | Description:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{AC1C9247-9852-4D05-81FC-EF3EF2EFCE3C}]
Servers: | Description:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{E22B45FB-03CB-4D74-9C7C-9CD639F36FE5}]
Servers: | Description:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{F03C2B2B-70F7-45E6-A803-B2542DA60386}]
Servers: | Description: Intel(R) PRO/Wireless 2200BG Network Connection

========== Hosts File ==========

HOSTS File = (794 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

169.254.114.228 HP000D9D1E59D3
========== Files/Folders - Created Within 90 days ==========

[08/31/2008 05:26 PM | 10,721,56672 | -HS- | C] () - C:\hiberfil.sys
[08/29/2008 12:56 PM | 00,060,416 | ---- | C] () - C:\WINDOWS\System32\drivers\Combo-Fix.sys
[08/31/2008 04:28 PM | 00,060,416 | ---- | C] () - C:\WINDOWS\System32\drivers\Combo-Fix(2).sys
[1 C:\WINDOWS\System32\*.tmp files]
[08/19/2008 03:21 AM | ---D | C] - C:\WINDOWS\System32\CatRoot_bak
[08/22/2008 01:38 AM | -HSD | C] - C:\WINDOWS\System32\sysproc64
[06/17/2008 05:10 PM | 00,000,417 | ---- | C] () - C:\Documents and Settings\snovosel\My Documents\GIFT ACCT.CSV
[06/17/2008 05:13 PM | 00,013,824 | ---- | C] () - C:\Documents and Settings\snovosel\My Documents\GIFT ACCT.xls
[06/19/2008 05:37 PM | 00,056,320 | ---- | C] () - C:\Documents and Settings\snovosel\My Documents\reorder points.xls
[06/19/2008 06:59 PM | 00,040,960 | ---- | C] () - C:\Documents and Settings\snovosel\My Documents\INV Transaction accounts.xls
[06/27/2008 04:06 PM | 00,000,162 | -H-- | C] () - C:\Documents and Settings\snovosel\My Documents\~$y - Casino Industry.doc
[06/27/2008 04:06 PM | 00,024,576 | ---- | C] () - C:\Documents and Settings\snovosel\My Documents\Ray - Casino Industry.doc
[06/28/2008 03:09 PM | ---D | C] - C:\Documents and Settings\snovosel\My Documents\Fios
[07/01/2008 06:31 PM | 00,017,408 | ---- | C] () - C:\Documents and Settings\snovosel\My Documents\ITEM CATEGORIES.xls
[07/01/2008 07:02 PM | 00,094,720 | ---- | C] () - C:\Documents and Settings\snovosel\My Documents\updated quantities.xls
[07/01/2008 11:14 PM | 00,158,720 | ---- | C] () - C:\Documents and Settings\snovosel\My Documents\Transaction accounts from PRD.xls
[07/02/2008 04:38 PM | 00,158,720 | ---- | C] () - C:\Documents and Settings\snovosel\My Documents\Transaction accounts from PRD - update.xls
[08/22/2008 05:34 PM | 00,193,706 | ---- | C] () - C:\Documents and Settings\snovosel\My Documents\STOPzilla_Setup.exe
[08/23/2008 12:44 AM | 00,152,400 | ---- | C] () - C:\Documents and Settings\snovosel\My Documents\HJTInstall.exe
[08/25/2008 03:25 PM | 34,774,865 | ---- | C] () - C:\Documents and Settings\snovosel\My Documents\imtPlayback681207410206afternoon.exe
[06/18/2008 05:14 PM | 00,000,566 | ---- | C] () - C:\Documents and Settings\snovosel\Desktop\River Rock.lnk
[06/23/2008 12:00 PM | 00,000,162 | -H-- | C] () - C:\Documents and Settings\snovosel\Desktop\~$ott_Novosel_Resume 20080623.doc
[06/23/2008 12:00 PM | 00,069,632 | ---- | C] () - C:\Documents and Settings\snovosel\Desktop\Scott_Novosel_Resume 20080623.doc
[08/23/2008 01:14 AM | 00,001,745 | ---- | C] () - C:\Documents and Settings\snovosel\Desktop\HijackThis.lnk
[08/29/2008 12:27 PM | 02,840,086 | R--- | C] () - C:\Documents and Settings\snovosel\Desktop\ComboFix.exe
[09/01/2008 12:29 PM | 00,811,008 | ---- | C] () - C:\Documents and Settings\snovosel\Desktop\gmer.exe
[06/04/2008 05:14 PM | ---D | C] - C:\Program Files\MSECache

========== Files - Modified Within 90 days ==========

[254 C:\*.tmp files]
[06/19/2008 02:07 AM | 00,000,021 | ---- | M] () - C:\tmuninst.ini
[09/01/2008 12:24 PM | 10,721,56672 | -HS- | M] () - C:\hiberfil.sys
[08/31/2008 06:04 PM | 00,000,794 | ---- | M] () - C:\WINDOWS\System32\drivers\etc\hosts
[08/29/2008 12:56 PM | 00,060,416 | ---- | M] () - C:\WINDOWS\System32\drivers\Combo-Fix.sys
[08/31/2008 04:28 PM | 00,060,416 | ---- | M] () - C:\WINDOWS\System32\drivers\Combo-Fix(2).sys
[1 C:\WINDOWS\System32\*.tmp files]
[06/05/2008 08:28 AM | 00,140,440 | ---- | M] () - C:\WINDOWS\System32\FNTCACHE.DAT
[09/01/2008 12:27 PM | 00,002,278 | ---- | M] () - C:\WINDOWS\System32\wpa.dbl
[06/30/2008 06:28 PM | 00,000,156 | ---- | M] () - C:\WINDOWS\hpbafd.ini
[08/29/2008 11:00 AM | 00,001,809 | ---- | M] () - C:\WINDOWS\imsins.BAK
[09/01/2008 12:24 PM | 00,002,048 | --S- | M] () - C:\WINDOWS\bootstat.dat
[09/01/2008 12:30 PM | 00,013,755 | ---- | M] () - C:\WINDOWS\cfgall.ini
[08/27/2008 01:50 PM | 00,000,284 | ---- | M] () - C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[09/01/2008 12:24 PM | 00,000,006 | -H-- | M] () - C:\WINDOWS\tasks\SA.DAT
[09/01/2008 12:26 PM | 00,000,316 | ---- | M] () - C:\WINDOWS\tasks\PMTask.job
[09/01/2008 12:28 PM | 00,000,276 | ---- | M] () - C:\WINDOWS\tasks\Uniblue SpeedUpMyPC Nag.job
[06/06/2008 06:52 PM | 00,026,096 | ---- | M] () - C:\Documents and Settings\snovosel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[08/22/2008 01:47 AM | 00,082,944 | ---- | M] () - C:\Documents and Settings\snovosel\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[08/31/2008 05:52 PM | 03,148,928 | -H-- | M] () - C:\Documents and Settings\snovosel\Local Settings\Application Data\IconCache.db
[06/17/2008 05:13 PM | 00,000,417 | ---- | M] () - C:\Documents and Settings\snovosel\My Documents\GIFT ACCT.CSV
[06/17/2008 05:13 PM | 00,013,824 | ---- | M] () - C:\Documents and Settings\snovosel\My Documents\GIFT ACCT.xls
[06/19/2008 05:37 PM | 00,056,320 | ---- | M] () - C:\Documents and Settings\snovosel\My Documents\reorder points.xls
[06/19/2008 07:23 PM | 00,040,960 | ---- | M] () - C:\Documents and Settings\snovosel\My Documents\INV Transaction accounts.xls
[06/27/2008 04:06 PM | 00,000,162 | -H-- | M] () - C:\Documents and Settings\snovosel\My Documents\~$y - Casino Industry.doc
[06/27/2008 04:06 PM | 00,024,576 | ---- | M] () - C:\Documents and Settings\snovosel\My Documents\Ray - Casino Industry.doc
[07/01/2008 06:31 PM | 00,017,408 | ---- | M] () - C:\Documents and Settings\snovosel\My Documents\ITEM CATEGORIES.xls
[07/01/2008 10:52 PM | 00,094,720 | ---- | M] () - C:\Documents and Settings\snovosel\My Documents\updated quantities.xls
[07/02/2008 04:42 PM | 00,158,720 | ---- | M] () - C:\Documents and Settings\snovosel\My Documents\Transaction accounts from PRD - update.xls
[07/02/2008 11:45 AM | 00,158,720 | ---- | M] () - C:\Documents and Settings\snovosel\My Documents\Transaction accounts from PRD.xls
[08/05/2008 03:06 PM | 00,001,160 | -H-- | M] () - C:\Documents and Settings\snovosel\My Documents\Default.rdp
[08/22/2008 05:34 PM | 00,193,706 | ---- | M] () - C:\Documents and Settings\snovosel\My Documents\STOPzilla_Setup.exe
[08/23/2008 12:44 AM | 00,152,400 | ---- | M] () - C:\Documents and Settings\snovosel\My Documents\HJTInstall.exe
[08/25/2008 09:22 PM | 34,774,865 | ---- | M] () - C:\Documents and Settings\snovosel\My Documents\imtPlayback681207410206afternoon.exe
[08/27/2008 05:54 PM | 00,002,257 | ---- | M] () - C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2 C:\Documents and Settings\snovosel\Desktop\*.tmp files]
[06/18/2008 05:14 PM | 00,000,566 | ---- | M] () - C:\Documents and Settings\snovosel\Desktop\River Rock.lnk
[06/23/2008 12:00 PM | 00,000,162 | -H-- | M] () - C:\Documents and Settings\snovosel\Desktop\~$ott_Novosel_Resume 20080623.doc
[06/23/2008 12:09 PM | 00,069,632 | ---- | M] () - C:\Documents and Settings\snovosel\Desktop\Scott_Novosel_Resume 20080623.doc
[08/23/2008 01:14 AM | 00,001,745 | ---- | M] () - C:\Documents and Settings\snovosel\Desktop\HijackThis.lnk
[08/29/2008 12:11 AM | 02,840,086 | R--- | M] () - C:\Documents and Settings\snovosel\Desktop\ComboFix.exe

< End of report >

sjn163
2008-09-01, 20:02
Here is the extras.txt file
Extras.txt

OTViewIt Extras logfile created on: 9/1/2008 12:31:36 PM - Run 1
OTViewIt by OldTimer - Version 1.0.1.7 Folder = C:\Documents and Settings\snovosel\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.42 Mb Total Physical Memory | 503.80 Mb Available Physical Memory | 49.28% Memory free
2.40 Gb Paging File | 1.96 Gb Available in Paging File | 81.56% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 51.95 Gb Total Space | 9.11 Gb Free Space | 17.55% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[08/04/2004 07:00 AM | 00,140,800 | ---- | M] (Microsoft Corporation)

"C:\Program Files\IBM\Updater\jre\bin\java.exe" = C:\Program Files\IBM\Updater\jre\bin\java.exe:*:Enabled:IBM Update Connector
[05/22/2003 08:06 AM | 00,042,072 | ---- | M] (IBM)

"C:\Program Files\IBM\Updater\jre\bin\javaw.exe" = C:\Program Files\IBM\Updater\jre\bin\javaw.exe:*:Enabled:IBM Update Connector
[05/22/2003 08:06 AM | 00,042,072 | ---- | M] (IBM)

"C:\Program Files\IBM\Updater\ucsmb.exe" = C:\Program Files\IBM\Updater\ucsmb.exe:*:Enabled:IBM Update Connector
[07/14/2004 06:34 PM | 00,356,352 | ---- | M] (IBM Corporation, Inc.)

"C:\Program Files\Yahoo!\Messenger\YPager.exe" = C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger
File not found

"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server
[08/30/2007 06:43 PM | 00,091,376 | ---- | M] (Yahoo! Inc.)

"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
File not found

"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
[09/26/2007 02:41 PM | 15,997,240 | ---- | M] (Apple Inc.)

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[10/10/2006 07:44 AM | 00,557,568 | ---- | M] (Microsoft Corporation)

"C:\Program Files\CheckPoint\SecuRemote\bin\SR_SERVICE.EXE" = C:\Program Files\CheckPoint\SecuRemote\bin\SR_SERVICE.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient service
[04/09/2006 09:23 PM | 00,110,691 | ---- | M] (Check Point Software Technologies)

"C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.EXE" = C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient application
[04/09/2006 09:24 PM | 02,695,263 | ---- | M] (Check Point Software Technologies)

"C:\Program Files\CheckPoint\SecuRemote\bin\SCC.EXE" = C:\Program Files\CheckPoint\SecuRemote\bin\SCC.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient command line
[04/09/2006 09:24 PM | 00,045,148 | ---- | M] (Check Point Software Technologies)

"C:\Program Files\CheckPoint\SecuRemote\bin\SR_SDS.EXE" = C:\Program Files\CheckPoint\SecuRemote\bin\SR_SDS.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient SDS agent
[04/09/2006 09:24 PM | 00,147,551 | ---- | M] (Check Point Software Technologies)

"C:\Program Files\CheckPoint\SecuRemote\bin\SR_DIAGNOSTICS.EXE" = C:\Program Files\CheckPoint\SecuRemote\bin\SR_DIAGNOSTICS.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient diagnostics
[04/09/2006 09:24 PM | 01,134,695 | ---- | M] ()
"\\LINCOLN\ESASSET\ClientCon.exe" = \\LINCOLN\ESASSET\ClientCon.exe:*:Enabled:Asset Tracker for Networks Agent

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[08/04/2004 07:00 AM | 00,140,800 | ---- | M] (Microsoft Corporation)

"C:\Program Files\IBM\Updater\jre\bin\java.exe" = C:\Program Files\IBM\Updater\jre\bin\java.exe:*:Enabled:IBM Update Connector
[05/22/2003 08:06 AM | 00,042,072 | ---- | M] (IBM)

"C:\Program Files\IBM\Updater\jre\bin\javaw.exe" = C:\Program Files\IBM\Updater\jre\bin\javaw.exe:*:Enabled:IBM Update Connector
[05/22/2003 08:06 AM | 00,042,072 | ---- | M] (IBM)

"C:\Program Files\IBM\Updater\ucsmb.exe" = C:\Program Files\IBM\Updater\ucsmb.exe:*:Enabled:IBM Update Connector
[07/14/2004 06:34 PM | 00,356,352 | ---- | M] (IBM Corporation, Inc.)

"D:\Setup\HPZnet01.exe" = D:\Setup\HPZnet01.exe:*:Enabled:ICE Network Plug in
File not found

"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:HP Digital Imaging Monitor (CUE)
[05/28/2004 10:31 PM | 00,241,664 | ---- | M] (Hewlett-Packard Co.)

"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:HP AiO Fax Manager
[06/21/2004 11:04 PM | 00,225,280 | ---- | M] (Hewlett-Packard Co.)

"C:\Program Files\Yahoo!\Messenger\YPager.exe" = C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger
File not found

"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
[06/26/2006 08:11 PM | 00,043,008 | ---- | M] ()

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[10/10/2006 07:44 AM | 00,557,568 | ---- | M] (Microsoft Corporation)

"C:\Program Files\HP\Digital Imaging\bin\hpqcopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqcopy.exe:*:Disabled:
[05/28/2004 11:06 PM | 00,512,000 | ---- | M] (Hewlett-Packard Co.)

"C:\Program Files\CheckPoint\SecuRemote\bin\SR_SERVICE.EXE" = C:\Program Files\CheckPoint\SecuRemote\bin\SR_SERVICE.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient service
[04/09/2006 09:23 PM | 00,110,691 | ---- | M] (Check Point Software Technologies)

"C:\Program Files\CheckPoint\SecuRemote\bin\SCC.EXE" = C:\Program Files\CheckPoint\SecuRemote\bin\SCC.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient command line
[04/09/2006 09:24 PM | 00,045,148 | ---- | M] (Check Point Software Technologies)

"C:\Program Files\CheckPoint\SecuRemote\bin\SR_SDS.EXE" = C:\Program Files\CheckPoint\SecuRemote\bin\SR_SDS.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient SDS agent
[04/09/2006 09:24 PM | 00,147,551 | ---- | M] (Check Point Software Technologies)

"C:\Program Files\CheckPoint\SecuRemote\bin\SR_DIAGNOSTICS.EXE" = C:\Program Files\CheckPoint\SecuRemote\bin\SR_DIAGNOSTICS.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient diagnostics
[04/09/2006 09:24 PM | 01,134,695 | ---- | M] ()

"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
[09/26/2007 02:41 PM | 15,997,240 | ---- | M] (Apple Inc.)

"C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" = C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe:LocalSubNet:Enabled:TiVo Beacon Service
[09/25/2007 11:33 AM | 00,867,328 | ---- | M] (TiVo Inc.)

"C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" = C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe:LocalSubNet:Enabled:TiVo Transfer Service
[09/25/2007 11:33 AM | 01,195,008 | ---- | M] (TiVo Inc.)

"C:\Program Files\TiVo\Desktop\TiVoServer.exe" = C:\Program Files\TiVo\Desktop\TiVoServer.exe:LocalSubNet:Enabled:TiVo Server Service
[09/25/2007 11:35 AM | 01,495,040 | ---- | M] (TiVo Inc.)

"C:\Program Files\TiVo\Desktop\TiVoDesktop.exe" = C:\Program Files\TiVo\Desktop\TiVoDesktop.exe:LocalSubNet:Enabled:TiVo Desktop User Interface
[09/25/2007 11:37 AM | 02,114,048 | ---- | M] (TiVo Inc.)

"C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.EXE" = C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient application
[04/09/2006 09:24 PM | 02,695,263 | ---- | M] (Check Point Software Technologies)

"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype
[05/28/2007 02:52 PM | 23,458,344 | R--- | M] (Skype Technologies S.A.)

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] - "%1" %*
.cmd [@ = cmdfile] - "%1" %*
.com [@ = comfile] - "%1" %*
.exe [@ = exefile] - "%1" %*
.pif [@ = piffile] - "%1" %*
.scr [@ = scrfile] - "%1" /S

========== Winsock2 Catalogs ==========

========== HKEY_LOCAL_MACHINE Protocol Defaults ==========


========== HKEY_CURRENT_USER Protocol Defaults ==========


========== HKEY_USERS Protocol Defaults ==========


========== HKEY_USERS Protocol Defaults ==========


========== HKEY_USERS Protocol Defaults ==========


========== HKEY_USERS Protocol Defaults ==========


========== HKEY_USERS Protocol Defaults ==========


========== Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]

cetihpz:{CF184AD3-CDCB-4168-A3F7-8E447D129300} [HKLM - CZipHandler Object]
[05/12/2004 03:18 PM | 00,081,920 | ---- | M] (Hewlett-Packard Company) C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
ipp: [HKLM - No CLSID value]
msdaipp: [HKLM - No CLSID value]

skype4com:{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} [HKLM - IEProtocolHandler Class]
[05/28/2007 02:52 PM | 01,828,440 | R--- | M] (Skype Technologies) C:\Program Files\Common Files\Skype\Skype4COM.dll

========== Protocol Filters ==========

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02839FB6-C6E1-4D5A-B163-93504E36A5AD}" = Inventory 8.4 to 8.8 Delta
"{03CDDD00-BD57-4326-9480-4C74449AF597}" = PhotoStitch
"{04214FC6-598A-4819-A1BC-7AC88242C437}" = eFax Messenger 4.0
"{0873B1A3-00A9-40D6-BACE-3DB4BC5DA840}" = IBM SATA Power Management Driver
"{093625E3-7B87-49D3-AA53-AD0FCFABAF49}" = Camera Window
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{0A2038E2-727E-4A3A-9749-0CDB077A09C1}" = APICS Illustrated Dictionary Version 11
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{1007F41F-7D69-468E-8017-3849A5A973C2}" = IBM ThinkVantage Technologies Welcome Message
"{11783F13-C3A9-44A8-929B-21A476F65272}" = IBM Rescue and Recovery with Rapid Restore
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = IBM DLA
"{121634B0-2F4A-11D3-ADA3-00C04F52DD53}" = Windows Installer Clean Up
"{1297C681-92D7-40EF-93BF-03F66EC5105C}" = IBM ThinkPad EasyEject Utility
"{15EE79F4-4ED1-4267-9B0F-351009325D7D}" = HP Software Update
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}" = Google Earth
"{1F63ED0B-EDD2-4037-B6AB-1358C624AF48}" = Scan
"{1F7CCFA3-D926-4882-B2A5-A0217ED25597}" = PC-Doctor for Windows
"{2111B23F-7FDA-4A41-8309-E5A1663CA296}" = IBM ThinkPad Keyboard Customizer Utility
"{21E75254-410E-49C4-8981-2E1A2A2221F2}" = HP Diagnostic Assistant
"{22B71A00-4DED-11D4-A5E5-0004AC564F43}" = IBM Access Connections
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{2405665A-16C9-4D3A-B70E-F006220E1472}" = Overland
"{2624B680-02BC-4CBC-839C-DA20DF6EF6EC}" = Citrix Presentation Server Client
"{267868CE-6DFF-40F7-9C58-C01119B7B117}" = Fax
"{28DA872A-0848-48CF-B749-19A198157A2A}" = mDriver
"{2BBC9458-07CA-4843-848B-5C8146E5EFA8}" = CreativeProjects
"{2D448D0B-20D5-4CD6-84F7-DB9868CB5F6C}" = Cisco Systems VPN Client 4.6.03.0021
"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine
"{3248F0A8-6813-11D6-A77B-00B0D0150010}" = J2SE Runtime Environment 5.0 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0150050}" = J2SE Runtime Environment 5.0 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java(TM) SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java(TM) 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
"{34A59AC3-6C5C-4A09-A7F5-369A37176C8A}" = AiOSoftware
"{34BFBF2A-06B9-4B5E-BB33-E78B67450ED7}" = IBM fingerprint software 4.5.3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{37477865-A3F1-4772-AD43-AAFC6BCFF99F}" = MSXML 4.0 SP2 (KB927978)
"{3AE681E0-4E8D-453F-950A-48534D3C0724}" = Copy
"{3CF78481-FB7B-4B51-99A2-D5E0CD0B3AAF}" = HPSystemDiagnostics
"{3D047C15-C859-45F7-81CE-F2681778069B}" = iPod for Windows 2006-01-10
"{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}" = ATI HYDRAVISION
"{3F05E128-CD09-4BC9-BC91-4861FA10882E}" = Payables 8.4 to 8.8 Delta
"{41254D7B-EADF-4078-AE4A-BD73B300EE86}" = Unload
"{4E839090-3B68-436A-B3CF-A2A08C38DD26}" = TiVo Desktop 2.5.1
"{524228C9-826F-4B58-9E47-4F2E5C7E9F45}" = SnagIt 8
"{597D73A8-5FDB-4bc1-9893-40B54459F1BC}" = ProductContext
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.2
"{6687607F-350F-43E2-8620-D8759E9F65E3}" = Instant Play Guitar Deluxe
"{6846389C-BAC0-4374-808E-B120F86AF5D7}" = Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
"{6AA003BF-73E5-4911-ADB7-71DD5674DDD4}" = Oracle Data Provider for .NET Help
"{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}" = Power Tab Editor 1.7
"{6CE96A14-61E2-48CC-837E-22710A953ADE}" = IBM Themes
"{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}" = mCore
"{7279647E-8661-48DF-998E-E7DCC3E6955D}" = Microsoft Office Live Meeting 2005
"{72806716-7088-41B2-8FA6-717A2A164DAB}" = IBM Active Protection System
"{73775049-6F7D-4D8C-8D17-D44718892295}" = PeopleSoft 1.0 Using eProcurement
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{7F22ADCE-3549-49C2-BC16-07B692F57EFF}" = 2600_Help
"{816DCC71-13D1-434B-874A-AA5546A6D7E6}" = Emerging Solutions Asset Discovery
"{82512BC9-BD5D-4C50-BE4D-B98E7DF78687}" = IBM ThinkPad UltraNav Wizard
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8D815BF3-2399-459C-B121-49373FEFB9E8}" = IBM Update Connector
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{903B0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Project Professional 2003
"{90510409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Professional 2003
"{90AF0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office PowerPoint Viewer 2003
"{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
"{91365923-A3E6-461A-9ADF-CC8B0EA645A3}" = Using PeopleSoft 8.4 Accounts Payable
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = IBM RecordNow!
"{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}" = QuickTime
"{981FB376-8418-4EA8-BBED-9DE5AA63E7D5}" = SkinsHP1
"{9CB2512B-3EC4-43DF-8002-46BDAB5EDD1B}" = QuickProjects
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{9EEBF8D5-8712-4D1D-88F4-4CDC2D270BC3}" = PrintScreen
"{9F15F5AD-AA10-46d9-B34D-AF2945DC65A6}" = 2600Trb
"{A0E64EBA-8BF0-49FB-90C0-BB3D781A2016}" = IBM ThinkPad Power Manager
"{A1062847-0846-427A-92A1-BB8251A91E91}" = HP PSC & OfficeJet 4.2
"{A1DCC235-DACC-4E1F-8D11-D630634B4AEF}" = PhotoGallery
"{A2500497-FD32-493e-B8E5-28D6728DBEF5}" = Readme
"{A4EA3AB4-E78C-4286-96DF-26035507CE55}" = AiO_Scan
"{A654A805-41D9-40C7-AA46-4AF04F044D61}" = Adobe® Photoshop® Album Starter Edition 3.2
"{AAE10BE5-F398-41C1-9AAF-A59EBF17DFDE}" = Norton Spyware Scan
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{AC76BA86-7AD7-1033-7B44-A81200000003}_Adobe Reader 8.1.2" = Adobe Reader 8.1.2 Security Update 1 (KB403742)
"{B045B608-4A47-4C77-9EAD-06C394503306}" = iTunes
"{B214C3C8-FC16-42EC-B7BB-703A1BB9C790}" = Lenovo Battery Program
"{B32C75F2-7495-4D01-9431-C11E97D66F8C}" = DocProc
"{B3D5D4E0-E965-41C4-ABFD-A7B1AD0663C2}" = Director
"{B45D9FEE-1AF4-46F3-9A83-2545F81547F5}" = CreativeProjectsTemplates
"{B510A987-487E-4C66-9F4F-D386AC275715}" = TextPad 4.7
"{B56D5B09-C4FB-4EA0-8EAD-7BC3E2715A2D}" = DocumentViewer
"{B5C209B1-8DDB-4642-A573-375B951514CB}" = Apple Mobile Device Support
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{BCC992E5-5C81-4066-9B55-03DC10B24D21}" = InstantShare
"{BD57EA4D-026E-4F08-9B93-080E282B81FE}" = iPod for Windows 2006-06-28
"{BEB03A1A-1EB6-48EB-9985-8B97315EE5C0}" = RemoteCapture 2.7.0
"{BF018D2F-C788-4AB1-AB95-1280EAB8F13E}" = TrayApp
"{C04E32E0-0416-434D-AFB9-6969D703A9EF}" = MSXML 4.0 SP2 (KB936181)
"{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}" = Canon Utilities ZoomBrowser EX
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D8D8B308-B172-43DB-96F1-6A3F84851D61}" = iTunes Art Importer
"{DB6F07FF-A436-453a-B685-F6C1F4F09D22}" = PANTECH PC Card Software
"{E922961C-6DB6-41DE-9FEA-426DF3E9F81C}" = IBM 32-bit Runtime Environment for Java 2, v1.4.2
"{EA664480-3844-11D5-8C25-444553540000}" = IBM TrackPoint Accessibility Features
"{EC6AF20D-4376-4070-BEE4-D3A0DFF7E140}" = Access IBM
"{EC8673DA-F96B-497E-B2DB-BC7B029FD680}" = BufferChm
"{ED27A117-1F11-48B9-8503-3707FFA3552B}" = PeopleSoft 8: Using PeopleSoft Payables
"{EF0DD8B7-471C-463B-A298-6066C2FABAF5}" = File Viewer Utility 1.2
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F1608947-B8A4-4D65-A7B8-8B1D669C0E2C}" = SnagIt 7
"{F25BDABF-5489-43fb-AF7A-F67F0566A51A}" = 2700
"{F386C340-DF4B-4BBA-9503-420FB7EDB395}" = Wallpapers
"{F413B3A4-EE5D-457C-BAE5-6E58D9589ED5}" = Access IBM Message Center
"{F4F47155-5B4D-42AA-97F8-490BC52EA7F3}" = Destinations
"{F65787F3-B356-45EC-8DD0-0E6758EDBCEE}" = WebReg
"{f8d8ec09-4100-4d3c-aed6-f1fb71dc0a4c}" = Check Point VPN-1 SecuRemote/SecureClient NGX R60 HFA1
"{FC081D4D-DF1B-4CF1-B530-027E4118D846}" = IBM ThinkPad Configuration
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"{FE7A3FE1-AF76-44FD-BC70-09868A51887A}" = iPod for Windows 2005-06-26
"{FF26F7EA-BCEE-478C-9A1B-6B4F88717D73}" = CueTour
"{FFAC45CF-AB52-49B4-9391-F338C591D13F}" = Music Coach Player
"Adobe Flash Player Plugin" = Adobe Flash Player Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"Adobe® Photoshop® Album Starter Edition 3.2" = Adobe® Photoshop® Album Starter Edition 3.2
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"BitTorrent" = BitTorrent 4.20.1
"CDCheck" = CDCheck
"CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_05591014" = IBM Integrated 56K Modem
"DraftDominator_is1" = DraftDominator Version 8.0n Full
"ESPN Java Check" = ESPN Java Check
"Four Winds" = Four Winds
"Google Desktop" = Google Desktop
"Google Updater" = Google Updater
"HijackThis" = HijackThis 2.0.2
"HP Photo & Imaging" = HP Image Zone 4.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{03CDDD00-BD57-4326-9480-4C74449AF597}" = Canon Utilities PhotoStitch 3.1
"InstallShield_{093625E3-7B87-49D3-AA53-AD0FCFABAF49}" = Canon Camera Window for ZoomBrowser EX
"InstallShield_{3D047C15-C859-45F7-81CE-F2681778069B}" = iPod for Windows 2006-01-10
"InstallShield_{BD57EA4D-026E-4F08-9B93-080E282B81FE}" = iPod for Windows 2006-06-28
"InstallShield_{BEB03A1A-1EB6-48EB-9985-8B97315EE5C0}" = Canon Utilities RemoteCapture 2.7
"InstallShield_{C21D5524-A970-42FA-AC8A-59B8C7CDCA31}" = QuickTime
"InstallShield_{E922961C-6DB6-41DE-9FEA-426DF3E9F81C}" = IBM 32-bit Runtime Environment for Java 2, v1.4.2
"InstallShield_{EF0DD8B7-471C-463B-A298-6066C2FABAF5}" = Canon Utilities File Viewer Utility 1.2
"InstallShield_{FE7A3FE1-AF76-44FD-BC70-09868A51887A}" = iPod for Windows 2005-06-26
"Interwise Participant" = Interwise Participant
"Juniper Network Connect 5.5.0" = Juniper Networks Network Connect 5.5.0
"KB834707" = Windows XP Hotfix - KB834707
"KB873333" = Windows XP Hotfix - KB873333
"KB873339" = Windows XP Hotfix - KB873339
"KB883517" = Windows XP Hotfix - KB883517
"KB883523" = Windows XP Hotfix - KB883523
"KB883939" = Security Update for Windows XP (KB883939)
"KB884020" = Windows XP Hotfix - KB884020
"KB884868" = Windows XP Hotfix - KB884868
"KB885250" = Windows XP Hotfix - KB885250
"KB885835" = Windows XP Hotfix - KB885835
"KB885836" = Windows XP Hotfix - KB885836
"KB885894" = Windows XP Hotfix - KB885894
"KB886185" = Windows XP Hotfix - KB886185
"KB887472" = Windows XP Hotfix - KB887472
"KB887742" = Windows XP Hotfix - KB887742
"KB887797" = Windows XP Hotfix - KB887797
"KB888113" = Windows XP Hotfix - KB888113
"KB888239" = Windows XP Hotfix - KB888239
"KB888302" = Windows XP Hotfix - KB888302
"KB889673" = Windows XP Hotfix - KB889673
"KB890046" = Security Update for Windows XP (KB890046)
"KB890175" = Windows XP Hotfix - KB890175
"KB890859" = Windows XP Hotfix - KB890859
"KB891781" = Windows XP Hotfix - KB891781
"KB893066" = Security Update for Windows XP (KB893066)
"KB893086" = Windows XP Hotfix - KB893086
"KB893756" = Security Update for Windows XP (KB893756)
"KB893803v2" = Windows Installer 3.1 (KB893803)
"KB894391" = Update for Windows XP (KB894391)
"KB896344" = Hotfix for Windows XP (KB896344)
"KB896358" = Security Update for Windows XP (KB896358)
"KB896422" = Security Update for Windows XP (KB896422)
"KB896423" = Security Update for Windows XP (KB896423)
"KB896424" = Security Update for Windows XP (KB896424)
"KB896428" = Security Update for Windows XP (KB896428)
"KB896688" = Security Update for Windows XP (KB896688)
"KB896727" = Update for Windows XP (KB896727)
"KB898458" = Security Update for Step By Step Interactive Training (KB898458)
"KB898461" = Update for Windows XP (KB898461)
"KB899587" = Security Update for Windows XP (KB899587)
"KB899588" = Security Update for Windows XP (KB899588)
"KB899589" = Security Update for Windows XP (KB899589)
"KB899591" = Security Update for Windows XP (KB899591)
"KB900485" = Update for Windows XP (KB900485)
"KB900725" = Security Update for Windows XP (KB900725)
"KB901017" = Security Update for Windows XP (KB901017)
"KB901214" = Security Update for Windows XP (KB901214)
"KB902400" = Security Update for Windows XP (KB902400)
"KB903235" = Security Update for Windows XP (KB903235)
"KB904706" = Security Update for Windows XP (KB904706)
"KB904942" = Update for Windows XP (KB904942)
"KB905414" = Security Update for Windows XP (KB905414)
"KB905749" = Security Update for Windows XP (KB905749)
"KB905915" = Security Update for Windows XP (KB905915)
"KB908519" = Security Update for Windows XP (KB908519)
"KB908531" = Security Update for Windows XP (KB908531)
"KB910437" = Update for Windows XP (KB910437)
"KB911280" = Security Update for Windows XP (KB911280)
"KB911562" = Security Update for Windows XP (KB911562)
"KB911564" = Security Update for Windows Media Player (KB911564)
"KB911565" = Security Update for Windows Media Player 10 (KB911565)
"KB911567" = Security Update for Windows XP (KB911567)
"KB911927" = Security Update for Windows XP (KB911927)
"KB912812" = Security Update for Windows XP (KB912812)
"KB912919" = Security Update for Windows XP (KB912919)
"KB913446" = Security Update for Windows XP (KB913446)
"KB913580" = Security Update for Windows XP (KB913580)
"KB914388" = Security Update for Windows XP (KB914388)
"KB914389" = Security Update for Windows XP (KB914389)
"KB914440" = Hotfix for Windows XP (KB914440)
"KB915865" = Hotfix for Windows XP (KB915865)
"KB916281" = Security Update for Windows XP (KB916281)
"KB916595" = Update for Windows XP (KB916595)
"KB917159" = Security Update for Windows XP (KB917159)
"KB917344" = Security Update for Windows XP (KB917344)
"KB917422" = Security Update for Windows XP (KB917422)
"KB917734_WMP10" = Security Update for Windows Media Player 10 (KB917734)
"KB917953" = Security Update for Windows XP (KB917953)
"KB918118" = Security Update for Windows XP (KB918118)
"KB918439" = Security Update for Windows XP (KB918439)
"KB918899" = Security Update for Windows XP (KB918899)
"KB919007" = Security Update for Windows XP (KB919007)
"KB920213" = Security Update for Windows XP (KB920213)
"KB920214" = Security Update for Windows XP (KB920214)
"KB920670" = Security Update for Windows XP (KB920670)
"KB920683" = Security Update for Windows XP (KB920683)
"KB920685" = Security Update for Windows XP (KB920685)
"KB920872" = Update for Windows XP (KB920872)
"KB921398" = Security Update for Windows XP (KB921398)
"KB921503" = Security Update for Windows XP (KB921503)
"KB921883" = Security Update for Windows XP (KB921883)
"KB922582" = Update for Windows XP (KB922582)
"KB922616" = Security Update for Windows XP (KB922616)
"KB922760" = Security Update for Windows XP (KB922760)
"KB922819" = Security Update for Windows XP (KB922819)
"KB923191" = Security Update for Windows XP (KB923191)
"KB923414" = Security Update for Windows XP (KB923414)
"KB923689" = Security Update for Windows XP (KB923689)
"KB923694" = Security Update for Windows XP (KB923694)
"KB923723" = Security Update for Step By Step Interactive Training (KB923723)
"KB923980" = Security Update for Windows XP (KB923980)
"KB924191" = Security Update for Windows XP (KB924191)
"KB924270" = Security Update for Windows XP (KB924270)
"KB924496" = Security Update for Windows XP (KB924496)
"KB924667" = Security Update for Windows XP (KB924667)
"KB925398_WMP64" = Security Update for Windows Media Player 6.4 (KB925398)
"KB925454" = Security Update for Windows XP (KB925454)
"KB925486" = Security Update for Windows XP (KB925486)
"KB925902" = Security Update for Windows XP (KB925902)
"KB926239" = Hotfix for Windows XP (KB926239)
"KB926255" = Security Update for Windows XP (KB926255)
"KB926436" = Security Update for Windows XP (KB926436)
"KB927779" = Security Update for Windows XP (KB927779)
"KB927802" = Security Update for Windows XP (KB927802)
"KB927891" = Update for Windows XP (KB927891)
"KB928090" = Security Update for Windows XP (KB928090)
"KB928090-IE7" = Security Update for Windows Internet Explorer 7 (KB928090)
"KB928255" = Security Update for Windows XP (KB928255)
"KB928843" = Security Update for Windows XP (KB928843)
"KB929123" = Security Update for Windows XP (KB929123)
"KB929338" = Update for Windows XP (KB929338)
"KB929399" = Hotfix for Windows Media Format 11 SDK (KB929399)
"KB929969" = Security Update for Windows Internet Explorer 7 (KB929969)
"KB930178" = Security Update for Windows XP (KB930178)
"KB930916" = Update for Windows XP (KB930916)
"KB931261" = Security Update for Windows XP (KB931261)
"KB931768-IE7" = Security Update for Windows Internet Explorer 7 (KB931768)
"KB931784" = Security Update for Windows XP (KB931784)
"KB931836" = Update for Windows XP (KB931836)
"KB932168" = Security Update for Windows XP (KB932168)
"KB932823-v3" = Update for Windows XP (KB932823-v3)
"KB933360" = Update for Windows XP (KB933360)
"KB933566-IE7" = Security Update for Windows Internet Explorer 7 (KB933566)
"KB933729" = Security Update for Windows XP (KB933729)
"KB935839" = Security Update for Windows XP (KB935839)
"KB935840" = Security Update for Windows XP (KB935840)
"KB936021" = Security Update for Windows XP (KB936021)
"KB936357" = Update for Windows XP (KB936357)
"KB936782_WMP10" = Security Update for Windows Media Player 10 (KB936782)
"KB936782_WMP11" = Security Update for Windows Media Player 11 (KB936782)
"KB937143-IE7" = Security Update for Windows Internet Explorer 7 (KB937143)
"KB937894" = Security Update for Windows XP (KB937894)
"KB938127-IE7" = Security Update for Windows Internet Explorer 7 (KB938127)
"KB938828" = Update for Windows XP (KB938828)
"KB938829" = Security Update for Windows XP (KB938829)
"KB939653-IE7" = Security Update for Windows Internet Explorer 7 (KB939653)
"KB939683" = Hotfix for Windows Media Player 11 (KB939683)
"KB941202" = Security Update for Windows XP (KB941202)
"KB941568" = Security Update for Windows XP (KB941568)
"KB941569" = Security Update for Windows XP (KB941569)
"KB941644" = Security Update for Windows XP (KB941644)
"KB941693" = Security Update for Windows XP (KB941693)
"KB942615-IE7" = Security Update for Windows Internet Explorer 7 (KB942615)
"KB942763" = Update for Windows XP (KB942763)
"KB943055" = Security Update for Windows XP (KB943055)
"KB943460" = Security Update for Windows XP (KB943460)
"KB943485" = Security Update for Windows XP (KB943485)
"KB944533-IE7" = Security Update for Windows Internet Explorer 7 (KB944533)
"KB944653" = Security Update for Windows XP (KB944653)
"KB945553" = Security Update for Windows XP (KB945553)
"KB946026" = Security Update for Windows XP (KB946026)
"KB946648" = Security Update for Windows XP (KB946648)
"KB947864-IE7" = Hotfix for Windows Internet Explorer 7 (KB947864)
"KB948590" = Security Update for Windows XP (KB948590)
"KB948881" = Security Update for Windows XP (KB948881)
"KB950749" = Security Update for Windows XP (KB950749)
"KB950759-IE7" = Security Update for Windows Internet Explorer 7 (KB950759)
"KB950760" = Security Update for Windows XP (KB950760)
"KB950762" = Security Update for Windows XP (KB950762)
"KB950974" = Security Update for Windows XP (KB950974)
"KB951066" = Security Update for Windows XP (KB951066)
"KB951072-v2" = Update for Windows XP (KB951072-v2)
"KB951376-v2" = Security Update for Windows XP (KB951376-v2)
"KB951698" = Security Update for Windows XP (KB951698)
"KB951748" = Security Update for Windows XP (KB951748)
"KB952287" = Hotfix for Windows XP (KB952287)
"KB952954" = Security Update for Windows XP (KB952954)
"KB953838-IE7" = Security Update for Windows Internet Explorer 7 (KB953838)
"KB953839" = Security Update for Windows XP (KB953839)
"LineupDominator_is1" = LineupDominator Version 2.0b Full
"M928366" = Microsoft .NET Framework 1.1 Hotfix (KB928366)
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft SQL Server 2000" = Microsoft SQL Server 2000
"Move Networks Player_is1" = Move Networks Player for Internet Explorer
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MWSnap 3" = MWSnap 3
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Norton Spyware Scan provided by Yahoo!" = Norton Spyware Scan provided by Yahoo!
"OfficeScanNT" = Trend Micro OfficeScan Client
"Owl and Mouse Europe Map Puzzle" = Owl and Mouse Europe Map Puzzle
"PhotoRecord" = Canon PhotoRecord
"Power Management Driver" = IBM ThinkPad Power Management Driver
"Presentation Director" = IBM ThinkPad Presentation Director
"ProInst" = Intel(R) PROSet/Wireless Software
"RarZilla Free Unrar 2.12" = RarZilla Free Unrar 2.12
"RealPlayer 6.0" = RealPlayer
"SBC Yahoo! Applications" = SBC Yahoo! Applications
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"SpeedUpMyPC_is1" = Uniblue SpeedUpMyPC 3
"SQLTools 1.42" = SQLTools 1.42 (remove only)
"SynTPDeinstKey" = IBM ThinkPad UltraNav Driver
"ThinkPad FullScreen Magnifier" = ThinkPad FullScreen Magnifier
"ThinkPadSoftwareInstaller" = ThinkPad Software Installer
"Trillian" = Trillian
"VZAccess Manager" = VZAccess Manager
"WgaNotify" = Windows Genuine Advantage Notifications (KB905474)
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinGimp-2.0_is1" = The GIMP 2.2.11
"WinGTK-2_is1" = GTK+ 2.8.9 runtime environment
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Search Defender" = Yahoo! Search Protection
"Yahoo! Toolbar" = Yahoo! Toolbar
"Yahoo! Widget Engine" = Yahoo! Widgets

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting/GoToWebinar 3.0.0.198
"Neoteris_Host_Checker" = Juniper Networks Host Checker

========== HKEY_USERS Uninstall List ==========


========== HKEY_USERS Uninstall List ==========


========== HKEY_USERS Uninstall List ==========


========== HKEY_USERS Uninstall List ==========


========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-606747145-448539723-1417001333-1700\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting/GoToWebinar 3.0.0.198
"Neoteris_Host_Checker" = Juniper Networks Host Checker

========== Last 10 Event Log Errors ==========


[ Application Events ]
Error - 8/31/2008 10:55:28 PM - Computer Name = SNOVOSEL - User Name = NT AUTHORITY\SYSTEM - Source = Userenv
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 8/31/2008 10:56:22 PM - Computer Name = SNOVOSEL - User Name = User SID not found - Source = AutoEnrollment
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 8/31/2008 10:59:16 PM - Computer Name = SNOVOSEL - User Name = User SID not found - Source = UserInit
Description = Could not execute the following script \\emergenow.com\sysvol\emergenow.com\scripts\logon.cmd.
The network path was not found. .

Error - 9/1/2008 5:25:08 PM - Computer Name = SNOVOSEL - User Name = User SID not found - Source = cvpnd
Description =

Error - 9/1/2008 5:25:09 PM - Computer Name = SNOVOSEL - User Name = User SID not found - Source = cvpnd
Description =

Error - 9/1/2008 5:25:09 PM - Computer Name = SNOVOSEL - User Name = NT AUTHORITY\SYSTEM - Source = Userenv
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 9/1/2008 5:25:10 PM - Computer Name = SNOVOSEL - User Name = User SID not found - Source = cvpnd
Description =

Error - 9/1/2008 5:25:12 PM - Computer Name = SNOVOSEL - User Name = NT AUTHORITY\SYSTEM - Source = Userenv
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 9/1/2008 5:26:11 PM - Computer Name = SNOVOSEL - User Name = User SID not found - Source = AutoEnrollment
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 9/1/2008 5:29:14 PM - Computer Name = SNOVOSEL - User Name = User SID not found - Source = UserInit
Description = Could not execute the following script \\emergenow.com\sysvol\emergenow.com\scripts\logon.cmd.
The network path was not found. .


[ Security Events ]

[ System Events ]
Error - 8/31/2008 11:03:46 PM - Computer Name = SNOVOSEL - User Name = User SID not found - Source = Service Control Manager
Description = The Windows Image Acquisition (WIA) service terminated unexpectedly.
It has done this 5 time(s).

Error - 8/31/2008 11:04:02 PM - Computer Name = SNOVOSEL - User Name = EMERGENOW\snovosel - Source = DCOM
Description = The server {A1F4E726-8CF1-11D1-BF92-0060081ED811} did not register
with DCOM within the required timeout.

Error - 9/1/2008 5:25:10 PM - Computer Name = SNOVOSEL - User Name = User SID not found - Source = NETLOGON
Description = No Domain Controller is available for domain EMERGENOW due to the
following: %%1311. Make sure that the computer is connected to the network and try
again.
If the problem persists, please contact your domain administrator.

Error - 9/1/2008 5:25:55 PM - Computer Name = SNOVOSEL - User Name = User SID not found - Source = W32Time
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 9/1/2008 5:25:56 PM - Computer Name = SNOVOSEL - User Name = User SID not found - Source = W32Time
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 15 minutes. NtpClient has no source of accurate
time.

Error - 9/1/2008 5:27:40 PM - Computer Name = SNOVOSEL - User Name = User SID not found - Source = Service Control Manager
Description = The Windows Image Acquisition (WIA) service hung on starting.

Error - 9/1/2008 5:29:04 PM - Computer Name = SNOVOSEL - User Name = User SID not found - Source = Service Control Manager
Description = The Windows Image Acquisition (WIA) service terminated unexpectedly.
It has done this 1 time(s).

Error - 9/1/2008 5:29:12 PM - Computer Name = SNOVOSEL - User Name = EMERGENOW\snovosel - Source = DCOM
Description = The server {A1F4E726-8CF1-11D1-BF92-0060081ED811} did not register
with DCOM within the required timeout.

Error - 9/1/2008 5:29:42 PM - Computer Name = SNOVOSEL - User Name = User SID not found - Source = Service Control Manager
Description = The Windows Image Acquisition (WIA) service terminated unexpectedly.
It has done this 2 time(s).

Error - 9/1/2008 5:29:49 PM - Computer Name = SNOVOSEL - User Name = EMERGENOW\snovosel - Source = DCOM
Description = The server {A1F4E726-8CF1-11D1-BF92-0060081ED811} did not register
with DCOM within the required timeout.


< End of report >

Blade81
2008-09-01, 20:30
IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) file sharing programs on your computer.

BitTorrent


I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Delete these folders afterwards:

C:\Program Files\BitTorrent

Empty Recycle Bin.

After that:

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your desktop. (If you can't download with this computer, try to get it downloaded on some other one.)

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
Instead of Windows loading as normal, a menu with options should appear.
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

In Safe Mode, double click the SDFix.exe file. Click Install in the window that appears, then open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
Press any key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads, the fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.
Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

sjn163
2008-09-02, 09:42
Thank You so much.

It looks like stuff is getting removed. Here are the latest log files.

I could not log into safe mode with the user id I usually use. I had to log in using WksAdmin account. This is also the account I used when the machine rebooted during SDFix. I ran HijackThis with my usual account.

Report.txt


SDFix: Version 1.220
Run by WksAdmin on Tue 09/02/2008 at 01:30 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\ACRDB42.TMP - Deleted
C:\ACRDB43.TMP - Deleted
C:\ACRDB44.TMP - Deleted
C:\ACRDB45.TMP - Deleted
C:\ACRDB46.TMP - Deleted
C:\ACRDB47.TMP - Deleted
C:\ACRDB48.TMP - Deleted
C:\ACRDB49.TMP - Deleted
C:\ACRDB4A.TMP - Deleted
C:\ACRDB4B.TMP - Deleted
C:\ACRDB4C.TMP - Deleted
C:\ACRDB4D.TMP - Deleted
C:\ACRDB4E.TMP - Deleted
C:\ACRDB4F.TMP - Deleted
C:\ACRDB50.TMP - Deleted
C:\ACRDB51.TMP - Deleted
C:\ACRDB52.TMP - Deleted
C:\ACRDB53.TMP - Deleted
C:\ACRDB54.TMP - Deleted
C:\ACRDB55.TMP - Deleted
C:\ACRDB56.TMP - Deleted
C:\ACRDB57.TMP - Deleted
C:\ACRDB58.TMP - Deleted
C:\ACRDB59.TMP - Deleted
C:\ACRDB5A.TMP - Deleted
C:\ACRDB5B.TMP - Deleted
C:\ACRDB5C.TMP - Deleted
C:\ACRDB5D.TMP - Deleted
C:\ACRDB5E.TMP - Deleted
C:\ACRDB5F.TMP - Deleted
C:\ACRDB60.TMP - Deleted
C:\ACRDB61.TMP - Deleted
C:\ACRDB62.TMP - Deleted
C:\ACRDB63.TMP - Deleted
C:\ACRDB64.TMP - Deleted
C:\ACRDB65.TMP - Deleted
C:\ACRDB66.TMP - Deleted
C:\ACRDB67.TMP - Deleted
C:\ACRDB68.TMP - Deleted
C:\ACRDB69.TMP - Deleted
C:\ACRDB6A.TMP - Deleted
C:\ACRDB6B.TMP - Deleted
C:\ACRDB6C.TMP - Deleted
C:\ACRDB6D.TMP - Deleted
C:\ACRDB6E.TMP - Deleted
C:\ACRDB6F.TMP - Deleted
C:\ACRDB70.TMP - Deleted
C:\ACRDB71.TMP - Deleted
C:\ACRDB72.TMP - Deleted
C:\ACRDB74.TMP - Deleted
C:\ACRDB75.TMP - Deleted
C:\ACRDB76.TMP - Deleted
C:\ACRDB77.TMP - Deleted
C:\ACRDB78.TMP - Deleted
C:\ACRDB79.TMP - Deleted
C:\ACRDB7A.TMP - Deleted
C:\ACRDB7B.TMP - Deleted
C:\ACRDB7C.TMP - Deleted
C:\ACRDB7D.TMP - Deleted
C:\ACRDB7E.TMP - Deleted
C:\ACRDB7F.TMP - Deleted
C:\ACRDB80.TMP - Deleted
C:\ACRDB81.TMP - Deleted
C:\ACRDB82.TMP - Deleted
C:\ACRDB83.TMP - Deleted
C:\ACRDB84.TMP - Deleted
C:\ACRDB85.TMP - Deleted
C:\ACRDB86.TMP - Deleted
C:\ACRDB87.TMP - Deleted
C:\ACRDB88.TMP - Deleted
C:\ACRDB89.TMP - Deleted
C:\ACRDB8A.TMP - Deleted
C:\ACRDB8B.TMP - Deleted
C:\ACRDB8C.TMP - Deleted
C:\ACRDB8D.TMP - Deleted
C:\ACRDB8E.TMP - Deleted
C:\ACRDB8F.TMP - Deleted
C:\ACRDB90.TMP - Deleted
C:\ACRDB91.TMP - Deleted
C:\ACRDB92.TMP - Deleted
C:\ACRDB93.TMP - Deleted
C:\ACRDB94.TMP - Deleted
C:\ACRDB95.TMP - Deleted
C:\ACRDB96.TMP - Deleted
C:\ACRDB97.TMP - Deleted
C:\ACRDB98.TMP - Deleted
C:\ACRDB99.TMP - Deleted
C:\ACRDB9A.TMP - Deleted
C:\ACRDB9B.TMP - Deleted
C:\ACRDB9C.TMP - Deleted
C:\ACRDB9D.TMP - Deleted
C:\ACRDB9E.TMP - Deleted
C:\ACRDB9F.TMP - Deleted
C:\ACRDBA0.TMP - Deleted
C:\ACRDBA1.TMP - Deleted
C:\ACRDBA2.TMP - Deleted
C:\ACRDBA3.TMP - Deleted
C:\ACRDBA4.TMP - Deleted
C:\ACRDBA5.TMP - Deleted
C:\ACRDBA6.TMP - Deleted
C:\ACRDBA7.TMP - Deleted
C:\ACRDBA8.TMP - Deleted
C:\ACRDBA9.TMP - Deleted
C:\ACRDBAA.TMP - Deleted
C:\ACRDBAB.TMP - Deleted
C:\ACRDBAC.TMP - Deleted
C:\ACRDBAD.TMP - Deleted
C:\ACRDBAE.TMP - Deleted
C:\ACRDBAF.TMP - Deleted
C:\ACRDBB0.TMP - Deleted
C:\ACRDBB1.TMP - Deleted
C:\ACRDBB2.TMP - Deleted
C:\ACRDBB3.TMP - Deleted
C:\ACRDBB4.TMP - Deleted
C:\ACRDBB5.TMP - Deleted
C:\ACRDBB6.TMP - Deleted
C:\ACRDBB7.TMP - Deleted
C:\ACRDBB8.TMP - Deleted
C:\ACRDBB9.TMP - Deleted
C:\ACRDBBA.TMP - Deleted
C:\ACRDBBB.TMP - Deleted
C:\ACRDBBC.TMP - Deleted
C:\ACRDBBD.TMP - Deleted
C:\ACRDBBE.TMP - Deleted
C:\ACRDBBF.TMP - Deleted
C:\ACRDBC0.TMP - Deleted
C:\ACRDBC1.TMP - Deleted
C:\ACRDBC2.TMP - Deleted
C:\ACRDBC3.TMP - Deleted
C:\ACRDBC4.TMP - Deleted
C:\ACRDBC5.TMP - Deleted
C:\ACRDBC6.TMP - Deleted
C:\ACRDBC7.TMP - Deleted
C:\ACRDBC8.TMP - Deleted
C:\ACRDBC9.TMP - Deleted
C:\ACRDBCA.TMP - Deleted
C:\ACRDBCB.TMP - Deleted
C:\ACRDBCC.TMP - Deleted
C:\ACRDBCD.TMP - Deleted
C:\ACRDBCE.TMP - Deleted
C:\ACRDBCF.TMP - Deleted
C:\ACRDBD0.TMP - Deleted
C:\ACRDBD1.TMP - Deleted
C:\ACRDBD2.TMP - Deleted
C:\ACRDBD3.TMP - Deleted
C:\ACRDBD4.TMP - Deleted
C:\ACRDBD5.TMP - Deleted
C:\ACRDBD6.TMP - Deleted
C:\ACRDBD7.TMP - Deleted
C:\ACRDBD8.TMP - Deleted
C:\ACRDBD9.TMP - Deleted
C:\ACRDBDA.TMP - Deleted
C:\ACRDBDB.TMP - Deleted
C:\ACRDBDC.TMP - Deleted
C:\ACRDBDD.TMP - Deleted
C:\ACRDBDE.TMP - Deleted
C:\ACRDBDF.TMP - Deleted
C:\ACRDBE0.TMP - Deleted
C:\ACRDBE1.TMP - Deleted
C:\ACRDBE2.TMP - Deleted
C:\ACRDBE3.TMP - Deleted
C:\ACRDBE4.TMP - Deleted
C:\ACRDBE5.TMP - Deleted
C:\ACRDBE6.TMP - Deleted
C:\ACRDBE7.TMP - Deleted
C:\ACRDBE8.TMP - Deleted
C:\ACRDBE9.TMP - Deleted
C:\ACRDBEA.TMP - Deleted
C:\ACRDBEB.TMP - Deleted
C:\ACRDBEC.TMP - Deleted
C:\ACRDBED.TMP - Deleted
C:\ACRDBEE.TMP - Deleted
C:\ACRDBEF.TMP - Deleted
C:\ACRDBF0.TMP - Deleted
C:\ACRDBF1.TMP - Deleted
C:\ACRDBF2.TMP - Deleted
C:\ACRDBF3.TMP - Deleted
C:\ACRDBF4.TMP - Deleted
C:\ACRDBF5.TMP - Deleted
C:\ACRDBF6.TMP - Deleted
C:\ACRDBF7.TMP - Deleted
C:\ACRDBF8.TMP - Deleted
C:\ACRDBF9.TMP - Deleted
C:\ACRDBFA.TMP - Deleted
C:\ACRDBFB.TMP - Deleted
C:\ACRDBFC.TMP - Deleted
C:\ACRDBFD.TMP - Deleted
C:\ACRDBFE.TMP - Deleted
C:\ACRDBFF.TMP - Deleted
C:\ACRDC00.TMP - Deleted
C:\ACRDC01.TMP - Deleted
C:\ACRDC02.TMP - Deleted
C:\ACRDC03.TMP - Deleted
C:\ACRDC04.TMP - Deleted
C:\ACRDC05.TMP - Deleted
C:\ACRDC06.TMP - Deleted
C:\ACRDC07.TMP - Deleted
C:\ACRDC08.TMP - Deleted
C:\ACRDC09.TMP - Deleted
C:\ACRDC0A.TMP - Deleted
C:\ACRDC0B.TMP - Deleted
C:\ACRDC0C.TMP - Deleted
C:\ACRDC0D.TMP - Deleted
C:\ACRDC0E.TMP - Deleted
C:\ACRDC10.TMP - Deleted
C:\ACRDC11.TMP - Deleted
C:\ACRDC12.TMP - Deleted
C:\ACRDC13.TMP - Deleted
C:\ACRDC14.TMP - Deleted
C:\ACRDC15.TMP - Deleted
C:\ACRDC16.TMP - Deleted
C:\ACRDC17.TMP - Deleted
C:\ACRDC18.TMP - Deleted
C:\ACRDC19.TMP - Deleted
C:\ACRDC1A.TMP - Deleted
C:\ACRDC1B.TMP - Deleted
C:\ACRDC1C.TMP - Deleted
C:\ACRDC1D.TMP - Deleted
C:\ACRDC1E.TMP - Deleted
C:\ACRDC1F.TMP - Deleted
C:\ACRDC20.TMP - Deleted
C:\ACRDC21.TMP - Deleted
C:\ACRDC22.TMP - Deleted
C:\ACRDC23.TMP - Deleted
C:\ACRDC24.TMP - Deleted
C:\ACRDC25.TMP - Deleted
C:\ACRDC26.TMP - Deleted
C:\ACRDC27.TMP - Deleted
C:\ACRDC28.TMP - Deleted
C:\ACRDC29.TMP - Deleted
C:\ACRDC2A.TMP - Deleted
C:\ACRDC2B.TMP - Deleted
C:\ACRDC2C.TMP - Deleted
C:\ACRDC2D.TMP - Deleted
C:\ACRDC2E.TMP - Deleted
C:\ACRDC2F.TMP - Deleted
C:\ACRDC30.TMP - Deleted
C:\ACRDC31.TMP - Deleted
C:\ACRDC32.TMP - Deleted
C:\ACRDC33.TMP - Deleted
C:\ACRDC34.TMP - Deleted
C:\ACRDC35.TMP - Deleted
C:\ACRDC36.TMP - Deleted
C:\ACRDC37.TMP - Deleted
C:\ACRDC38.TMP - Deleted
C:\ACRDC39.TMP - Deleted
C:\ACRDC3A.TMP - Deleted
C:\ACRDC3B.TMP - Deleted
C:\ACRDC3C.TMP - Deleted
C:\ACRDC3D.TMP - Deleted
C:\ACRDC3E.TMP - Deleted
C:\ACRDC3F.TMP - Deleted
C:\ACRDC40.TMP - Deleted
C:\WINDOWS\browser.exe - Deleted
C:\WINDOWS\system32\drivers\tdssserv.sys - Deleted
C:\WINDOWS\system32\tdssinit.dll - Deleted
C:\WINDOWS\system32\tdssl.dll - Deleted
C:\WINDOWS\system32\tdsslog.dll - Deleted
C:\WINDOWS\system32\tdssmain.dll - Deleted
C:\WINDOWS\system32\tdssservers.dat - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-02 02:05:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\tdssserv.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSserv.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\tdssserv]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSserv.sys"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"LoadAppInit_DLLs"=dword:00000001

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"="C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe:*:Enabled:IBM Update Connector"
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"="C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe:*:Enabled:IBM Update Connector"
"C:\\Program Files\\IBM\\Updater\\ucsmb.exe"="C:\\Program Files\\IBM\\Updater\\ucsmb.exe:*:Enabled:IBM Update Connector"
"D:\\Setup\\HPZnet01.exe"="D:\\Setup\\HPZnet01.exe:*:Enabled:ICE Network Plug in"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:HP Digital Imaging Monitor (CUE)"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:HP AiO Fax Manager"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy.exe:*:Disabled: "
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SERVICE.EXE"="C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SERVICE.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient service"
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SCC.EXE"="C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SCC.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient command line"
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.EXE"="C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient SDS agent"
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_DIAGNOSTICS.EXE"="C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_DIAGNOSTICS.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient diagnostics"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Common Files\\TiVo Shared\\Beacon\\TiVoBeacon.exe"="C:\\Program Files\\Common Files\\TiVo Shared\\Beacon\\TiVoBeacon.exe:LocalSubNet:Enabled:TiVo Beacon Service"
"C:\\Program Files\\Common Files\\TiVo Shared\\Transfer\\TiVoTransfer.exe"="C:\\Program Files\\Common Files\\TiVo Shared\\Transfer\\TiVoTransfer.exe:LocalSubNet:Enabled:TiVo Transfer Service"
"C:\\Program Files\\TiVo\\Desktop\\TiVoServer.exe"="C:\\Program Files\\TiVo\\Desktop\\TiVoServer.exe:LocalSubNet:Enabled:TiVo Server Service"
"C:\\Program Files\\TiVo\\Desktop\\TiVoDesktop.exe"="C:\\Program Files\\TiVo\\Desktop\\TiVoDesktop.exe:LocalSubNet:Enabled:TiVo Desktop User Interface"
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.EXE"="C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient application"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"="C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe:*:Enabled:IBM Update Connector"
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"="C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe:*:Enabled:IBM Update Connector"
"C:\\Program Files\\IBM\\Updater\\ucsmb.exe"="C:\\Program Files\\IBM\\Updater\\ucsmb.exe:*:Enabled:IBM Update Connector"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SERVICE.EXE"="C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SERVICE.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient service"
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.EXE"="C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient application"
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SCC.EXE"="C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SCC.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient command line"
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.EXE"="C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient SDS agent"
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_DIAGNOSTICS.EXE"="C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_DIAGNOSTICS.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient diagnostics"
"\\\\LINCOLN\\ESASSET\\ClientCon.exe"="\\\\LINCOLN\\ESASSET\\ClientCon.exe:*:Enabled:Asset Tracker for Networks Agent"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 23 Jun 2008 69,120 ...H. --- "C:\Documents and Settings\snovosel\Desktop\~WRL1048.tmp"
Mon 5 Nov 2007 30,208 ...H. --- "C:\Documents and Settings\snovosel\Desktop\~WRL1411.tmp"
Wed 31 Jan 2007 44,032 ...H. --- "C:\Backup2\_ESData\ES Admin\Client Abstract\~WRL1410.tmp"
Wed 14 Mar 2007 76,288 ...H. --- "C:\Backup2\_ESData\ES Admin\Review\~WRL3638.tmp"
Thu 20 Oct 2005 23,552 A..H. --- "C:\Backup2\_ESData\Presentations\DMUG 05\~WRL0005.tmp"
Thu 3 Jul 2008 29,696 ...H. --- "C:\Backup2\_ESData\Projects\Formax\~WRL3658.tmp"
Tue 12 Aug 2008 605,184 ...H. --- "C:\Backup2\_ESData\Projects\Formax\~WRL3660.tmp"
Wed 5 Sep 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 8 Jul 2008 425,984 ...H. --- "C:\Backup2\_ESData\Projects\- River Rock\50. Training\~WRL0342.tmp"
Thu 12 Jun 2008 358,400 ...H. --- "C:\Backup2\_ESData\Projects\- River Rock\50. Training\~WRL2096.tmp"
Thu 10 Apr 2008 451,072 ...H. --- "C:\Backup2\_ESData\Projects\- Star Tribune\03. Develop\~WRL0966.tmp"
Thu 10 Apr 2008 761,856 ...H. --- "C:\Backup2\_ESData\Projects\- Star Tribune\03. Develop\~WRL1244.tmp"
Thu 10 Apr 2008 765,952 ...H. --- "C:\Backup2\_ESData\Projects\- Star Tribune\03. Develop\~WRL1603.tmp"
Thu 10 Apr 2008 556,032 ...H. --- "C:\Backup2\_ESData\Projects\- Star Tribune\03. Develop\~WRL2155.tmp"
Thu 10 Apr 2008 24,064 ...H. --- "C:\Backup2\_ESData\Projects\- Star Tribune\03. Develop\~WRL2185.tmp"
Thu 10 Apr 2008 761,856 ...H. --- "C:\Backup2\_ESData\Projects\- Star Tribune\03. Develop\~WRL3194.tmp"
Thu 10 Apr 2008 451,072 ...H. --- "C:\Backup2\_ESData\Projects\- Star Tribune\03. Develop\~WRL3794.tmp"
Tue 3 Jul 2007 28,672 ...H. --- "C:\Backup2\_ESData\Projects\ITE\01. Admin\~WRL2262.tmp"
Wed 31 Oct 2007 0 A..H. --- "C:\Documents and Settings\snovosel\Application Data\Microsoft\Excel\Excel11.xlb~RF244df2f.TMP"
Tue 26 Jun 2007 92,160 ...H. --- "C:\Documents and Settings\snovosel\Application Data\Microsoft\Word\~WRL0148.tmp"
Mon 17 Dec 2007 207,872 ...H. --- "C:\Documents and Settings\snovosel\Application Data\Microsoft\Word\~WRL2351.tmp"
Mon 17 Dec 2007 180,224 ...H. --- "C:\Documents and Settings\snovosel\Application Data\Microsoft\Word\~WRL2590.tmp"
Wed 23 Jul 2008 30,208 ...H. --- "C:\Documents and Settings\snovosel\Application Data\Microsoft\Word\~WRL3435.tmp"
Wed 12 Sep 2007 320,512 ...H. --- "C:\Documents and Settings\snovosel\Application Data\Microsoft\Word\~WRL3808.tmp"
Tue 11 Sep 2007 148,480 ...H. --- "C:\Documents and Settings\snovosel\Application Data\Microsoft\Word\~WRL3930.tmp"
Mon 17 Dec 2007 207,872 ...H. --- "C:\Documents and Settings\snovosel\Application Data\Microsoft\Word\~WRL4072.tmp"
Mon 18 Feb 2008 149,504 ...H. --- "C:\Backup2\_ESData\Projects\- River Rock\01. Admin\b. Status Reports\~WRL0531.tmp"
Fri 2 May 2008 149,504 ...H. --- "C:\Backup2\_ESData\Projects\- River Rock\01. Admin\b. Status Reports\~WRL2682.tmp"
Wed 27 Feb 2008 207,360 ...H. --- "C:\Backup2\_ESData\Projects\- River Rock\02. Design\b. Fit Gap\~WRL1652.tmp"
Wed 27 Feb 2008 261,632 ...H. --- "C:\Backup2\_ESData\Projects\- River Rock\02. Design\b. Fit Gap\~WRL2950.tmp"
Mon 10 Mar 2008 582,144 ...H. --- "C:\Backup2\_ESData\Projects\- River Rock\02. Design\c. Design Doc\~WRL2198.tmp"
Mon 3 Mar 2008 715,264 ...H. --- "C:\Backup2\_ESData\Projects\- River Rock\02. Design\c. Design Doc\~WRL3567.tmp"
Tue 8 Jul 2008 320,512 ...H. --- "C:\Backup2\_ESData\Projects\- Star Tribune\03. Develop\Pass 3\~WRL0028.tmp"
Tue 8 Jul 2008 320,512 ...H. --- "C:\Backup2\_ESData\Projects\- Star Tribune\03. Develop\Pass 3\~WRL0420.tmp"
Tue 8 Jul 2008 314,368 ...H. --- "C:\Backup2\_ESData\Projects\- Star Tribune\03. Develop\Pass 3\~WRL0570.tmp"
Tue 8 Jul 2008 314,368 ...H. --- "C:\Backup2\_ESData\Projects\- Star Tribune\03. Develop\Pass 3\~WRL0740.tmp"
Tue 8 Jul 2008 313,856 ...H. --- "C:\Backup2\_ESData\Projects\- Star Tribune\03. Develop\Pass 3\~WRL0925.tmp"
Tue 8 Jul 2008 321,024 ...H. --- "C:\Backup2\_ESData\Projects\- Star Tribune\03. Develop\Pass 3\~WRL1694.tmp"
Tue 8 Jul 2008 317,952 ...H. --- "C:\Backup2\_ESData\Projects\- Star Tribune\03. Develop\Pass 3\~WRL2129.tmp"
Wed 9 Jul 2008 189,440 ...H. --- "C:\Backup2\_ESData\Projects\- Star Tribune\03. Develop\Pass 3\~WRL2631.tmp"
Tue 8 Jul 2008 317,952 ...H. --- "C:\Backup2\_ESData\Projects\- Star Tribune\03. Develop\Pass 3\~WRL2739.tmp"
Tue 8 Jul 2008 315,392 ...H. --- "C:\Backup2\_ESData\Projects\- Star Tribune\03. Develop\Pass 3\~WRL3085.tmp"
Tue 8 Jul 2008 311,808 ...H. --- "C:\Backup2\_ESData\Projects\- Star Tribune\03. Develop\Pass 3\~WRL3122.tmp"
Tue 8 Jul 2008 315,904 ...H. --- "C:\Backup2\_ESData\Projects\- Star Tribune\03. Develop\Pass 3\~WRL3217.tmp"
Tue 8 Jul 2008 320,000 ...H. --- "C:\Backup2\_ESData\Projects\- Star Tribune\03. Develop\Pass 3\~WRL3288.tmp"
Tue 8 Jul 2008 317,440 ...H. --- "C:\Backup2\_ESData\Projects\- Star Tribune\03. Develop\Pass 3\~WRL3773.tmp"
Thu 26 Oct 2006 960,000 A..H. --- "C:\Backup2\_ESData\Projects\Enesco\- Enesco\6. Receipt accrual reconciliation\~WRL0004.tmp"
Thu 28 Jun 2007 100,352 ...H. --- "C:\Backup2\_ESData\Projects\ITE\01. Admin\Status Report\~WRL0755.tmp"
Fri 14 Dec 2007 96,256 ...H. --- "C:\Backup2\_ESData\Projects\ITE\01. Admin\Status Report\~WRL0868.tmp"
Thu 11 Oct 2007 421,376 ...H. --- "C:\Backup2\_ESData\Projects\ITE\03. Design\Custom\~WRL3404.tmp"
Tue 14 Feb 2006 79,360 A..H. --- "C:\Backup2\_ESData\Projects\Richardson\- Rell 3\03. Fit Gap\~WRL2340.tmp"
Wed 15 Feb 2006 179,200 A..H. --- "C:\Backup2\_ESData\Projects\Richardson\- Rell 3\03. Fit Gap\~WRL2346.tmp"
Wed 15 Feb 2006 163,840 A..H. --- "C:\Backup2\_ESData\Projects\Richardson\- Rell 3\03. Fit Gap\~WRL3087.tmp"
Mon 17 Apr 2006 292,864 A..H. --- "C:\Backup2\_ESData\Projects\Richardson\- Rell 3\04. CSD\~WRL1678.tmp"
Mon 17 Apr 2006 250,880 A..H. --- "C:\Backup2\_ESData\Projects\Richardson\- Rell 3\04. CSD\~WRL2326.tmp"
Thu 13 Apr 2006 265,216 A..H. --- "C:\Backup2\_ESData\Projects\Richardson\- Rell 3\04. CSD\~WRL2363.tmp"
Wed 12 Apr 2006 245,248 A..H. --- "C:\Backup2\_ESData\Projects\Richardson\- Rell 3\04. CSD\~WRL3444.tmp"
Tue 10 Apr 2007 24,646 ..SHR --- "C:\Documents and Settings\snovosel\Local Settings\Temp\Juniper Networks\setup\NeoterisSetupApp.exe"
Mon 4 Aug 2003 816,640 A..H. --- "C:\Backup2\_ESData\ES Admin\Committee\Internal Communications\Newsletter\2003 Q3\~WRL2472.tmp"
Thu 31 Jul 2003 19,456 A..H. --- "C:\Backup2\_ESData\ES Admin\Committee\Internal Communications\Newsletter\2003 Q3\~WRL3100.tmp"
Sun 15 Feb 2004 25,088 A..H. --- "C:\Backup2\_ESData\ES Admin\Committee\Internal Communications\Newsletter\2004 Q1\~WRL1243.tmp"
Sun 15 Feb 2004 25,088 A..H. --- "C:\Backup2\_ESData\ES Admin\Committee\Internal Communications\Newsletter\2004 Q1\~WRL1347.tmp"
Mon 18 Jun 2007 24,576 ...H. --- "C:\Backup2\_ESData\Projects\ITE\03. Design\OM\returns\~WRL2989.tmp"
Tue 25 Apr 2006 368,640 A..H. --- "C:\Backup2\_ESData\Projects\Richardson\- Rell 3\D1.9.0.0.2 - Conceptual Solution Design\Fulfillment to Cash\~WRL1642.tmp"
Wed 26 Apr 2006 333,312 A..H. --- "C:\Backup2\_ESData\Projects\Richardson\- Rell 3\D1.9.0.0.2 - Conceptual Solution Design\Source to Settle\~WRL1594.tmp"
Tue 29 Jun 2004 47,104 A..H. --- "C:\Backup2\_ESData\Projects\Richardson\Backup from SCM\Scott\1 Design\~WRL1075.tmp"
Wed 29 Sep 2004 273,408 A..H. --- "C:\Backup2\_ESData\Projects\Richardson\Backup from SCM\Scott\8 PS\~WRL0981.tmp"
Wed 28 Nov 2007 249,856 ...H. --- "C:\Backup2\_ESData\Projects\ITE\05. Test\Test Scripts\Order Management Scripts\Cycle 1 completed\~WRL0331.tmp"

Finished!

sjn163
2008-09-02, 09:44
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:24:50 AM, on 9/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\TEMP\LA400F.EXE
C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [combofix] "C:\WINDOWS\system32\CF6795.exe" /c "C:\327882R2FWJFW\C.bat"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O15 - Trusted Zone: http://crm.emergenow.com
O15 - Trusted Zone: http://esportal.emergenow.com
O15 - Trusted Zone: http://medinah.emergenow.com
O15 - Trusted Zone: http://portal.emergenow.com
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&6&04.00.09.13&unknown&unknown&http://www.toyota.com/fjcruiser/features.html
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - https://medinah.emergenow.com/tenterprise/download/ScriptX.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3E059DAB-6894-435C-B758-2977F014D734} (TClientProc.ClientSettings) - https://medinah.emergenow.com/tenterprise/download/TClientProc.CAB
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://itproject.navistar.com/projectserver/objects/pjclient.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - http://ridpath8532.viewnetcam.com:50000/bl_camera.cab
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://itproject.navistar.com/projectserver/objects/1033/pjcintl.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://my.nav-international.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emergenow.com
O17 - HKLM\Software\..\Telephony: DomainName = emergenow.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{43AB03B3-5649-4AD6-8B04-B69AD8996717}: NameServer = 10.2.1.32,10.2.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emergenow.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = emergenow.com,river-rock-casino.com,rrea.infi,erp.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = emergenow.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = erp.local,rrea.infi,river-rock-casino.com,emergenow.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = emergenow.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = erp.local,rrea.infi,river-rock-casino.com,emergenow.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = erp.local,rrea.infi,river-rock-casino.com,emergenow.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe

--
End of file - 13960 bytes

Blade81
2008-09-02, 10:49
Hi

Please see if you can run ComboFix now by following the instructions below:

1. Ensure that combofix.exe is on your desktop.
2. Make sure you save and close ALL open windows and programs that you are running in the taskbar as combofix will attempt to end all non-windows processes for a faster and more successful cleaning.

Click start > run > copy and paste:

"%userprofile%\desktop\combofix.exe" /killall

sjn163
2008-09-02, 11:55
Yeah! It worked. I will paste the log.

ComboFix 08-09-01.01 - snovosel 2008-09-02 4:09:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.650 [GMT -5:00]
Running from: C:\Documents and Settings\snovosel\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\sysproc64
C:\Documents and Settings\LocalService\Application Data\sysproc64\sysproc32.sys
C:\Documents and Settings\NetworkService\Application Data\sysproc64
C:\Documents and Settings\NetworkService\Application Data\sysproc64\sysproc32.sys
C:\Documents and Settings\snovosel\Application Data\Awola
C:\Documents and Settings\snovosel\Application Data\Awola\Awola.exe
C:\Documents and Settings\snovosel\Application Data\Awola\Awola001.bas
C:\Documents and Settings\snovosel\Application Data\Awola\settings.ini
C:\Documents and Settings\snovosel\Application Data\macromedia\Flash Player\#SharedObjects\6USB2J44\bin.clearspring.com
C:\Documents and Settings\snovosel\Application Data\macromedia\Flash Player\#SharedObjects\6USB2J44\interclick.com
C:\Documents and Settings\snovosel\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\snovosel\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\snovosel\load.exe
C:\Documents and Settings\snovosel\Start Menu\Programs\Awola
C:\Documents and Settings\snovosel\Start Menu\Programs\Awola\Awola Anti-Spyware 6.0.lnk
C:\Documents and Settings\snovosel\Start Menu\Programs\Awola\Uninstall Awola Anti-Spyware 6.0.lnk
C:\WINDOWS\system32\actskn43.ocx
C:\WINDOWS\system32\oembios.exe
C:\WINDOWS\system32\REGOBJ.DLL
C:\WINDOWS\system32\sysproc64
C:\WINDOWS\system32\sysproc64\sysproc32.sys
C:\WINDOWS\system32\sysproc64\sysproc86.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Service_tdssserv


((((((((((((((((((((((((( Files Created from 2008-08-02 to 2008-09-02 )))))))))))))))))))))))))))))))
.

2008-09-02 01:19 . 2008-09-02 01:19 <DIR> d-------- C:\WINDOWS\ERUNT
2008-09-02 01:16 . 2008-09-02 02:10 <DIR> d-------- C:\SDFix
2008-09-01 12:35 . 2008-09-01 12:55 250 --a------ C:\WINDOWS\gmer.ini
2008-08-31 16:28 . 2008-08-31 16:28 60,416 --a------ C:\WINDOWS\system32\drivers\Combo-Fix(2).sys
2008-08-22 01:40 . 2008-08-22 01:40 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Yahoo!
2008-08-19 03:21 . 2008-08-21 19:12 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-18 07:51 . 2008-05-01 09:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-31 07:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-29 15:49 --------- d-----w C:\Documents and Settings\snovosel\Application Data\Skype
2008-08-23 06:14 --------- d-----w C:\Program Files\Trend Micro
2008-08-22 21:43 --------- d-----w C:\Program Files\PC-Doctor for Windows
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-08 19:35 --------- d-----w C:\Program Files\Google
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet(2).dll
2008-06-23 16:57 267,776 ----a-w C:\WINDOWS\system32\iertutil(2).dll
2008-06-23 16:57 105,984 ----a-w C:\WINDOWS\system32\url(2).dll
2008-06-23 16:57 1,159,680 ----a-w C:\WINDOWS\system32\urlmon(2).dll
2008-06-20 17:36 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:36 245,248 ----a-w C:\WINDOWS\system32\mswsock(2).dll
2008-06-20 17:36 147,968 ----a-w C:\WINDOWS\system32\dnsapi(2).dll
2008-03-07 04:23 0 -csha-w C:\Documents and Settings\snovosel\Application Data\b925c42d065d8e1156d9ea3f01bd73b90ba1e2bc.dat
2007-11-29 17:38 12,800 -c--a-w C:\Documents and Settings\snovosel\Application Data\wjoxy.exe
2007-11-29 17:38 12,800 -c--a-w C:\Documents and Settings\snovosel\Application Data\vvusxoqigij.exe
2007-11-29 17:38 12,800 -c--a-w C:\Documents and Settings\snovosel\Application Data\vjq.exe
2007-11-29 17:38 12,800 -c--a-w C:\Documents and Settings\snovosel\Application Data\ssgrjiypnv.exe
2007-11-29 17:38 12,800 -c--a-w C:\Documents and Settings\snovosel\Application Data\rexdbqceoed.exe
2007-11-29 17:38 12,800 -c--a-w C:\Documents and Settings\snovosel\Application Data\iodnorzqljib.exe
2007-11-29 17:38 12,800 -c--a-w C:\Documents and Settings\snovosel\Application Data\imfedyu.exe
2007-06-07 13:32 56,912 ----a-w C:\Documents and Settings\snovosel\g2mdlhlpx.exe
2008-02-08 02:46 13,624 ----a-w C:\Program Files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 02:46 87,360 ----a-w C:\Program Files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 02:46 91,448 ----a-w C:\Program Files\mozilla firefox\plugins\confmgr.dll
2008-02-08 02:46 21,824 ----a-w C:\Program Files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 02:46 206,136 ----a-w C:\Program Files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 02:46 31,544 ----a-w C:\Program Files\mozilla firefox\plugins\icafile.dll
2008-02-08 02:46 40,248 ----a-w C:\Program Files\mozilla firefox\plugins\icalogon.dll
2007-03-16 22:27 479,232 ----a-w C:\Program Files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 22:27 548,864 ----a-w C:\Program Files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 22:27 626,688 ----a-w C:\Program Files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 17:47 981,170 ----a-w C:\Program Files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 02:46 24,384 ----a-w C:\Program Files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2004-08-06 04:10 442368]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2008-04-02 09:50 9442584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-08 13:17 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-08 13:17 512000]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-04 20:39 897024]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-03-03 19:10 94208]
"ControlCenter"="C:\Program Files\IBM fingerprint software\ctlcntr.exe" [2004-11-04 11:46 284766]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-09-02 03:05 127035]
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [2004-12-16 05:41 90112]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 05:07 86016]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2004-12-21 03:00 135168]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2008-04-09 20:38 710000]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"TpShocks"="TpShocks.exe" [2004-10-27 17:58 106496 C:\WINDOWS\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2004-11-12 03:07 40960 C:\WINDOWS\system32\TP4EX.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-06-09 02:07:29 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2004-11-04 11:51 108636 C:\Program Files\IBM fingerprint software\psfus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2006-04-09 21:24 24674 C:\WINDOWS\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 05:07 262144 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2004-08-12 22:11 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-448539723-1417001333-1700\Scripts\Logon\0\0]
"Script"=\\emergenow.com\sysvol\emergenow.com\scripts\logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-448539723-1417001333-3363\Scripts\Logon\0\0]
"Script"=\\emergenow.com\sysvol\emergenow.com\scripts\logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SERVICE.EXE"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SCC.EXE"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.EXE"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_DIAGNOSTICS.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.EXE"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2004-05-14 16:08]
R0 TPDiskPM;TPDiskPM;C:\WINDOWS\system32\drivers\TPDiskPM.sys [2004-12-02 18:14]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-03-18 05:07]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2005-03-18 05:07]
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2004-05-14 14:59]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2004-12-21 03:00]
R2 CP_OMDRV;Check Point Office Mode Module;C:\WINDOWS\system32\drivers\omdrv.sys [2006-04-09 21:24]
R2 ibmfilter;ibmfilter;C:\WINDOWS\system32\drivers\ibmfilter.sys [2004-12-16 06:12]
R2 TivoBeacon2;TiVo Beacon;C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [2007-09-25 11:33]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;C:\WINDOWS\system32\DRIVERS\vnasc.sys [2006-04-09 21:24]
R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys [2006-04-09 21:24]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2007-04-10 18:05]
R3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys [2006-04-09 21:24]
R3 portio;TPM Service;C:\WINDOWS\system32\DRIVERS\NscTpmDD.sys [2004-05-19 15:41]
R3 TPInput;TPInput;C:\WINDOWS\system32\DRIVERS\TPInput.sys [2004-12-02 17:54]
S3 PTDCBus;PANTECH PC Card Composite Device Driver (UDP);C:\WINDOWS\system32\DRIVERS\PTDCBus.sys [2007-04-01 05:45]
S3 PTDCMdm;PANTECH PC Card Drivers (UDP);C:\WINDOWS\system32\DRIVERS\PTDCMdm.sys [2007-04-01 05:45]
S3 PTDCVsp;PANTECH PC Card Diagnostic Serial Port (UDP);C:\WINDOWS\system32\DRIVERS\PTDCVsp.sys [2007-04-01 05:45]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;C:\WINDOWS\system32\DRIVERS\PTDCWWAN.sys [2007-04-30 19:30]
S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS [2005-03-18 05:07]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-UC_SMB - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
R0 -: HKLM-Main,Start Page = hxxp://www.yahoo.com/
R0 -: HKLM-Main,Search Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 -: HKCU-Internet Settings,ProxyOverride = 127.0.0.1
R1 -: HKCU-SearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O17 -: HKLM\CCS\Interface\{43AB03B3-5649-4AD6-8B04-B69AD8996717}: NameServer = 10.2.1.32,10.2.1.5

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

- C:\WINDOWS\Downloaded Program Files\ScriptX.inf

O16 -: {3E059DAB-6894-435C-B758-2977F014D734} - hxxps://medinah.emergenow.com/tenterprise/download/TClientProc.CAB
C:\WINDOWS\Downloaded Program Files\TClientProc.INF
C:\WINDOWS\system32\OLEAUT32.DLL
C:\WINDOWS\system32\OLEPRO32.DLL
C:\WINDOWS\system32\ASYCFILT.DLL
C:\WINDOWS\system32\STDOLE2.TLB
C:\WINDOWS\system32\COMCAT.DLL
C:\WINDOWS\Downloaded Program Files\TClientProc.dll

O16 -: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} - hxxp://itproject.navistar.com/projectserver/objects/pjclient.cab
C:\WINDOWS\Downloaded Program Files\PJClient11.inf
C:\WINDOWS\Downloaded Program Files\pjupdate11.ocx
C:\WINDOWS\Downloaded Program Files\pjtextconv11.dll
C:\WINDOWS\Downloaded Program Files\pjres11c.dll
C:\WINDOWS\Downloaded Program Files\pjquery11.ocx
C:\WINDOWS\Downloaded Program Files\pjoutlook11.ocx
C:\WINDOWS\Downloaded Program Files\pjoffline11.ocx
C:\WINDOWS\Downloaded Program Files\pjgrid11.ocx
C:\WINDOWS\Downloaded Program Files\pjcalendar11.ocx
C:\WINDOWS\Downloaded Program Files\pjprint11.dll

O16 -: {AF9A1421-E128-4D5F-A37E-039F305867B9} - hxxp://itproject.navistar.com/projectserver/objects/1033/pjcintl.cab
C:\WINDOWS\Downloaded Program Files\LangCabENU11.inf
C:\WINDOWS\Downloaded Program Files\Pj11enuC.dll

O16 -: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://my.nav-international.com/dana-cached/setup/JuniperSetupSP1.cab
C:\WINDOWS\Downloaded Program Files\JuniperSetup.INF
C:\WINDOWS\Downloaded Program Files\string_zh_cn.properties
C:\WINDOWS\Downloaded Program Files\string_zh.properties
C:\WINDOWS\Downloaded Program Files\string_ko.properties
C:\WINDOWS\Downloaded Program Files\string_ja.properties
C:\WINDOWS\Downloaded Program Files\string_fr.properties
C:\WINDOWS\Downloaded Program Files\string_es.properties
C:\WINDOWS\Downloaded Program Files\string_de.properties
C:\WINDOWS\Downloaded Program Files\string_en.properties
C:\WINDOWS\Downloaded Program Files\JuniperSetup.ocx
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-02 04:25:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\NTRtScan.exe
C:\WINDOWS\system32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmListen.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\WINDOWS\Temp\EG422.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
.
**************************************************************************
.
Completion time: 2008-09-02 4:41:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-02 09:40:36

Pre-Run: 9,457,278,976 bytes free
Post-Run: 11,299,991,552 bytes free

274 --- E O F --- 2008-09-02 08:04:50
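
The HijackThis and ComboFix logs in this thread are read by hand, and the helper's replies pick out the same kinds of entries each time: a service whose binary is missing, name servers that need confirming, and executables that run from Temp or a profile directory (the next reply asks about C:\WINDOWS\Temp\EG422.EXE). The script below is an added example, not part of this thread and not code from HijackThis or ComboFix; it applies those triage rules to log lines. The rules, their severities, the trusted-DNS list and the sample lines (constructed from entries that appear in the logs above) are all assumptions of this example.

```python
"""Triage heuristics for HijackThis / ComboFix style log lines.

Added example for this thread; it is not part of the original posts and not
code from HijackThis or ComboFix. The rules below are assumptions that mirror
what a helper looks at first: services whose binary is missing, DNS servers
that are not the expected ones, executables that run from temp or profile
directories, and sites added to the IE Trusted Zone.
"""
import re
from typing import Dict, FrozenSet, List, Tuple

Finding = Tuple[str, str]            # (severity, reason)
LogFinding = Tuple[int, str, str]    # (line number, severity, reason)

# Windows paths ending in a loadable module; case-insensitive so EG422.EXE matches.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|ocx)\b', re.IGNORECASE)
NAMESERVER = re.compile(r"NameServer\s*=\s*([\d.,]+)")

# Directories from which a legitimate service or autostart rarely runs
# (heuristic; compared against the lower-cased path, so updaters that live
# under a profile directory will also be raised for review).
SUSPECT_DIRS = ("\\windows\\temp\\", "\\application data\\", "\\local settings\\temp\\")


def triage_line(line: str, trusted_dns: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Apply every rule to one log line and return the findings it raises."""
    findings: List[Finding] = []
    low = line.lower()

    # O23: a registered service whose binary is gone is a leftover worth cleaning up.
    if low.startswith("o23 ") and "(file missing)" in low:
        findings.append(("review", "service registered but binary missing"))

    # O17: any resolver not on the operator's trusted list gets a second look
    # (a changed resolver is one cause of the search redirects reported here).
    m = NAMESERVER.search(line)
    if m:
        unknown = [s for s in m.group(1).split(",") if s not in trusted_dns]
        if unknown:
            findings.append(("review", "DNS server not in trusted list: " + ",".join(unknown)))

    # Any line: executables living in temp or profile directories.
    for path in WIN_PATH.findall(line):
        plow = path.lower()
        if plow.endswith(".exe") and any(d in plow for d in SUSPECT_DIRS):
            findings.append(("high", "executable in temp/profile directory: " + path))

    # O15: Trusted Zone entries relax IE's defaults for that site.
    if low.startswith("o15 "):
        findings.append(("info", "site added to IE Trusted Zone"))

    return findings


def triage_log(text: str, trusted_dns: FrozenSet[str] = frozenset()) -> List[LogFinding]:
    """Run triage_line over a whole log; findings carry the 1-based line number."""
    return [(n, sev, why)
            for n, line in enumerate(text.splitlines(), start=1)
            for sev, why in triage_line(line, trusted_dns)]


def count_by_severity(findings: List[LogFinding]) -> Dict[str, int]:
    """Summarise a finding list as {severity: count}."""
    counts: Dict[str, int] = {}
    for _, sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Constructed sample: a handful of lines of the kind that appear in the logs above.
SAMPLE_LOG = "\n".join([
    r"O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe",
    r"O15 - Trusted Zone: http://portal.emergenow.com",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{43AB03B3-5649-4AD6-8B04-B69AD8996717}: NameServer = 10.2.1.32,10.2.1.5",
    r"O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)",
    r"O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE",
    r"C:\WINDOWS\Temp\EG422.EXE",
    r"C:\Documents and Settings\snovosel\Application Data\vvusxoqigij.exe",
])

if __name__ == "__main__":
    # The resolvers seen in this thread's O17 lines are treated as known-good here.
    for n, sev, why in triage_log(SAMPLE_LOG, frozenset({"10.2.1.32", "10.2.1.5"})):
        print(f"line {n:>2} [{sev}] {why}")
```

Run it as-is and the two Temp/profile executables come out as high, the missing-binary service as review, and the Trusted Zone entry as info; pass an empty trusted-DNS set and the O17 line is raised for review as well. The rules are deliberately narrow so that a match is something an analyst would actually check, not a verdict.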

Blade81
2008-09-02, 18:44
Hi

Upload the following file to http://www.virustotal.com (if found) and post back the results:
C:\WINDOWS\Temp\EG422.EXE


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 7 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says
The J2SE Runtime Environment (JRE) allows end-users to run Java applications.

Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.


Open notepad and copy/paste the text in the quotebox below into it:



KILLALL::

File::
C:\Documents and Settings\snovosel\Application Data\wjoxy.exe
C:\Documents and Settings\snovosel\Application Data\vvusxoqigij.exe
C:\Documents and Settings\snovosel\Application Data\vjq.exe
C:\Documents and Settings\snovosel\Application Data\ssgrjiypnv.exe
C:\Documents and Settings\snovosel\Application Data\rexdbqceoed.exe
C:\Documents and Settings\snovosel\Application Data\iodnorzqljib.exe
C:\Documents and Settings\snovosel\Application Data\imfedyu.exe



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) (scan whole 'my computer'). Post back its report, a fresh hjt log and the above mentioned ComboFix resultant log.

sjn163
2008-09-02, 19:57
Hi

Here is link to EG422 results. I will continue with the other steps and post when completed.

http://www.virustotal.com/analisis/f112de6f950dbed39c689808218afcfd

sjn163
2008-09-02, 21:58
Here is the combofix log

ComboFix 08-09-01.01 - snovosel 2008-09-02 13:35:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.652 [GMT -5:00]
Running from: C:\Documents and Settings\snovosel\Desktop\combofix.exe
Command switches used :: C:\Documents and Settings\snovosel\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\snovosel\Application Data\imfedyu.exe
C:\Documents and Settings\snovosel\Application Data\iodnorzqljib.exe
C:\Documents and Settings\snovosel\Application Data\rexdbqceoed.exe
C:\Documents and Settings\snovosel\Application Data\ssgrjiypnv.exe
C:\Documents and Settings\snovosel\Application Data\vjq.exe
C:\Documents and Settings\snovosel\Application Data\vvusxoqigij.exe
C:\Documents and Settings\snovosel\Application Data\wjoxy.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\snovosel\Application Data\imfedyu.exe
C:\Documents and Settings\snovosel\Application Data\iodnorzqljib.exe
C:\Documents and Settings\snovosel\Application Data\rexdbqceoed.exe
C:\Documents and Settings\snovosel\Application Data\ssgrjiypnv.exe
C:\Documents and Settings\snovosel\Application Data\vjq.exe
C:\Documents and Settings\snovosel\Application Data\vvusxoqigij.exe
C:\Documents and Settings\snovosel\Application Data\wjoxy.exe
C:\Documents and Settings\snovosel\Cookies\snovosel@ehg-verizon.hitbox[2].txt

.
((((((((((((((((((((((((( Files Created from 2008-08-02 to 2008-09-02 )))))))))))))))))))))))))))))))
.

2008-09-02 01:19 . 2008-09-02 01:19 <DIR> d-------- C:\WINDOWS\ERUNT
2008-09-02 01:16 . 2008-09-02 02:10 <DIR> d-------- C:\SDFix
2008-09-01 12:35 . 2008-09-01 12:55 250 --a------ C:\WINDOWS\gmer.ini
2008-08-31 16:28 . 2008-08-31 16:28 60,416 --a------ C:\WINDOWS\system32\drivers\Combo-Fix(2).sys
2008-08-22 01:40 . 2008-08-22 01:40 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Yahoo!
2008-08-19 03:21 . 2008-08-21 19:12 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-18 07:51 . 2008-05-01 09:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-02 18:28 --------- d-----w C:\Program Files\Java
2008-08-31 07:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-29 15:49 --------- d-----w C:\Documents and Settings\snovosel\Application Data\Skype
2008-08-23 06:14 --------- d-----w C:\Program Files\Trend Micro
2008-08-22 21:43 --------- d-----w C:\Program Files\PC-Doctor for Windows
2008-07-08 19:35 --------- d-----w C:\Program Files\Google
2008-03-07 04:23 0 -csha-w C:\Documents and Settings\snovosel\Application Data\b925c42d065d8e1156d9ea3f01bd73b90ba1e2bc.dat
2007-06-07 13:32 56,912 ----a-w C:\Documents and Settings\snovosel\g2mdlhlpx.exe
2008-02-08 02:46 13,624 ----a-w C:\Program Files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 02:46 87,360 ----a-w C:\Program Files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 02:46 91,448 ----a-w C:\Program Files\mozilla firefox\plugins\confmgr.dll
2008-02-08 02:46 21,824 ----a-w C:\Program Files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 02:46 206,136 ----a-w C:\Program Files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 02:46 31,544 ----a-w C:\Program Files\mozilla firefox\plugins\icafile.dll
2008-02-08 02:46 40,248 ----a-w C:\Program Files\mozilla firefox\plugins\icalogon.dll
2007-03-16 22:27 479,232 ----a-w C:\Program Files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 22:27 548,864 ----a-w C:\Program Files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 22:27 626,688 ----a-w C:\Program Files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 17:47 981,170 ----a-w C:\Program Files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 02:46 24,384 ----a-w C:\Program Files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((( snapshot@2008-09-02_ 4.39.52.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-02-22 06:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 06:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2008-02-22 06:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 06:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2008-02-22 07:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 07:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-04-10 01:38:22 300,392 ----a-w C:\WINDOWS\Temp\FC7F3F.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2004-08-06 04:10 442368]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59 224248]
"Uniblue SpeedUpMyPC"="C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2008-04-02 09:50 9442584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-08 13:17 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-08 13:17 512000]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-04 20:39 897024]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-03-03 19:10 94208]
"ControlCenter"="C:\Program Files\IBM fingerprint software\ctlcntr.exe" [2004-11-04 11:46 284766]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-09-02 03:05 127035]
"IBMPRC"="C:\IBMTOOLS\UTILS\ibmprc.exe" [2004-12-16 05:41 90112]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 05:07 86016]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2004-12-21 03:00 135168]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2008-04-09 20:38 710000]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"TpShocks"="TpShocks.exe" [2004-10-27 17:58 106496 C:\WINDOWS\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2004-11-12 03:07 40960 C:\WINDOWS\system32\TP4EX.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-06-09 02:07:29 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2004-11-04 11:51 108636 C:\Program Files\IBM fingerprint software\psfus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2006-04-09 21:24 24674 C:\WINDOWS\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 05:07 262144 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2004-08-12 22:11 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-448539723-1417001333-1700\Scripts\Logon\0\0]
"Script"=\\emergenow.com\sysvol\emergenow.com\scripts\logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-448539723-1417001333-3363\Scripts\Logon\0\0]
"Script"=\\emergenow.com\sysvol\emergenow.com\scripts\logon.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SERVICE.EXE"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SCC.EXE"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.EXE"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_DIAGNOSTICS.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.EXE"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2004-05-14 16:08]
R0 TPDiskPM;TPDiskPM;C:\WINDOWS\system32\drivers\TPDiskPM.sys [2004-12-02 18:14]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-03-18 05:07]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2005-03-18 05:07]
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2004-05-14 14:59]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2004-12-21 03:00]
R2 CP_OMDRV;Check Point Office Mode Module;C:\WINDOWS\system32\drivers\omdrv.sys [2006-04-09 21:24]
R2 ibmfilter;ibmfilter;C:\WINDOWS\system32\drivers\ibmfilter.sys [2004-12-16 06:12]
R2 TivoBeacon2;TiVo Beacon;C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [2007-09-25 11:33]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;C:\WINDOWS\system32\DRIVERS\vnasc.sys [2006-04-09 21:24]
R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys [2006-04-09 21:24]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2007-04-10 18:05]
R3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys [2006-04-09 21:24]
R3 portio;TPM Service;C:\WINDOWS\system32\DRIVERS\NscTpmDD.sys [2004-05-19 15:41]
R3 TPInput;TPInput;C:\WINDOWS\system32\DRIVERS\TPInput.sys [2004-12-02 17:54]
S3 PTDCBus;PANTECH PC Card Composite Device Driver (UDP);C:\WINDOWS\system32\DRIVERS\PTDCBus.sys [2007-04-01 05:45]
S3 PTDCMdm;PANTECH PC Card Drivers (UDP);C:\WINDOWS\system32\DRIVERS\PTDCMdm.sys [2007-04-01 05:45]
S3 PTDCVsp;PANTECH PC Card Diagnostic Serial Port (UDP);C:\WINDOWS\system32\DRIVERS\PTDCVsp.sys [2007-04-01 05:45]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;C:\WINDOWS\system32\DRIVERS\PTDCWWAN.sys [2007-04-30 19:30]
S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS [2005-03-18 05:07]
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-02 13:47:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\NTRtScan.exe
C:\WINDOWS\system32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmListen.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\WINDOWS\Temp\FC7F3F.EXE
C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-09-02 14:02:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-02 19:02:16
ComboFix2.txt 2008-09-02 09:41:03

Pre-Run: 11,099,435,008 bytes free
Post-Run: 11,122,241,536 bytes free

209 --- E O F --- 2008-09-02 08:04:50

Blade81
2008-09-03, 07:43
Hi

I'll get back to this after you've got Kaspersky report & a fresh hjt log ready :)

sjn163
2008-09-03, 08:01
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, September 3, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, September 02, 2008 18:50:05
Records in database: 1182121
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
P:\
R:\
S:\
T:\
U:\

Scan statistics:
Files scanned: 146179
Threat name: 18
Infected objects: 62
Suspicious objects: 0
Duration of the scan: 06:11:12


File name / Threat name / Threats count
C:\Backup2\_ESData\Scott\FFB\2008\adpforvbd.csv Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Backup2\_ESData\Scott\FFB\2008\adpforvbd2.csv Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Backup2\_ESData\Scott\FFB\2008\projfordd.csv Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Backup2\_ESData\Scott\FFB\2008\ProjForDD2.csv Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Program Files\Mozilla Firefox\load.exe Infected: not-a-virus:FraudTool.Win32.Avola.c 1
C:\Program Files\Trend Micro\OfficeScan Client\Backup\classload.jar-50757294-18c37ae7.RB0 Infected: Trojan.Java.ClassLoader.c 1
C:\Program Files\Trend Micro\OfficeScan Client\Backup\classload.jar-50757294-18c37ae7.RB0 Infected: Exploit.Java.ByteVerify 1
C:\Program Files\Trend Micro\OfficeScan Client\Backup\classload.jar-50757294-18c37ae7.RB0 Infected: Trojan.Java.ClassLoader.Dummy.a 1
C:\Program Files\Trend Micro\OfficeScan Client\Backup\classload.jar-50757294-18c37ae7.RB0 Infected: Trojan-Downloader.Java.OpenConnection.v 1
C:\Program Files\Trend Micro\OfficeScan Client\Backup\count.jar-dfe9eaa-3cd2f3fe.RB0 Infected: Exploit.Java.ByteVerify 2
C:\Program Files\Trend Micro\OfficeScan Client\Backup\count.jar-dfe9eaa-3cd2f3fe.RB0 Infected: Trojan-Downloader.Java.OpenConnection.aa 1
C:\Program Files\Trend Micro\OfficeScan Client\Backup\count.jar-dfe9eaa-3cd2f3fe.RB1 Infected: Exploit.Java.ByteVerify 2
C:\Program Files\Trend Micro\OfficeScan Client\Backup\loaderadv637.jar-4c1bbbd6-73c5f238.RB0 Infected: Trojan-Downloader.Java.OpenStream.c 1
C:\Program Files\Trend Micro\OfficeScan Client\Backup\loaderadv637.jar-4c1bbbd6-73c5f238.RB0 Infected: Trojan.Java.ClassLoader.h 1
C:\Program Files\Trend Micro\OfficeScan Client\Backup\loaderadv637.jar-4c1bbbd6-73c5f238.RB0 Infected: Trojan.Java.ClassLoader.d 1
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\._file[1].EXE Infected: Backdoor.Win32.Agent.poh 1
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\a.EXE Infected: Backdoor.Win32.Agent.poh 1
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\A0003012.dll Infected: Rootkit.Win32.Clbd.jg 1
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\A0003024.dll Infected: Trojan-Downloader.Win32.Small.acpi 1
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\lphcnerj0eg4e.EXE Infected: Trojan-Downloader.Win32.FraudLoad.cta 1
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\tdss7a19.TMP Infected: Backdoor.Win32.Agent.qbo 1
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\tdssa187.TMP Infected: Trojan.Win32.Pakes.kek 1
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\TDSSADW.DLL Infected: Rootkit.Win32.Clbd.jg 1
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\tdssl.dll Infected: Trojan-Downloader.Win32.Small.acpi 1
C:\QooBox\Quarantine\C\Documents and Settings\snovosel\Application Data\Awola\Awola.exe.vir Infected: not-a-virus:FraudTool.Win32.Avola.c 1
C:\QooBox\Quarantine\C\Documents and Settings\snovosel\Application Data\imfedyu.exe.vir Infected: Trojan-Downloader.Win32.Small.gud 1
C:\QooBox\Quarantine\C\Documents and Settings\snovosel\Application Data\iodnorzqljib.exe.vir Infected: Trojan-Downloader.Win32.Small.gud 1
C:\QooBox\Quarantine\C\Documents and Settings\snovosel\Application Data\rexdbqceoed.exe.vir Infected: Trojan-Downloader.Win32.Small.gud 1
C:\QooBox\Quarantine\C\Documents and Settings\snovosel\Application Data\ssgrjiypnv.exe.vir Infected: Trojan-Downloader.Win32.Small.gud 1
C:\QooBox\Quarantine\C\Documents and Settings\snovosel\Application Data\vjq.exe.vir Infected: Trojan-Downloader.Win32.Small.gud 1
C:\QooBox\Quarantine\C\Documents and Settings\snovosel\Application Data\vvusxoqigij.exe.vir Infected: Trojan-Downloader.Win32.Small.gud 1
C:\QooBox\Quarantine\C\Documents and Settings\snovosel\Application Data\wjoxy.exe.vir Infected: Trojan-Downloader.Win32.Small.gud 1
C:\QooBox\Quarantine\C\Documents and Settings\snovosel\load.exe.vir Infected: not-a-virus:FraudTool.Win32.Avola.c 1
C:\QooBox\Quarantine\C\WINDOWS\system32\oembios.exe.vir Infected: Trojan-Spy.Win32.Zbot.egv 1
C:\RIosPF.exe Infected: Trojan-Downloader.Win32.Small.gud 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\29V72R6V\acCA5WH0IZ.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\29V72R6V\acCA7X4MMC.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\29V72R6V\acCA9GVUZS.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\29V72R6V\acCAHOD9LA.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\29V72R6V\acCAN37LY1.htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\29V72R6V\ac[11].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\29V72R6V\search[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A8MXPG7L\ac[6].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A8MXPG7L\ac[7].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A8MXPG7L\ac[8].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A8MXPG7L\ac[9].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A8MXPG7L\search[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A8MXPG7L\search[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A8MXPG7L\search[3].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CBIKZ7IV\ac[7].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CBIKZ7IV\ac[8].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CBIKZ7IV\ac[9].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CBIKZ7IV\search[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CBIKZ7IV\search[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CBIKZ7IV\search[3].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LFC3A1ON\ac[10].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LFC3A1ON\ac[7].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LFC3A1ON\ac[8].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LFC3A1ON\ac[9].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LFC3A1ON\search[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

The selected area was scanned.

sjn163
2008-09-03, 08:03
Ok, last file from your most recent request. Thank you for spending so much time on this. I am very grateful.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:57, on 2008-09-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\TEMP\FC7F3F.EXE
C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O15 - Trusted Zone: http://crm.emergenow.com
O15 - Trusted Zone: http://esportal.emergenow.com
O15 - Trusted Zone: http://medinah.emergenow.com
O15 - Trusted Zone: http://portal.emergenow.com
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - https://medinah.emergenow.com/tenterprise/download/ScriptX.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3E059DAB-6894-435C-B758-2977F014D734} (TClientProc.ClientSettings) - https://medinah.emergenow.com/tenterprise/download/TClientProc.CAB
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://itproject.navistar.com/projectserver/objects/pjclient.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - http://ridpath8532.viewnetcam.com:50000/bl_camera.cab
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://itproject.navistar.com/projectserver/objects/1033/pjcintl.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://my.nav-international.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emergenow.com
O17 - HKLM\Software\..\Telephony: DomainName = emergenow.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{43AB03B3-5649-4AD6-8B04-B69AD8996717}: NameServer = 10.2.1.32,10.2.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emergenow.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = emergenow.com,river-rock-casino.com,rrea.infi,erp.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = emergenow.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = erp.local,rrea.infi,river-rock-casino.com,emergenow.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = emergenow.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = erp.local,rrea.infi,river-rock-casino.com,emergenow.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = erp.local,rrea.infi,river-rock-casino.com,emergenow.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe

--
End of file - 13004 bytes

Blade81
2008-09-03, 09:04
You're welcome :)

There's still something left to do though.

Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



C:\Backup2\_ESData\Scott\FFB\2008\adpforvbd.csv
C:\Backup2\_ESData\Scott\FFB\2008\adpforvbd2.csv
C:\Backup2\_ESData\Scott\FFB\2008\projfordd.csv
C:\Backup2\_ESData\Scott\FFB\2008\ProjForDD2.csv
C:\Program Files\Mozilla Firefox\load.exe
C:\Program Files\Trend Micro\OfficeScan Client\Backup\classload.jar-50757294-18c37ae7.RB0
C:\Program Files\Trend Micro\OfficeScan Client\Backup\classload.jar-50757294-18c37ae7.RB0
C:\Program Files\Trend Micro\OfficeScan Client\Backup\classload.jar-50757294-18c37ae7.RB0
C:\Program Files\Trend Micro\OfficeScan Client\Backup\classload.jar-50757294-18c37ae7.RB0
C:\Program Files\Trend Micro\OfficeScan Client\Backup\count.jar-dfe9eaa-3cd2f3fe.RB0
C:\Program Files\Trend Micro\OfficeScan Client\Backup\count.jar-dfe9eaa-3cd2f3fe.RB0
C:\Program Files\Trend Micro\OfficeScan Client\Backup\count.jar-dfe9eaa-3cd2f3fe.RB1
C:\Program Files\Trend Micro\OfficeScan Client\Backup\loaderadv637.jar-4c1bbbd6-73c5f238.RB0
C:\Program Files\Trend Micro\OfficeScan Client\Backup\loaderadv637.jar-4c1bbbd6-73c5f238.RB0
C:\Program Files\Trend Micro\OfficeScan Client\Backup\loaderadv637.jar-4c1bbbd6-73c5f238.RB0
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\._file[1].EXE
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\a.EXE
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\A0003012.dll
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\A0003024.dll
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\lphcnerj0eg4e.EXE
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\tdss7a19.TMP
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\tdssa187.TMP
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\TDSSADW.DLL
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\tdssl.dll
C:\RIosPF.exe
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\29V72R6V\acCA5WH0IZ.htm
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\29V72R6V\acCA7X4MMC.htm
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\29V72R6V\acCA9GVUZS.htm
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\29V72R6V\acCAHOD9LA.htm
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\29V72R6V\acCAN37LY1.htm
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\29V72R6V\ac[11].htm
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\29V72R6V\search[1].htm
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A8MXPG7L\ac[6].htm
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A8MXPG7L\ac[7].htm
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A8MXPG7L\ac[8].htm
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A8MXPG7L\ac[9].htm
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A8MXPG7L\search[1].htm
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A8MXPG7L\search[2].htm
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A8MXPG7L\search[3].htm
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CBIKZ7IV\ac[7].htm
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CBIKZ7IV\ac[8].htm
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CBIKZ7IV\ac[9].htm
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CBIKZ7IV\search[1].htm
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CBIKZ7IV\search[2].htm
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CBIKZ7IV\search[3].htm
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LFC3A1ON\ac[10].htm
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LFC3A1ON\ac[7].htm
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LFC3A1ON\ac[8].htm
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LFC3A1ON\ac[9].htm
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LFC3A1ON\search[1].htm


Return to OTMoveIt2, right-click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document & a fresh hjt log back here in your next post.

sjn163
2008-09-03, 11:09
here are the results from OTMoveIt.

C:\Backup2\_ESData\Scott\FFB\2008\adpforvbd.csv moved successfully.
C:\Backup2\_ESData\Scott\FFB\2008\adpforvbd2.csv moved successfully.
C:\Backup2\_ESData\Scott\FFB\2008\projfordd.csv moved successfully.
C:\Backup2\_ESData\Scott\FFB\2008\ProjForDD2.csv moved successfully.
C:\Program Files\Mozilla Firefox\load.exe moved successfully.
C:\Program Files\Trend Micro\OfficeScan Client\Backup\classload.jar-50757294-18c37ae7.RB0 moved successfully.
File/Folder C:\Program Files\Trend Micro\OfficeScan Client\Backup\classload.jar-50757294-18c37ae7.RB0 not found.
File/Folder C:\Program Files\Trend Micro\OfficeScan Client\Backup\classload.jar-50757294-18c37ae7.RB0 not found.
File/Folder C:\Program Files\Trend Micro\OfficeScan Client\Backup\classload.jar-50757294-18c37ae7.RB0 not found.
C:\Program Files\Trend Micro\OfficeScan Client\Backup\count.jar-dfe9eaa-3cd2f3fe.RB0 moved successfully.
File/Folder C:\Program Files\Trend Micro\OfficeScan Client\Backup\count.jar-dfe9eaa-3cd2f3fe.RB0 not found.
C:\Program Files\Trend Micro\OfficeScan Client\Backup\count.jar-dfe9eaa-3cd2f3fe.RB1 moved successfully.
C:\Program Files\Trend Micro\OfficeScan Client\Backup\loaderadv637.jar-4c1bbbd6-73c5f238.RB0 moved successfully.
File/Folder C:\Program Files\Trend Micro\OfficeScan Client\Backup\loaderadv637.jar-4c1bbbd6-73c5f238.RB0 not found.
File/Folder C:\Program Files\Trend Micro\OfficeScan Client\Backup\loaderadv637.jar-4c1bbbd6-73c5f238.RB0 not found.
< C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\._file[1].EXE >
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\._file[1].EXE moved successfully.
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\a.EXE moved successfully.
LoadLibrary failed for C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\A0003012.dll
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\A0003012.dll NOT unregistered.
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\A0003012.dll moved successfully.
LoadLibrary failed for C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\A0003024.dll
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\A0003024.dll NOT unregistered.
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\A0003024.dll moved successfully.
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\lphcnerj0eg4e.EXE moved successfully.
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\tdss7a19.TMP moved successfully.
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\tdssa187.TMP moved successfully.
LoadLibrary failed for C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\TDSSADW.DLL
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\TDSSADW.DLL NOT unregistered.
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\TDSSADW.DLL moved successfully.
LoadLibrary failed for C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\tdssl.dll
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\tdssl.dll NOT unregistered.
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\tdssl.dll moved successfully.
C:\RIosPF.exe moved successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\29V72R6V\acCA5WH0IZ.htm moved successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\29V72R6V\acCA7X4MMC.htm moved successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\29V72R6V\acCA9GVUZS.htm moved successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\29V72R6V\acCAHOD9LA.htm moved successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\29V72R6V\acCAN37LY1.htm moved successfully.
< C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\29V72R6V\ac[11].htm >
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\29V72R6V\ac[11].htm moved successfully.
< C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\29V72R6V\search[1].htm >
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\29V72R6V\search[1].htm moved successfully.
< C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A8MXPG7L\ac[6].htm >
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A8MXPG7L\ac[6].htm moved successfully.
< C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A8MXPG7L\ac[7].htm >
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A8MXPG7L\ac[7].htm moved successfully.
< C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A8MXPG7L\ac[8].htm >
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A8MXPG7L\ac[8].htm moved successfully.
< C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A8MXPG7L\ac[9].htm >
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A8MXPG7L\ac[9].htm moved successfully.
< C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A8MXPG7L\search[1].htm >
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A8MXPG7L\search[1].htm moved successfully.
< C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A8MXPG7L\search[2].htm >
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A8MXPG7L\search[2].htm moved successfully.
< C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A8MXPG7L\search[3].htm >
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\A8MXPG7L\search[3].htm moved successfully.
< C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CBIKZ7IV\ac[7].htm >
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CBIKZ7IV\ac[7].htm moved successfully.
< C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CBIKZ7IV\ac[8].htm >
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CBIKZ7IV\ac[8].htm moved successfully.
< C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CBIKZ7IV\ac[9].htm >
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CBIKZ7IV\ac[9].htm moved successfully.
< C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CBIKZ7IV\search[1].htm >
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CBIKZ7IV\search[1].htm moved successfully.
< C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CBIKZ7IV\search[2].htm >
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CBIKZ7IV\search[2].htm moved successfully.
< C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CBIKZ7IV\search[3].htm >
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CBIKZ7IV\search[3].htm moved successfully.
< C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LFC3A1ON\ac[10].htm >
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LFC3A1ON\ac[10].htm moved successfully.
< C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LFC3A1ON\ac[7].htm >
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LFC3A1ON\ac[7].htm moved successfully.
< C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LFC3A1ON\ac[8].htm >
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LFC3A1ON\ac[8].htm moved successfully.
< C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LFC3A1ON\ac[9].htm >
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LFC3A1ON\ac[9].htm moved successfully.
< C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LFC3A1ON\search[1].htm >
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LFC3A1ON\search[1].htm moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09032008_040440
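
The results log above has three line shapes worth knowing how to read: "moved successfully", "File/Folder ... not found" (here produced by paths that appeared more than once in the request list, so the second and later copies had nothing left to move), and the "LoadLibrary failed / NOT unregistered / moved successfully" triple that a .dll produces when the tool tries to unregister it before moving it and the quarantined copy no longer loads. The following added example (not part of the thread and not an OldTimer tool) reconciles a request list against a results log so that nothing requested is silently left unaccounted for. REQUEST and RESULTS are excerpts of the lists above; the last REQUEST entry is deliberately left out of RESULTS to show how an unaccounted path is reported.

```python
"""Reconcile an OTMoveIt2 request list against its results log.

Added example, not part of the thread. Paths are compared case-insensitively
because the Windows filesystem is. The final REQUEST line has no matching
RESULTS line on purpose (constructed gap) so the 'unaccounted' case shows.
"""

REQUEST = r"""
C:\Program Files\Mozilla Firefox\load.exe
C:\Program Files\Trend Micro\OfficeScan Client\Backup\classload.jar-50757294-18c37ae7.RB0
C:\Program Files\Trend Micro\OfficeScan Client\Backup\classload.jar-50757294-18c37ae7.RB0
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\TDSSADW.DLL
C:\RIosPF.exe
C:\Backup2\_ESData\Scott\FFB\2008\adpforvbd.csv
"""

RESULTS = r"""
C:\Program Files\Mozilla Firefox\load.exe moved successfully.
C:\Program Files\Trend Micro\OfficeScan Client\Backup\classload.jar-50757294-18c37ae7.RB0 moved successfully.
File/Folder C:\Program Files\Trend Micro\OfficeScan Client\Backup\classload.jar-50757294-18c37ae7.RB0 not found.
LoadLibrary failed for C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\TDSSADW.DLL
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\TDSSADW.DLL NOT unregistered.
C:\Program Files\Trend Micro\OfficeScan Client\SUSPECT\TDSSADW.DLL moved successfully.
C:\RIosPF.exe moved successfully.
OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 09032008_040440
"""

MOVED, NOT_FOUND, LOADLIB, NOT_UNREG = (
    " moved successfully.", " not found.", "LoadLibrary failed for ", " NOT unregistered.")


def parse_results(text):
    """Map lower-cased path -> set of events seen for it in the results log."""
    status = {}

    def add(path, event):
        status.setdefault(path.strip().lower(), set()).add(event)

    for line in text.splitlines():
        line = line.strip()
        # "< path >" markers and the trailing version banner carry no result.
        if not line or line.startswith("<") or line.startswith("OTMoveIt2 by"):
            continue
        if line.endswith(MOVED):
            add(line[:-len(MOVED)], "moved")
        elif line.startswith("File/Folder ") and line.endswith(NOT_FOUND):
            add(line[len("File/Folder "):-len(NOT_FOUND)], "not_found")
        elif line.startswith(LOADLIB):
            add(line[len(LOADLIB):], "loadlibrary_failed")
        elif line.endswith(NOT_UNREG):
            add(line[:-len(NOT_UNREG)], "not_unregistered")
        else:
            add(line, "unrecognised")
    return status


def reconcile(request_text, results_text):
    """Classify every unique requested path by what the results log says."""
    requested = [p.strip() for p in request_text.splitlines() if p.strip()]
    seen, unique, duplicates = set(), [], []
    for path in requested:
        (duplicates if path.lower() in seen else unique).append(path)
        seen.add(path.lower())

    status = parse_results(results_text)
    report = {"moved": [], "not_found": [], "unaccounted": [],
              "dll_not_unregistered": [], "duplicates": duplicates}
    for path in unique:
        events = status.get(path.lower(), set())
        if "moved" in events:
            report["moved"].append(path)
        elif "not_found" in events:       # never moved: already gone, or a typo in the list
            report["not_found"].append(path)
        else:                             # no result line at all: re-run or check by hand
            report["unaccounted"].append(path)
        if "not_unregistered" in events:  # the move still happened; COM registration may remain
            report["dll_not_unregistered"].append(path)
    return report
```

A path that shows up only under "not_found" (not merely as a duplicate) is the one to chase: either it was already removed by an earlier tool or the list carried a typo. A .dll under "dll_not_unregistered" was moved but its CLSID registration was not undone, which is worth a registry search for the file name before declaring the cleanup finished.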

sjn163
2008-09-03, 11:12
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:10, on 2008-09-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\TEMP\FC7F3F.EXE
C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O15 - Trusted Zone: http://crm.emergenow.com
O15 - Trusted Zone: http://esportal.emergenow.com
O15 - Trusted Zone: http://medinah.emergenow.com
O15 - Trusted Zone: http://portal.emergenow.com
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - https://medinah.emergenow.com/tenterprise/download/ScriptX.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3E059DAB-6894-435C-B758-2977F014D734} (TClientProc.ClientSettings) - https://medinah.emergenow.com/tenterprise/download/TClientProc.CAB
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://itproject.navistar.com/projectserver/objects/pjclient.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - http://ridpath8532.viewnetcam.com:50000/bl_camera.cab
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://itproject.navistar.com/projectserver/objects/1033/pjcintl.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://my.nav-international.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emergenow.com
O17 - HKLM\Software\..\Telephony: DomainName = emergenow.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{43AB03B3-5649-4AD6-8B04-B69AD8996717}: NameServer = 10.2.1.32,10.2.1.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emergenow.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = emergenow.com,river-rock-casino.com,rrea.infi,erp.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = emergenow.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = erp.local,rrea.infi,river-rock-casino.com,emergenow.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = emergenow.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = erp.local,rrea.infi,river-rock-casino.com,emergenow.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = erp.local,rrea.infi,river-rock-casino.com,emergenow.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe

--
End of file - 12971 bytes
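
A log of this size is where entries get overlooked, so here is an added example (not from the thread and not part of HijackThis) that applies the triage rules an analyst runs over the sections above: processes executing from a temporary directory, O4 autostart entries that name a bare executable (resolved through the search path at logon), O15 Trusted Zone additions, O17 resolvers outside an expected set, and O23 services with an unknown owner or a missing binary. It ranks what to look at; it does not declare anything malicious. SAMPLE_LOG is taken from the log above except for one constructed O17 line (documentation address 203.0.113.7 and a placeholder GUID) added so the resolver rule fires; EXPECTED_RESOLVERS is an assumption based on the two addresses in the log.

```python
"""Triage rules for a HijackThis log.

Added example, not part of the thread. Produces a list of findings, one per
rule per line, so the log can be read worst-first instead of top-to-bottom.
"""
import ipaddress
import re
from collections import Counter

# Service and startup binaries do not normally execute from these locations.
TEMP_DIR_RE = re.compile(
    r"\\(WINDOWS\\TEMP|Local Settings\\Temp|Temporary Internet Files)\\", re.IGNORECASE)
RUN_RE = re.compile(r"^O4 - .*?: \[[^\]]*\] (.+)$")          # value after "[name] "
NAMESERVER_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
# Assumed: the resolvers this machine is expected to use (the two in the log).
EXPECTED_RESOLVERS = {"10.2.1.32", "10.2.1.5"}

SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TEMP\FC7F3F.EXE
C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O15 - Trusted Zone: http://portal.emergenow.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{43AB03B3-5649-4AD6-8B04-B69AD8996717}: NameServer = 10.2.1.32,10.2.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 203.0.113.7
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
"""


def triage(log_text):
    """Return [{'rule': ..., 'line': ...}] for every line that trips a rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        rules = []
        run = RUN_RE.match(line)
        ns = NAMESERVER_RE.match(line)
        if re.match(r"^[A-Za-z]:\\", line):             # "Running processes" section
            if TEMP_DIR_RE.search(line):
                rules.append("process-from-temp")
        elif run:                                       # O4 autostart entries
            if "\\" not in run.group(1):                # no path at all: PATH lookup at logon
                rules.append("run-bare-filename")
        elif line.startswith("O15 - Trusted Zone:"):    # site gets the relaxed Trusted zone
            rules.append("trusted-zone")
        elif ns:                                        # O17: who answers this box's DNS
            for addr in ns.group(1).split(","):
                addr = addr.strip()
                try:
                    ipaddress.ip_address(addr)
                except ValueError:
                    rules.append("dns-unparseable")
                    continue
                if addr not in EXPECTED_RESOLVERS:
                    rules.append("dns-unexpected-resolver")
        elif line.startswith("O23 - Service:"):
            if "(file missing)" in line:                # registered service, binary gone
                rules.append("service-file-missing")
            if " - Unknown owner - " in line:           # no recognised vendor string
                rules.append("service-unknown-owner")
        findings.extend({"rule": r, "line": line} for r in rules)
    return findings


def rule_counts(findings):
    """Rule name -> number of lines that tripped it."""
    return Counter(f["rule"] for f in findings)
```

For a process flagged by process-from-temp, the next step is to hash the file and check it against the AV vendor or a multi-engine scanner before deciding anything; the rule only says it is running from a location a legitimate installer would not choose. The O17 rule is the one that speaks to the "Google redirecting" symptom: a resolver you do not recognise explains redirects without any browser component being involved.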

Blade81
2008-09-03, 11:17
Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis




Now lets uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK


Next we remove all used tools.


Double-click OTMoveIt2.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

Download Spybot
Spybot is a scanner like Adaware. It scans for spyware and other malicious programs. It is important to have both Adaware and Spybot on your computer because each program provides unique detection and protection measures. Spybot has preventive tools that stop programs from even installing on your computer.
To see how to set this up as well as more spybot features, see here (http://www.bleepingcomputer.com/forums/index.php?showtutorial=43)
Spybot can be downloaded at this location (http://www.download.com/Spybot-Search-Destroy/3000-8022-10122137.html?part=dl-spybot&subj=dl&tag=but)
Download SpywareBlaster
SpywareBlaster is a program that stops known malicious ActiveX controls from installing on your computer. It works by changing settings in your registry. It makes kill bits in the registry, so that certain ActiveX controls can't install.
If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html)

hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button (at the lower left hand corner of your screen).
Click Run.
In the dialog box, type services.msc and hit Enter, then locate DNS Client.
Highlight it, then double-click it.
On the dropdown box, change the setting from Automatic to Manual.
Click OK.



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run the spybot regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update site frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
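An added example, not part of Blade81's post or the thread: a PowerShell audit of the six Internet zone settings the post tells the user to change, read from the current user's Internet Explorer zone registry key so they can be verified without clicking through the Custom Level dialog. It assumes Microsoft's documented zone layout (Zones\3 is the Internet zone, the numeric value names below map to the listed settings, and 0/1/3 mean Enable/Prompt/Disable); the function name is hypothetical.

```powershell
# Added example, not from the original thread: audit the Internet zone settings
# that the post above tells the user to change, by reading them from the
# current user's Internet Explorer zone registry key instead of clicking
# through the Custom Level dialog.
# Assumptions (from Microsoft's documented zone layout): Zones\3 is the
# Internet zone, the numeric value names below correspond to the listed
# settings, and the data means 0 = Enable, 1 = Prompt, 3 = Disable.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended data for each value, exactly as given in the post.
$Recommended = [ordered]@{
    '1001' = @{ Setting = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Setting = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Setting = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Setting = 'Installation of desktop items';                             Want = 1 }
    '1804' = @{ Setting = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Setting = 'Navigate sub-frames across different domains';              Want = 1 }
}

$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IeInternetZoneAudit {
    # Hypothetical helper name; returns one object per audited setting.
    param([string]$Path = $ZonePath)

    # A missing value means IE is still using its built-in default for that setting.
    $zone = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($valueName in $Recommended.Keys) {
        $entry   = $Recommended[$valueName]
        $current = $zone.$valueName
        $label   = if ($null -eq $current) { 'not set (IE default)' }
                   elseif ($Labels.ContainsKey([int]$current)) { $Labels[[int]$current] }
                   else { "unknown ($current)" }
        [pscustomobject]@{
            Value       = $valueName
            Setting     = $entry.Setting
            Current     = $label
            Recommended = $Labels[$entry.Want]
            Compliant   = ($null -ne $current) -and ([int]$current -eq $entry.Want)
        }
    }
}

# Print the audit, then warn about anything still weaker than the post recommends.
$audit = Get-IeInternetZoneAudit
$audit | Format-Table -AutoSize
$audit | Where-Object { -not $_.Compliant } |
    ForEach-Object { Write-Warning "Change '$($_.Setting)' to $($_.Recommended)" }
```

Run it as the user whose browser was hardened; if a domain policy forces machine-wide zone settings, the same value names live under the HKLM counterpart of this key and can be passed via -Path.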

sjn163
2008-09-04, 08:30
Everything looks good. Thank you so much for all your help. I really cannot express how grateful I am. My computer was such a mess it was almost unusable. You have brought it back from the brink of death. You are the best.

I am following your final instructions to the letter and I have some questions.

Should I remove ATF cleaner and Hijackthis?

For the windows updates, is it acceptable to use the automatic updates feature or should I do this manually?

Blade81
2008-09-04, 08:40
Hi

I'd keep ATF Cleaner and run it occasionally to get rid of temporary items. You can uninstall hjt though.

For Windows updates automatic update setting is acceptable.

Blade81
2008-09-12, 16:21
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.