Rootkit.tdss [Solved] - Geeks to Go Forums


Rootkit.tdss [Solved] Can't get rid of it
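Added example, not part of this thread and not code from OTL or Malwarebytes: a small triage script for the kind of OTL log posted below. It parses the PRC, SRV and O4 line formats OTL emits and flags the entries a helper would read first: binaries with no publisher name, files modified close to the scan date, startup items living in user-writable directories, and empty or orphaned Run values (such as the "[] File not found" entry in the log). The sample lines are copied from the log in the post; the list of user-writable paths and the 14-day window are assumptions chosen for the heuristic. The flags are hints, not verdicts: a legitimate user-space program such as Dropbox trips several of them.

```python
"""Triage heuristics for OTL (OldTimer's List-It) log entries.

Added example, not part of the forum thread or of the OTL tool. The flags
are hints for a reviewer, not malware verdicts.
"""
import re
from datetime import datetime, timedelta

# PRC/SRV lines:
#   PRC - [yyyy/mm/dd hh:mm:ss | size | attrs | M] (Company) -- path
#   SRV - [...] (Company) -- path -- (ServiceName [Start | State])
ENTRY_RE = re.compile(
    r"^(?P<kind>PRC|SRV) - "
    r"\[(?P<mtime>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| (?P<attrs>\S+) \| [A-Z]\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.*?)(?: -- \((?P<svc>[^)]*)\))?$"
)

# O4 registry autoruns:  O4 - HKLM..\Run: [Name] C:\path\file.exe (Company)
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<target>.*)$"
)
COMPANY_TAIL_RE = re.compile(r"\((?P<company>[^()]*)\)\s*$")

# Locations an unprivileged user can write to on Windows XP (assumption used by
# the heuristic); a startup binary living here deserves a second look.
USER_WRITABLE = (
    "\\documents and settings\\", "\\application data\\",
    "\\local settings\\", "\\temp\\", "\\users\\",
)


def triage(lines, scan_date, recent_days=14):
    """Return [(kind, path, [reasons])] for entries worth a closer look."""
    cutoff = scan_date - timedelta(days=recent_days)
    findings = []
    for raw in lines:
        line = raw.strip()
        reasons = []
        m = ENTRY_RE.match(line)
        if m:
            kind, path, company = m["kind"], m["path"], m["company"].strip()
            mtime = datetime.strptime(m["mtime"], "%Y/%m/%d %H:%M:%S")
            if not company:
                reasons.append("no publisher/company name")
            if mtime >= cutoff:
                reasons.append(f"modified within {recent_days} days of scan")
            if any(seg in path.lower() for seg in USER_WRITABLE):
                reasons.append("runs from a user-writable location")
            if reasons:
                findings.append((kind, path, reasons))
            continue
        m = RUN_RE.match(line)
        if m:
            name, target = m["name"].strip(), m["target"].strip()
            if not name or target.endswith("File not found"):
                reasons.append("empty or orphaned Run value")
            else:
                c = COMPANY_TAIL_RE.search(target)
                if c is None or not c["company"].strip():
                    reasons.append("no publisher/company name")
                if any(seg in target.lower() for seg in USER_WRITABLE):
                    reasons.append("runs from a user-writable location")
            if reasons:
                findings.append(("O4", target, reasons))
    return findings


# Entries copied from the OTL log in the post below (scan dated 2009/09/01).
SAMPLE_LOG = r"""
PRC - [2007/05/31 03:02:06 | 00,036,400 | ---- | M] (Lenovo) -- C:\WINDOWS\System32\ibmpmsvc.exe
PRC - [2009/08/27 20:27:42 | 26,784,939 | ---- | M] () -- C:\Documents and Settings\Nick\Application Data\Dropbox\bin\Dropbox.exe
SRV - [2007/02/08 13:11:32 | 00,569,344 | ---- | M] () -- C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe -- (TVT Backup Protection Service [Auto | Running])
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [BLOG] C:\Program Files\ThinkPad\Utilities\BATLOGEX.DLL ()
O4 - HKLM..\Run: [cssauth] C:\Program Files\Lenovo\Client Security Solution\cssauth.exe (Lenovo Group Limited)
O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
""".strip().splitlines()

SCAN_DATE = datetime(2009, 9, 1)

if __name__ == "__main__":
    for kind, path, reasons in triage(SAMPLE_LOG, SCAN_DATE):
        print(f"{kind:4} {path}\n     -> {'; '.join(reasons)}")
```

Run against the sample lines it reports Dropbox.exe (no publisher, recent, user profile path), rrpservice.exe (no publisher), the empty Run value and BATLOGEX.DLL (no publisher), and stays silent on the signed-vendor entries. A missing company name in OTL only means the file carries no version resource, so every hit still needs a hash lookup or signature check before anything is removed.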

#1 bort8

  • Group: Member
  • Posts: 4
  • Joined: 01-September 09

Posted 01 September 2009 - 01:21 AM

Hello,

I seem to have gotten a Rootkit.tdss virus yesterday. I have followed every step of your process, and seem to have gotten rid of the majority of the virus except for one last piece. Whenever I run Malwarebytes, it says that it finds the virus, and I'll tell it to remove it, but after restarting and rescanning it pops right back up (even though the log says it was successfully quarantined and removed). Any help in getting rid of this would be massively appreciated!

Here are all the requested logs:
OTL
OTL logfile created on: 9/1/2009 12:06:44 AM - Run 2
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Nick\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.97 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 50.65% Memory free
3.81 Gb Paging File | 2.98 Gb Available in Paging File | 78.09% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 142.34 Gb Total Space | 30.06 Gb Free Space | 21.12% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LENOVO-E8EC189A
Current User Name: Nick
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2007/05/31 03:02:06 | 00,036,400 | ---- | M] (Lenovo) -- C:\WINDOWS\System32\ibmpmsvc.exe
PRC - [2007/02/27 17:35:04 | 00,266,295 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
PRC - [2007/04/16 11:21:20 | 00,983,040 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2009/07/03 07:49:06 | 01,029,456 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2007/01/29 20:05:02 | 00,108,080 | ---- | M] (Lenovo Group Limited) -- C:\WINDOWS\System32\IPSSVC.EXE
PRC - [2007/07/05 15:05:04 | 00,065,536 | ---- | M] (Lenovo ) -- C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
PRC - [2008/02/18 09:16:30 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/01/11 15:50:16 | 00,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
PRC - [2007/07/24 13:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2006/05/23 21:08:06 | 00,622,700 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
PRC - [2007/04/16 11:33:18 | 00,647,168 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2007/01/04 19:48:52 | 00,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
PRC - [2009/07/25 05:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/08/30 20:30:20 | 00,115,560 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
PRC - [2007/12/09 21:03:00 | 00,155,717 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe
PRC - [2007/04/16 11:14:24 | 00,327,680 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2008/11/24 22:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/11/24 22:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2007/08/03 16:10:46 | 00,644,408 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
PRC - [2007/10/16 18:33:00 | 00,037,424 | ---- | M] (Lenovo.) -- C:\WINDOWS\System32\TPHDEXLG.exe
PRC - [2007/08/03 16:19:08 | 00,722,232 | ---- | M] (IBM) -- C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
PRC - [2007/02/08 13:11:32 | 00,569,344 | ---- | M] () -- C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
PRC - [2007/02/08 13:09:58 | 00,950,272 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
PRC - [2008/03/04 08:34:12 | 01,122,304 | ---- | M] (Lenovo Group Limited) -- c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
PRC - [2007/02/08 11:40:16 | 00,045,056 | ---- | M] () -- C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
PRC - [2007/02/08 13:00:06 | 00,022,016 | ---- | M] () -- C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
PRC - [2008/12/12 12:41:02 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ZuneBusEnum.exe
PRC - [2007/07/05 15:03:32 | 00,184,320 | ---- | M] (Lenovo ) -- C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
PRC - [2009/02/06 03:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe
PRC - [2008/05/16 08:52:12 | 00,032,768 | ---- | M] (Lenovo Group Limited) -- c:\program files\lenovo\system update\suservice.exe
PRC - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe
PRC - [2004/08/04 05:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\unsecapp.exe
PRC - [2009/02/06 03:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe
PRC - [2007/07/05 15:04:18 | 00,114,688 | ---- | M] (Lenovo ) -- C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
PRC - [2009/08/30 20:30:20 | 00,115,560 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
PRC - [2008/04/13 17:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2006/05/18 16:24:06 | 00,196,696 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
PRC - [2007/04/16 11:17:58 | 00,487,424 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
PRC - [2007/07/05 03:07:42 | 00,110,592 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2007/07/05 03:07:14 | 00,512,000 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2007/11/29 11:04:00 | 00,059,168 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
PRC - [2007/03/08 22:49:42 | 00,066,176 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
PRC - [2007/11/22 15:09:26 | 00,181,536 | ---- | M] (Lenovo.) -- C:\WINDOWS\System32\TpShocks.exe
PRC - [2007/03/07 21:16:48 | 00,073,776 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
PRC - [2007/03/28 10:32:00 | 00,243,248 | ---- | M] (Lenovo Group Ltd.) -- C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
PRC - [2006/09/06 00:39:10 | 00,091,688 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\Zoom\TpScrex.exe
PRC - [2007/04/09 00:23:56 | 01,015,808 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2008/03/04 08:34:20 | 00,487,424 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
PRC - [2006/02/02 05:20:00 | 00,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLACTRLW.EXE
PRC - [2004/07/27 16:50:18 | 00,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2006/11/07 03:51:40 | 00,091,688 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
PRC - [2007/04/26 10:10:00 | 00,120,368 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
PRC - [2007/02/01 11:00:01 | 00,419,376 | ---- | M] (LENOVO) -- C:\Program Files\ThinkVantage\AMSG\Amsg.exe
PRC - [2007/07/05 14:51:48 | 00,126,976 | ---- | M] (Lenovo ) -- C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
PRC - [2007/08/03 16:35:38 | 02,630,968 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
PRC - [2008/12/12 12:41:06 | 00,157,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneLauncher.exe
PRC - [2009/07/25 05:23:12 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2008/10/25 11:44:34 | 00,031,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
PRC - [2006/10/18 21:05:26 | 00,204,288 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNSCFG.exe
PRC - [2007/08/03 16:42:08 | 00,927,032 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\Client Security Solution\tvtpwm_tray.exe
PRC - [2006/11/03 18:02:14 | 00,050,688 | ---- | M] (Avanquest Software ) -- C:\Program Files\Digital Line Detect\DLG.exe
PRC - [2009/08/27 20:27:42 | 26,784,939 | ---- | M] () -- C:\Documents and Settings\Nick\Application Data\Dropbox\bin\Dropbox.exe
PRC - [2009/07/03 07:49:06 | 00,520,024 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2009/08/04 16:12:08 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/08/31 19:26:20 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nick\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2007/07/05 15:05:04 | 00,065,536 | ---- | M] (Lenovo ) -- C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe -- (AcPrfMgrSvc [Auto | Running])
SRV - [2007/07/05 15:03:32 | 00,184,320 | ---- | M] (Lenovo ) -- C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe -- (AcSvc [Auto | Running])
SRV - [2008/02/18 09:16:30 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/01/11 15:50:16 | 00,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc [Auto | Running])
SRV - [2007/07/24 13:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2007/02/27 17:35:04 | 00,266,295 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe -- (btwdins [Auto | Running])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2006/05/23 21:08:06 | 00,622,700 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper [Auto | Running])
SRV - [2007/04/16 11:33:18 | 00,647,168 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng [Auto | Running])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2007/01/03 18:40:21 | 00,136,120 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
SRV - [2008/04/13 17:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2007/01/02 20:46:54 | 00,225,280 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll -- (hpqcxs08 [On_Demand | Running])
SRV - [2006/12/10 21:29:24 | 00,131,072 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll -- (hpqddsvc [Auto | Running])
SRV - [2007/05/31 03:02:06 | 00,036,400 | ---- | M] (Lenovo) -- C:\WINDOWS\System32\ibmpmsvc.exe -- (IBMPMSVC [Auto | Running])
SRV - [2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2008/03/30 08:36:30 | 00,504,104 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
SRV - [2007/01/29 20:05:02 | 00,108,080 | ---- | M] (Lenovo Group Limited) -- C:\WINDOWS\System32\IPSSVC.EXE -- (IPSSVC [Auto | Running])
SRV - [2007/01/04 19:48:52 | 00,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr [Auto | Running])
SRV - [2009/07/25 05:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2009/07/03 07:49:06 | 01,029,456 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service [Auto | Running])
SRV - [2008/10/25 11:44:08 | 00,065,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service [On_Demand | Stopped])
SRV - [2008/11/24 22:31:10 | 29,263,712 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$MSSMLBIZ [On_Demand | Stopped])
SRV - [2008/11/24 22:31:08 | 00,045,408 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper [Disabled | Stopped])
SRV - [2009/08/30 20:30:20 | 00,115,560 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe -- (N360 [Auto | Running])
SRV - [2006/11/08 14:35:36 | 00,043,520 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\System32\HPZinw12.dll -- (Net Driver HPZ12 [Auto | Running])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2007/12/09 21:03:00 | 00,155,717 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2008/11/04 01:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2006/11/08 14:35:38 | 00,053,248 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\System32\HPZipm12.dll -- (Pml Driver HPZ12 [Auto | Running])
SRV - [2007/04/16 11:14:24 | 00,327,680 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc [Auto | Running])
SRV - [2007/04/16 11:21:20 | 00,983,040 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor [Auto | Running])
SRV - [2009/01/07 12:40:56 | 00,348,752 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService [On_Demand | Stopped])
SRV - [2009/07/22 22:44:48 | 01,097,096 | ---- | M] (PC Tools) -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService [On_Demand | Stopped])
SRV - [2008/11/24 22:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser [Auto | Running])
SRV - [2008/11/24 22:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter [Auto | Running])
SRV - [2008/05/16 08:52:12 | 00,032,768 | ---- | M] (Lenovo Group Limited) -- c:\program files\lenovo\system update\suservice.exe -- (SUService [Auto | Running])
SRV - [2007/08/03 16:10:46 | 00,644,408 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe -- (ThinkVantage Registry Monitor Service [Auto | Running])
SRV - [2007/10/16 18:33:00 | 00,037,424 | ---- | M] (Lenovo.) -- C:\WINDOWS\System32\TPHDEXLG.exe -- (TPHDEXLGSVC [Auto | Running])
SRV - [2007/08/03 16:19:08 | 00,722,232 | ---- | M] (IBM) -- C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe -- (TSSCoreService [Auto | Running])
SRV - [2007/02/08 13:11:32 | 00,569,344 | ---- | M] () -- C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe -- (TVT Backup Protection Service [Auto | Running])
SRV - [2007/02/08 13:09:58 | 00,950,272 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe -- (TVT Backup Service [Auto | Running])
SRV - [2008/03/04 08:34:12 | 01,122,304 | ---- | M] (Lenovo Group Limited) -- c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe -- (TVT Scheduler [Auto | Running])
SRV - [2007/02/08 11:40:16 | 00,045,056 | ---- | M] () -- C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe -- (tvtnetwk [Auto | Running])
SRV - [2006/10/18 21:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [Auto | Running])
SRV - [2008/12/12 12:41:02 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ZuneBusEnum.exe -- (ZuneBusEnum [Auto | Running])
SRV - [2008/12/12 12:41:18 | 05,117,568 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc [On_Demand | Stopped])
SRV - [2008/12/12 12:41:08 | 00,243,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SE...S01?FORM=TOOLBR
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.go.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig"
FF - prefs.js..extensions.enabledItems: {77b819fa-95ad-4f2c-ac7c-486b356188a9}:1.5.20090525
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}:6.0.05
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}:6.0.15
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.071303000006
FF - prefs.js..extensions.enabledItems: {8545daff-ad1e-493f-a37e-eed1ac79682b}:1.0
FF - prefs.js..extensions.enabledItems: {7BA52691-1876-45ce-9EE6-54BCB3B04BBC}:3.5
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.13
FF - prefs.js..network.proxy.autoconfig_url: "http://www.anderson.ucla.edu/proxy/proxy.pac"
FF - prefs.js..network.proxy.type: 2

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2008/06/30 09:44:14 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/08/31 20:55:43 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/01/18 13:33:45 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/08/28 19:56:26 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/08/04 16:12:15 | 00,000,000 | ---D | M]

[2008/08/27 10:45:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nick\Application Data\mozilla\Extensions
[2008/08/27 10:45:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nick\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/08/31 21:20:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nick\Application Data\mozilla\Firefox\Profiles\gjbmz6ac.default\extensions
[2009/08/31 21:20:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nick\Application Data\mozilla\Firefox\Profiles\gjbmz6ac.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/06/03 23:29:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nick\Application Data\mozilla\Firefox\Profiles\gjbmz6ac.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}
[2009/03/20 00:10:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nick\Application Data\mozilla\Firefox\Profiles\gjbmz6ac.default\extensions\moveplayer@movenetworks.com
[2008/05/26 00:34:39 | 00,000,891 | ---- | M] () -- C:\Documents and Settings\Nick\Application Data\Mozilla\FireFox\Profiles\gjbmz6ac.default\searchplugins\dictionarycom.xml
[2009/08/06 22:05:52 | 00,000,930 | ---- | M] () -- C:\Documents and Settings\Nick\Application Data\Mozilla\FireFox\Profiles\gjbmz6ac.default\searchplugins\facebook.xml
[2009/03/29 19:10:31 | 00,001,504 | ---- | M] () -- C:\Documents and Settings\Nick\Application Data\Mozilla\FireFox\Profiles\gjbmz6ac.default\searchplugins\imdb.xml
[2009/06/15 00:42:44 | 00,001,632 | ---- | M] () -- C:\Documents and Settings\Nick\Application Data\Mozilla\FireFox\Profiles\gjbmz6ac.default\searchplugins\weathercom.xml
[2009/08/31 23:48:31 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/08/04 16:12:15 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2008/05/14 05:26:34 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
[2008/08/19 19:44:46 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2009/01/18 13:34:00 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
[2009/08/31 00:19:06 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
[2009/08/04 16:12:08 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/08/04 16:12:08 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2007/04/10 16:21:08 | 00,163,256 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\np-mswmp.dll
[2009/07/25 05:23:01 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2009/08/04 16:12:10 | 00,065,528 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2006/10/26 20:12:16 | 00,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL
[2007/03/22 17:23:30 | 00,017,248 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFFICE.DLL
[2008/10/14 22:33:30 | 00,095,600 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2008/06/30 09:44:11 | 00,144,984 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nppl3260.dll
[2008/06/01 11:41:46 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2008/06/01 11:41:46 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2008/06/01 11:41:46 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2008/06/01 11:41:46 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2008/06/01 11:41:46 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2008/06/01 11:41:46 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2008/06/01 11:41:46 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2008/06/30 09:44:16 | 00,008,192 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nprjplug.dll
[2008/06/30 09:44:07 | 00,094,208 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nprpjplug.dll
[2009/03/22 17:30:22 | 00,221,184 | ---- | M] (CNN) -- C:\Program Files\mozilla firefox\plugins\NPTURNMED.dll
[2008/11/14 09:44:23 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2008/11/14 09:44:23 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2008/11/14 09:44:23 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2008/11/14 09:44:23 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2008/11/14 09:44:23 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/08/30 20:31:06 | 00,002,221 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\SafeSearch.xml
[2008/11/14 09:44:23 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2008/11/14 09:44:23 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.0.0.135\IPSBHO.DLL (Symantec Corporation)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (CPwmIEBrowserHelper Object) - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll (Lenovo Group Limited)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe (Lenovo )
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe (LENOVO)
O4 - HKLM..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE (Lenovo Group Limited)
O4 - HKLM..\Run: [BLOG] C:\Program Files\ThinkPad\Utilities\BATLOGEX.DLL ()
O4 - HKLM..\Run: [cssauth] C:\Program Files\Lenovo\Client Security Solution\cssauth.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [DiskeeperSystray] C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe (Diskeeper Corporation)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [EZEJMNAP] C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE (Lenovo Group Ltd.)
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\Installshield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [LPManager] C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE (Lenovo Group Limited)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PWRMGRTR] C:\Program Files\ThinkPad\Utilities\PWRMGRTR.DLL (Lenovo Group Limited)
O4 - HKLM..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [TpShocks] C:\WINDOWS\System32\TpShocks.exe (Lenovo.)
O4 - HKLM..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [Zune Launcher] c:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)
O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
O4 - Startup: C:\Documents and Settings\Nick\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Nick\Application Data\Dropbox\bin\Dropbox.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NofolderOptions = 0
O8 - Extra context menu item: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra 'Tools' menuitem : ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll (Lenovo Group Limited)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {DAF7E6E7-D53A-439A-B28D-12271406B8A9} http://mobileapps.bl...re/AxLoader.cab (AxLoaderPassword Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\symres {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll (Symantec Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\ACNotify: DllName - ACNotify.dll - C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll (Lenovo )
O20 - Winlogon\Notify\psfus: DllName - C:\WINDOWS\system32\psqlpwd.dll - C:\WINDOWS\System32\psqlpwd.dll (UPEK Inc.)
O20 - Winlogon\Notify\tpfnf2: DllName - C:\Program Files\Lenovo\HOTKEY\notifyf2.dll - C:\Program Files\Lenovo\HOTKEY\notifyf2.dll ()
O20 - Winlogon\Notify\tphotkey: DllName - C:\Program Files\Lenovo\HOTKEY\tphklock.dll - C:\Program Files\Lenovo\HOTKEY\tphklock.dll ()
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/04/30 00:13:35 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

NetSvcs: 6to4 - Service key not found. File not found
NetSvcs: Ias - Service key not found. File not found
NetSvcs: Iprip - Service key not found. File not found
NetSvcs: Irmon - Service key not found. File not found
NetSvcs: NWCWorkstation - Service key not found. File not found
NetSvcs: Nwsapagent - Service key not found. File not found
NetSvcs: WmdmPmSp - Service key not found. File not found
NetSvcs: helpsvc - C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)

========== Files/Folders - Created Within 14 Days ==========

[2009/08/31 22:00:23 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/08/31 21:59:37 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/08/31 21:57:02 | 00,021,504 | ---- | C] (Doug Knox) -- C:\Documents and Settings\Nick\Desktop\SysRestorePoint.exe
[2009/08/31 21:52:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2009/08/31 21:42:39 | 00,272,384 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Nick\Desktop\TFC.exe
[2009/08/31 21:02:55 | 00,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2009/08/31 21:00:10 | 00,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2009/08/31 20:56:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-TW
[2009/08/31 20:56:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-HK
[2009/08/31 20:56:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\tr-TR
[2009/08/31 20:56:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\sv-SE
[2009/08/31 20:56:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\pt-BR
[2009/08/31 20:56:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\nl-NL
[2009/08/31 20:56:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\nb-NO
[2009/08/31 20:56:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\ko-KR
[2009/08/31 20:56:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\it-IT
[2009/08/31 20:56:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\he-IL
[2009/08/31 20:56:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\fr-FR
[2009/08/31 20:56:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\fi-FI
[2009/08/31 20:56:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\es-ES
[2009/08/31 20:56:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\el-GR
[2009/08/31 20:56:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\de-DE
[2009/08/31 20:56:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\da-DK
[2009/08/31 20:56:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\ar-SA
[2009/08/31 20:11:04 | 00,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2009/08/31 19:51:39 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2009/08/31 19:51:39 | 00,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2009/08/31 19:51:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2009/08/31 19:51:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\bits
[2009/08/31 19:45:33 | 00,000,000 | ---D | C] -- C:\WINDOWS\network diagnostic
[2009/08/31 19:40:08 | 00,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
[2009/08/31 19:26:26 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Nick\Desktop\OTL.exe
[2009/08/31 18:26:02 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Nick\Desktop\settings.dat
[2009/08/31 18:25:31 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Nick\Desktop\RootRepeal.exe
[2009/08/31 18:13:02 | 00,159,600 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2009/08/31 18:12:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/08/31 18:12:53 | 00,130,936 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2009/08/31 18:12:52 | 00,073,840 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys
[2009/08/31 18:12:49 | 00,001,644 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2009/08/31 18:12:44 | 00,064,392 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2009/08/31 18:12:44 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2009/08/31 18:12:33 | 00,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2009/08/31 18:12:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Nick\Application Data\PC Tools
[2009/08/31 18:12:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2009/08/31 00:31:56 | 00,015,688 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/08/31 00:26:42 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/08/31 00:26:27 | 00,064,160 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/08/31 00:25:30 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
[2009/08/31 00:25:28 | 00,000,874 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/08/31 00:25:17 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2009/08/31 00:25:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/08/30 23:59:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Nick\Application Data\Malwarebytes
[2009/08/30 23:59:47 | 00,000,703 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/08/30 23:59:45 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/08/30 23:59:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/08/30 23:59:43 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/08/30 23:59:43 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/08/30 22:24:49 | 00,117,124 | ---- | C] () -- C:\Documents and Settings\Nick\Desktop\0910_SP4_PrkAppeal_R1.pdf
[2009/08/30 22:14:55 | 00,019,617 | ---- | C] () -- C:\Documents and Settings\Nick\Desktop\alarmcancel06.pdf
[2009/08/30 21:41:21 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\N360_BACKUP
[2009/08/30 20:41:29 | 00,000,000 | R--D | C] -- C:\Program Files\Norton Support
[2009/08/30 20:41:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Nick\Local Settings\Application Data\Symantec
[2009/08/30 20:31:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Nick\My Documents\Symantec
[2009/08/30 20:30:56 | 02,497,102 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\Cat.DB
[2009/08/30 20:30:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
[2009/08/30 20:30:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Nick\Local Settings\Application Data\Downloaded Installations
[2009/08/30 20:30:34 | 00,036,400 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SymIM.sys
[2009/08/30 20:30:32 | 00,124,464 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2009/08/30 20:30:32 | 00,060,808 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2009/08/30 20:30:32 | 00,007,386 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2009/08/30 20:30:32 | 00,000,805 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2009/08/30 20:30:32 | 00,000,000 | ---D | C] -- C:\Program Files\Symantec
[2009/08/30 20:30:24 | 00,001,916 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Norton 360.LNK
[2009/08/30 20:30:23 | 00,482,352 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\cchpx86.sys
[2009/08/30 20:30:23 | 00,310,320 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\SymEFA.sys
[2009/08/30 20:30:23 | 00,307,760 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtsp.sys
[2009/08/30 20:30:23 | 00,217,392 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\symtdi.sys
[2009/08/30 20:30:23 | 00,089,776 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\symfw.sys
[2009/08/30 20:30:23 | 00,043,696 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtspx.sys
[2009/08/30 20:30:23 | 00,039,984 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\symndisv.sys
[2009/08/30 20:30:23 | 00,037,296 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\symndis.sys
[2009/08/30 20:30:23 | 00,034,736 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\symids.sys
[2009/08/30 20:30:22 | 00,258,608 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\BHDrvx86.sys
[2009/08/30 20:30:03 | 00,003,373 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\SymEFA.inf
[2009/08/30 20:30:03 | 00,001,753 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\ccHPx86.inf
[2009/08/30 20:30:03 | 00,001,528 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\SymNet.inf
[2009/08/30 20:30:03 | 00,001,389 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtspx.inf
[2009/08/30 20:30:03 | 00,001,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtsp.inf
[2009/08/30 20:30:03 | 00,000,640 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\BHDrvx86.inf
[2009/08/30 20:30:03 | 00,000,172 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\isolate.ini
[2009/08/30 20:29:47 | 00,009,423 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\SymNet.cat
[2009/08/30 20:29:47 | 00,007,410 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\SymEFA.cat
[2009/08/30 20:29:47 | 00,007,372 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtspx.cat
[2009/08/30 20:29:47 | 00,007,364 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\BHDrvx86.CAT
[2009/08/30 20:29:47 | 00,007,355 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtsp.cat
[2009/08/30 20:29:47 | 00,007,347 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\ccHPx86.cat
[2009/08/30 20:29:47 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\N360\0300000.087
[2009/08/30 20:29:47 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\N360
[2009/08/30 20:29:43 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Sidebar
[2009/08/30 20:29:43 | 00,000,000 | ---D | C] -- C:\Program Files\Norton 360
[2009/08/30 20:17:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PCSettings
[2009/08/30 20:17:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
[2009/08/30 20:17:00 | 00,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2009/08/30 20:17:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2009/08/30 17:41:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Nick\Application Data\Mp3tag
[2009/08/30 17:39:54 | 00,000,661 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mp3tag.lnk
[2009/08/30 17:39:53 | 00,000,000 | ---D | C] -- C:\Program Files\Mp3tag
[2009/08/30 17:24:05 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
[2009/08/30 17:24:05 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_WinUSB_01007.Wdf
[2009/08/30 17:23:05 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_user_01_07_00.Wdf
[2009/08/30 17:10:03 | 00,000,717 | ---- | C] () -- C:\Documents and Settings\Nick\Desktop\Magic MP3 Tagger.lnk
[2009/08/30 17:10:01 | 00,000,000 | ---D | C] -- C:\Program Files\Magic MP3 Tagger
[2009/08/30 16:35:17 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_zumbus_01007.Wdf
[2009/08/30 16:35:06 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
[2009/08/30 16:33:51 | 00,000,635 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Zune.lnk
[2009/08/30 16:33:16 | 00,000,000 | ---D | C] -- C:\Program Files\Zune
[2009/08/26 17:13:46 | 00,009,901 | ---- | C] () -- C:\Documents and Settings\Nick\Desktop\War Room Budget.xlsx
[2009/08/25 13:06:17 | 01,627,333 | ---- | C] () -- C:\Documents and Settings\Nick\Desktop\Student Directory Class of 2011.pdf
[2009/08/25 13:06:13 | 00,016,216 | ---- | C] () -- C:\Documents and Settings\Nick\Desktop\Class of 2011 Section Assignments.xlsx
[2009/08/25 10:28:41 | 00,384,000 | ---- | C] () -- C:\Documents and Settings\Nick\Desktop\Jul-Sep_League(3).xls
[2009/08/25 09:04:29 | 57,966,3799 | ---- | C] () -- C:\Documents and Settings\Nick\Desktop\Wall-Ay TCC.zip
[2009/08/25 09:02:34 | 05,277,321 | ---- | C] () -- C:\Documents and Settings\Nick\Desktop\The KNUX - Roxxanne (192 Kbps).mp3
[2009/08/25 09:02:10 | 04,691,663 | ---- | C] () -- C:\Documents and Settings\Nick\Desktop\The Knux - Bang! Bang!.mp3
[2009/08/25 09:00:44 | 04,877,160 | ---- | C] () -- C:\Documents and Settings\Nick\Desktop\The Knux - The Train.mp3
[2009/08/25 09:00:23 | 05,800,064 | ---- | C] () -- C:\Documents and Settings\Nick\Desktop\The Knux - Hard Days Night.mp3
[2009/08/25 08:38:19 | 03,586,422 | ---- | C] () -- C:\Documents and Settings\Nick\Desktop\Islands - No You Don't.mp3
[2009/08/25 08:37:01 | 03,214,799 | ---- | C] () -- C:\Documents and Settings\Nick\Desktop\Islands - Vapours.mp3
[2009/08/19 11:47:11 | 00,000,779 | ---- | C] () -- C:\Documents and Settings\Nick\Desktop\mfl Front Office.lnk
[2009/08/19 11:47:09 | 00,000,000 | ---D | C] -- C:\Program Files\myfantasyleague
[2009/08/19 10:56:20 | 00,015,858 | ---- | C] () -- C:\Documents and Settings\Nick\Desktop\LXF - 2008.xlsx

========== Files - Modified Within 14 Days ==========

[2009/08/31 23:53:14 | 00,512,890 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/08/31 23:53:13 | 00,621,756 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/08/31 23:53:13 | 00,097,424 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/08/31 23:50:32 | 00,000,316 | ---- | M] () -- C:\WINDOWS\tasks\PMTask.job
[2009/08/31 23:50:16 | 00,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2009/08/31 23:49:20 | 00,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/08/31 23:48:56 | 00,025,269 | ---- | M] () -- C:\WINDOWS\System32\PROCDB.INI
[2009/08/31 23:48:26 | 00,000,380 | ---- | M] () -- C:\WINDOWS\System32\IPSCtrl.INI
[2009/08/31 23:48:25 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/08/31 23:48:21 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/08/31 23:48:13 | 21,121,39264 | -HS- | M] () -- C:\hiberfil.sys
[2009/08/31 23:22:09 | 00,000,252 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
[2009/08/31 21:57:02 | 00,021,504 | ---- | M] (Doug Knox) -- C:\Documents and Settings\Nick\Desktop\SysRestorePoint.exe
[2009/08/31 21:42:40 | 00,272,384 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nick\Desktop\TFC.exe
[2009/08/31 21:06:58 | 00,069,232 | ---- | M] () -- C:\Documents and Settings\Nick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/08/31 21:06:42 | 00,267,800 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/08/31 21:03:34 | 02,497,102 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\Cat.DB
[2009/08/31 21:03:21 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/08/31 20:48:22 | 00,000,712 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/08/31 20:44:36 | 00,000,422 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
[2009/08/31 19:45:06 | 00,250,048 | RHS- | M] () -- C:\NTLDR
[2009/08/31 19:26:20 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nick\Desktop\OTL.exe
[2009/08/31 18:26:02 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Nick\Desktop\settings.dat
[2009/08/31 18:12:49 | 00,001,644 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2009/08/31 12:18:02 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/08/31 00:26:43 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/08/31 00:25:28 | 00,000,874 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/08/30 23:59:47 | 00,000,703 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/08/30 22:24:49 | 00,117,124 | ---- | M] () -- C:\Documents and Settings\Nick\Desktop\0910_SP4_PrkAppeal_R1.pdf
[2009/08/30 22:14:55 | 00,019,617 | ---- | M] () -- C:\Documents and Settings\Nick\Desktop\alarmcancel06.pdf
[2009/08/30 20:30:32 | 00,124,464 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2009/08/30 20:30:32 | 00,060,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2009/08/30 20:30:32 | 00,007,386 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2009/08/30 20:30:32 | 00,000,805 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2009/08/30 20:30:24 | 00,001,916 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton 360.LNK
[2009/08/30 20:30:23 | 00,482,352 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\cchpx86.sys
[2009/08/30 20:30:23 | 00,310,320 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\SymEFA.sys
[2009/08/30 20:30:23 | 00,307,760 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtsp.sys
[2009/08/30 20:30:23 | 00,217,392 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\symtdi.sys
[2009/08/30 20:30:23 | 00,089,776 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\symfw.sys
[2009/08/30 20:30:23 | 00,043,696 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtspx.sys
[2009/08/30 20:30:23 | 00,039,984 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\symndisv.sys
[2009/08/30 20:30:23 | 00,037,296 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\symndis.sys
[2009/08/30 20:30:23 | 00,036,400 | R--- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SymIM.sys
[2009/08/30 20:30:23 | 00,034,736 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\symids.sys
[2009/08/30 20:30:22 | 00,258,608 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0300000.087\BHDrvx86.sys
[2009/08/30 20:30:03 | 00,003,373 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\SymEFA.inf
[2009/08/30 20:30:03 | 00,001,753 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\ccHPx86.inf
[2009/08/30 20:30:03 | 00,001,528 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\SymNet.inf
[2009/08/30 20:30:03 | 00,001,389 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtspx.inf
[2009/08/30 20:30:03 | 00,001,383 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtsp.inf
[2009/08/30 20:30:03 | 00,000,640 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\BHDrvx86.inf
[2009/08/30 20:30:03 | 00,000,172 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\isolate.ini
[2009/08/30 20:29:47 | 00,009,423 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\SymNet.cat
[2009/08/30 20:29:47 | 00,007,410 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\SymEFA.cat
[2009/08/30 20:29:47 | 00,007,372 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtspx.cat
[2009/08/30 20:29:47 | 00,007,364 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\BHDrvx86.CAT
[2009/08/30 20:29:47 | 00,007,355 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\srtsp.cat
[2009/08/30 20:29:47 | 00,007,347 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0300000.087\ccHPx86.cat
[2009/08/30 17:39:54 | 00,000,661 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mp3tag.lnk
[2009/08/30 17:24:05 | 00,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
[2009/08/30 17:24:05 | 00,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_WinUSB_01007.Wdf
[2009/08/30 17:23:05 | 00,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_user_01_07_00.Wdf
[2009/08/30 17:10:03 | 00,000,717 | ---- | M] () -- C:\Documents and Settings\Nick\Desktop\Magic MP3 Tagger.lnk
[2009/08/30 16:35:17 | 00,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_zumbus_01007.Wdf
[2009/08/30 16:35:06 | 00,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
[2009/08/30 16:33:51 | 00,000,635 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Zune.lnk
[2009/08/30 15:31:58 | 00,038,912 | ---- | M] () -- C:\Documents and Settings\Nick\My Documents\Concert List.xls
[2009/08/29 20:24:18 | 00,021,581 | ---- | M] () -- C:\Documents and Settings\Nick\Application Data\Cabos.plist
[2009/08/28 19:41:30 | 00,001,010 | ---- | M] () -- C:\Documents and Settings\Nick\Start Menu\Programs\Startup\Dropbox.lnk
[2009/08/26 17:15:07 | 00,009,901 | ---- | M] () -- C:\Documents and Settings\Nick\Desktop\War Room Budget.xlsx
[2009/08/25 13:06:19 | 01,627,333 | ---- | M] () -- C:\Documents and Settings\Nick\Desktop\Student Directory Class of 2011.pdf
[2009/08/25 13:06:13 | 00,016,216 | ---- | M] () -- C:\Documents and Settings\Nick\Desktop\Class of 2011 Section Assignments.xlsx
[2009/08/25 10:28:37 | 00,384,000 | ---- | M] () -- C:\Documents and Settings\Nick\Desktop\Jul-Sep_League(3).xls
[2009/08/25 09:29:24 | 57,966,3799 | ---- | M] () -- C:\Documents and Settings\Nick\Desktop\Wall-Ay TCC.zip
[2009/08/25 09:02:40 | 05,277,321 | ---- | M] () -- C:\Documents and Settings\Nick\Desktop\The KNUX - Roxxanne (192 Kbps).mp3
[2009/08/25 09:02:16 | 04,691,663 | ---- | M] () -- C:\Documents and Settings\Nick\Desktop\The Knux - Bang! Bang!.mp3
[2009/08/25 09:00:52 | 04,877,160 | ---- | M] () -- C:\Documents and Settings\Nick\Desktop\The Knux - The Train.mp3
[2009/08/25 09:00:27 | 05,800,064 | ---- | M] () -- C:\Documents and Settings\Nick\Desktop\The Knux - Hard Days Night.mp3
[2009/08/25 08:38:28 | 03,586,422 | ---- | M] () -- C:\Documents and Settings\Nick\Desktop\Islands - No You Don't.mp3
[2009/08/25 08:37:20 | 03,214,799 | ---- | M] () -- C:\Documents and Settings\Nick\Desktop\Islands - Vapours.mp3
[2009/08/19 11:47:11 | 00,000,779 | ---- | M] () -- C:\Documents and Settings\Nick\Desktop\mfl Front Office.lnk
[2009/08/19 10:56:20 | 00,015,858 | ---- | M] () -- C:\Documents and Settings\Nick\Desktop\LXF - 2008.xlsx
[2009/08/19 09:17:02 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn

========== LOP Check ==========

[2009/08/31 21:52:33 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2008/04/03 14:07:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}
[2009/03/08 23:30:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[2009/08/30 20:30:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
[2009/08/31 00:25:30 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
[2009/02/02 02:55:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ashampoo
[2008/12/16 19:48:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Digsby
[2008/04/03 13:34:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Intel
[2008/04/19 13:49:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lenovo
[2009/08/30 20:31:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Norton
[2009/08/30 20:29:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2008/04/03 13:53:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor
[2009/08/30 20:17:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCSettings
[2009/06/08 17:16:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap Games
[2008/04/03 13:12:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBSI
[2009/08/31 18:26:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/04/03 13:59:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UIB
[2008/07/29 23:52:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
[2009/08/31 18:12:33 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Nick\Application Data
[2009/01/11 15:44:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nick\Application Data\ADDINSOFT
[2009/02/02 02:58:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nick\Application Data\Ashampoo
[2008/05/17 13:40:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nick\Application Data\Cabos
[2009/08/19 09:10:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nick\Application Data\Digsby
[2009/08/31 23:51:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nick\Application Data\Dropbox
[2009/08/30 22:41:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nick\Application Data\Image Zone Express
[2008/04/10 07:20:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nick\Application Data\Intel
[2008/07/15 17:50:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nick\Application Data\InterVideo
[2009/02/04 16:56:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nick\Application Data\Leadertech
[2008/04/19 13:49:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nick\Application Data\Lenovo
[2009/03/29 14:42:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nick\Application Data\Move Networks
[2009/08/30 17:41:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nick\Application Data\Mp3tag
[2008/06/30 21:21:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nick\Application Data\Opera
[2008/07/09 13:58:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nick\Application Data\Printer Info Cache
[2009/04/29 12:23:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nick\Application Data\Research In Motion
[2008/08/26 00:25:54 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Nick\Application Data\SecuROM
[2008/10/20 15:26:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nick\Application Data\Windows Desktop Search
[2008/11/09 10:51:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Nick\Application Data\Windows Search
[2009/08/31 00:26:43 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2009/08/31 12:18:02 | 00,000,284 | ---- | M] () -- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
[2009/08/31 23:22:09 | 00,000,252 | ---- | M] () -- C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
[2004/08/04 05:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/08/31 23:50:32 | 00,000,316 | ---- | M] () -- C:\WINDOWS\Tasks\PMTask.job
[2009/08/31 23:48:25 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT
[2009/08/31 23:50:16 | 00,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %systemroot%\system32\eventlog.dll >
[2008/04/13 17:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\eventlog.dll

< %systemroot%\system32\scecli.dll >
[2008/04/13 17:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\netlogon.dll >

< %systemroot%\system32\cngaudit.dll >

< %systemroot%\system32\sceclt.dll >

< %systemroot%\ntelogon.dll >

< %systemroot%\system32\logevent.dll >

========== Alternate Data Streams ==========

@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

MBAM
Malwarebytes' Anti-Malware 1.40
Database version: 2720
Windows 5.1.2600 Service Pack 3

9/1/2009 12:01:19 AM
mbam-log-2009-09-01 (00-01-19).txt

Scan type: Quick Scan
Objects scanned: 109583
Time elapsed: 8 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmitbdyonl (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

RootRepeal Log
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/01 00:03
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA9630000 Size: 778240 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA5C36000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xB9D8B000 Size: 323584 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x89b2c128

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x89b1f128

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x89ddd008

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x89e26268

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x89fd4648

#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xb9df2514

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x89df3988

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xb9de1282

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xb9de1474

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x89de44f0

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8a1227d8

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x89e02930

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xb9df2d00

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xb9df2fb8

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x8a0beea0

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x89ddd0f8

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x89f48780

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x8a140c08

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x8ab5db50

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x89e0ee58

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x89e27778

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xb9df13fa

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x8a0befc0

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x89dd45b8

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x87170120

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x8a0bef30

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x89de45c0

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xb9df3422

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x89e34b00

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x899f74b8

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x89e96620

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x89fcf0e8

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xb9df27d8

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x89ed6de8

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x899fb128

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xb9de0f32

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x89f112e0

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x89dd6680

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x89ddd188

Hidden Services
-------------------
Service Name: kbiwkmitbdyonl
Image Path: C:\WINDOWS\system32\drivers\kbiwkmskkyfyyv.sys

==EOF==


Please let me know what I need to do! Thank you very much!

#2 bort8

  • Group: Member
  • Posts: 4
  • Joined: 01-September 09

Posted 01 September 2009 - 01:31 AM

Oh, and I forgot the OTL Extras Log:
OTL Extras logfile created on: 8/31/2009 7:27:10 PM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Nick\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.97 Gb Total Physical Memory | 0.68 Gb Available Physical Memory | 34.34% Memory free
3.81 Gb Paging File | 2.62 Gb Available in Paging File | 68.62% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 142.34 Gb Total Space | 32.31 Gb Free Space | 22.70% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LENOVO-E8EC189A
Current User Name: Nick
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"56097:TCP" = 56097:TCP:*:Enabled:PandoRest Listening Port

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\java.exe" = C:\WINDOWS\system32\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Opera\opera.exe" = C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\OpenCase\OpenCASE Media Agent\PandoBinaries\NBCPandoREST.exe" = C:\Program Files\OpenCase\OpenCASE Media Agent\PandoBinaries\NBCPandoREST.exe:*:Enabled:PandoRest Application Name -- File not found
"C:\Program Files\Digsby\lib\digsby-app.exe" = C:\Program Files\Digsby\lib\digsby-app.exe:*:Enabled:Digsby IM -- (dotSyntax, LLC)
"C:\Documents and Settings\Nick\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe" = C:\Documents and Settings\Nick\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe:*:Enabled:Octoshape add-in for Adobe Flash Player -- (Octoshape ApS)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0076E1AC-9E7B-4B9F-A62A-4CC9511AD8E3}" = Zune Language Pack (FR)
"{02DFF6B1-1654-411C-8D7B-FD6052EF016F}" = Apple Software Update
"{075473F5-846A-448B-BCB3-104AA1760205}" = RecordNow Data
"{1007F41F-7D69-468E-8017-3849A5A973C2}" = ThinkVantage Technologies Welcome Message
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{1219497F-FA96-4D8E-9571-9C27A2A66B38}" = Opera 9.51
"{1297C681-92D7-40EF-93BF-03F66EC5105C}" = ThinkPad EasyEject Utility
"{13515135-48BB-4184-8C1F-2FAE0138E200}" = TBS WMP Plug-in
"{1746EA69-DCB6-4408-B5A5-E75F55439CDF}" = Scan
"{179C56A4-F57F-4561-8BBF-F911D26EB435}" = WebReg
"{17CBC505-D1AE-459D-B445-3D2000A85842}" = ThinkPad UltraNav Utility
"{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}" = QuickTime
"{206FD69B-F9FE-4164-81BD-D52552BC9C23}" = GearDrvs
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 15
"{2877881B-0736-42AB-B312-D4457D57E56D}" = BlackBerry Device Software Updater
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
"{2EA45803-BEB7-46C4-9ADC-46A5F9E7BB77}" = GEAR driver installer for x86 and x64
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant
"{399C37FB-08AF-493B-BFED-20FBD85EDF7F}" = Integrated Camera
"{3C43EAE7-22C0-4b33-ABFB-3757ECA5FD7B}" = HP Officejet All-In-One Series
"{40724630-C95F-449d-B71D-777CFDE9EA21}" = J5700
"{40BA976E-38B8-4C63-990C-50999C8C3521}" = BPD_Scan
"{41894269-0DD1-4C85-B3DD-1EB41B07621D}" = ThinkVantage Fingerprint Software 5.6
"{41A96655-19FB-473c-AAB7-429E372527C8}" = ProductContext
"{44734179-8A79-4DEE-BB08-73037F065543}" = Apple Mobile Device Support
"{46A84694-59EC-48F0-964C-7E76E9F8A2ED}" = ThinkVantage Active Protection System
"{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}" = Bonjour
"{49F2B650-2D7B-4F59-B33D-346F63776BD3}" = DocProc
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer
"{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}" = iTunes
"{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C83x/84x Flash Media Controller Driver Ver.3.52.02
"{5D0F0C1F-46B0-4AA2-B8DC-02E5FE777C19}" = 5700_Help
"{65706020-7B6F-41F2-8047-FC69579E386A}" = Presentation Director
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{67D3F1A0-A1F2-49b7-B9EE-011277B170CD}" = HPProductAssistant
"{68B36FA5-E276-4C03-A56C-EC25717E1668}" = XLSTAT 2008
"{69333A04-5134-40A5-A055-9166A7AA1EC8}" =
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{796E076A-82F7-4D49-98C8-DEC0C3BC733A}" = Diskeeper Lite
"{7A7DC702-DEDE-42A8-8722-B3BA724D546F}" = Fax
"{7CCEBC24-62DB-4280-A8EC-BFA49F167920}" = Software Update for Web Folders
"{7EB114D8-207F-45AE-BABD-1669715F2630}" = ThinkVantage Access Connections
"{7FC3BBEC-5A91-41B0-9CB8-960EC4421411}" = InterVideo WinDVD Creator 3
"{84814E6B-2581-46EC-926A-823BD1C670F6}" = ThinkPad Bluetooth with Enhanced Data Rate Software
"{8675339C-128C-44DD-83BF-0A5D6ABD8297}" = System Update
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ULTIMATER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ULTIMATER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ULTIMATER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ULTIMATER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ULTIMATER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ULTIMATER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ULTIMATER_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ULTIMATER_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ULTIMATER_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ULTIMATER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ULTIMATER_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ULTIMATER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ULTIMATER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ULTIMATER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ULTIMATER_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ULTIMATER_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{91110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{91120000-002E-0000-0000-0000000FF1CE}" = Microsoft Office Ultimate 2007
"{91120000-002E-0000-0000-0000000FF1CE}_ULTIMATER_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{95D08F4E-DFC2-4ce3-ACB7-8C8E206217E9}" = MarketResearch
"{978C25EE-5777-46e4-8988-732C297CBDBD}" = Status
"{986F64DC-FF15-449D-998F-EE3BCEC6666A}" = Help Center
"{9B1FD9CE-0776-4f0b-A6F5-C6AB7B650CDF}" = Destinations
"{A0E64EBA-8BF0-49FB-90C0-BB3D781A2016}" = ThinkPad Power Manager
"{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver
"{A2CC286B-BFE9-4D1F-9EDA-AA3E8289CA12}" = BPDSoftware_Ini
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A36CD345-625C-4d6c-B3E2-76E1248CB451}" = SolutionCenter
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.3
"{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = RecordNow Copy
"{B32C4059-6E7A-41EF-AD20-56DF1872B923}" = Business Contact Manager for Outlook 2007 SP1
"{B334D9AE-1393-423E-97C0-3BDC3360E692}" = Sonic Icons for Lenovo
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{BE77A81F-B315-4666-9BF3-AE70C0ADB057}" = BufferChm
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C54ED2B6-1AF2-416F-BBA8-5E2B8CDCB5C4}" = XP Themes
"{C6876FE6-A314-4628-B0D7-F3EE5E35C4B4}" = Windows Live Toolbar
"{C6FA39A7-26B1-480A-BC74-6D17531AC222}" = Access Help
"{C716522C-3731-4667-8579-40B098294500}" = Toolbox
"{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}" = HP Update
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CB84F0F2-927B-458D-9DC5-87832E3DC653}" = GearDrvs
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF5737AF-8550-4546-A69B-0EA9EF5A9B55}" = ThinkVantage Productivity Center
"{D728E945-256D-4477-B377-6BBA693714AC}" = Productivity Center Supplement for ThinkPad
"{DB71210F-8314-4AE3-B7A7-EBAF85BD30E9}" = Wallpapers
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E0783143-EAE2-4047-A8D6-E155523C594C}" = Garmin WebUpdater
"{E6D752B9-A029-47B3-A633-4818C61DE551}" = TreePlan and Regress
"{E7E836B8-4BDD-454F-82E6-5FEA17C83AD4}" = Message Center
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{EB21A812-671B-4D08-B974-2A347F0D8F70}" = HP Photosmart Essential
"{EB75DE50-5754-4F6F-875D-126EDF8E4CB3}" = HPSSupply
"{ECAD4F6A-0BF3-4028-9C81-E5D9F9606CBA}" = BPDSoftware
"{EE4ACABF-531E-419A-9225-B8E0FA4955AF}" = Zune Language Pack (ES)
"{F055E1B2-8A05-4D87-8039-1BE979BA4193}" = Client Security Solution
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F151F2B3-0C32-44D3-90E2-E639B8024622}" = Rescue and Recovery
"{F18DB86D-BC16-4E01-BCCE-63F62B931D82}" = InterVideo Register Manager
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F490BD2C-F21B-4F1F-B116-322387DC0393}" = Cabos
"{F705E3E1-A471-426B-9A09-73429F3418EE}" = System Migration Assistant
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"{FF075778-6E50-47ed-991D-3B07FD4E3250}" = TrayApp
"{FF70513F-E3A7-402F-84FB-B7810A064BE2}" = Zune
"45A7283175C62FAC673F913C1F532C5361F97841" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Ashampoo Burning Studio 8_is1" = Ashampoo Burning Studio 8.04
"AwayTask" = Maintenance Manager
"Business Contact Manager" = Business Contact Manager for Outlook 2007 SP1
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10140588" = ThinkPad Modem
"Episode 1 - Homestar Ruiner" = Strong Bad - Strong Bad Episode 1 - Homestar Ruiner
"HP Imaging Device Functions" = HP Imaging Device Functions 8.0
"HP Solution Center & Imaging Support Tools" = HP Solution Center 8.0
"HPExtendedCapabilities" = HP Customer Participation Program 8.0
"HPOCR" = HP OCR Software 8.0
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{13515135-48BB-4184-8C1F-2FAE0138E200}" = TBS WMP Plug-in
"Lenovo Registration" = Lenovo Registration
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"mflFrontOffice_is1" = myfantasyleague.com Front Office 2009
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Mozilla Firefox (3.0.13)" = Mozilla Firefox (3.0.13)
"Mp3tag" = Mp3tag v2.44
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"My Journal_is1" = My Journal 1.0
"N360" = Norton 360
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"OnScreenDisplay" = On Screen Display
"PC-Doctor 5 for Windows" = PC-Doctor 5 for Windows
"PCMCIAPW" = ThinkPad PC Card Power Policy
"Picasa2" = Picasa 2
"Power Management Driver" = ThinkPad Power Management Driver
"ProInst" = Intel® PROSet/Wireless Software
"PROSet" = Intel® PRO Network Connections Drivers
"RealPlayer 6.0" = RealPlayer
"Remove Multimedia Center" = Remove Multimedia Center
"Songkick iTunes" = Songkicker iTunes Plug-in
"Songkick Winamp" = Songkicker Winamp Plug-in
"Songkick WMP" = Songkicker Windows Media Player Plug-in
"Spyware Doctor" = Spyware Doctor 6.1
"SynTPDeinstKey" = ThinkPad UltraNav Driver
"ThinkPad FullScreen Magnifier" = ThinkPad FullScreen Magnifier
"ULTIMATER" = Microsoft Office Ultimate 2007
"uniquemagicmp3taggerappid_is1" = Magic MP3 Tagger 2.2.4f
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"WIC" = Windows Imaging Component
"Winamp" = Winamp
"Windows Live Toolbar" = Windows Live Toolbar
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"winusb0100" = Microsoft WinUsb 1.0
"WMCSetup" = Windows Media Connect
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01007" = Microsoft User-Mode Driver Framework Feature Pack 1.7
"Xvid_is1" = Xvid 1.1.3 final uninstall
"Zune" = Zune

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Adobe Acrobat Connect Add-in" = Adobe Acrobat Connect Add-in
"Dropbox" = Dropbox
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer
"Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/19/2009 3:46:32 AM | Computer Name = LENOVO-E8EC189A | Source = nview_info | ID = 11141121
Description =

Error - 8/29/2009 4:50:55 AM | Computer Name = LENOVO-E8EC189A | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3498, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 8/30/2009 7:38:19 PM | Computer Name = LENOVO-E8EC189A | Source = Application Hang | ID = 1002
Description = Hanging application EXCEL.EXE, version 12.0.6504.5001, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/30/2009 8:29:41 PM | Computer Name = LENOVO-E8EC189A | Source = WPDMTPDriver | ID = 80836
Description =

Error - 8/30/2009 8:30:06 PM | Computer Name = LENOVO-E8EC189A | Source = WPDMTPDriver | ID = 80836
Description =

Error - 8/30/2009 11:35:22 PM | Computer Name = LENOVO-E8EC189A | Source = ZuneDriver | ID = 80837
Description =

Error - 8/31/2009 3:06:29 AM | Computer Name = LENOVO-E8EC189A | Source = nview_info | ID = 11141121
Description =

Error - 8/31/2009 3:06:31 AM | Computer Name = LENOVO-E8EC189A | Source = nview_info | ID = 11141121
Description =

Error - 8/31/2009 3:25:42 AM | Computer Name = LENOVO-E8EC189A | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

Error - 8/31/2009 5:31:07 PM | Computer Name = LENOVO-E8EC189A | Source = nview_info | ID = 11141121
Description =

[ OSession Events ]
Error - 9/11/2008 1:34:29 AM | Computer Name = LENOVO-E8EC189A | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 122141
seconds with 360 seconds of active time. This session ended with a crash.

Error - 9/14/2008 1:10:50 AM | Computer Name = LENOVO-E8EC189A | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6323.5000, Microsoft Office Version: 12.0.4518.1014. This session lasted 213682
seconds with 8640 seconds of active time. This session ended with a crash.

Error - 6/18/2009 11:02:26 AM | Computer Name = LENOVO-E8EC189A | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 4
seconds with 0 seconds of active time. This session ended with a crash.

Error - 6/18/2009 11:02:32 AM | Computer Name = LENOVO-E8EC189A | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 5
seconds with 0 seconds of active time. This session ended with a crash.

Error - 6/18/2009 11:02:37 AM | Computer Name = LENOVO-E8EC189A | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 2
seconds with 0 seconds of active time. This session ended with a crash.

Error - 6/18/2009 11:02:42 AM | Computer Name = LENOVO-E8EC189A | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1
seconds with 0 seconds of active time. This session ended with a crash.

Error - 6/18/2009 11:02:45 AM | Computer Name = LENOVO-E8EC189A | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1
seconds with 0 seconds of active time. This session ended with a crash.

Error - 6/18/2009 11:02:53 AM | Computer Name = LENOVO-E8EC189A | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 21
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 8/27/2009 12:50:11 AM | Computer Name = LENOVO-E8EC189A | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.33 for the Network Card with network
address 001F3B2DE4A3 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 8/28/2009 10:38:59 PM | Computer Name = LENOVO-E8EC189A | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.4 for the Network Card with network
address 001F3B2DE4A3 has been denied by the DHCP server 192.168.0.1 (The DHCP Server
sent a DHCPNACK message).

Error - 8/30/2009 5:56:39 PM | Computer Name = LENOVO-E8EC189A | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.0.100 for the Network Card with network
address 001F3B2DE4A3 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 8/31/2009 3:07:03 AM | Computer Name = LENOVO-E8EC189A | Source = DCOM | ID = 10010
Description = The server {E85062FB-914A-40A2-8801-5DD803045204} did not register
with DCOM within the required timeout.

Error - 8/31/2009 3:14:02 AM | Computer Name = LENOVO-E8EC189A | Source = System Error | ID = 1003
Description = Error code 1000000a, parameter1 bad0b0c8, parameter2 00000002, parameter3
00000000, parameter4 804f458c.

Error - 8/31/2009 10:18:58 AM | Computer Name = LENOVO-E8EC189A | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the N360 service.

Error - 8/31/2009 12:41:31 PM | Computer Name = LENOVO-E8EC189A | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.4 for the Network Card with network
address 001F3B2DE4A3 has been denied by the DHCP server 1.1.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 8/31/2009 8:57:12 PM | Computer Name = LENOVO-E8EC189A | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 164.67.164.93 on
the Network Card with network address 001F3B2DE4A3.

Error - 8/31/2009 8:57:16 PM | Computer Name = LENOVO-E8EC189A | Source = PSched | ID = 14107
Description = QoS [Adapter {B19539AA-3BF7-4D63-B827-4FE3BFE880A9}]: The Packet Scheduler
could not initialize the virtual miniport with NDIS.

Error - 8/31/2009 10:21:49 PM | Computer Name = LENOVO-E8EC189A | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Internet Explorer 8 for Windows XP.


< End of report >

#3 Transience

  • Group: Retired Staff
  • Posts: 2,448
  • Joined: 11-July 07

Posted 01 September 2009 - 09:58 AM

Hello and welcome to Geeks to Go! I'm Dave and I'll be helping you out. Let's get started:

Please go to the GMER Rootkit Scanner Download Site.
  • Click on the Download EXE button.
  • The file you are downloading will have a random name in order to circumvent the attempts of malware to block it from running.
  • Take note of the name of the file (please don't change it), and then save it directly to your desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click on the file you downloaded (Vista users please right-click it and select Run as Administrator). The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure that the "Show all" box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity, don't worry.
  • Click Ok.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it to a location where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

Then:

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Click on any of the links at that website to download ComboFix. At the window that appears, please change the name of the file from ComboFix to svchost. This name is important and must be exactly as I have given it to you here. Once you have changed the name, save the renamed file directly to your desktop.

Return to the above link and continue with the instructions provided there for running ComboFix. Be sure that you read ALL of the instructions on that page carefully and follow them exactly. It is particularly important to disable all your protection programs before running ComboFix. If you need further help figuring out how to disable a specific program, look here for instructions. Installing the recovery console if you're running an XP machine is another critical step. Although these preliminary steps may seem unnecessary, by following the directions in that guide closely you give ComboFix the best possible chance at a successful run and minimize the likelihood of having serious problems occur after an attempted removal of malware.

Once the program has finished running, its log should pop up automatically, or if for some reason you lose it, it can be found at C:\ComboFix.txt. Please post the log's contents in your next reply.

Cheers,
Dave
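
Dave's caution above is that a GMER "<-- ROOTKIT !!!" tag is a prompt to investigate, not a verdict: a security product's own SSDT hooks are tagged the same way as a hidden driver. As an added example (not part of this thread, and not GMER's own code), the Python script below parses the GMER 1.0.15 log format and separates flagged SSDT hooks grouped by the driver GMER attributes them to from hidden services and the registry entries that describe them; the sample log is constructed, and the driver and service names in it (EXAMPLEAV.sys, aaaasvc, aaaarandom.sys) are placeholders, not indicators from the thread.

```python
"""Triage helper for GMER rootkit-scan logs (added example, not from the
thread or from GMER). Flagged SSDT hooks are grouped by owning driver so the
analyst can check whether that driver belongs to an installed product;
hidden services are collected together with their Services\\ registry keys
across every ControlSet GMER reported."""
import re
from collections import defaultdict

# Constructed sample modeled on the GMER 1.0.15 log layout; not a real scan.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT 89B2C128 ZwAlertResumeThread
SSDT EXAMPLEAV.sys (Example AV Core Driver/Example Vendor) ZwCreateKey [0xB9000514] <-- ROOTKIT !!!
SSDT EXAMPLEAV.sys (Example AV Core Driver/Example Vendor) ZwTerminateProcess [0xB9000F32] <-- ROOTKIT !!!
SSDT 89ED6DE8 ZwSuspendProcess

---- Services - GMER 1.0.15 ----

Service system32\drivers\aaaarandom.sys (*** hidden *** ) [SYSTEM] aaaasvc <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\aaaasvc@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\aaaasvc@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\aaaasvc@imagepath \systemroot\system32\drivers\aaaarandom.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\aaaasvc\main\injector@* aaaawsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\aaaasvc@imagepath \systemroot\system32\drivers\aaaarandom.sys
"""

FLAG = "<-- ROOTKIT !!!"
# SSDT entry GMER could attribute to a module: "SSDT mod.sys (Desc/Vendor) ZwX [0xADDR]"
RE_SSDT_MOD = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]")
# SSDT entry with only a handler address: "SSDT 89B2C128 ZwX"
RE_SSDT_ADDR = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>Zw\w+)\s*$")
# Hidden service: "Service <image> (*** hidden *** ) [START] <name>"
RE_SERVICE = re.compile(
    r"^Service\s+(?P<image>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)")
# Registry value: "Reg <key>@<value> <data>" (data may contain spaces)
RE_REG = re.compile(r"^Reg\s+(?P<key>\S+?)@(?P<value>\S+)(?:\s+(?P<data>.*))?$")
RE_SVC_KEY = re.compile(r"^HKLM\\SYSTEM\\(?P<cs>[^\\]+)\\Services\\(?P<svc>[^\\]+)(?P<sub>.*)$")


def parse_gmer(text):
    """Turn GMER log lines into a list of finding dicts; section headers and
    lines in formats this helper does not model are skipped."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        flagged = line.endswith(FLAG)
        if m := RE_SSDT_MOD.match(line):
            findings.append({"kind": "ssdt_hook", "module": m["module"], "desc": m["desc"],
                             "func": m["func"], "flagged": flagged})
        elif m := RE_SSDT_ADDR.match(line):
            findings.append({"kind": "ssdt_hook", "module": None, "desc": "",
                             "func": m["func"], "flagged": flagged})
        elif m := RE_SERVICE.match(line):
            findings.append({"kind": "hidden_service", "name": m["name"],
                             "image": m["image"], "flagged": flagged})
        elif m := RE_REG.match(line):
            findings.append({"kind": "registry", "key": m["key"], "value": m["value"],
                             "data": m["data"] or "", "flagged": flagged})
    return findings


def triage(findings):
    """Group flagged hooks by owning driver and attach Services\\ registry
    values (from every ControlSet) to the hidden service they belong to."""
    hooks_by_module = defaultdict(list)
    hidden = {}
    for f in findings:
        if f["kind"] == "ssdt_hook" and f["flagged"]:
            hooks_by_module[f["module"]].append(f["func"])
        elif f["kind"] == "hidden_service":
            hidden[f["name"]] = {"image": f["image"], "registry": {}, "controlsets": set()}
    for f in findings:
        if f["kind"] != "registry":
            continue
        m = RE_SVC_KEY.match(f["key"])
        if not m or m["svc"] not in hidden:
            continue
        svc = hidden[m["svc"]]
        svc["controlsets"].add(m["cs"])
        svc["registry"][m["sub"] + "@" + f["value"]] = f["data"]
    return {"vendor_hooks": dict(hooks_by_module), "hidden_services": hidden}


def report(summary):
    """Render the triage as analyst-facing lines (returned, not printed)."""
    out = []
    for module, funcs in sorted(summary["vendor_hooks"].items(), key=lambda kv: str(kv[0])):
        out.append(f"SSDT hooks by {module or '(unattributed)'}: {', '.join(funcs)} "
                   f"-> confirm this driver belongs to an installed product before acting")
    for name, info in summary["hidden_services"].items():
        out.append(f"HIDDEN service {name}: image {info['image']}, "
                   f"present in {len(info['controlsets'])} control set(s)")
        for key, data in sorted(info["registry"].items()):
            out.append(f"    {key} = {data}")
    return out


if __name__ == "__main__":
    print("\n".join(report(triage(parse_gmer(SAMPLE_LOG)))))
```

Run it against a real GMER.txt by reading the file into `parse_gmer` instead of `SAMPLE_LOG`; a hook group whose driver matches an installed security product (the OTL uninstall list is the place to check) is the false-positive case the caution describes, while a hidden service whose image is a randomly named driver is the finding to report back.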

#4 bort8

  • Group: Member
  • Posts: 4
  • Joined: 01-September 09

Posted 01 September 2009 - 10:04 PM

Alrighty, thanks so much for the response!

So here is the GMER log:

GMER 1.0.15.15077 [zhqgbt7m.exe] - http://www.gmer.net
Rootkit scan 2009-09-01 15:42:08
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 89B2C128 ZwAlertResumeThread
SSDT 89B1F128 ZwAlertThread
SSDT 89DDD008 ZwAllocateVirtualMemory
SSDT 89E26268 ZwAssignProcessToJobObject
SSDT 89FD4648 ZwConnectPort
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xB9DF2514] <-- ROOTKIT !!!
SSDT 89DF3988 ZwCreateMutant
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xB9DE1282] <-- ROOTKIT !!!
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xB9DE1474] <-- ROOTKIT !!!
SSDT 89DE44F0 ZwCreateSymbolicLinkObject
SSDT 8A1227D8 ZwCreateThread
SSDT 89E02930 ZwDebugActiveProcess
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xB9DF2D00] <-- ROOTKIT !!!
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xB9DF2FB8] <-- ROOTKIT !!!
SSDT 8A0BEEA0 ZwDuplicateObject
SSDT 89DDD0F8 ZwFreeVirtualMemory
SSDT 89F48780 ZwImpersonateAnonymousToken
SSDT 8A140C08 ZwImpersonateThread
SSDT 8AB5DB50 ZwLoadDriver
SSDT 89E0EE58 ZwMapViewOfSection
SSDT 89E27778 ZwOpenEvent
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xB9DF13FA] <-- ROOTKIT !!!
SSDT 8A0BEFC0 ZwOpenProcess
SSDT 89DD45B8 ZwOpenProcessToken
SSDT 87170120 ZwOpenSection
SSDT 8A0BEF30 ZwOpenThread
SSDT 89DE45C0 ZwProtectVirtualMemory
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xB9DF3422] <-- ROOTKIT !!!
SSDT 89E34B00 ZwResumeThread
SSDT 899F74B8 ZwSetContextThread
SSDT 89E96620 ZwSetInformationProcess
SSDT 89FCF0E8 ZwSetSystemInformation
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xB9DF27D8] <-- ROOTKIT !!!
SSDT 89ED6DE8 ZwSuspendProcess
SSDT 899FB128 ZwSuspendThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xB9DE0F32] <-- ROOTKIT !!!
SSDT 89F112E0 ZwTerminateThread
SSDT 89DD6680 ZwUnmapViewOfSection
SSDT 89DDD188 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2F84 80504820 4 Bytes CALL 98DA4515
.text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 80504854 8 Bytes CALL A8DA35C6
? SYMEFA.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[2812] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \FileSystem\Fastfat \Fat A3C94D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Services - GMER 1.0.15 ----

Service system32\drivers\kbiwkmskkyfyyv.sys (*** hidden *** ) [SYSTEM] kbiwkmitbdyonl <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmitbdyonl@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmitbdyonl@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmitbdyonl@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmitbdyonl@imagepath \systemroot\system32\drivers\kbiwkmskkyfyyv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmitbdyonl\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmitbdyonl\main@aid 10438
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmitbdyonl\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmitbdyonl\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmitbdyonl\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmitbdyonl\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmitbdyonl\main\injector@* kbiwkmwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmitbdyonl\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmitbdyonl\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmitbdyonl\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmskkyfyyv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmitbdyonl\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmppfefkaj.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmitbdyonl\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmxrddfpyl.dat
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmitbdyonl\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmveatdejg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmitbdyonl\modules@kbiwkm.dat \systemroot\system32\kbiwkmdkvvkmpk.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmitbdyonl@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmitbdyonl@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmitbdyonl@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmitbdyonl@imagepath \systemroot\system32\drivers\kbiwkmskkyfyyv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmitbdyonl\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmitbdyonl\main@aid 10438
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmitbdyonl\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmitbdyonl\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmitbdyonl\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmitbdyonl\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmitbdyonl\main\injector@* kbiwkmwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmitbdyonl\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmitbdyonl\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmitbdyonl\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmskkyfyyv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmitbdyonl\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmppfefkaj.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmitbdyonl\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmxrddfpyl.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmitbdyonl\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmveatdejg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmitbdyonl\modules@kbiwkm.dat \systemroot\system32\kbiwkmdkvvkmpk.dat
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmitbdyonl@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmitbdyonl@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmitbdyonl@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmitbdyonl@imagepath \systemroot\system32\drivers\kbiwkmskkyfyyv.sys
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmitbdyonl\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmitbdyonl\main@aid 10438
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmitbdyonl\main@sid 0
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmitbdyonl\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmitbdyonl\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmitbdyonl\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmitbdyonl\main\injector@* kbiwkmwsp.dll
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmitbdyonl\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmitbdyonl\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmitbdyonl\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmskkyfyyv.sys
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmitbdyonl\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmppfefkaj.dll
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmitbdyonl\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmxrddfpyl.dat
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmitbdyonl\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmveatdejg.dll
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmitbdyonl\modules@kbiwkm.dat \systemroot\system32\kbiwkmdkvvkmpk.dat

---- Files - GMER 1.0.15 ----

File C:\RRbackups\C 0 bytes
File C:\RRbackups\common 0 bytes
File C:\RRbackups\common\backups.dat 8192 bytes
File C:\RRbackups\common\css.dat 12288 bytes
File C:\RRbackups\common\hints.dat 8192 bytes
File C:\RRbackups\common\mnd.dat 8192 bytes
File C:\RRbackups\common\regcerts.dat 8192 bytes
File C:\RRbackups\common\restore.log 110 bytes
File C:\RRbackups\common\rr.log 97260 bytes
File C:\RRbackups\common\SAM 262144 bytes
File C:\RRbackups\common\seccache.dat 8192 bytes
File C:\RRbackups\common\secpolicy.dat 61440 bytes
File C:\RRbackups\common\settings.dat 24576 bytes
File C:\RRbackups\common\system.dat 12288 bytes
File C:\RRbackups\common\tvtcmn.dat 8192 bytes
File C:\RRbackups\common\tvtns.bin 0 bytes
File C:\RRbackups\common\usersids.dat 18720 bytes
File C:\RRbackups\Documents and Settings 0 bytes
File C:\RRbackups\Documents and Settings\Administrator 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Lenovo 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-1488597686-1028518619-1434389369-500 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-1488597686-1028518619-1434389369-500\bb4ea5d6-3538-4788-9f54-37055186009a 388 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-1488597686-1028518619-1434389369-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2308768734-1723015767-1346455043-500 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2308768734-1723015767-1346455043-500\82e59b56-0c1c-4d33-b083-ba3b53093ec6 388 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2308768734-1723015767-1346455043-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3912221171-2665696597-2556413286-500 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3912221171-2665696597-2556413286-500\709260ee-4e58-4af4-8c69-78cde8bfd44a 388 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-3912221171-2665696597-2556413286-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\All Users 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Lenovo 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Lenovo\Client Security Solution 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Lenovo\Client Security Solution\cspContainer.dat 332 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Lenovo\Client Security Solution\encobject.dat 1608 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Lenovo\Client Security Solution\hwkeys.dat 4248 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Lenovo\Client Security Solution\symkeys.dat 656 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\42e7e898003fbdeb9585806ee1664b51_efdaf656-a7e8-4a43-9b64-4acfdd32f050 57 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_efdaf656-a7e8-4a43-9b64-4acfdd32f050 47 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\8f71098770f72c7a67cd8f1151619865_efdaf656-a7e8-4a43-9b64-4acfdd32f050 54 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\b973ec0ff915c48a18fe09064ce3a22d_efdaf656-a7e8-4a43-9b64-4acfdd32f050 56 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\d42cc0c3858a58db2db37658219e6400_efdaf656-a7e8-4a43-9b64-4acfdd32f050 893 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\e52f73ea1e6d8fb5afd750e25de6c8fa_efdaf656-a7e8-4a43-9b64-4acfdd32f050 46 bytes
File C:\RRbackups\Documents and Settings\Default User 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Lenovo 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-1488597686-1028518619-1434389369-500 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-1488597686-1028518619-1434389369-500\bb4ea5d6-3538-4788-9f54-37055186009a 388 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-1488597686-1028518619-1434389369-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2308768734-1723015767-1346455043-500 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2308768734-1723015767-1346455043-500\82e59b56-0c1c-4d33-b083-ba3b53093ec6 388 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2308768734-1723015767-1346455043-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3912221171-2665696597-2556413286-500 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3912221171-2665696597-2556413286-500\709260ee-4e58-4af4-8c69-78cde8bfd44a 388 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3912221171-2665696597-2556413286-500\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\LocalService 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Crypto\RSA\S-1-5-20 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Crypto\RSA\S-1-5-20\94498385663a229a93d423c6d144ae0b_efdaf656-a7e8-4a43-9b64-4acfdd32f050 2519 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\Protect\CREDHIST 24 bytes

---- EOF - GMER 1.0.15 ----


And here is the ComboFix log:
ComboFix 09-09-01.04 - Nick 09/01/2009 20:46.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.1225 [GMT -7:00]
Running from: c:\documents and settings\Nick\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-2308768734-1723015767-1346455043-500
c:\windows\AegisP.inf
c:\windows\Installer\30df8ff.msp
c:\windows\Installer\41dcc8a.msi

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_kbiwkmitbdyonl
-------\Service_kbiwkmitbdyonl


((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))
.

2009-09-02 03:53 . 2009-08-31 03:30 165240 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2009-09-02 01:53 . 2009-08-31 16:13 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090901.023\NAVENG.SYS
2009-09-02 01:53 . 2009-08-31 16:13 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090901.023\EECTRL.SYS
2009-09-02 01:53 . 2009-08-31 16:13 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090901.023\CCERASER.DLL
2009-09-02 01:53 . 2009-08-31 16:13 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090901.023\ECMSVR32.DLL
2009-09-02 01:53 . 2009-08-31 16:13 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090901.023\NAVENG32.DLL
2009-09-02 01:53 . 2009-08-31 16:13 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090901.023\NAVEX32A.DLL
2009-09-02 01:53 . 2009-08-31 16:13 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090901.023\NAVEX15.SYS
2009-09-02 01:53 . 2009-08-31 16:13 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090901.023\ERASER.SYS
2009-09-02 00:21 . 2009-09-02 00:48 -------- d-----w- c:\program files\ZillaTube
2009-09-01 06:38 . 2009-09-01 06:38 -------- d-sh--w- c:\documents and settings\Nick\IECompatCache
2009-09-01 04:59 . 2009-09-01 04:59 -------- d-----w- c:\program files\ERUNT
2009-09-01 04:52 . 2009-09-01 04:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-09-01 04:21 . 2009-09-01 04:21 -------- d-sh--w- c:\documents and settings\Nick\PrivacIE
2009-09-01 04:08 . 2009-09-01 04:08 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-01 04:08 . 2009-09-01 04:08 -------- d-sh--w- c:\documents and settings\Nick\IETldCache
2009-09-01 04:03 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-09-01 04:02 . 2009-09-01 04:03 -------- d-----w- c:\windows\ie8updates
2009-09-01 04:02 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-09-01 04:02 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-01 04:00 . 2009-09-01 04:02 -------- dc-h--w- c:\windows\ie8
2009-09-01 02:51 . 2009-09-01 02:51 -------- d-----w- c:\windows\system32\scripting
2009-09-01 02:51 . 2009-09-01 02:51 -------- d-----w- c:\windows\l2schemas
2009-09-01 02:51 . 2009-09-01 02:51 -------- d-----w- c:\windows\system32\en
2009-09-01 02:51 . 2009-09-01 02:51 -------- d-----w- c:\windows\system32\bits
2009-09-01 01:13 . 2008-12-11 15:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-09-01 01:12 . 2009-09-01 01:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-01 01:12 . 2009-04-03 17:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-01 01:12 . 2008-12-18 18:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-01 01:12 . 2009-09-01 01:14 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-01 01:12 . 2008-12-10 18:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-09-01 01:12 . 2009-09-01 01:14 -------- d-----w- c:\program files\Spyware Doctor
2009-09-01 01:12 . 2009-09-01 01:12 -------- d-----w- c:\documents and settings\Nick\Application Data\PC Tools
2009-09-01 01:12 . 2009-09-01 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-31 07:31 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-31 07:26 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-31 07:25 . 2009-08-31 07:25 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-31 07:25 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-08-31 07:25 . 2009-08-31 07:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-31 07:25 . 2009-08-31 07:25 -------- d-----w- c:\program files\Lavasoft
2009-08-31 07:18 . 2009-08-31 07:18 152576 ----a-w- c:\documents and settings\Nick\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-31 06:59 . 2009-08-31 06:59 -------- d-----w- c:\documents and settings\Nick\Application Data\Malwarebytes
2009-08-31 06:59 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-31 06:59 . 2009-08-31 06:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-31 06:59 . 2009-08-31 06:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-31 06:59 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-31 04:41 . 2009-08-31 04:41 -------- d-----w- c:\windows\system32\N360_BACKUP
2009-08-31 04:32 . 2009-07-11 19:34 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSXpx86.sys
2009-08-31 04:32 . 2009-07-11 19:34 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSvix86.sys
2009-08-31 04:32 . 2009-07-11 19:34 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\Scxpx86.dll
2009-08-31 04:32 . 2009-07-11 19:34 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSxpx86.dll
2009-08-31 04:32 . 2009-07-11 19:34 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSviA64.sys
2009-08-31 03:41 . 2009-08-31 03:41 -------- d-----r- c:\program files\Norton Support
2009-08-31 03:41 . 2009-08-31 03:41 -------- d-----w- c:\documents and settings\Nick\Local Settings\Application Data\Symantec
2009-08-31 03:31 . 2009-08-31 03:30 554352 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2009-08-31 03:30 . 2009-08-31 03:30 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-08-31 03:30 . 2009-08-31 03:30 -------- d-----w- c:\documents and settings\Nick\Local Settings\Application Data\Downloaded Installations
2009-08-31 03:30 . 2009-08-31 03:30 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-08-31 03:30 . 2009-08-31 03:30 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-08-31 03:30 . 2009-08-31 03:30 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-31 03:30 . 2009-08-31 03:30 -------- d-----w- c:\program files\Symantec
2009-08-31 03:30 . 2009-08-31 03:30 1290592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2009-08-31 03:30 . 2009-08-31 03:30 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2009-08-31 03:30 . 2009-08-31 03:30 796016 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2009-08-31 03:29 . 2009-08-31 03:29 -------- d-----w- c:\windows\system32\drivers\N360
2009-08-31 03:29 . 2009-08-31 03:30 -------- d-----w- c:\program files\Norton 360
2009-08-31 03:29 . 2009-08-31 03:29 -------- d-----w- c:\program files\Windows Sidebar
2009-08-31 03:17 . 2009-08-31 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2009-08-31 03:17 . 2009-08-31 03:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-31 03:17 . 2009-08-31 03:29 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-31 03:17 . 2009-08-31 03:17 -------- d-----w- c:\program files\NortonInstaller
2009-08-31 03:15 . 2009-08-31 03:15 -------- d-----w- c:\documents and settings\All Users\Symantec Temporary Files
2009-08-31 00:41 . 2009-08-31 00:41 -------- d-----w- c:\documents and settings\Nick\Application Data\Mp3tag
2009-08-31 00:39 . 2009-08-31 00:39 -------- d-----w- c:\program files\Mp3tag
2009-08-31 00:10 . 2009-08-31 00:33 -------- d-----w- c:\program files\Magic MP3 Tagger
2009-08-30 23:34 . 2008-03-21 20:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2009-08-30 23:33 . 2009-08-30 23:36 -------- d-----w- c:\program files\Zune
2009-08-30 23:31 . 2008-05-02 13:25 465920 ------w- c:\windows\system32\imapi2fs.dll
2009-08-30 23:31 . 2008-05-02 13:25 465920 ------w- c:\windows\system32\dllcache\imapi2fs.dll
2009-08-30 23:31 . 2008-05-02 13:25 317952 ------w- c:\windows\system32\imapi2.dll
2009-08-30 23:31 . 2008-05-02 13:25 317952 ------w- c:\windows\system32\dllcache\imapi2.dll
2009-08-30 23:31 . 2008-05-02 10:49 62976 ------w- c:\windows\system32\dllcache\cdrom.sys
2009-08-29 02:41 . 2009-08-29 02:41 91663 ----a-w- c:\documents and settings\Nick\Application Data\Dropbox\bin\Uninstall.exe
2009-08-29 02:41 . 2009-04-01 08:15 499712 ----a-w- c:\documents and settings\Nick\Application Data\Dropbox\bin\msvcp71.dll
2009-08-29 02:41 . 2009-04-01 08:15 348160 ----a-w- c:\documents and settings\Nick\Application Data\Dropbox\bin\msvcr71.dll
2009-08-29 02:41 . 2009-08-28 03:27 26784939 ----a-w- c:\documents and settings\Nick\Application Data\Dropbox\bin\Dropbox.exe
2009-08-29 02:41 . 2009-04-29 20:12 2121728 ----a-w- c:\documents and settings\Nick\Application Data\Dropbox\bin\Python25.dll
2009-08-29 02:41 . 2009-08-29 02:41 14623184 ----a-w- c:\documents and settings\Nick\Application Data\Dropbox\cache\Dropbox-update-0.6.556.exe
2009-08-19 18:47 . 2009-08-19 20:44 -------- d-----w- c:\program files\myfantasyleague
2009-08-12 05:01 . 2009-09-01 02:48 -------- d-----w- c:\windows\ServicePackFiles
2009-08-11 21:58 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-11 21:58 . 2009-06-10 16:19 2066432 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-08-10 05:07 . 2009-08-10 05:07 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-10 05:07 . 2009-08-10 05:07 -------- d-----w- c:\program files\Reference Assemblies
2009-08-10 05:06 . 2009-08-10 05:06 -------- d-----w- C:\c86e64760980027590
2009-08-10 05:06 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-10 05:06 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-10 05:06 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-10 05:06 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-10 05:06 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-10 05:06 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-10 05:06 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-10 05:06 . 2009-08-10 05:19 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-03 22:07 . 2009-08-03 22:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 22:07 . 2009-08-03 22:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 22:07 . 2009-08-03 22:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-02 03:59 . 2009-07-24 05:05 -------- d-----w- c:\documents and settings\Nick\Application Data\Dropbox
2009-09-01 17:21 . 2009-07-02 06:40 56532 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-01 04:13 . 2008-04-03 21:09 69232 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-01 04:06 . 2008-04-10 14:13 69232 ----a-w- c:\documents and settings\Nick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-01 03:54 . 2008-04-03 21:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-01 03:51 . 2008-09-09 18:35 -------- d-----w- c:\program files\Microsoft Works
2009-09-01 02:55 . 2006-04-30 07:12 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-08-31 09:31 . 2008-04-03 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-31 07:19 . 2008-04-03 20:45 -------- d-----w- c:\program files\Java
2009-08-31 05:41 . 2008-07-09 20:57 -------- d-----w- c:\documents and settings\Nick\Application Data\Image Zone Express
2009-08-31 03:46 . 2008-04-03 20:59 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-31 03:30 . 2009-08-31 03:30 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-31 03:30 . 2009-08-31 03:30 7386 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-31 00:24 . 2009-08-31 00:24 0 ---ha-w- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-08-31 00:24 . 2009-08-31 00:24 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-08-31 00:23 . 2009-08-31 00:23 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-08-30 23:35 . 2009-08-30 23:35 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2009-08-30 23:35 . 2009-08-30 23:35 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-08-29 08:45 . 2008-05-05 02:02 -------- d-----w- c:\program files\Digsby
2009-08-19 16:10 . 2008-05-05 02:05 -------- d-----w- c:\documents and settings\Nick\Application Data\Digsby
2009-08-10 05:07 . 2008-09-09 18:35 -------- d-----w- c:\program files\MSBuild
2009-08-05 09:01 . 2006-04-30 06:55 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 14:16 . 2008-08-11 15:49 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-25 12:23 . 2009-01-18 20:33 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2006-04-30 06:55 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2006-04-30 06:56 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 19:34 . 2009-07-11 19:34 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSXpx86.sys
2009-07-11 19:34 . 2009-07-11 19:34 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys
2009-07-11 19:34 . 2009-07-11 19:34 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll
2009-07-11 19:34 . 2009-07-11 19:34 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.dll
2009-07-11 19:34 . 2009-07-11 19:34 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSviA64.sys
2009-07-03 17:09 . 2006-04-30 06:56 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-27 03:02 . 2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Nick\Application Data\Dropbox\bin\DropboxExt.3.dll
2009-06-25 18:36 . 2006-04-30 06:55 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2006-04-30 06:55 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2006-04-30 06:55 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2006-04-30 06:55 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2006-04-30 06:55 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2006-04-30 06:55 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2006-04-30 06:55 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2006-04-30 06:55 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2006-04-30 06:55 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2006-04-30 06:55 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2006-04-30 06:55 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2006-04-30 06:55 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 08:25 . 2006-04-30 06:56 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2006-04-30 06:55 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2006-04-30 06:55 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2006-04-30 06:55 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2006-04-30 06:55 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2006-04-30 06:55 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2006-04-30 06:55 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-22 11:49 . 2006-04-30 06:55 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2006-04-30 06:55 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2006-04-30 06:55 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2006-04-30 06:55 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-16 14:36 . 2006-04-30 06:56 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2006-04-30 06:55 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2006-04-30 06:56 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2006-04-30 06:55 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-12 02:52 . 2009-06-09 01:24 25 ----a-w- c:\windows\popcinfot.dat
2009-06-10 16:19 . 2006-04-30 07:09 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2006-04-30 06:55 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2006-04-30 06:56 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Nick\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Nick\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Nick\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-12-06 200704]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-12-06 208896]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2007-07-05 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-05 512000]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2007-11-29 59168]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2007-03-28 243248]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 1015808]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-10 8495104]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-10 81920]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-11-07 91688]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-04-26 120368]
"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2007-02-01 419376]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 196696]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2007-07-05 126976]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2007-08-03 2630968]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-12-12 157312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2007-11-22 181536]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-10 1626112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]

c:\documents and settings\Nick\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Nick\Application Data\Dropbox\bin\Dropbox.exe [2009-8-28 26784939]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-4-3 50688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-15 05:17 89600 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 07:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 02:06 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2007-07-05 21:52 32768 ----a-w- c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Digsby\\lib\\digsby-app.exe"=
"c:\\Documents and Settings\\Nick\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56097:TCP"= 56097:TCP:PandoRest Listening Port

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/31/2009 12:26 AM 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/31/2009 6:12 PM 130936]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\ApsX86.sys [10/16/2007 6:33 PM 103472]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0300000.087\SymEFA.sys [8/30/2009 8:30 PM 310320]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [10/16/2007 6:32 PM 19504]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0300000.087\BHDrvx86.sys [8/30/2009 8:30 PM 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0300000.087\cchpx86.sys [8/30/2009 8:30 PM 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSXpx86.sys [8/30/2009 9:32 PM 276344]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [4/3/2008 1:34 PM 4442]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [1/11/2008 3:50 PM 30312]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 7:49 AM 1029456]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe [8/30/2009 8:30 PM 115560]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys [3/14/2007 10:10 PM 11152]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2/8/2007 1:11 PM 569344]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/30/2009 8:44 PM 102448]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [5/22/2007 3:59 PM 30336]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/2008 10:31 PM 29263712]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [8/31/2009 6:12 PM 348752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-08-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]

2009-09-02 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 22:54]

2009-09-02 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-04-03 16:22]

2009-09-02 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.espn.go.com/
uInternet Settings,ProxyOverride = *.local
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
DPF: {DAF7E6E7-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
FF - ProfilePath - c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\gjbmz6ac.default\
FF - prefs.js: browser.search.selectedEngine - IMDB
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\gjbmz6ac.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Opera\program\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-01 20:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.0.0.135\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1242826438-80370768-1588662702-1008\Software\SecuROM\License information*]
"datasecu"=hex:ea,ff,b1,eb,2f,64,5d,ee,75,78,8a,cb,6e,0c,50,de,7b,35,25,c9,45,
5f,b2,40,66,73,aa,c9,f8,c1,63,4e,48,07,3d,d5,0f,b4,da,66,f2,24,ca,ca,8d,81,\
"rkeysecu"=hex:8b,84,b0,98,87,f4,70,61,51,67,e2,e9,5f,8d,c5,82
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1884)
c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\program files\ThinkVantage Fingerprint Software\pscssint.dll
c:\program files\ThinkVantage Fingerprint Software\crypto.dll

- - - - - - - > 'lsass.exe'(1940)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\windows\system32\WININET.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll

- - - - - - - > 'explorer.exe'(5064)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\program files\Lenovo\Client Security Solution\tvtpwm_windows_hook.dll
c:\program files\Lenovo\Client Security Solution\tvt_passwordmanager.dll
c:\program files\Lenovo\Client Security Solution\css_banner.dll
c:\program files\Lenovo\Client Security Solution\csswait.dll
c:\windows\system32\cssuserdatadispatcher.dll
c:\program files\Lenovo\Client Security Solution\css_dlgcustompolicy.dll
c:\windows\system32\tvttsp.dll
c:\windows\system32\tcsrpc.dll
c:\program files\Common Files\Lenovo\tvt_think_res.dll
c:\program files\Lenovo\Client Security Solution\css_think_res.dll
c:\documents and settings\Nick\Application Data\Dropbox\bin\DropboxExt.3.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TPHDEXLG.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe
c:\windows\system32\searchindexer.exe
c:\program files\Common Files\Lenovo\Logger\logmon.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\ZOOM\TpScrex.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\Lenovo\Client Security Solution\tvtpwm_tray.exe
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-09-02 21:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-02 04:02

Pre-Run: 32,168,505,344 bytes free
Post-Run: 32,007,360,512 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
482 --- E O F --- 2009-09-01 04:35
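
A small triage helper for ComboFix logs like the one posted above, added here as an example; it is not part of the thread or of any tool the thread mentions. It parses the service/driver lines and the Winlogon Notify, LSA Notification Packages and Security Center entries into a review list; the embedded sample log, the seven-day cutoff and the `scecli` default are assumptions of the example.

```python
import re
from datetime import datetime

# Constructed sample in ComboFix's own line layout; the values are copied
# from the log posted above so the output can be compared with it.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-03-15 05:17 89600 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina psqlpwd

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/31/2009 12:26 AM 64160]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0300000.087\SymEFA.sys [8/30/2009 8:30 PM 310320]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe [8/30/2009 8:30 PM 115560]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [8/31/2009 6:12 PM 348752]
"""

# Service line: "<start> <name>;<display name>;<path> [<m/d/yyyy h:mm AM/PM> <size>]".
# R0/R1 are boot- and system-start drivers, R2/R3 running services, S* stopped ones.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) "
    r"\[(?P<date>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) (?P<size>\d+)\]$")
# File line under a registry key: "<yyyy-mm-dd> <hh:mm> <size> <attributes> <path>".
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} +\d+ +\S+ +(?P<path>.+)$")
DEFAULT_LSA_PACKAGES = {"scecli"}  # assumption: only Windows' stock entry is ignored


def parse_services(text):
    """Return one dict per service/driver line with a parsed date and size."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            svc = m.groupdict()
            svc["date"] = datetime.strptime(svc["date"], "%m/%d/%Y %I:%M %p")
            svc["size"] = int(svc["size"])
            services.append(svc)
    return services


def triage(text, log_date, recent_days=7):
    """Collect (kind, name, detail) review items from the autostart points a
    helper checks first.  Every item is something to look at, not a verdict:
    all hits in the sample belong to legitimate Lenovo, Symantec and Lavasoft
    components, which is exactly why they are listed for a human to confirm."""
    findings = []
    for svc in parse_services(text):
        if svc["start"] in ("R0", "R1") and (log_date - svc["date"]).days <= recent_days:
            findings.append(("recent-kernel-driver", svc["name"], svc["path"]))
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # registry key the following lines belong to
            continue
        lkey = key.lower()
        if "\\winlogon\\notify\\" in lkey:
            m = FILE_RE.match(line)   # DLL loaded into winlogon.exe at logon events
            if m:
                findings.append(("winlogon-notify", key.rsplit("\\", 1)[1], m.group("path")))
        elif lkey.endswith("\\control\\lsa") and line.startswith("Notification Packages"):
            for pkg in line.split()[3:]:  # password-filter DLLs loaded by lsass.exe
                if pkg.lower() not in DEFAULT_LSA_PACKAGES:
                    findings.append(("lsa-notification-package", pkg, key))
        elif "security center\\monitoring" in lkey and \
                line.lower() == '"disablemonitoring"=dword:00000001':
            findings.append(("security-center-monitoring-disabled", key.rsplit("\\", 1)[1], key))
    return findings


def triage_sample():
    """Run the triage over the constructed sample with the posted log's date."""
    return triage(SAMPLE_LOG, datetime(2009, 9, 1))


if __name__ == "__main__":
    for kind, name, detail in triage_sample():
        print(f"{kind:36} {name:18} {detail}")
```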

#5 Transience

  • Group: Retired Staff
  • Posts: 2,448
  • Joined: 11-July 07

Posted 02 September 2009 - 01:09 PM

CF log looks good let's run some final checks.

First we'll clean out your unnecessary temp files to speed up the scans:

1. TFC
  • Please download TFC to your desktop.
  • Save any work, then close all open windows.
  • Double-click TFC to run it, and allow the process to complete, which should not take more than a couple minutes.
  • You may or may not be prompted to reboot; if you are, click "Yes" and allow the computer to reboot.
  • Close TFC when it has completed.
2. Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware from here.

Double-click (Vista users please right-click Run as Administrator) on mbam-setup.exe to install the program.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware at the end of setup, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Full Scan, then click Scan.
  • The scan is different from the quick scan and will take a fairly long time to finish (you can leave it to run and go do something else), please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab.
  • Copy & Paste the entire report in your next reply.
3. Kaspersky Online Scan

Kaspersky online scanner uses Java technology to perform the scan. Because your Java is out of date, we need to update it first so that the scan will run without issues.

Update Java

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts. A log will appear (JavaRa.log), DO NOT post this log, I have no need for it.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
Scan
  • Follow this link to the Kaspersky WebScanner
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases

  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
So post back with the logs from MBAM and Kaspersky when you have them and give me an update on how the PC is running, and we should have you on your way :).

- Dave

#6 bort8

  • Group: Member
  • Posts: 4
  • Joined: 01-September 09

Posted 04 September 2009 - 02:48 AM

Awesome!

Here's the MWB:
Malwarebytes' Anti-Malware 1.40
Database version: 2720
Windows 5.1.2600 Service Pack 3

9/3/2009 6:48:05 PM
mbam-log-2009-09-03 (18-48-05).txt

Scan type: Full Scan (C:\|)
Objects scanned: 256225
Time elapsed: 1 hour(s), 52 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

And the Kaspersky:

Friday, September 4, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, September 04, 2009 04:14:03
Records in database: 2744451
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area My Computer
C:\
D:\
Scan statistics
Objects scanned 139087
Threats found 0
Infected objects found 0
Suspicious objects found 0
Scan duration 03:04:37

No threats found. Scanned area is clean.
Selected area has been scanned.


It's looking clean and running pretty well. Let me know! Thank you sooooooo much!

#7 Transience

  • Group: Retired Staff
  • Posts: 2,448
  • Joined: 11-July 07

Posted 04 September 2009 - 04:55 PM

Congratulations! Your logs are clean :)

We have a couple last things to take care of and then you're good to go.

Uninstall ComboFix from your computer:
  • Click on Start > Run
  • Type Combofix /u in the run box and click Ok. Note the space between the x and the /u, it needs to be there.

Over the course of the fix you've used a variety of special tools to help with the cleaning process - none of these are of any use to you now that you're clean, and it's best not to have them hanging around on your computer. OTC is a small program that removes all the leftover tools and logs from cleanup of malware.

Please download OTC to your desktop.
  • Double-click OTC to run it. (Vista users, please right click on OTC and select "Run as an Administrator")
  • Click on the CleanUp! button and follow the prompts.
  • You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
  • After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Here are some tips to reduce the potential for malware infection in the future; I strongly recommend that you read them and take them to heart so that you don't have to endure the process of cleaning your computer again.

Make proper use of your antivirus and firewall

Antivirus and Firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware, and if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features; make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

You should keep your antivirus and firewall guard enabled at all times; don't shut them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure you're still clean. Once a week works well for many people. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

If you don't have a firewall, some great free options you can test out are: Online Armor, Outpost, and Sunbelt. I'd highly recommend that you install one of those. If you do decide to use a 3rd party firewall program, please be sure to disable the Windows firewall as per these instructions so they don't conflict:
  • Please click on Start -> Control Panel
  • Double click Windows Firewall
  • Click Change Settings
  • Choose Off to disable Windows Firewall.
Finally, for a great tutorial on how to get the best protection out of your firewall, take a look at this guide.

Use a safer web browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives: Firefox, Opera, and Google Chrome. All of these are excellent: faster, safer, more powerful and more functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial here which will help you to make IE much safer.

These browser add-ons will help to make your browser safer:

Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones: Green to go, Yellow for caution, and Red to stop. Available for Firefox and Internet Explorer.

NoScript helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing. Available for Firefox only.

These are just a couple of the most popular add-ons, if you're interested in more, take a look at this article.

Exercise common sense

Having security programs installed is very helpful to you, but none of them have the gift of human thought. The best way to make sure you don't get infected is to look before you leap. Be careful of what websites you visit - if a site looks suspicious, trust your instincts and get out of there. Be careful of what attachments you open in emails and files you download from websites - check them over carefully and look at the file extensions to make sure that you know what you're getting. Using peer-to-peer file sharing programs or downloading cracks and keygens is something else to avoid - the files you will be downloading are infected in the vast majority of cases, and the benefits simply aren't worth the risk to your computer.

Keep up on Windows updates

Along with keeping all of the security programs that you choose to use updated, it is also important to keep up on system updates from Microsoft, as these patch critical security vulnerabilities and help to keep you safe. Typically the Windows Update icon will appear in your taskbar when new updates are available; whenever you see it you should open the menu up and install the updates that are available. Although it may be an annoyance, that little bit of extra time it takes to stay updated is very well worth it instead of getting infected from an exploit and having to clean your PC again.

Slow computer?

If your computer begins to slow down again in the future for no particular reason, your first step should not be to come back to the malware forum. As your computer ages and is used, its parts wear, files and programs accumulate, and its performance speed can decrease. To restore your computer's performance to its best possible level, follow the steps in this guide written by tech expert Artellos.

I'll leave this thread open for a couple days in case you come across any lingering problems that need fixing, then I'll close it up. If you need it reopened for any reason just shoot me a PM. It's been a pleasure working with you, now best of luck!

Cheers,
Dave

#8 Transience

  • Group: Retired Staff
  • Posts: 2,448
  • Joined: 11-July 07

Posted 06 September 2009 - 06:57 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
