
Hidden Drivers / Rootkit - Post Virus Removal

5035 Views 0 Replies 1 Participant Last post by  DemonEyesBob
Hello.

I recently found the virus 17pholmes1535

and Spybot found and tried to remove:

zlob.downloader.vdt
Virtuomonde.dll
trojandownloader.win32.small

Obviously, since two of the above pieces of software work by downloading even more viruses/trojans/malware, I'm unsure if I managed to remove everything. I've run AVG Free version, which found and removed two or three more trojans, and now the AVG rootkit detector has found a driver hidden in the system32\drivers folder that is invisible to the regular Win32 API, changes names after every reboot, and causes Windows to give the excuse "need permission to do that" when creating a file of the same name in the system32\drivers folder to test if it is there.

The previous name of the driver was a6bgdov3.SYS
and the name this startup is aps7pdl2.SYS

I'm taking a small leap by assuming they are the same driver with different names, because the rootkit finder did not find the first one on the second check, but it found aps7pdl2.SYS instead.

I was unable to run the Panda scan with either Firefox or IE; the popup remained blank no matter what popup-blocking settings I chose (I disabled blocking, obviously).

Here is the DSS scan.

Deckard's System Scanner v20071014.68
Run by tayloj8 on 2008-03-26 17:42:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as tayloj8.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:44:54 PM, on 3/26/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Windows\System32\TpShocks.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Downloads\dss.exe
C:\Windows\system32\SearchFilterHost.exe
C:\DOWNLO~1\tayloj8.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7000D2A9-99E1-4F80-960E-F21AD2F70C0B} - C:\Windows\system32\sockinet.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [IaNvSrv] C:\Program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Program Files\Free Download Manager\FUM\fumiebtn.dll
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: AfsLogon - C:\Windows\SYSTEM32\afslogon.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O21 - SSODL: Biohost - {B8DE2930-3D4E-46E0-AB7A-911E696CA562} - C:\Windows\system32\raswsock.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: CYGWIN cygserver (cygserver) - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\Windows\system32\IPSSVC.EXE
O23 - Service: O&O Defrag - O&O Software GmbH - C:\Windows\system32\oodag.exe
O23 - Service: OpcEnum - Unknown owner - C:\Windows\system32\OpcEnum.exe (file missing)
O23 - Service: OpenCASE Media Agent - ExtendMedia Inc. - C:\Program Files\OpenCASE\OpenCASE Media Agent\MediaAgent.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - C:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: OpenAFS Client Service (TransarcAFSDaemon) - OpenAFS Project - C:\Program Files\OpenAFS\Client\Program\afsd_service.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: WJTHJ - Unknown owner - C:\Users\tayloj8\AppData\Local\Temp\WJTHJ.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11991 bytes

-- File Associations -----------------------------------------------------------

.scr - unable to read key


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 CrackTcpip (Crack Tcpip) - c:\windows\system32\drivers\cracktcpip.sys
R2 cvintdrv - c:\windows\system32\drivers\cvintdrv.sys

S3 TVICHW32 - \??\c:\windows\system32\drivers\tvichw32.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 AsiServer (Automated Software Installer Server) - c:\asi\asiserver\asiserver.exe <Not Verified; Microsoft; WTT>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 RegSrvc (Intel(R) PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel(R) PROSet/Wireless Registry Service>
R2 SUService (System Update) - "c:\program files\lenovo\system update\suservice.exe" <Not Verified; Lenovo Group Limited; ThinkVantage System Update Service>
R2 TVT Scheduler - "c:\program files\common files\lenovo\scheduler\tvtsched.exe" <Not Verified; Lenovo Group Limited; tvtsched Module>

S3 cygserver (CYGWIN cygserver) - c:\cygwin\bin\cygrunsrv.exe
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 OpcEnum - c:\windows\system32\opcenum.exe (file missing)
S3 WJTHJ - c:\users\tayloj8\appdata\local\temp\wjthj.exe (file missing)
S4 MSSQL$MSSMLBIZ (SQL Server (MSSMLBIZ)) - "c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe" -smssmlbiz (file missing)
S4 MSSQL$SQLEXPRESS (SQL Server (SQLEXPRESS)) - "c:\program files\microsoft sql server\mssql.2\mssql\binn\sqlservr.exe" -ssqlexpress (file missing)
S4 MSSQLServerADHelper (SQL Server Active Directory Helper) - "c:\program files\microsoft sql server\90\shared\sqladhlp90.exe" (file missing)
S4 SQLBrowser (SQL Server Browser) - "c:\program files\microsoft sql server\90\shared\sqlbrowser.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA


-- Files created between 2008-02-26 and 2008-03-26 -----------------------------

2008-03-26 16:57:41 0 d-------- C:\Program Files\Trend Micro
2008-03-25 19:37:48 0 --a------ C:\Windows\system32\MDX
2008-03-25 18:50:32 0 d-------- C:\Program Files\Digital Line Detect
2008-03-25 18:50:20 0 d-------- C:\Program Files\NetWaiting
2008-03-25 07:55:59 0 dr-h----- C:\$VAULT$.AVG
2008-03-25 07:30:04 9565 --ahs---- C:\Windows\system32\wwyay.ini2
2008-03-25 05:06:26 0 d-------- C:\Program Files\IMMonitor
2008-03-25 04:56:40 1519616 --a------ C:\Windows\system32\mxpvct25.dat <Not Verified; Chilkat Software, Inc.; Chilkat Mail>
2008-03-25 04:28:46 0 d-------- C:\Program Files\Cisco
2008-03-25 03:49:50 229376 --a------ C:\Windows\system32\BtwRSupport.dll <Not Verified; Broadcom Corporation.; Bluetooth Software>
2008-03-25 03:49:45 0 d-------- C:\Windows\system32\es-MX
2008-03-25 03:49:45 0 d-------- C:\Windows\system32\es-AR
2008-03-25 00:16:59 23600 --a------ C:\Windows\system32\drivers\TVICHW32.SYS <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
2008-03-25 00:16:58 1532 --a------ C:\Windows\mozver.dat
2008-03-24 19:07:13 27992 --a----c- C:\Users\tayloj8\RouterConfigBackup.bin
2008-03-21 23:56:31 0 d-------- C:\ToBurn
2008-03-20 22:47:03 152576 --a------ C:\Windows\system32\SPWizUI.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-20 22:29:35 0 d-------- C:\Windows\system32\vgaman
2008-03-20 22:29:35 806912 --a------ C:\Windows\system32\sockinet.dll
2008-03-20 22:29:35 806912 --a------ C:\Windows\system32\raswsock.dll
2008-03-20 22:29:35 147456 --a------ C:\Windows\system32\monmac.dll
2008-03-20 22:29:35 139828 --a------ C:\Windows\system32\hostdhcp32.dll
2008-03-20 22:29:35 1996 --a------ C:\Windows\system32\decigexc32.dll
2008-03-20 21:48:15 0 d-------- C:\Program Files\MSECache
2008-03-12 04:43:47 0 d-------- C:\IN5
2008-03-11 13:55:25 0 d------c- C:\Program Files\odbg110
2008-03-09 13:14:43 0 d------c- C:\Test_Code
2008-03-04 15:59:27 0 d-------- C:\Program Files\iPod
2008-03-04 15:58:26 0 d-------- C:\Program Files\Bonjour
2008-03-04 15:57:43 0 d-------- C:\Program Files\QuickTime
2008-03-04 15:48:47 0 d-------- C:\Program Files\Cygnus FREE EDITION
2008-03-04 00:05:32 0 d-------- C:\Program Files\PuTTY
2008-03-03 21:17:06 0 d-------- C:\Program Files\rec22
2008-03-03 18:39:20 7882 --a------ C:\Windows\system32\GTKCMOS.sys <Not Verified; Gteko Ltd.; Gteko Diagnostics>
2008-03-03 18:39:20 5120 --a------ C:\Windows\system32\GTKCMO64.sys <Not Verified; Gteko Ltd.; Gteko Diagnostics>
2008-03-03 18:39:20 7626 --a------ C:\Windows\system32\GPCIEnum.sys <Not Verified; Gteko Ltd.; Gteko Diagnostics>
2008-03-03 18:39:20 5632 --a------ C:\Windows\system32\GPCIEn64.sys <Not Verified; Gteko Ltd.; Gteko Diagnostics>
2008-03-03 18:39:20 1900681 --a------ C:\Windows\system32\gdql_ls.dll <Not Verified; Gteko Ltd.; QDiagLib Module>
2008-03-03 18:39:20 7168 --a------ C:\Windows\system32\DLPT64.sys <Not Verified; Gteko Ltd.; QDiag>
2008-03-03 18:39:20 4608 --a------ C:\Windows\system32\DDMI64.sys <Not Verified; Gteko Ltd.; DDMI>
2008-03-03 18:26:27 0 d-------- C:\Program Files\Microsoft Silverlight


-- Find3M Report ---------------------------------------------------------------

2008-03-26 17:04:17 0 d------c- C:\Users\tayloj8\AppData\Roaming\uTorrent
2008-03-26 16:39:31 12 --a------ C:\Windows\bthservsdp.dat
2008-03-26 08:00:03 0 d------c- C:\Users\tayloj8\AppData\Roaming\AVG7
2008-03-25 06:21:38 0 d-------- C:\Program Files\Google
2008-03-25 06:16:58 4224 --a----c- C:\Users\tayloj8\AppData\Roaming\.googlewebacchosts
2008-03-25 05:06:41 0 d-------- C:\Program Files\WinPcap
2008-03-25 04:56:28 0 d------c- C:\Users\tayloj8\AppData\Roaming\Download Manager
2008-03-25 04:46:59 0 d-------- C:\Program Files\Lenovo
2008-03-25 04:46:23 0 d-------- C:\Program Files\Analog Devices
2008-03-25 03:58:03 0 d------c- C:\Users\tayloj8\AppData\Roaming\Lenovo
2008-03-25 03:50:48 0 d-------- C:\Program Files\ThinkVantage
2008-03-25 03:50:48 0 d--h---c- C:\Program Files\InstallShield Installation Information
2008-03-25 03:46:44 0 d-------- C:\Program Files\PCDR5
2008-03-25 03:11:15 0 d-------- C:\Program Files\Common Files\Lenovo
2008-03-24 19:45:12 0 d-------- C:\Program Files\BOINC
2008-03-24 19:21:31 0 d-------- C:\Program Files\Java
2008-03-24 19:14:49 0 d--h---c- C:\Users\tayloj8\AppData\Roaming\GTek
2008-03-24 19:13:34 0 d-------- C:\Program Files\Easy Duplicate Finder
2008-03-24 17:07:23 0 d-------- C:\Program Files\Common Files\PGP Corporation
2008-03-22 22:43:23 80319 --a----c- C:\Users\tayloj8\AppData\Roaming\PyScripter.ini
2008-03-22 16:47:15 0 d------c- C:\Users\tayloj8\AppData\Roaming\Mozilla
2008-03-20 23:16:51 174 --ahs---- C:\Program Files\desktop.ini
2008-03-20 23:07:20 0 d-------- C:\Program Files\Windows Sidebar
2008-03-20 23:07:20 0 d-------- C:\Program Files\Windows Calendar
2008-03-20 23:07:19 0 d-------- C:\Program Files\Windows Mail
2008-03-20 23:07:19 0 d-------- C:\Program Files\Windows Collaboration
2008-03-20 23:07:19 0 d-------- C:\Program Files\Movie Maker
2008-03-20 23:07:18 0 d-------- C:\Program Files\Windows Photo Gallery
2008-03-20 23:07:18 0 d-------- C:\Program Files\Windows Journal
2008-03-20 23:07:17 0 d-------- C:\Program Files\Windows Defender
2008-03-20 22:04:13 0 d------c- C:\Users\tayloj8\AppData\Roaming\Free Download Manager
2008-03-20 21:21:06 0 d------c- C:\Users\tayloj8\AppData\Roaming\Orbit
2008-03-20 18:24:04 0 d-------- C:\Program Files\emule0.48a-Xtreme6.1
2008-03-14 22:09:56 0 d-------- C:\Program Files\PyScripter
2008-03-13 00:56:07 0 d------c- C:\Users\tayloj8\AppData\Roaming\mIRC
2008-03-13 00:54:27 0 d-------- C:\Program Files\mIRC
2008-03-11 16:32:36 0 d-------- C:\Program Files\uTorrent
2008-03-11 14:00:48 0 d------c- C:\Users\tayloj8\AppData\Roaming\PE Explorer
2008-03-09 11:11:46 0 d------c- C:\Users\tayloj8\AppData\Roaming\OpenOffice.org2
2008-03-05 13:07:41 0 d-------- C:\Program Files\National Instruments
2008-03-05 13:07:02 0 d-------- C:\Program Files\Common Files\Merge Modules
2008-03-04 15:59:31 0 d-------- C:\Program Files\iTunes
2008-03-04 15:48:27 0 d------c- C:\Users\tayloj8\AppData\Roaming\Notepad++
2008-03-04 15:43:11 0 d-------- C:\Program Files\DAEMON Tools
2008-02-28 17:33:48 0 d-------- C:\Program Files\Orbitdownloader
2008-02-27 16:31:11 97153 --a----c- C:\Users\tayloj8\AppData\Roaming\nvModes.001
2008-02-19 07:06:53 0 d-------- C:\Program Files\ImgBurn
2008-02-17 22:51:41 0 d------c- C:\Users\tayloj8\AppData\Roaming\Talkback
2008-02-17 14:54:24 0 d-------- C:\Program Files\NBC Direct
2008-02-17 14:52:46 0 d-------- C:\Program Files\OpenCASE
2008-02-13 16:50:16 0 d-------- C:\Program Files\wxCRP
2008-02-09 23:07:56 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-05 05:41:34 0 d------c- C:\Program Files\StepMania
2008-02-04 08:49:33 0 d-------- C:\Program Files\Blaze Media Pro
2008-01-30 00:12:03 0 d------c- C:\Users\tayloj8\AppData\Roaming\Amazon
2008-01-29 23:29:03 0 d-------- C:\Program Files\Amazon
2008-01-21 00:31:29 7383842 --a------ C:\Program Files\DialogBlocks-4.21-Setup.exe
2008-01-20 22:19:11 4924327 --a------ C:\Program Files\CB_20080117_rev4830_win32.7z
2008-01-14 15:54:29 180232 --ah----- C:\Windows\system32\mlfcache.dat
2008-01-04 15:13:58 73728 --a------ C:\Windows\system32\DEVMAN.DLL <Not Verified; ; DEVMAN.DLL>
2008-01-03 16:10:28 253284 --a------ C:\Windows\system32\PGPlspRollback.reg


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7000D2A9-99E1-4F80-960E-F21AD2F70C0B}]
01/18/2008 11:34 PM 806912 --a------ C:\Windows\system32\sockinet.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cssauth"="C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" [08/08/2007 05:53 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/21/2007 06:08 PM]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [01/01/2007 05:22 PM]
"TPHOTKEY"="C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe" [01/24/2008 10:21 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 02:10 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"TVT Scheduler Proxy"="C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [03/04/2008 10:34 AM]
"IaNvSrv"="C:\Program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe" [10/24/2007 10:02 AM]
"LPManager"="C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe" [01/11/2008 02:21 AM]
"TpShocks"="TpShocks.exe" [11/22/2007 03:09 PM C:\Windows\System32\TpShocks.exe]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [12/07/2007 10:13 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [03/25/2008 07:46 AM]
"AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [11/07/2006 07:51 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [01/18/2008 11:33 PM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe [12/15/2007 6:06:34 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)
"DisableCAD"=1 (0x1)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}"= C:\Windows\system32\urqpmml.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Biohost"= {B8DE2930-3D4E-46E0-AB7A-911E696CA562} - C:\Windows\system32\raswsock.dll [01/18/2008 11:34 PM 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AfsLogon]
afslogon.dll 05/17/2007 02:36 PM 87664 C:\Windows\System32\afslogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 03/25/2008 07:44 AM 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\Windows\system32\psqlpwd.dll 08/14/2007 03:54 PM 89600 C:\Windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli ACGina psqlpwd
"Authentication Packages"= msv1_0 C:\Windows\system32\yayww.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\Windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\Windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\Windows\pss\Digital Line Detect.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^VPN Client.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk
backup=C:\Windows\pss\VPN Client.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTray]
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACWLIcon]
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
"C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AwaySch]
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
C:\Windows\ehome\ehTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IaNvSrv]
C:\Program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LenovoOobeOffers]
c:\SWTOOLS\LenovoWelcome\LenovoOobeOffers.exe /filePath="c:\swshare\firstrun.txt"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
C:\Windows\system32\oodtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWMTRV]
rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKMAPHELPER]
C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TpShocks]
TpShocks.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
"C:\Program Files\Unlocker\UnlockerAssistant.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
bthsvcs BthServ
AxInstSVGroup AxInstSV
iissvcs w3svc was
apphost apphostsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b3af8c9-a4ed-11dc-afdf-001c25107969}]
AutoRun\command- G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4376f2e-e3d4-11dc-92c2-f48f37e410c5}]
AutoRun\command- F:\JDSecure\Windows\JDSecure20.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- Hosts -----------------------------------------------------------------------

10.254.254.253 AFS
127.0.0.1 hityou.com
127.0.0.1 www.hityou.com
127.0.0.1 180searchassistant.com
127.0.0.1 www.180searchassistant.com
127.0.0.1 180solutions.com
127.0.0.1 www.180solutions.com
127.0.0.1 bis.180solutions.com
127.0.0.1 config.180solutions.com
127.0.0.1 cts.180solutions.com

8083 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-03-26 17:48:54 ------------
