Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google redirect /website blocking virus?


  • This topic is locked This topic is locked
8 replies to this topic

#1 Weihao

Weihao

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:13 PM

Posted 24 November 2008 - 05:21 AM

Hi, it's my first post on this forum! I will thank you guys in advance! :thumbsup:

I picked up this virus when I searched for winrar in google and downloaded it from what I thought was www.download.com (it looks like the real site but it had a different url). After installing the download, both Windows Defender and my antivirus (McAfee VirusScan Enterprise 8.5i) informed me that it was a virus and was removed. Except that it wasn't!

The symptoms of the virus are when I try to access google it will always redirect me to a suspicious looking "Microsoft Security Center" telling me this:

Alert : Your computer have been attacked by spyware or viruses!
Please download AntiSpyware to fix.
Download AntiSpyware Now (Hyperlink)

(Although I've never clicked on the download link, it links to www.antispy.com)

Also, the virus appears to block certain popular web addresses including www.bbc.co.uk, www.amazon.com, www.facebook.com etc. Whenever I attempt to access these sites the page displayed showing "Bad Request (Invalid Hostname)". This affects both Firefox (my default browser) and Internet Explorer. Curiously, this blocking appear to only affect pagess with specific addresses e.g. I can access http://news.bbc.co.uk/ but not its home page.

I've performed full scan using Windows Defender and McAfee Antivirus, but they found nothing. I used Microsoft OneCare safety scanner online and it told me my pc has been infected by Trojan:Win32/Exhost, but it was unable to clean it. After creating a system restore point, I manually deleted two files detected by the scan, yet the problem persists.

Here are the RSIT reports:

Logfile of random's system information tool 1.04 (written by random/random)
Run by Weihao at 2008-11-24 09:38:50
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 75 GB (51%) free of 148 GB
Total RAM: 1519 MB (54% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:39:02, on 24/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Weihao\Desktop\RSIT.exe
C:\Program Files\Hijackthis\Weihao.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.meshcomputers.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.meshcomputers.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: 204.16.197.121 www.yahoo.com
O1 - Hosts: 204.16.197.121 www.google.com
O1 - Hosts: 204.16.197.121 www.myspace.com
O1 - Hosts: 204.16.197.121 www.youtube.com
O1 - Hosts: 204.16.197.121 www.facebook.com
O1 - Hosts: 204.16.197.121 www.live.com
O1 - Hosts: 204.16.197.121 www.msn.com
O1 - Hosts: 204.16.197.121 www.wikipedia.org
O1 - Hosts: 204.16.197.121 www.ebay.com
O1 - Hosts: 204.16.197.121 www.aol.com
O1 - Hosts: 204.16.197.121 www.craigslist.org
O1 - Hosts: 204.16.197.121 www.blogger.com
O1 - Hosts: 204.16.197.121 www.go.com
O1 - Hosts: 204.16.197.121 www.amazon.com
O1 - Hosts: 204.16.197.121 www.cnn.com
O1 - Hosts: 204.16.197.121 espn.go.com
O1 - Hosts: 204.16.197.121 www.espn.com
O1 - Hosts: 204.16.197.121 www.photobucket.com
O1 - Hosts: 204.16.197.121 www.comcast.net
O1 - Hosts: 204.16.197.121 www.imdb.com
O1 - Hosts: 204.16.197.121 www.wordpress.com
O1 - Hosts: 204.16.197.121 www.nytimes.com
O1 - Hosts: 204.16.197.121 www.weather.com
O1 - Hosts: 204.16.197.121 www.ask.com
O1 - Hosts: 204.16.197.121 www.aim.com
O1 - Hosts: 204.16.197.121 www.apple.com
O1 - Hosts: 204.16.197.121 www.mapquest.com
O1 - Hosts: 204.16.197.121 www.youporn.com
O1 - Hosts: 204.16.197.121 www.fastclick.com
O1 - Hosts: 204.16.197.121 www.pornhub.com
O1 - Hosts: 204.16.197.121 www.rapidshare.com
O1 - Hosts: 204.16.197.121 www.pogo.com
O1 - Hosts: 204.16.197.121 www.redtube.com
O1 - Hosts: 204.16.197.121 www.doubleclick.com
O1 - Hosts: 204.16.197.121 www.att.com
O1 - Hosts: 204.16.197.121 www.adobe.com
O1 - Hosts: 204.16.197.121 www.vnn.com
O1 - Hosts: 204.16.197.121 www.sportsline.com
O1 - Hosts: 204.16.197.121 www.netflix.com
O1 - Hosts: 204.16.197.121 www.dell.com
O1 - Hosts: 204.16.197.121 www.google.co.uk
O1 - Hosts: 204.16.197.121 www.bbc.co.uk
O1 - Hosts: 204.16.197.121 www.ebay.co.uk
O1 - Hosts: 204.16.197.121 www.bebo.com
O1 - Hosts: 204.16.197.121 www.amazon.co.uk
O1 - Hosts: 204.16.197.121 www.sky.com
O1 - Hosts: 204.16.197.121 www.virginmedia.com
O1 - Hosts: 204.16.197.121 www.aol.co.uk
O1 - Hosts: 204.16.197.121 www.hsbc.co.uk
O1 - Hosts: 204.16.197.121 www.antispyware.com
O1 - Hosts: 204.16.197.121 www.antispy.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

--
End of file - 11368 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-05-22 308856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll [2006-11-30 67136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-09-20 328752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll [2008-07-28 160496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Ptipbmf"=C:\WINDOWS\system32\ptipbmf.dll [2003-06-20 118784]
"High Definition Audio Property Page Shortcut"=C:\WINDOWS\system32\HDAShCut.exe [2004-10-27 61952]
"ShStatEXE"=C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE [2006-11-30 112216]
"McAfeeUpdaterUI"=C:\Program Files\McAfee\Common Framework\UdaterUI.exe [2006-11-17 136768]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2007-08-24 33648]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2005-05-20 925696]
"SoundMAX"=C:\Program Files\Analog Devices\SoundMAX\smax4.exe [2005-09-07 716800]
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2008-08-29 61440]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2006-10-18 204288]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2008-11-17 1805552]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
C:\Program Files\Kontiki\KHost.exe [2008-02-27 1032376]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WG111v2 Smart Wizard Wireless Setting.lnk]
C:\PROGRA~1\NETGEAR\WG111V~1\RtlWake.exe [2005-04-15 745472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-07-23 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2008-10-29 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\CyberLink\PowerCinema\PowerCinema.exe"="C:\Program Files\CyberLink\PowerCinema\PowerCinema.exe:*:Enabled:PowerCinema"
"C:\Program Files\McAfee\Common Framework\FrameworkService.exe"="C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\Program Files\THQ\Company of Heroes\RelicCOH.exe"="C:\Program Files\THQ\Company of Heroes\RelicCOH.exe:*:Enabled:Company of Heroes - Opposing Fronts"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\Real\RealOne Player\realplay.exe"="C:\Program Files\Real\RealOne Player\realplay.exe:*:Enabled:RealOne Player"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\Kontiki\KService.exe"="C:\Program Files\Kontiki\KService.exe:*:Enabled:Delivery Manager Service"
"C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe"="C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer"
"C:\Documents and Settings\Weihao\Desktop\Nick's stuff\utorrent-1.8-beta-10198.upx.exe"="C:\Documents and Settings\Weihao\Desktop\Nick's stuff\utorrent-1.8-beta-10198.upx.exe:*:Enabled:µTorrent"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

======List of files/folders created in the last 1 months======

2008-11-24 09:38:49 ----D---- C:\rsit
2008-11-23 01:09:38 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-23 01:09:30 ----D---- C:\Program Files\SUPERAntiSpyware
2008-11-23 01:09:30 ----D---- C:\Documents and Settings\Weihao\Application Data\SUPERAntiSpyware.com
2008-11-22 14:31:44 ----D---- C:\Program Files\Windows Live Safety Center
2008-11-21 20:36:28 ----D---- C:\Program Files\SEGA
2008-11-21 20:34:55 ----D---- C:\Documents and Settings\Weihao\Application Data\InstallShield
2008-11-21 13:26:10 ----D---- C:\Documents and Settings\All Users\Application Data\ATI
2008-11-21 13:23:57 ----D---- C:\Program Files\ATI
2008-11-21 13:22:01 ----N---- C:\WINDOWS\system32\ati2sgag.exe
2008-11-20 23:21:38 ----D---- C:\WINDOWS\system32\XPSViewer
2008-11-20 23:21:25 ----D---- C:\Program Files\Reference Assemblies
2008-11-20 23:20:39 ----N---- C:\WINDOWS\system32\prntvpt.dll
2008-11-20 23:20:38 ----N---- C:\WINDOWS\system32\xpssvcs.dll
2008-11-20 23:20:38 ----N---- C:\WINDOWS\system32\xpsshhdr.dll
2008-11-20 23:20:38 ----D---- C:\c204096a78a6996e0be056
2008-11-20 23:20:22 ----D---- C:\WINDOWS\SxsCaPendDel
2008-11-20 22:22:59 ----D---- C:\Documents and Settings\Weihao\Application Data\WinRAR
2008-11-20 22:22:14 ----D---- C:\Program Files\WinRAR
2008-11-16 17:03:20 ----D---- C:\Program Files\Mozilla Sunbird
2008-11-13 00:24:37 ----D---- C:\Documents and Settings\Weihao\Application Data\Mozilla
2008-11-02 17:48:52 ----D---- C:\Program Files\Common Files\Scanner
2008-11-02 17:48:45 ----D---- C:\Program Files\CA Yahoo! Anti-Spy
2008-11-02 00:23:24 ----D---- C:\Documents and Settings\Weihao\Application Data\Yahoo!
2008-11-01 21:27:02 ----D---- C:\Program Files\Hijackthis
2008-11-01 21:21:27 ----D---- C:\Program Files\Trend Micro
2008-11-01 21:04:30 ----D---- C:\!KillBox
2008-10-29 02:23:22 ----A---- C:\WINDOWS\system32\ATIDEMGX.dll
2008-10-29 02:11:35 ----A---- C:\WINDOWS\system32\atipdlxx.dll
2008-10-29 02:11:21 ----A---- C:\WINDOWS\system32\Oemdspif.dll
2008-10-29 02:11:12 ----A---- C:\WINDOWS\system32\Ati2mdxx.exe
2008-10-29 02:11:03 ----A---- C:\WINDOWS\system32\ati2edxx.dll
2008-10-29 02:10:59 ----A---- C:\WINDOWS\system32\atioglxx.dll
2008-10-29 02:10:45 ----A---- C:\WINDOWS\system32\ati2evxx.dll
2008-10-29 02:09:10 ----A---- C:\WINDOWS\system32\ati2evxx.exe
2008-10-29 02:07:44 ----A---- C:\WINDOWS\system32\ATIDDC.DLL
2008-10-29 01:49:31 ----A---- C:\WINDOWS\system32\atiiiexx.dll
2008-10-29 01:25:31 ----A---- C:\WINDOWS\system32\amdpcom32.dll
2008-10-29 01:21:21 ----A---- C:\WINDOWS\system32\atikvmag.dll
2008-10-29 01:19:50 ----A---- C:\WINDOWS\system32\atiadlxx.dll
2008-10-29 01:19:40 ----A---- C:\WINDOWS\system32\atitvo32.dll
2008-10-29 01:18:30 ----A---- C:\WINDOWS\system32\atiok3x2.dll
2008-10-27 19:35:08 ----D---- C:\Documents and Settings\All Users\Application Data\Documents
2008-10-26 10:18:23 ----D---- C:\Program Files\iPod
2008-10-26 10:18:20 ----D---- C:\Program Files\iTunes
2008-10-26 10:18:20 ----D---- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

======List of files/folders modified in the last 1 months======

2008-11-24 09:38:47 ----D---- C:\WINDOWS\Prefetch
2008-11-24 09:34:49 ----D---- C:\Documents and Settings\All Users\Application Data\Kontiki
2008-11-24 09:23:21 ----D---- C:\WINDOWS\Temp
2008-11-24 09:23:14 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-24 09:23:10 ----SD---- C:\WINDOWS\Tasks
2008-11-24 09:22:48 ----D---- C:\Program Files\Mozilla Firefox
2008-11-24 09:20:13 ----A---- C:\WINDOWS\ModemLog_PCI SoftV92 Modem.txt
2008-11-24 00:32:01 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-23 22:08:44 ----SHD---- C:\WINDOWS\Installer
2008-11-23 21:20:42 ----AD---- C:\WINDOWS
2008-11-23 19:58:40 ----D---- C:\WINDOWS\system32\LogFiles
2008-11-23 01:24:24 ----D---- C:\WINDOWS\Debug
2008-11-23 01:09:34 ----SHD---- C:\Config.Msi
2008-11-23 01:09:30 ----RD---- C:\Program Files
2008-11-23 01:08:22 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-11-23 01:06:25 ----D---- C:\WINDOWS\system32\FxsTmp
2008-11-23 00:22:36 ----D---- C:\WINDOWS\Minidump
2008-11-22 17:00:30 ----HD---- C:\WINDOWS\inf
2008-11-22 14:31:45 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-11-21 21:46:16 ----HD---- C:\Program Files\InstallShield Installation Information
2008-11-21 21:19:54 ----D---- C:\WINDOWS\system32\DirectX
2008-11-21 21:19:53 ----RSD---- C:\WINDOWS\assembly
2008-11-21 15:54:12 ----D---- C:\WINDOWS\Microsoft.NET
2008-11-21 13:23:39 ----D---- C:\Program Files\ATI Technologies
2008-11-21 13:23:25 ----D---- C:\WINDOWS\WinSxS
2008-11-21 13:22:01 ----D---- C:\WINDOWS\system32
2008-11-21 13:22:00 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-11-21 13:21:45 ----D---- C:\WINDOWS\system32\drivers
2008-11-21 13:21:44 ----D---- C:\WINDOWS\system32\CatRoot
2008-11-21 13:04:06 ----A---- C:\WINDOWS\WININIT.INI
2008-11-20 23:39:44 ----A---- C:\WINDOWS\system32\CmdLineExt.dll
2008-11-20 23:22:16 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-11-20 23:21:33 ----D---- C:\Program Files\MSBuild
2008-11-20 23:21:31 ----D---- C:\WINDOWS\system32\en-US
2008-11-20 23:21:30 ----RSD---- C:\WINDOWS\Fonts
2008-11-20 23:21:02 ----D---- C:\WINDOWS\system32\spool
2008-11-20 23:18:33 ----D---- C:\Program Files\Internet Explorer
2008-11-20 22:28:42 ----D---- C:\QUARANTINE
2008-11-17 11:16:08 ----D---- C:\Program Files\Steam
2008-11-12 11:10:00 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-11-12 11:02:59 ----HD---- C:\WINDOWS\$hf_mig$
2008-11-09 13:31:56 ----D---- C:\Documents and Settings\Weihao\Application Data\LimeWire
2008-11-06 16:31:26 ----D---- C:\Program Files\Common Files\Adobe
2008-11-06 16:31:19 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2008-11-06 16:31:05 ----D---- C:\Program Files\Adobe
2008-11-03 16:10:26 ----A---- C:\WINDOWS\system32\MRT.exe
2008-11-02 17:48:52 ----D---- C:\Program Files\Common Files
2008-11-02 00:23:24 ----D---- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-11-01 20:26:22 ----D---- C:\WINDOWS\system32\config
2008-11-01 20:25:58 ----D---- C:\WINDOWS\system32\wbem
2008-11-01 20:25:58 ----D---- C:\WINDOWS\Registration
2008-11-01 20:25:14 ----D---- C:\WINDOWS\system32\Restore
2008-11-01 16:00:26 ----SD---- C:\Documents and Settings\Weihao\Application Data\Microsoft
2008-10-30 14:09:02 ----D---- C:\Program Files\LimeWire
2008-10-29 02:22:02 ----A---- C:\WINDOWS\system32\ati2dvag.dll
2008-10-29 01:57:58 ----A---- C:\WINDOWS\system32\ati3duag.dll
2008-10-29 01:41:13 ----A---- C:\WINDOWS\system32\ativvaxx.dll
2008-10-29 01:12:51 ----A---- C:\WINDOWS\system32\ati2cqag.dll
2008-10-26 10:16:27 ----DC---- C:\WINDOWS\system32\DRVSTORE

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2006-05-10 36864]
R1 mferkdk;VSCore mferkdk; \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys []
R1 mfetdik;McAfee Inc.; C:\WINDOWS\system32\drivers\mfetdik.sys [2006-11-30 52136]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R2 EAPPkt;Realtek EAPPkt Protocol; C:\WINDOWS\system32\DRIVERS\EAPPkt.sys [2005-04-01 66048]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2005-10-05 141312]
R3 AEAudioService;AEAudio Service; C:\WINDOWS\system32\drivers\AEAudio.sys [2005-03-04 127872]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2008-10-29 3341824]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2004-09-29 1036928]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2004-09-29 219136]
R3 mfeapfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeapfk.sys [2006-11-30 64360]
R3 mfeavfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeavfk.sys [2006-11-30 72264]
R3 mfebopk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfebopk.sys [2006-11-30 34152]
R3 mfehidk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfehidk.sys [2006-11-30 168776]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2005-07-29 34048]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2005-07-29 12928]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter; C:\WINDOWS\system32\DRIVERS\RTL8187.sys [2006-06-16 176128]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 SenFiltService;SenFilt Service; C:\WINDOWS\system32\drivers\Senfilt.sys [2005-08-11 393088]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2004-09-29 702592]
S3 ENTECH;ENTECH; \??\C:\WINDOWS\system32\DRIVERS\ENTECH.sys []
S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\HdAudio.sys [2004-10-27 145920]
S3 SjyPkt;SjyPkt; \??\C:\WINDOWS\System32\Drivers\SjyPkt.sys []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 fasttx2k;fasttx2k; C:\WINDOWS\system32\DRIVERS\fasttx2k.sys [2003-08-06 159744]
S4 iaStor;Intel AHCI Controller; C:\WINDOWS\system32\DRIVERS\iaStor.sys [2004-04-20 472960]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 m5287;m5287; C:\WINDOWS\system32\DRIVERS\m5287.sys [2005-02-05 85888]
S4 m5289;m5289; C:\WINDOWS\system32\DRIVERS\m5289.sys [2004-12-01 51840]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]
S4 viamraid;viamraid; C:\WINDOWS\system32\DRIVERS\viamraid.sys [2004-03-29 73600]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-07-07 611664]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2008-10-29 585728]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 CLCapSvc;CyberLink Background Capture Service (CBCS); C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe [2005-01-14 172153]
R2 CLSched;CyberLink Task Scheduler (CTS); C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe [2005-01-14 110711]
R2 CyberLink Media Library Service;CyberLink Media Library Service; C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe [2005-01-14 24576]
R2 KService;KService; C:\Program Files\Kontiki\KService.exe [2008-02-27 3072184]
R2 McAfeeFramework;McAfee Framework Service; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [2006-11-17 104000]
R2 McShield;McAfee McShield; C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe [2006-11-30 144960]
R2 McTaskManager;McAfee Task Manager; C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe [2006-11-30 54872]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R2 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2008-10-28 593920]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-14 267776]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2007-08-24 68464]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------


info.txt logfile of random's system information tool 1.04 2008-11-24 09:39:04

======Uninstall list======

-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}
Apple Mobile Device Support-->MsiExec.exe /I{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Audacity 1.2.6-->"C:\Program Files\Audacity\unins000.exe"
BBC iPlayer Download Manager-->MsiExec.exe /I {D466F3D9-510C-4729-B7D4-2E70490E4CDF}
BioShock-->C:\Program Files\InstallShield Installation Information\{E280923D-C5D9-4728-8C79-AC9A0DC75875}\Setup.exe -runfromtemp -l0x0009 -removeonly
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
CA Yahoo! Anti-Spy (remove only)-->"C:\Program Files\CA Yahoo! Anti-Spy\uninstall.exe"
Call of Duty 2-->"C:\Program Files\Steam\steam.exe" steam://uninstall/2630
Catalyst Control Center - Branding-->MsiExec.exe /I{D3B1C799-CB73-42DE-BA0F-2344793A095C}
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Company of Heroes - FAKEMSI-->MsiExec.exe /I{14574B7F-75D1-4718-B7F2-EBF6E2862A35}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{199E6632-EB28-4F73-AECB-3E192EB92D18}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{25724802-CC14-4B90-9F3B-3D6955EE27B1}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{32C4A4EB-C97D-414E-99C5-38F8DFD31D5D}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{50193078-F553-4EBA-AA77-64C9FAA12F98}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{51D718D1-DA81-4FAD-919F-5C1CE3C33379}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{66F78C51-D108-4F0C-A93C-1CBE74CE338F}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{7F4B1592-222F-4E5F-A100-E5AFD61A0BB3}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{80D03817-7943-4839-8E96-B9F924C5E67D}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{97E5205F-EA4F-438F-B211-F1846419F1C1}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{99A7722D-9ACB-43F3-A222-ABC7133F159E}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{BA801B94-C28D-46EE-B806-E1E021A3D519}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{D4D244D1-05E0-4D24-86A2-B2433C435671}
Company of Heroes - FAKEMSI-->MsiExec.exe /I{EAF636A9-F664-4703-A659-85A894DA264F}
Company of Heroes-->"C:\Program Files\THQ\Company of Heroes\Uninstall_English.exe"
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Fraps-->"C:\Fraps\uninstall.exe"
HighMAT Extension to Microsoft Windows XP CD Writing Wizard-->MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2-->"C:\Program Files\Hijackthis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
iTunes-->MsiExec.exe /I{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}
Java™ 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
LimeWire 4.18.8-->"C:\Program Files\LimeWire\uninstall.exe"
McAfee VirusScan Enterprise-->MsiExec.exe /I{35C03C04-3F1F-42C2-A989-A757EE691F65}
MediaShow 3.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5A9B7C0-8751-11D8-9D75-000129760D75}\setup.exe" -uninstall
Medieval II Total War : Kingdoms : Americas-->C:\Program Files\InstallShield Installation Information\{75983B66-804C-40D1-BA13-64DAF652A6F1}\setup.exe -runfromtemp -l0x0009 -removeonly
Medieval II Total War : Kingdoms : Britannia-->C:\Program Files\InstallShield Installation Information\{CEDDEE73-3D36-41C2-AA40-29355D9FBD63}\setup.exe -runfromtemp -l0x0009 -removeonly
Medieval II Total War : Kingdoms : Crusades-->C:\Program Files\InstallShield Installation Information\{02A10468-2F1C-447C-AD8E-4DEDDEA25AE2}\setup.exe -runfromtemp -l0x0009 -removeonly
Medieval II Total War : Kingdoms : Teutonic-->C:\Program Files\InstallShield Installation Information\{7AEE1963-7001-4C37-BC20-2FAEB74AA41C}\setup.exe -runfromtemp -l0x0009 -removeonly
Medieval II Total War-->C:\Program Files\InstallShield Installation Information\{C0698BDA-0D29-40EE-8570-A31106DF9AB1}\setup.exe -runfromtemp -l0x0009 -removeonly
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Visual J# .NET Redistributable Package 1.1-->MsiExec.exe /X{1A655D51-1423-48A3-B748-8F5A0BE294C8}
MobileMe Control Panel-->MsiExec.exe /I{6DA9102E-199F-43A0-A36B-6EF48081A658}
Mozilla Firefox (3.0.4)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Sunbird (0.9)-->C:\Program Files\Mozilla Sunbird\uninstall\uninst.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
NJStar Chinese WP-->C:\Program Files\NJStar Chinese WP\uninst.exe
NVIDIA Drivers-->C:\WINDOWS\system32\nvunrm.exe UninstallGUI
Oblivion-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{35CB6715-41F8-4F99-8881-6FC75BF054B0}\setup.exe" -l0x9 -removeonly
PCI SoftV92 Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F30&SUBSYS_205514F1\HXFSETUP.EXE -U -IPSCRCTR5K.INF
PhotoNow! 1.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D36DD326-7280-11D8-97C8-000129760CBE}\setup.exe" -uninstall
Power2Go 4.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.exe" -uninstall
PowerBackup 1.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ADD5DB49-72CF-11D8-9D75-000129760D75}\setup.exe" -uninstall
PowerCinema 4.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\Setup.exe" -uninstall
PowerDirector Express-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EDE721EC-870A-11D8-9D75-000129760D75}\setup.exe" -uninstall
PowerDVD Copy 1.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E3D04529-6EDB-11D8-A372-0050BAE317E1}\setup.exe" -uninstall
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
PowerProducer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
PowerStarter-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rome - Total War - Gold Edition-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E97F7E8-ABDE-4E0D-B0AD-B6B4BAD89E24}\setup.exe" -l0x9 -removeonly
Security Update for 2007 Microsoft Office System (KB951550)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {B243E9A5-ED77-4F1B-B338-2486FD82DC85}
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for 2007 Microsoft Office System (KB955936)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {1D94099C-2BBA-440E-BD5E-093BBDF8F028}
Security Update for Microsoft Office Excel 2007 (KB955470)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6E8637D8-10D6-4568-AA06-E2706F31685E}
Security Update for Microsoft Office OneNote 2007 (KB950130)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F1B2401C-B610-4BF2-AA1C-52C55827A8F4}
Security Update for Microsoft Office PowerPoint 2007 (KB951338)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77}
Security Update for Microsoft Office Publisher 2007 (KB950114)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB951808)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Microsoft Office Word 2007 (KB950113)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Visio 2007 (KB947590)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Sibelius Scorch Plugin-->"C:\Program Files\Musicnotes\uninstsc.exe"
Sid Meier's Civilization 4-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}\setup.exe" -l0x9 -removeonly
Skype™ 3.6-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9 -removeonly
Spelling Dictionaries Support For Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
TuxGuitar 1.0-->C:\Program Files\tuxguitar-1.0-jet\Uninstall.exe
Update for Microsoft Office Outlook 2007 (KB952142)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {4AD3A076-427C-491F-A5B7-7D1DE788A756}
Update for Office 2007 (KB946691)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb957829)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {07A1F6B6-4F1C-418C-A605-755A121C4A16}
WG111v2 Configuration Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E0F252A6-DE85-4E93-A93B-DFC3537B3965}\setup.exe" -l0x9 REMOVE -removeonly
Windows Defender-->MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live OneCare safety scanner-->RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Live Sign-in Assistant-->MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
World of Warcraft FREE Trial-->MsiExec.exe /X{02EBDBB9-4600-41D3-B566-40CB861511D2}
Yahoo! Install Manager-->C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE

=====HijackThis Backups=====

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

======Hosts File======

204.16.197.121 www.yahoo.com
204.16.197.121 www.google.com
204.16.197.121 www.myspace.com
204.16.197.121 www.youtube.com
204.16.197.121 www.facebook.com
204.16.197.121 www.live.com
204.16.197.121 www.msn.com
204.16.197.121 www.wikipedia.org
204.16.197.121 www.ebay.com
204.16.197.121 www.aol.com

======Security center information======

AV: McAfee VirusScan Enterprise

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 47 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=2f02
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"VSEDEFLOGDIR"=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
"DEFLOGDIR"=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip

-----------------EOF-----------------

BC AdBot (Login to Remove)

 


#2 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:04:13 PM

Posted 01 December 2008 - 06:38 PM

Hello, Weihao
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the Posted Image button in the lower left hand corner of your screen.
We need to create an OTViewIt Report
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
  • OTViewIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
We need to scan for Rootkits with GMER
  • Please download GMER from one of the following mirrors:
  • Close any and all open programs, as this process may crash your computer.
  • Unzip the downloaded file to your desktop.
  • Double click Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
    Posted Image
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.
In your next reply, please include the following:
  • OTViewIt.txt
  • Extra.txt
  • GMER's Log


Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#3 Weihao

Weihao
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:13 PM

Posted 02 December 2008 - 06:10 AM

Hey Bill,

Thanks for your help! :thumbsup:

The three reports you've requested are here:

OTViewIt.txt

OTViewIt logfile created on: 02/12/2008 10:47:37 - Run
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Documents and Settings\Weihao\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.48 Gb Total Physical Memory | 0.77 Gb Available Physical Memory | 51.96% Memory free
3.34 Gb Paging File | 2.61 Gb Available in Paging File | 78.13% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.65 Gb Total Space | 71.80 Gb Free Space | 49.64% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DEEPTHOUGHT
Current User Name: Weihao
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2008/10/29 02:09:10 | 00,585,728 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
[2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
[2008/10/29 02:09:10 | 00,585,728 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
[2008/07/07 07:15:18 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
[2008/10/01 13:06:14 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
[2008/08/29 09:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
[2005/01/14 18:22:24 | 00,172,153 | ---- | M] () -- C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
[2005/01/14 18:22:26 | 00,110,711 | ---- | M] () -- C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
[2005/01/14 18:22:50 | 00,024,576 | ---- | M] (Cyberlink) -- C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
[2005/01/14 18:22:52 | 00,737,379 | ---- | M] (Cyberlink) -- C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
[2008/02/27 16:56:54 | 03,072,184 | ---- | M] (Kontiki Inc.) -- C:\Program Files\Kontiki\KService.exe
[2006/11/17 13:37:44 | 00,104,000 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
[2006/11/30 08:50:00 | 00,144,960 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
[2006/11/30 08:50:00 | 00,054,872 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
[2006/11/17 13:40:56 | 00,136,768 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
[2006/10/18 19:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe
[2006/11/30 08:50:00 | 00,112,216 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
[2006/11/17 13:39:58 | 00,136,768 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe
[2006/11/03 19:20:12 | 00,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
[2008/06/10 03:27:04 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
[2007/08/24 06:00:48 | 00,033,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[2005/05/20 08:11:06 | 00,925,696 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
[2008/09/02 10:48:12 | 00,049,152 | ---- | M] (Advanced Micro Devices Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
[2006/11/17 03:06:00 | 00,086,016 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\Mctray.exe
[2006/10/18 19:05:26 | 00,204,288 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe
[2008/09/02 10:40:46 | 00,049,152 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
[2008/10/31 21:51:58 | 00,307,712 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
[2008/10/01 18:57:04 | 14,258,472 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe
[2008/10/01 18:57:00 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
[2008/12/02 10:46:24 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Weihao\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2008/07/07 07:15:18 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice [Auto | Running])
[2008/10/01 13:06:14 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
[2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2008/10/29 02:09:10 | 00,585,728 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])
[2008/10/28 21:05:00 | 00,593,920 | ---- | M] () -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart [Auto | Stopped])
[2008/08/29 09:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
[2005/01/14 18:22:24 | 00,172,153 | ---- | M] () -- C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe -- (CLCapSvc [Auto | Running])
[2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2005/01/14 18:22:26 | 00,110,711 | ---- | M] () -- C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe -- (CLSched [Auto | Running])
[2005/01/14 18:22:50 | 00,024,576 | ---- | M] (Cyberlink) -- C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe -- (CyberLink Media Library Service [Auto | Running])
[2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
[2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
[2008/10/01 18:57:00 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
[2008/02/27 16:56:54 | 03,072,184 | ---- | M] (Kontiki Inc.) -- C:\Program Files\Kontiki\KService.exe -- (KService [Auto | Running])
[2006/11/17 13:37:44 | 00,104,000 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework [Unknown | Running])
[2006/11/30 08:50:00 | 00,144,960 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe -- (McShield [Unknown | Running])
[2006/11/30 08:50:00 | 00,054,872 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager [Unknown | Running])
[2007/08/24 05:59:20 | 00,068,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service [On_Demand | Stopped])
[2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
[2007/08/24 02:19:12 | 00,443,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
[2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2007/10/18 11:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])
[2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend [Auto | Running])
[2007/10/25 15:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])
[2006/10/18 19:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [Auto | Running])

========== Driver Services ==========

[2005/10/05 16:21:10 | 00,141,312 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService [On_Demand | Running])
[2005/03/04 19:53:00 | 00,127,872 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (AEAudioService [On_Demand | Running])
[2001/08/17 13:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\drivers\aliide.sys -- (AliIde [Disabled | Stopped])
[2008/04/13 18:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\drivers\amdagp.sys -- (amdagp [Disabled | Stopped])
[2006/05/10 10:27:00 | 00,036,864 | ---- | M] (Advanced Micro Devices) -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8 [System | Running])
[2001/08/17 13:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\drivers\asc.sys -- (asc [Disabled | Stopped])
[2001/08/17 13:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\drivers\asc3550.sys -- (asc3550 [Disabled | Stopped])
[2008/10/29 03:10:58 | 03,341,824 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag [On_Demand | Running])
[2001/08/17 13:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\drivers\cmdide.sys -- (CmdIde [Disabled | Stopped])
[2001/08/17 13:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\system32\drivers\dac2w2k.sys -- (dac2w2k [Disabled | Stopped])
[2005/04/01 10:42:20 | 00,066,048 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\system32\drivers\EAPPkt.sys -- (EAPPkt [Auto | Running])
[2007/09/07 13:55:04 | 00,027,672 | ---- | M] (EnTech Taiwan) -- C:\WINDOWS\system32\drivers\Entech.sys -- (ENTECH [On_Demand | Stopped])
[2003/08/06 09:43:00 | 00,159,744 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\drivers\Fasttx2k.sys -- (fasttx2k [Disabled | Stopped])
[2008/04/17 12:12:54 | 00,015,464 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
[2004/10/27 14:21:30 | 00,145,920 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\Hdaudio.sys -- (HdAudAddService [On_Demand | Stopped])
[2008/04/13 16:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus [On_Demand | Running])
[2004/09/29 22:35:30 | 00,219,136 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2 [On_Demand | Running])
[2004/09/29 22:33:50 | 01,036,928 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP [On_Demand | Running])
[2004/04/20 10:13:00 | 00,472,960 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor [Disabled | Stopped])
[2005/02/05 07:00:00 | 00,085,888 | ---- | M] (ULi Electronics Inc.) -- C:\WINDOWS\system32\drivers\m5287.sys -- (m5287 [Disabled | Stopped])
[2004/12/01 10:49:00 | 00,051,840 | ---- | M] (ULi Electronics Inc.) -- C:\WINDOWS\system32\drivers\m5289.sys -- (m5289 [Disabled | Stopped])
[2004/03/17 19:04:14 | 00,013,059 | ---- | M] (Conexant) -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
[2006/11/30 08:50:00 | 00,064,360 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk [On_Demand | Running])
[2006/11/30 08:50:00 | 00,072,264 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk [On_Demand | Running])
[2006/11/30 08:50:00 | 00,034,152 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk [On_Demand | Running])
[2006/11/30 08:50:00 | 00,168,776 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk [On_Demand | Running])
[2006/11/30 08:50:00 | 00,031,944 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys -- (mferkdk [System | Running])
[2006/11/30 08:50:00 | 00,052,136 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik [System | Running])
[2001/08/17 12:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])
[2004/07/09 03:26:38 | 00,015,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mpe.sys -- (MPE [On_Demand | Stopped])
[2001/08/17 13:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\drivers\mraid35x.sys -- (mraid35x [Disabled | Stopped])
[2005/07/29 16:11:02 | 00,034,048 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD [On_Demand | Running])
[2005/07/29 16:11:04 | 00,012,928 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus [On_Demand | Running])
[2004/08/04 12:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2001/08/17 13:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\drivers\ql1080.sys -- (ql1080 [Disabled | Stopped])
[2001/08/17 13:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\drivers\ql12160.sys -- (ql12160 [Disabled | Stopped])
[2001/08/17 13:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\drivers\ql1280.sys -- (ql1280 [Disabled | Stopped])
[2006/06/16 07:30:16 | 00,176,128 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\drivers\RTL8187.sys -- (RTLWUSB [On_Demand | Running])
[2008/11/17 15:11:06 | 00,008,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV [System | Running])
[2008/11/17 15:11:08 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Running])
[2008/11/17 15:11:04 | 00,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL [System | Running])
[2007/11/13 10:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2005/08/11 12:49:28 | 00,393,088 | ---- | M] (Sensaura) -- C:\WINDOWS\system32\drivers\senfilt.sys -- (SenFiltService [On_Demand | Running])
[2008/04/13 18:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\drivers\sisagp.sys -- (sisagp [Disabled | Stopped])
[2002/10/02 08:57:12 | 00,013,532 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\system32\drivers\SjyPkt.sys -- (SjyPkt [On_Demand | Stopped])
[2001/08/17 14:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\drivers\sparrow.sys -- (Sparrow [Disabled | Stopped])
[2001/08/17 14:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\drivers\symc810.sys -- (symc810 [Disabled | Stopped])
[2001/08/17 14:07:36 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\drivers\symc8xx.sys -- (symc8xx [Disabled | Stopped])
[2001/08/17 14:07:40 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\drivers\sym_hi.sys -- (sym_hi [Disabled | Stopped])
[2001/08/17 14:07:42 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\drivers\sym_u3.sys -- (sym_u3 [Disabled | Stopped])
[2001/08/17 13:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\drivers\ultra.sys -- (ultra [Disabled | Stopped])
[2006/08/09 10:10:12 | 00,291,200 | ---- | M] (eMPIA Technology, Inc.) -- C:\WINDOWS\system32\drivers\emBDA.sys -- (USB28xxBGA [On_Demand | Stopped])
[2006/08/09 10:10:12 | 00,028,160 | ---- | M] (eMPIA Technology, Inc.) -- C:\WINDOWS\system32\drivers\emOEM.sys -- (USB28xxOEM [On_Demand | Stopped])
[2004/03/29 12:45:00 | 00,073,600 | ---- | M] (VIA Technologies inc,.ltd) -- C:\WINDOWS\system32\drivers\viamraid.sys -- (viamraid [Disabled | Stopped])
[2004/09/29 22:34:24 | 00,702,592 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf [On_Demand | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://go.microsoft.com/fwlink/?LinkId=69157

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.meshcomputers.com

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = *.local

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"=http://www.meshcomputers.com

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"=http://www.meshcomputers.com

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"=http://www.meshcomputers.com

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"=http://www.meshcomputers.com

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-21-385581006-951137195-734082779-1006\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.meshcomputers.com

[HKEY_USERS\S-1-5-21-385581006-951137195-734082779-1006\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-385581006-951137195-734082779-1006\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-385581006-951137195-734082779-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = *.local

========== (O1) Hosts File ==========

HOSTS File = (1380 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
204.16.197.121 www.wikipedia.org
204.16.197.121 www.ebay.com
204.16.197.121 www.aol.com
204.16.197.121 www.craigslist.org
204.16.197.121 www.blogger.com
204.16.197.121 www.go.com
204.16.197.121 www.amazon.com
204.16.197.121 www.cnn.com
204.16.197.121 espn.go.com
204.16.197.121 www.espn.com
204.16.197.121 www.photobucket.com
204.16.197.121 www.comcast.net
204.16.197.121 www.imdb.com
204.16.197.121 www.wordpress.com
204.16.197.121 www.nytimes.com
204.16.197.121 www.weather.com
204.16.197.121 www.ask.com
204.16.197.121 www.aim.com
204.16.197.121 www.apple.com
204.16.197.121 www.mapquest.com
204.16.197.121 www.youporn.com
204.16.197.121 www.fastclick.com
204.16.197.121 www.pornhub.com
204.16.197.121 www.rapidshare.com
204.16.197.121 www.pogo.com
19 more lines...

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} (HKLM) -- C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{3049C3E9-B461-4BC5-8870-4C09146192CA} (HKLM) -- C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
{72853161-30C5-4D22-B7F9-0BBC1D38A37E} (HKLM) -- C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
{7DB2D5A0-7241-4E79-B68D-6309F01C5231} (HKLM) -- C:\Program Files\McAfee\VirusScan Enterprise\ScriptCl.dll (McAfee, Inc.)
{7E853D72-626A-48EC-A868-BA8D5E23E045} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{9030D464-4C02-4ABF-8ECC-5164760863C6} (HKLM) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} (HKLM) -- C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" (Microsoft Corporation)
"High Definition Audio Property Page Shortcut"=HDAShCut.exe (Windows ® Server 2003 DDK provider)
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey (McAfee, Inc.)
"Ptipbmf"=rundll32.exe ptipbmf.dll,SetWriteCacheMode (Promise Technology, Inc.)
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE (McAfee, Inc.)
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray (Analog Devices, Inc.)
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun (Advanced Micro Devices, Inc.)
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" (Sun Microsystems, Inc.)
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" -hide (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"=C:\Program Files\Kontiki\KHost.exe -all (Kontiki Inc.)
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-385581006-951137195-734082779-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"=C:\Program Files\Kontiki\KHost.exe -all (Kontiki Inc.)
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)

========== (O4) Startup Folders ==========


========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-385581006-951137195-734082779-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\Office12\EXCEL.EXE [2008/07/30 02:25:02 | 17,930,264 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-385581006-951137195-734082779-1006\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\Office12\EXCEL.EXE [2008/07/30 02:25:02 | 17,930,264 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [2008/06/10 03:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{2670000A-7350-4f3c-8081-5663EE0C6C49}: Button: Send to OneNote -- %ProgramFiles%\Microsoft Office\Office12\ONBttnIE.dll [2007/12/13 01:20:58 | 00,606,288 | ---- | M] (Microsoft Corporation)
{2670000A-7350-4f3c-8081-5663EE0C6C49}: Menu: S&end to OneNote -- %ProgramFiles%\Microsoft Office\Office12\ONBttnIE.dll [2007/12/13 01:20:58 | 00,606,288 | ---- | M] (Microsoft Corporation)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\Office12\REFIEBAR.DLL [2006/10/26 20:12:22 | 00,040,424 | ---- | M] (Microsoft Corporation)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\network diagnostic\xpnetdiag.exe [2008/04/13 18:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/14 00:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/14 00:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Sun Java Console] -> [2008/06/10 03:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{2670000A-7350-4f3c-8081-5663EE0C6C49} [HKLM] -> %ProgramFiles%\Microsoft Office\Office12\ONBttnIE.dll [Send to OneNote] -> [2007/12/13 01:20:58 | 00,606,288 | ---- | M] (Microsoft Corporation)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\Office12\REFIEBAR.DLL [Research] -> [2006/10/26 20:12:22 | 00,040,424 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 00:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\Office12\REFIEBAR.DLL [Research] -> [2006/10/26 20:12:22 | 00,040,424 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 00:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\Office12\REFIEBAR.DLL [Research] -> [2006/10/26 20:12:22 | 00,040,424 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 00:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-385581006-951137195-734082779-1006\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Sun Java Console] -> [2008/06/10 03:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{2670000A-7350-4f3c-8081-5663EE0C6C49} [HKLM] -> %ProgramFiles%\Microsoft Office\Office12\ONBttnIE.dll [Send to OneNote] -> [2007/12/13 01:20:58 | 00,606,288 | ---- | M] (Microsoft Corporation)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\Office12\REFIEBAR.DLL [Research] -> [2006/10/26 20:12:22 | 00,040,424 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 00:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}: -- Reg Error: Key does not exist or could not be opened.
{5ED80217-570B-4DA9-BF44-BE107C0EC166}: http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab -- Windows Live Safety Center Base Module
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}: http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab -- Reg Error: Key does not exist or could not be opened.
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_03
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_05
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07

========== (O17) DNS Name Servers ==========

{2A329BA3-C935-49BE-8228-B884F776D848} (Servers: | Description: Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter)
{36162AF2-FC0C-41B2-9545-584D0A128474} (Servers: | Description: )
{4AC70ECF-53FD-4341-A091-BC8C5ADA030D} (Servers: | Description: NVIDIA nForce Networking Controller)
{7C9CD6B0-5208-4DFB-952A-DFEF92444849} (Servers: | Description: Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter)

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
!SASWinLogon: "DllName" = C:\Program Files\SUPERAntiSpyware\SASWINLO.dll -- C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
AtiExtEvent: "DllName" = Ati2evxx.dll -- C:\WINDOWS\system32\ati2evxx.dll (ATI Technologies Inc.)

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" (HKLM) -- C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" (HKLM) -- C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" (HKLM) -- C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2005/11/25 09:00:41 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

========== Files/Folders - Created Within 30 Days ==========

[3 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2008/12/02 10:45:59 | 00,422,400 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Weihao\Desktop\OTViewIt.exe
[2008/12/01 20:49:06 | 73,425,1008 | ---- | C] () -- C:\Documents and Settings\Weihao\Desktop\In.Bruges.DVDRip.XviD-DiAMOND.avi
[2008/11/30 17:58:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Weihao\Local Settings\Application Data\IsolatedStorage
[2008/11/30 17:44:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Weihao\My Documents\InstantCDDVD
[2008/11/30 14:23:54 | 00,061,440 | ---- | C] (eMPIA Technology, Inc.) -- C:\WINDOWS\emMON.exe
[2008/11/30 14:23:13 | 00,053,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\vfwwdm32.dll
[2008/11/30 14:23:13 | 00,053,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\vfwwdm32.dll
[2008/11/30 14:22:55 | 00,291,200 | ---- | C] (eMPIA Technology, Inc.) -- C:\WINDOWS\System32\drivers\emBDA.sys
[2008/11/30 14:22:55 | 00,032,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\emPRP.ax
[2008/11/30 14:22:55 | 00,028,160 | ---- | C] (eMPIA Technology, Inc.) -- C:\WINDOWS\System32\drivers\emOEM.sys
[2008/11/30 14:20:14 | 00,446,464 | ---- | C] (eHelp Corporation.) -- C:\WINDOWS\System32\HHActiveX.dll
[2008/11/30 14:20:07 | 01,060,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MFC71.dll
[2008/11/30 14:20:07 | 00,089,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\atl71.dll
[2008/11/30 14:20:05 | 00,000,000 | ---D | C] -- C:\Program Files\Pinnacle
[2008/11/30 14:19:30 | 00,000,349 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\PCLECHAL.INI
[2008/11/30 14:18:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Pinnacle
[2008/11/29 22:52:48 | 73,426,1248 | ---- | C] () -- C:\Documents and Settings\Weihao\Desktop\Shanghai Noon.DVDRIP.XViD.Helloween.avi
[2008/11/28 02:24:09 | 00,045,138 | ---- | C] () -- C:\Documents and Settings\Weihao\Desktop\Careers.pdf
[2008/11/28 02:23:50 | 02,008,416 | ---- | C] () -- C:\Documents and Settings\Weihao\Desktop\view.pdf
[2008/11/26 20:59:14 | 00,024,576 | ---- | C] () -- C:\Documents and Settings\Weihao\Desktop\Feeding timetable.xls
[2008/11/25 10:56:55 | 00,776,807 | ---- | C] () -- C:\Documents and Settings\Weihao\Desktop\Zhongfu et al. (2008).pdf
[2008/11/24 09:38:49 | 00,000,000 | ---D | C] -- C:\rsit
[2008/11/24 09:37:51 | 00,305,705 | ---- | C] () -- C:\Documents and Settings\Weihao\Desktop\RSIT.exe
[2008/11/23 16:48:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Weihao\Desktop\Antivirus
[2008/11/23 01:09:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2008/11/23 01:09:30 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2008/11/23 01:09:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Weihao\Application Data\SUPERAntiSpyware.com
[2008/11/22 14:31:44 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2008/11/21 21:48:19 | 00,001,817 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Medieval II Total War Teutonic.lnk
[2008/11/21 21:45:36 | 00,001,817 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Medieval II Total War Crusades.lnk
[2008/11/21 21:43:18 | 00,001,827 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Medieval II Total War Britannia.lnk
[2008/11/21 21:41:14 | 00,001,817 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Medieval II Total War Americas.lnk
[2008/11/21 20:46:54 | 00,001,759 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Medieval II Total War.lnk
[2008/11/21 20:36:28 | 00,000,000 | ---D | C] -- C:\Program Files\SEGA
[2008/11/21 20:34:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Weihao\Application Data\InstallShield
[2008/11/21 20:23:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Weihao\Desktop\saves
[2008/11/21 13:26:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ATI
[2008/11/21 13:23:57 | 00,000,000 | ---D | C] -- C:\Program Files\ATI
[2008/11/21 13:22:01 | 00,593,920 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2008/11/21 10:40:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Weihao\Desktop\Total_War_Kingdoms_EnFrItGeSp
[2008/11/20 23:21:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2008/11/20 23:21:25 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2008/11/20 23:20:39 | 00,597,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\printfilterpipelinesvc.exe
[2008/11/20 23:20:39 | 00,117,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\prntvpt.dll
[2008/11/20 23:20:39 | 00,089,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\filterpipelineprintproc.dll
[2008/11/20 23:20:38 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpssvcs.dll
[2008/11/20 23:20:38 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpssvcs.dll
[2008/11/20 23:20:38 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsshhdr.dll
[2008/11/20 23:20:38 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpsshhdr.dll
[2008/11/20 23:20:38 | 00,000,000 | ---D | C] -- C:\c204096a78a6996e0be056
[2008/11/20 23:20:22 | 00,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2008/11/20 22:22:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Weihao\Application Data\WinRAR
[2008/11/20 22:22:14 | 00,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2008/11/19 17:09:41 | 00,022,927 | ---- | C] () -- C:\Documents and Settings\Weihao\My Documents\Booking Summary.docx
[2008/11/19 12:36:09 | 00,125,440 | ---- | C] () -- C:\Documents and Settings\Weihao\My Documents\KB BTP 19112008 1 - Zhong - First Letter.doc
[2008/11/16 17:03:25 | 00,001,609 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Sunbird.lnk
[2008/11/16 17:03:20 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Sunbird
[2008/11/13 00:24:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Weihao\Application Data\Mozilla
[2008/11/13 00:24:31 | 00,001,609 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2008/11/12 10:38:50 | 00,455,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mrxsmb.sys
[2008/11/12 10:38:35 | 01,106,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msxml3.dll
[2008/11/02 17:48:52 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Scanner
[2008/11/02 17:48:45 | 00,000,000 | ---D | C] -- C:\Program Files\CA Yahoo! Anti-Spy

========== Files - Modified Within 30 Days ==========

[3 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2008/12/02 10:46:24 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Weihao\Desktop\OTViewIt.exe
[2008/12/02 09:41:45 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2008/12/02 09:38:20 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2008/12/02 09:38:10 | 00,060,452 | ---- | M] () -- C:\WINDOWS\System32\ativvaxx.cap
[2008/12/02 09:38:10 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2008/12/01 20:48:49 | 00,039,424 | ---- | M] () -- C:\Documents and Settings\Weihao\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/12/01 16:34:55 | 00,000,588 | ---- | M] () -- C:\Documents and Settings\Weihao\My Documents\My Sharing Folders.lnk
[2008/12/01 16:03:07 | 00,085,736 | ---- | M] () -- C:\Documents and Settings\Weihao\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/12/01 16:01:38 | 00,306,008 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/12/01 09:57:42 | 00,000,592 | ---- | M] () -- C:\WINDOWS\win.ini
[2008/12/01 09:50:22 | 00,000,349 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\PCLECHAL.INI
[2008/11/29 11:56:54 | 00,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008/11/28 02:24:09 | 00,045,138 | ---- | M] () -- C:\Documents and Settings\Weihao\Desktop\Careers.pdf
[2008/11/28 02:23:50 | 02,008,416 | ---- | M] () -- C:\Documents and Settings\Weihao\Desktop\view.pdf
[2008/11/26 20:59:31 | 00,024,576 | ---- | M] () -- C:\Documents and Settings\Weihao\Desktop\Feeding timetable.xls
[2008/11/25 10:56:55 | 00,776,807 | ---- | M] () -- C:\Documents and Settings\Weihao\Desktop\Zhongfu et al. (2008).pdf
[2008/11/24 09:37:52 | 00,305,705 | ---- | M] () -- C:\Documents and Settings\Weihao\Desktop\RSIT.exe
[2008/11/22 12:26:10 | 00,004,096 | ---- | M] () -- C:\WINDOWS\System32\crash
[2008/11/21 21:48:19 | 00,001,817 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Medieval II Total War Teutonic.lnk
[2008/11/21 21:45:37 | 00,001,817 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Medieval II Total War Crusades.lnk
[2008/11/21 21:43:18 | 00,001,827 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Medieval II Total War Britannia.lnk
[2008/11/21 21:41:14 | 00,001,817 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Medieval II Total War Americas.lnk
[2008/11/21 21:19:54 | 00,001,759 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Medieval II Total War.lnk
[2008/11/21 13:04:06 | 00,000,010 | ---- | M] () -- C:\WINDOWS\WININIT.INI
[2008/11/20 23:39:44 | 00,107,888 | ---- | M] (Sony DADC Austria AG.) -- C:\WINDOWS\System32\CmdLineExt.dll
[2008/11/20 23:22:16 | 00,525,268 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2008/11/20 23:22:16 | 00,445,066 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2008/11/20 23:22:16 | 00,072,654 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2008/11/19 17:15:19 | 00,022,927 | ---- | M] () -- C:\Documents and Settings\Weihao\My Documents\Booking Summary.docx
[2008/11/19 12:36:12 | 00,125,440 | ---- | M] () -- C:\Documents and Settings\Weihao\My Documents\KB BTP 19112008 1 - Zhong - First Letter.doc
[2008/11/16 17:03:25 | 00,001,609 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Sunbird.lnk
[2008/11/13 00:24:31 | 00,001,609 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2008/11/08 19:33:22 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2008/11/03 16:10:26 | 17,318,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
< End of report >

Extra.txt

OTViewIt Extras logfile created on: 02/12/2008 10:47:37 - Run
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Documents and Settings\Weihao\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.48 Gb Total Physical Memory | 0.77 Gb Available Physical Memory | 51.96% Memory free
3.34 Gb Paging File | 2.61 Gb Available in Paging File | 78.13% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.65 Gb Total Space | 71.80 Gb Free Space | 49.64% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DEEPTHOUGHT
Current User Name: Weihao
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = Reg Error: Value does not exist or could not be read.] -- Reg Error: Key does not exist or could not be opened. File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/14 00:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/04/13 18:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2007/10/18 11:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
[2007/10/02 17:18:24 | 00,304,488 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/14 00:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2005/01/14 18:21:44 | 00,045,056 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerCinema\PowerCinema.exe:*:Enabled:PowerCinema
[2006/11/17 13:37:44 | 00,104,000 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service
[2008/05/08 11:02:13 | 11,202,368 | ---- | M] (THQ Canada Inc.) -- C:\Program Files\THQ\Company of Heroes\RelicCOH.exe:*:Enabled:Company of Heroes - Opposing Fronts
[2008/05/21 03:37:24 | 12,844,576 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook
[2007/08/28 23:23:36 | 00,340,856 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove
[2008/05/21 04:54:40 | 01,022,496 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote
[2008/04/13 18:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2008/10/31 21:51:58 | 00,307,712 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox
File not found -- C:\Program Files\Real\RealOne Player\realplay.exe:*:Enabled:RealOne Player
[2007/10/18 11:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
[2007/10/02 17:18:24 | 00,304,488 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)
[2008/02/27 16:56:54 | 03,072,184 | ---- | M] (Kontiki Inc.) -- C:\Program Files\Kontiki\KService.exe:*:Enabled:Delivery Manager Service
[2005/10/18 15:35:32 | 11,691,000 | ---- | M] (Firaxis Games) -- C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4
[2008/05/22 19:51:30 | 00,214,560 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer
File not found -- C:\Documents and Settings\Weihao\Desktop\Nick's stuff\utorrent-1.8-beta-10198.upx.exe:*:Enabled:µTorrent
[2007/12/12 15:25:46 | 21,686,568 | R--- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath
[2008/08/29 09:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
[2008/09/18 18:50:21 | 00,147,456 | ---- | M] (Lime Wire, LLC) -- C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire
[2008/10/01 18:57:04 | 14,258,472 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
File not found -- C:\Program Files\Pinnacle\MediaCenter\PMC.exe:LocalSubNet:Enabled:Pmc.exe
File not found -- C:\Program Files\Pinnacle\MediaCenter\PSST.exe:LocalSubNet:Enabled:PSST.exe
File not found -- C:\Program Files\Pinnacle\MediaCenter\PMSInstallInit.exe:LocalSubNet:Enabled:PMSInstallInit.exe
File not found -- C:\Program Files\Pinnacle\MediaCenter\PMC.Tvtv.Wizard.exe:LocalSubNet:Enabled:PMC.Tvtv.Wizard.exe
File not found -- C:\Program Files\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe:LocalSubNet:Disabled:PMCService

========== (O10) Winsock2 Catalogs ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\]
NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] -- C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2007/08/24 06:01:46 | 00,224,128 | ---- | M] (Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (grooveLocalGWS:{88FED34C-F0CA-4636-A375-3CB6248B04CD} (HKLM) [Local Groove Web Services Protocol])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2007/08/28 22:55:14 | 01,014,128 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2007/10/18 11:31:54 | 00,066,072 | ---- | M] (Microsoft Corporation) C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (livecall:{828030A1-22C1-4009-854F-8E305202313F} (HKLM) [Reg Error: Value does not exist or could not be read.])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2007/08/28 22:55:14 | 01,014,128 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2007/08/28 22:55:14 | 01,014,128 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2006/10/26 13:45:02 | 00,873,216 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (ms-help:{314111c7-a502-11d2-bbca-00c04f8ec294} (HKLM) [HxProtocol Class])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2007/10/18 11:31:54 | 00,066,072 | ---- | M] (Microsoft Corporation) C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (msnim:{828030A1-22C1-4009-854F-8E305202313F} (HKLM) [Reg Error: Value does not exist or could not be read.])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2006/10/26 21:41:48 | 00,044,344 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL text/xml:{807563E5-5146-11D5-A672-00B0D022E945} (HKLM) [Microsoft Office InfoPath XML Mime Filter]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00E15D21-B68B-D7C4-574B-636E2D1ECEBE}"=Catalyst Control Center HydraVision Full
"{02A10468-2F1C-447C-AD8E-4DEDDEA25AE2}"=Medieval II Total War : Kingdoms : Crusades
"{02EBDBB9-4600-41D3-B566-40CB861511D2}"=World of Warcraft FREE Trial
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}"=Steam
"{055EE59D-217B-43A7-ABFF-507B966405D8}"=ATI Catalyst Control Center
"{1170F665-2359-E439-5BC5-932B87423EF1}"=ccc-utility
"{14574B7F-75D1-4718-B7F2-EBF6E2862A35}"=Company of Heroes - FAKEMSI
"{18D10072035C4515918F7E37EAFAACFC}"=AutoUpdate
"{199E6632-EB28-4F73-AECB-3E192EB92D18}"=Company of Heroes - FAKEMSI
"{1A655D51-1423-48A3-B748-8F5A0BE294C8}"=Microsoft Visual J# .NET Redistributable Package 1.1
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}"=PowerStarter
"{21A127AE-2DAF-40B7-8374-34C3E629521C}"=Far Cry (Patch 1.3)
"{25724802-CC14-4B90-9F3B-3D6955EE27B1}"=Company of Heroes - FAKEMSI
"{2637C347-9DAD-11D6-9EA2-00055D0CA761}"=PowerCinema 4.0
"{2E97F7E8-ABDE-4E0D-B0AD-B6B4BAD89E24}"=Rome - Total War - Gold Edition
"{3248F0A8-6813-11D6-A77B-00B0D0160030}"=Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}"=Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}"=Java™ 6 Update 7
"{32C4A4EB-C97D-414E-99C5-38F8DFD31D5D}"=Company of Heroes - FAKEMSI
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{35C03C04-3F1F-42C2-A989-A757EE691F65}"=McAfee VirusScan Enterprise
"{35CB6715-41F8-4F99-8881-6FC75BF054B0}"=Oblivion
"{39D74E81-5DED-C7EE-8807-91A8800212FA}"=ccc-core-preinstall
"{3C662203-292F-4E9D-AE02-281071C06903}"=Far Cry (Patch 1.33)
"{40BF1E83-20EB-11D8-97C5-0009C5020658}"=Power2Go 4.0
"{41C01225-45FD-7BCE-1EDA-F7E50945ADD7}"=Catalyst Control Center Core Implementation
"{4377F918-E6C9-4ECA-A7F5-754B310B7ED8}"=Sid Meier's Civilization 4
"{50193078-F553-4EBA-AA77-64C9FAA12F98}"=Company of Heroes - FAKEMSI
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}"=Windows Live Messenger
"{51D718D1-DA81-4FAD-919F-5C1CE3C33379}"=Company of Heroes - FAKEMSI
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}"=Skype™ 3.6
"{5E8E1294-7951-6DA9-10F1-C877871346F3}"=Skins
"{66F78C51-D108-4F0C-A93C-1CBE74CE338F}"=Company of Heroes - FAKEMSI
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}"=PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}"=Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}"=Windows Media Player Firefox Plugin
"{6DA9102E-199F-43A0-A36B-6EF48081A658}"=MobileMe Control Panel
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}"=MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}"=Microsoft Visual C++ 2005 Redistributable
"{75983B66-804C-40D1-BA13-64DAF652A6F1}"=Medieval II Total War : Kingdoms : Americas
"{7AEE1963-7001-4C37-BC20-2FAEB74AA41C}"=Medieval II Total War : Kingdoms : Teutonic
"{7B63B2922B174135AFC0E1377DD81EC2}"=DivX
"{7F4B1592-222F-4E5F-A100-E5AFD61A0BB3}"=Company of Heroes - FAKEMSI
"{80D03817-7943-4839-8E96-B9F924C5E67D}"=Company of Heroes - FAKEMSI
"{826F3B4F-C597-AF1D-4CB1-2F441BE8E2BF}"=ccc-core-static
"{87B20692-9E9D-FAE0-76C7-E75E3CC7B0D1}"=Catalyst Control Center Graphics Full Existing
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}"=Bonjour
"{8DC42D05-680B-41B0-8878-6C14D24602DB}"=QuickTime
"{90120000-0010-0409-0000-0000000FF1CE}"=Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}"=Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0016-0409-0000-0000000FF1CE}"=Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0018-0409-0000-0000000FF1CE}"=Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0019-0409-0000-0000000FF1CE}"=Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001A-0409-0000-0000000FF1CE}"=Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001B-0409-0000-0000000FF1CE}"=Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}"=Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{3EC77D26-799B-4CD8-914F-C1565E796173}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}"=Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{430971B1-C31E-45DA-81E0-72C095BAB72C}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}"=Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-002C-0409-0000-0000000FF1CE}"=Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}"=Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0044-0409-0000-0000000FF1CE}"=Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-006E-0409-0000-0000000FF1CE}"=Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{FAD8A83E-9BAC-4179-9268-A35948034D85}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00A1-0409-0000-0000000FF1CE}"=Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00BA-0409-0000-0000000FF1CE}"=Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0114-0409-0000-0000000FF1CE}"=Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0115-0409-0000-0000000FF1CE}"=Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{FAD8A83E-9BAC-4179-9268-A35948034D85}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0117-0409-0000-0000000FF1CE}"=Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6}"=Apple Mobile Device Support
"{97E5205F-EA4F-438F-B211-F1846419F1C1}"=Company of Heroes - FAKEMSI
"{99A7722D-9ACB-43F3-A222-ABC7133F159E}"=Company of Heroes - FAKEMSI
"{A06275F4-324B-4E85-95E6-87B2CD729401}"=Windows Defender
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}"=Microsoft .NET Framework 3.0 Service Pack 2
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}"=Microsoft Visual C++ 2005 Redistributable
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}"=Windows Live installer
"{AC76BA86-7AD7-1033-7B44-A81300000003}"=Adobe Reader 8.1.3
"{AC76BA86-7AD7-5464-3428-800000000003}"=Spelling Dictionaries Support For Adobe Reader 8
"{ADD5DB49-72CF-11D8-9D75-000129760D75}"=PowerBackup 1.0
"{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}"=Windows Live Sign-in Assistant
"{B7050CBDB2504B34BC2A9CA0A692CC29}"=DivX Web Player
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}"=PowerProducer
"{BA801B94-C28D-46EE-B806-E1E021A3D519}"=Company of Heroes - FAKEMSI
"{C0698BDA-0D29-40EE-8570-A31106DF9AB1}"=Medieval II Total War
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}"=Microsoft .NET Framework 2.0 Service Pack 2
"{C29769BE-BEDF-DC9E-67A9-5E7AEFF039CF}"=CCC Help English
"{C740289B-FC90-D938-8317-1FFEBF7C04DB}"=Catalyst Control Center Graphics Previews Common
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}"=Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}"=SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}"=Microsoft .NET Framework 3.5 SP1
"{CEDDEE73-3D36-41C2-AA40-29355D9FBD63}"=Medieval II Total War : Kingdoms : Britannia
"{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}"=Sid Meier's Civilization 4
"{D36DD326-7280-11D8-97C8-000129760CBE}"=PhotoNow! 1.0
"{D3B1C799-CB73-42DE-BA0F-2344793A095C}"=Catalyst Control Center - Branding
"{D466F3D9-510C-4729-B7D4-2E70490E4CDF}"=BBC iPlayer Download Manager
"{D4D244D1-05E0-4D24-86A2-B2433C435671}"=Company of Heroes - FAKEMSI
"{D5A9B7C0-8751-11D8-9D75-000129760D75}"=MediaShow 3.0
"{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}"=iTunes
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}"=Ad-Aware
"{E0F252A6-DE85-4E93-A93B-DFC3537B3965}"=WG111v2 Configuration Utility
"{E280923D-C5D9-4728-8C79-AC9A0DC75875}"=BioShock
"{E3D04529-6EDB-11D8-A372-0050BAE317E1}"=PowerDVD Copy 1.0
"{EAF636A9-F664-4703-A659-85A894DA264F}"=Company of Heroes - FAKEMSI
"{EDE721EC-870A-11D8-9D75-000129760D75}"=PowerDirector Express
"{EE8592F6-FC2B-4AFD-B527-109D127C039F}"=Far Cry (Patch 1.31)
"{F0A37341-D692-11D4-A984-009027EC0A9C}"=SoundMAX
"{F30A8BF7-288C-57C0-357E-6D67BB694682}"=Catalyst Control Center Graphics Full New
"{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA}"=Pinnacle MediaCenter
"{F54543CF-EC73-D847-1780-84A6420EA229}"=Catalyst Control Center Graphics Light
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}"=HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe Flash Player Plugin"=Adobe Flash Player 10 Plugin
"All ATI Software"=ATI - Software Uninstall Utility
"ATI Display Driver"=ATI Display Driver
"Audacity_is1"=Audacity 1.2.6
"BBC iPlayer Download Manager"=BBC iPlayer Download Manager
"cayahooantispy"=CA Yahoo! Anti-Spy (remove only)
"CCleaner"=CCleaner (remove only)
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F30&SUBSYS_205514F1"=PCI SoftV92 Modem
"Company of Heroes"=Company of Heroes
"ENTERPRISE"=Microsoft Office Enterprise 2007
"Fraps"=Fraps
"HijackThis"=HijackThis 2.0.2
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"LimeWire"=LimeWire 4.18.8
"Microsoft .NET Framework 1.1 (1033)"=Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1"=Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.4)"=Mozilla Firefox (3.0.4)
"Mozilla Sunbird (0.9)"=Mozilla Sunbird (0.9)
"MSCompPackV1"=Microsoft Compression Client Pack 1.0 for Windows XP
"NJStar Chinese WP"=NJStar Chinese WP
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers"=NVIDIA Drivers
"RealPlayer 6.0"=RealPlayer
"Sibelius Scorch Plugin"=Sibelius Scorch Plugin
"Steam App 2630"=Call of Duty 2
"SystemRequirementsLab"=System Requirements Lab
"TuxGuitar_0"=TuxGuitar 1.0
"Windows Live OneCare safety scanner"=Windows Live OneCare safety scanner
"Windows Media Format Runtime"=Windows Media Format 11 runtime
"Windows Media Player"=Windows Media Player 11
"Windows XP Service Pack"=Windows XP Service Pack 3
"WinRAR archiver"=WinRAR archiver
"WMFDist11"=Windows Media Format 11 runtime
"wmp11"=Windows Media Player 11
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion"=Yahoo! Toolbar
"YInstHelper"=Yahoo! Install Manager

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 01/11/2008 19:35:43 | Computer Name = DEEPTHOUGHT | Source = Application Hang | ID = 1002
Description = Hanging application Ad-Aware.exe, version 7.1.0.11, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/11/2008 07:18:49 | Computer Name = DEEPTHOUGHT | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 80240016, P2 begininstall, P3 install, P4
1.1.1593.0, P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender, P8 NIL, P9 NIL,
P10 NIL.

Error - 14/11/2008 19:54:14 | Computer Name = DEEPTHOUGHT | Source = | ID = 0
Description =

Error - 14/11/2008 19:54:14 | Computer Name = DEEPTHOUGHT | Source = | ID = 0
Description =

Error - 14/11/2008 20:19:08 | Computer Name = DEEPTHOUGHT | Source = | ID = 0
Description =

Error - 14/11/2008 20:19:08 | Computer Name = DEEPTHOUGHT | Source = | ID = 0
Description =

Error - 15/11/2008 18:04:33 | Computer Name = DEEPTHOUGHT | Source = | ID = 0
Description =

Error - 15/11/2008 18:04:33 | Computer Name = DEEPTHOUGHT | Source = | ID = 0
Description =

Error - 21/11/2008 07:04:25 | Computer Name = DEEPTHOUGHT | Source = Application Hang | ID = 1002
Description = Hanging application kingdoms.exe, version 1.5.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 21/11/2008 07:04:30 | Computer Name = DEEPTHOUGHT | Source = Application Hang | ID = 1001
Description = Fault bucket 722508169.

[ System Events ]
Error - 21/11/2008 09:16:02 | Computer Name = DEEPTHOUGHT | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 21/11/2008 09:16:02 | Computer Name = DEEPTHOUGHT | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 21/11/2008 09:16:02 | Computer Name = DEEPTHOUGHT | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 21/11/2008 09:59:57 | Computer Name = DEEPTHOUGHT | Source = ati2mtag | ID = 262252
Description = The driver ati2dvag for the display device \Device\Video0 got stuck
in an infinite loop. This usually indicates a problem with the device itself or
with the device driver programming the hardware incorrectly. Please check with your
hardware
device vendor for any driver updates.

Error - 21/11/2008 16:16:46 | Computer Name = DEEPTHOUGHT | Source = ati2mtag | ID = 262252
Description = The driver ati2dvag for the display device \Device\Video0 got stuck
in an infinite loop. This usually indicates a problem with the device itself or
with the device driver programming the hardware incorrectly. Please check with your
hardware
device vendor for any driver updates.

Error - 21/11/2008 21:12:54 | Computer Name = DEEPTHOUGHT | Source = ati2mtag | ID = 262252
Description = The driver ati2dvag for the display device \Device\Video0 got stuck
in an infinite loop. This usually indicates a problem with the device itself or
with the device driver programming the hardware incorrectly. Please check with your
hardware
device vendor for any driver updates.

Error - 22/11/2008 06:21:14 | Computer Name = DEEPTHOUGHT | Source = System Error | ID = 1003
Description = Error code 000000ea, parameter1 88d3eb30, parameter2 893c0148, parameter3
8a42fd58, parameter4 00000001.

Error - 22/11/2008 10:04:36 | Computer Name = DEEPTHOUGHT | Source = System Error | ID = 1003
Description = Error code 1000007e, parameter1 c0000005, parameter2 04e618b0, parameter3
ba4d38a0, parameter4 ba4d359c.

Error - 24/11/2008 05:21:46 | Computer Name = DEEPTHOUGHT | Source = Service Control Manager | ID = 7022
Description = The CyberLink Task Scheduler (CTS) service hung on starting.

Error - 30/11/2008 13:45:26 | Computer Name = DEEPTHOUGHT | Source = Service Control Manager | ID = 7022
Description = The CyberLink Task Scheduler (CTS) service hung on starting.


< End of report >

GMER's Log

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-02 11:02:51
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xACCC5F20]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA9C8E35B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA9C8E2DB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA9C8E385]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA9C8E2EF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA9C8E31B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA9C8E3AF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA9C8E2C7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA9C8E36F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA9C8E305]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA9C8E331]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA9C8E347]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA9C8E3C5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA9C8E399]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP A9C8E39D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP A9C8E35F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP A9C8E3B3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP A9C8E3C9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP A9C8E373 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP A9C8E389 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP A9C8E34B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D18 7 Bytes JMP A9C8E335 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231B4 7 Bytes JMP A9C8E309 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 80623792 5 Bytes JMP A9C8E2DF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C22 7 Bytes JMP A9C8E2F3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623DF2 7 Bytes JMP A9C8E31F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B64 5 Bytes JMP A9C8E2CB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F30000
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F30F9E
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F30089
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F30078
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F30FAF
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F30FC0
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F30F63
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F300B5
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F30F48
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F300D7
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F300FC
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F30047
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F30FDB
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F300A4
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F30022
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F30011
.text C:\WINDOWS\System32\svchost.exe[400] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F300C6
.text C:\WINDOWS\System32\svchost.exe[400] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00F20FC0
.text C:\WINDOWS\System32\svchost.exe[400] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00F20062
.text C:\WINDOWS\System32\svchost.exe[400] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00F20011
.text C:\WINDOWS\System32\svchost.exe[400] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00F20FE5
.text C:\WINDOWS\System32\svchost.exe[400] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00F20047
.text C:\WINDOWS\System32\svchost.exe[400] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00F20000
.text C:\WINDOWS\System32\svchost.exe[400] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00F20FAF
.text C:\WINDOWS\System32\svchost.exe[400] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 12, 89 ]
.text C:\WINDOWS\System32\svchost.exe[400] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00F2002C
.text C:\WINDOWS\System32\svchost.exe[400] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F00000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[732] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01CF0FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[732] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01CF0071
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[732] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01CF0056
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[732] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01CF0F7C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[732] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01CF0039
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[732] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01CF0F9E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[732] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01CF0F46
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[732] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01CF0F57
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[732] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01CF00CE
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[732] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01CF00B3
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[732] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 01CF00E9
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[732] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01CF0F8D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[732] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01CF000A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[732] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01CF0082
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[732] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01CF0FC3
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[732] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01CF0FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[732] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 01CF0F35
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[732] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01CE0FCA
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[732] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01CE0047
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[732] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01CE001B
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[732] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01CE0FE5
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[732] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01CE0F94
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[732] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01CE0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[732] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 01CE0036
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[732] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01CE0FAF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[732] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01CC0FE5
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070F66
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F77
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070F9E
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070051
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F3A
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070082
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070EFD
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F18
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 000700B1
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00070F4B
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00070FAF
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00070F29
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00060FDB
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00060F8A
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0006002C
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00060011
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00060FA5
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00060047
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00060FC0
.text C:\WINDOWS\system32\services.exe[832] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E80000
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E80F55
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E80F66
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E80F83
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E80040
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E80FB9
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E80F16
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E80F33
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E80ECF
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E80EE0
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00E8008D
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00E80F9E
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E80FE5
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00E80F44
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00E80FCA
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00E8001B
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00E80EFB
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00E70FDE
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00E70065
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00E70025
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00E70FEF
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00E7004A
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00E7000A
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00E70FB2
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 07, 89 ]
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00E70FCD
.text C:\WINDOWS\system32\lsass.exe[844] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E50FEF
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A9000A
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A900B8
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A9009D
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A90080
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A9006F
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A90FCD
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A900D3
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A90F8D
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A90F66
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A900FF
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00A90F55
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00A9005E
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00A90FEF
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00A90FA8
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00A9002F
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00A90FDE
.text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00A900E4
.text C:\WINDOWS\system32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00A80025
.text C:\WINDOWS\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00A80076
.text C:\WINDOWS\system32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00A80FCA
.text C:\WINDOWS\system32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00A80000
.text C:\WINDOWS\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00A8005B
.text C:\WINDOWS\system32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00A80FEF
.text C:\WINDOWS\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00A80FAF
.text C:\WINDOWS\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ C8, 88 ]
.text C:\WINDOWS\system32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00A80040
.text C:\WINDOWS\system32\svchost.exe[1004] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A60000
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C40FEF
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C40098
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C40087
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C40FAD
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C40076
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C40040
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C40F7E
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C400C6
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C400F2
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C400E1
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00C40F48
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00C4005B
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C40000
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00C400A9
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00C40025
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00C40FD4
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00C40F63
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00C30FA8
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00C30047
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00C30FC3
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00C30FD4
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00C30036
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00C30FEF
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00C30025
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00C30014
.text C:\WINDOWS\system32\svchost.exe[1080] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C10000
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 028C0FEF
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 028C0F7E
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 028C007D
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 028C0FA3
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 028C0FC0
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 028C0051
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 028C0F59
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 028C00AB
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 028C0F1C
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 028C0F2D
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 028C0F01
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 028C0062
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 028C0014
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 028C008E
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 028C0036
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 028C0025
.text C:\WINDOWS\System32\svchost.exe[1200] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 028C0F3E
.text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02890FC3
.text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 02890F6B
.text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02890FD4
.text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 02890000
.text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02890F7C
.text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02890FE5
.text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 02890F97
.text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ A9, 8A ]
.text C:\WINDOWS\System32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02890FB2
.text C:\WINDOWS\System32\svchost.exe[1200] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02870000
.text C:\WINDOWS\System32\svchost.exe[1200] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 028A0000
.text C:\WINDOWS\System32\svchost.exe[1200] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 028A0011
.text C:\WINDOWS\System32\svchost.exe[1200] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 028A0022
.text C:\WINDOWS\System32\svchost.exe[1200] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 028A0033
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00650000
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0065009A
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00650FA5
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00650073
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00650058
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00650036
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00650F8A
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006500C6
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006500FE
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateProcessA 7C80236B 1 Byte [ E9 ]
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateProcessA + 2 7C80236D 3 Bytes [ EB, E4, 83 ]
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00650F54
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00650047
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00650FE5
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 006500B5
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 0065001B
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00650FCA
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 006500ED
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00640FC3
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00640054
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00640FD4
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0064000A
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00640F97
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00640FEF
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00640FA8
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 84, 88 ]
.text C:\WINDOWS\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00640025
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FB0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FB0068
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FB0F73
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FB004D
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FB0F90
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FB0FA1
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FB00A0
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FB008F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FB0F0E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FB0F29
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00FB0EF3
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00FB0028
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00FB0FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00FB0F58
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00FB0FB2
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00FB0FC3
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!WinExec 7C8623AD 1 Byte [ E9 ]
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] kernel32.dll!WinExec + 2 7C8623AF 3 Bytes [ DC, 74, 84 ]
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 008C001E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 008C006C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 008C0FC3
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 008C0FDE
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 008C0051
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 008C0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 008C0040
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 008C002F
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1344] WS2_32.dll!socket 71AB4211 5 Bytes JMP 008A0FEF
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00770FEF
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00770F41
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00770036
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0077001B
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00770F5E
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00770F94
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0077005D
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00770F15
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00770078
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00770EDF
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00770089
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00770F6F
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00770FD4
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00770F26
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00770FAF
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00770000
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00770EF0
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00760FC3
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00760040
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00760014
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00760FDE
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00760F8D
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00760FEF
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00760F9E
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 96, 88 ]
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0076002F
.text C:\WINDOWS\system32\svchost.exe[1360] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00740FEF
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01060000
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0106006A
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01060F75
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0106004D
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01060F9A
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01060FBC
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01060F2C
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01060F49
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01060EF6
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01060F11
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 010600AA
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01060FAB
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01060FEF
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01060F5A
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01060FCD
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01060FDE
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 0106008F
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00FF0FD4
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00FF0F97
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00FF0FE5
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00FF001B
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00FF0FA8
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00FF004A
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00FF0FC3
.text C:\WINDOWS\system32\svchost.exe[1404] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FD0FE5
.text C:\WINDOWS\system32\svchost.exe[1404] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 0105000A
.text C:\WINDOWS\system32\svchost.exe[1404] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 01050FEF
.text C:\WINDOWS\system32\svchost.exe[1404] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 01050025
.text C:\WINDOWS\system32\svchost.exe[1404] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 01050036
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3396] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00260FE5
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3396] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00260F43
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3396] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00260038
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3396] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0026001B
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3396] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00260F68
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3396] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00260F9E
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3396] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00260064
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3396] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00260F1C
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3396] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0026009A
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3396] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00260089
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3396] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 002600AB
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3396] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00260F83
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3396] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00260000
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3396] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00260053
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3396] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00260FAF
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3396] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes JMP 3260531D C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3396] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00260FCA
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3396] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00260F0B
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3396] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 003A0FD4
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3396] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 003A0F83
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3396] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 003A0025
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3396] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 003A0FEF
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3396] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 003A0F9E
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3396] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 003A000A
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3396] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 003A0FB9
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3396] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 5A, 88 ]
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3396] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 003A0040
.text C:\WINDOWS\Explorer.EXE[3900] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A000A
.text C:\WINDOWS\Explorer.EXE[3900] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A007F
.text C:\WINDOWS\Explorer.EXE[3900] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F8A
.text C:\WINDOWS\Explorer.EXE[3900] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0062
.text C:\WINDOWS\Explorer.EXE[3900] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0047
.text C:\WINDOWS\Explorer.EXE[3900] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0036
.text C:\WINDOWS\Explorer.EXE[3900] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00BC
.text C:\WINDOWS\Explorer.EXE[3900] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A00A1
.text C:\WINDOWS\Explorer.EXE[3900] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F45
.text C:\WINDOWS\Explorer.EXE[3900] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00DE
.text C:\WINDOWS\Explorer.EXE[3900] kernel32.dll!GetProcAddress 7C80AE30 1 Byte [ E9 ]
.text C:\WINDOWS\Explorer.EXE[3900] kernel32.dll!GetProcAddress + 2 7C80AE32 3 Bytes [ 60, 99, 83 ]
.text C:\WINDOWS\Explorer.EXE[3900] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0FAF
.text C:\WINDOWS\Explorer.EXE[3900] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A001B
.text C:\WINDOWS\Explorer.EXE[3900] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A0090
.text C:\WINDOWS\Explorer.EXE[3900] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\Explorer.EXE[3900] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\Explorer.EXE[3900] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A00CD
.text C:\WINDOWS\Explorer.EXE[3900] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00290FC3
.text C:\WINDOWS\Explorer.EXE[3900] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00290039
.text C:\WINDOWS\Explorer.EXE[3900] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00290FD4
.text C:\WINDOWS\Explorer.EXE[3900] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00290FE5
.text C:\WINDOWS\Explorer.EXE[3900] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00290F7C
.text C:\WINDOWS\Explorer.EXE[3900] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00290000
.text C:\WINDOWS\Explorer.EXE[3900] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00290F8D
.text C:\WINDOWS\Explorer.EXE[3900] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 49, 88 ]
.text C:\WINDOWS\Explorer.EXE[3900] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00290FA8
.text C:\WINDOWS\Explorer.EXE[3900] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\Explorer.EXE[3900] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 002C0FDE
.text C:\WINDOWS\Explorer.EXE[3900] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 002C0FC3
.text C:\WINDOWS\Explorer.EXE[3900] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 002C0FB2
.text C:\WINDOWS\Explorer.EXE[3900] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01F30000

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat A946ED20

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x7A 0x45 0x05 0xFD ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{B6A930A0-A4F5-43A5-9B4E-6189A6C2B9E8}@t!s!s!d!t!s!d!t!s!r!y!s!s!t!\30!c! 71230
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...

---- EOF - GMER 1.0.14 ----

#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:04:13 PM

Posted 02 December 2008 - 07:33 PM

Hello, Weihao
We need to repair your Hosts file
  • Download HostsXpert.zip
  • Extract (unzip) HostsXpert.zip to a a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click "Restore Microsoft's Hosts file" and then click "OK".
  • Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

We need to execute an OTMoveIt3 script
  • Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
    :commands
    [EmptyTemp]
  • Push the large Posted Image button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
In your next reply, please include the following:
  • OTMoveIt3's Log
  • A New OTVIewIt Main.txt
  • A New OTViewIt Extra.txt

Billy3

Edited by Billy O'Neal, 02 December 2008 - 07:33 PM.

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#5 Weihao

Weihao
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:13 PM

Posted 03 December 2008 - 05:46 AM

Hi Bill,

Here are the new files. I will be going away for a few days, should be back on Sunday. I will do my best to reply as soon as I get back.

Thanks again :thumbsup:

OTMoveIt3 Log

========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\\ deleted successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Weihao\LOCALS~1\Temp\NAILogs\UpdaterUI_DEEPTHOUGHT.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Weihao\LOCALS~1\Temp\etilqs_5eU7iMhtxlBZ0ABjJXLj scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Weihao\LOCALS~1\Temp\etilqs_RtTwNo6Hdrbr7V5ACvmd scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Weihao\LOCALS~1\Temp\etilqs_RtTwNo6Hdrbr7V5ACvmd-journal scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_4dc.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\WFV2.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Weihao\Local Settings\Application Data\Mozilla\Firefox\Profiles\1p0x4tt7.default\OfflineCache\index.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Weihao\Local Settings\Application Data\Mozilla\Firefox\Profiles\1p0x4tt7.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Weihao\Local Settings\Application Data\Mozilla\Firefox\Profiles\1p0x4tt7.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Weihao\Local Settings\Application Data\Mozilla\Firefox\Profiles\1p0x4tt7.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Weihao\Local Settings\Application Data\Mozilla\Firefox\Profiles\1p0x4tt7.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Weihao\Local Settings\Application Data\Mozilla\Firefox\Profiles\1p0x4tt7.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 12032008_102457

Files moved on Reboot...
C:\DOCUME~1\Weihao\LOCALS~1\Temp\NAILogs\UpdaterUI_DEEPTHOUGHT.log moved successfully.
File C:\DOCUME~1\Weihao\LOCALS~1\Temp\etilqs_5eU7iMhtxlBZ0ABjJXLj not found!
File C:\DOCUME~1\Weihao\LOCALS~1\Temp\etilqs_RtTwNo6Hdrbr7V5ACvmd not found!
File C:\DOCUME~1\Weihao\LOCALS~1\Temp\etilqs_RtTwNo6Hdrbr7V5ACvmd-journal not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_4dc.dat not found!
File move failed. C:\WINDOWS\temp\WFV2.tmp scheduled to be moved on reboot.
C:\Documents and Settings\Weihao\Local Settings\Application Data\Mozilla\Firefox\Profiles\1p0x4tt7.default\OfflineCache\index.sqlite moved successfully.
C:\Documents and Settings\Weihao\Local Settings\Application Data\Mozilla\Firefox\Profiles\1p0x4tt7.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Weihao\Local Settings\Application Data\Mozilla\Firefox\Profiles\1p0x4tt7.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Weihao\Local Settings\Application Data\Mozilla\Firefox\Profiles\1p0x4tt7.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Weihao\Local Settings\Application Data\Mozilla\Firefox\Profiles\1p0x4tt7.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Weihao\Local Settings\Application Data\Mozilla\Firefox\Profiles\1p0x4tt7.default\urlclassifier3.sqlite moved successfully.

OTViewIt.txt

OTViewIt logfile created on: 03/12/2008 10:35:49 - Run 2
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Documents and Settings\Weihao\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.50 Gb Total Physical Memory | 0.86 Gb Available Physical Memory | 57.29% Memory free
3.35 Gb Paging File | 2.79 Gb Available in Paging File | 83.14% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.65 Gb Total Space | 71.80 Gb Free Space | 49.64% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DEEPTHOUGHT
Current User Name: Weihao
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2008/10/29 02:09:10 | 00,585,728 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
[2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
[2008/10/29 02:09:10 | 00,585,728 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
[2008/07/07 07:15:18 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
[2008/10/01 13:06:14 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
[2008/08/29 09:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
[2005/01/14 18:22:24 | 00,172,153 | ---- | M] () -- C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
[2005/01/14 18:22:26 | 00,110,711 | ---- | M] () -- C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
[2005/01/14 18:22:50 | 00,024,576 | ---- | M] (Cyberlink) -- C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
[2005/01/14 18:22:52 | 00,737,379 | ---- | M] (Cyberlink) -- C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
[2008/02/27 16:56:54 | 03,072,184 | ---- | M] (Kontiki Inc.) -- C:\Program Files\Kontiki\KService.exe
[2006/11/17 13:37:44 | 00,104,000 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
[2006/11/30 08:50:00 | 00,144,960 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
[2006/11/30 08:50:00 | 00,054,872 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
[2006/11/17 13:40:56 | 00,136,768 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
[2006/10/18 19:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe
[2008/10/16 14:09:44 | 00,051,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wuauclt.exe
[2008/04/14 00:12:29 | 00,069,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\notepad.exe
[2006/11/30 08:50:00 | 00,112,216 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
[2006/11/17 13:39:58 | 00,136,768 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe
[2006/11/03 19:20:12 | 00,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
[2008/06/10 03:27:04 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
[2007/08/24 06:00:48 | 00,033,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[2005/05/20 08:11:06 | 00,925,696 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
[2008/09/02 10:48:12 | 00,049,152 | ---- | M] (Advanced Micro Devices Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
[2006/11/17 03:06:00 | 00,086,016 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\Mctray.exe
[2006/10/18 19:05:26 | 00,204,288 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe
[2008/09/02 10:40:46 | 00,049,152 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
[2008/10/31 21:51:58 | 00,307,712 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
[2008/12/02 10:46:24 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Weihao\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2008/07/07 07:15:18 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice [Auto | Running])
[2008/10/01 13:06:14 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
[2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2008/10/29 02:09:10 | 00,585,728 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])
[2008/10/28 21:05:00 | 00,593,920 | ---- | M] () -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart [Auto | Stopped])
[2008/08/29 09:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
[2005/01/14 18:22:24 | 00,172,153 | ---- | M] () -- C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe -- (CLCapSvc [Auto | Running])
[2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2005/01/14 18:22:26 | 00,110,711 | ---- | M] () -- C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe -- (CLSched [Auto | Running])
[2005/01/14 18:22:50 | 00,024,576 | ---- | M] (Cyberlink) -- C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe -- (CyberLink Media Library Service [Auto | Running])
[2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
[2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
[2008/10/01 18:57:00 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
[2008/02/27 16:56:54 | 03,072,184 | ---- | M] (Kontiki Inc.) -- C:\Program Files\Kontiki\KService.exe -- (KService [Auto | Running])
[2006/11/17 13:37:44 | 00,104,000 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework [Unknown | Running])
[2006/11/30 08:50:00 | 00,144,960 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe -- (McShield [Unknown | Running])
[2006/11/30 08:50:00 | 00,054,872 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager [Unknown | Running])
[2007/08/24 05:59:20 | 00,068,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service [On_Demand | Stopped])
[2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
[2007/08/24 02:19:12 | 00,443,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
[2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2007/10/18 11:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])
[2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend [Auto | Running])
[2007/10/25 15:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])
[2006/10/18 19:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [Auto | Running])

========== Driver Services ==========

[2005/10/05 16:21:10 | 00,141,312 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService [On_Demand | Running])
[2005/03/04 19:53:00 | 00,127,872 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (AEAudioService [On_Demand | Running])
[2001/08/17 13:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\drivers\aliide.sys -- (AliIde [Disabled | Stopped])
[2008/04/13 18:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\drivers\amdagp.sys -- (amdagp [Disabled | Stopped])
[2006/05/10 10:27:00 | 00,036,864 | ---- | M] (Advanced Micro Devices) -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8 [System | Running])
[2001/08/17 13:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\drivers\asc.sys -- (asc [Disabled | Stopped])
[2001/08/17 13:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\drivers\asc3550.sys -- (asc3550 [Disabled | Stopped])
[2008/10/29 03:10:58 | 03,341,824 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag [On_Demand | Running])
[2001/08/17 13:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\drivers\cmdide.sys -- (CmdIde [Disabled | Stopped])
[2001/08/17 13:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\system32\drivers\dac2w2k.sys -- (dac2w2k [Disabled | Stopped])
[2005/04/01 10:42:20 | 00,066,048 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\system32\drivers\EAPPkt.sys -- (EAPPkt [Auto | Running])
[2007/09/07 13:55:04 | 00,027,672 | ---- | M] (EnTech Taiwan) -- C:\WINDOWS\system32\drivers\Entech.sys -- (ENTECH [On_Demand | Stopped])
[2003/08/06 09:43:00 | 00,159,744 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\drivers\Fasttx2k.sys -- (fasttx2k [Disabled | Stopped])
[2008/04/17 12:12:54 | 00,015,464 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
[2008/12/02 10:52:54 | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\system32\drivers\gmer.sys -- (gmer [On_Demand | Stopped])
[2004/10/27 14:21:30 | 00,145,920 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\Hdaudio.sys -- (HdAudAddService [On_Demand | Stopped])
[2008/04/13 16:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus [On_Demand | Running])
[2004/09/29 22:35:30 | 00,219,136 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2 [On_Demand | Running])
[2004/09/29 22:33:50 | 01,036,928 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP [On_Demand | Running])
[2004/04/20 10:13:00 | 00,472,960 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor [Disabled | Stopped])
[2005/02/05 07:00:00 | 00,085,888 | ---- | M] (ULi Electronics Inc.) -- C:\WINDOWS\system32\drivers\m5287.sys -- (m5287 [Disabled | Stopped])
[2004/12/01 10:49:00 | 00,051,840 | ---- | M] (ULi Electronics Inc.) -- C:\WINDOWS\system32\drivers\m5289.sys -- (m5289 [Disabled | Stopped])
[2004/03/17 19:04:14 | 00,013,059 | ---- | M] (Conexant) -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
[2006/11/30 08:50:00 | 00,064,360 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk [On_Demand | Running])
[2006/11/30 08:50:00 | 00,072,264 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk [On_Demand | Running])
[2006/11/30 08:50:00 | 00,034,152 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk [On_Demand | Running])
[2006/11/30 08:50:00 | 00,168,776 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk [On_Demand | Running])
[2006/11/30 08:50:00 | 00,031,944 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys -- (mferkdk [System | Running])
[2006/11/30 08:50:00 | 00,052,136 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik [System | Running])
[2001/08/17 12:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])
[2004/07/09 03:26:38 | 00,015,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mpe.sys -- (MPE [On_Demand | Stopped])
[2001/08/17 13:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\drivers\mraid35x.sys -- (mraid35x [Disabled | Stopped])
[2005/07/29 16:11:02 | 00,034,048 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD [On_Demand | Running])
[2005/07/29 16:11:04 | 00,012,928 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus [On_Demand | Running])
[2004/08/04 12:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2001/08/17 13:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\drivers\ql1080.sys -- (ql1080 [Disabled | Stopped])
[2001/08/17 13:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\drivers\ql12160.sys -- (ql12160 [Disabled | Stopped])
[2001/08/17 13:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\drivers\ql1280.sys -- (ql1280 [Disabled | Stopped])
[2006/06/16 07:30:16 | 00,176,128 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\drivers\RTL8187.sys -- (RTLWUSB [On_Demand | Running])
[2008/11/17 15:11:06 | 00,008,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV [System | Running])
[2008/11/17 15:11:08 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Running])
[2008/11/17 15:11:04 | 00,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL [System | Running])
[2007/11/13 10:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2005/08/11 12:49:28 | 00,393,088 | ---- | M] (Sensaura) -- C:\WINDOWS\system32\drivers\senfilt.sys -- (SenFiltService [On_Demand | Running])
[2008/04/13 18:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\drivers\sisagp.sys -- (sisagp [Disabled | Stopped])
[2002/10/02 08:57:12 | 00,013,532 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\system32\drivers\SjyPkt.sys -- (SjyPkt [On_Demand | Stopped])
[2001/08/17 14:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\drivers\sparrow.sys -- (Sparrow [Disabled | Stopped])
[2001/08/17 14:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\drivers\symc810.sys -- (symc810 [Disabled | Stopped])
[2001/08/17 14:07:36 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\drivers\symc8xx.sys -- (symc8xx [Disabled | Stopped])
[2001/08/17 14:07:40 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\drivers\sym_hi.sys -- (sym_hi [Disabled | Stopped])
[2001/08/17 14:07:42 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\drivers\sym_u3.sys -- (sym_u3 [Disabled | Stopped])
[2001/08/17 13:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\drivers\ultra.sys -- (ultra [Disabled | Stopped])
[2006/08/09 10:10:12 | 00,291,200 | ---- | M] (eMPIA Technology, Inc.) -- C:\WINDOWS\system32\drivers\emBDA.sys -- (USB28xxBGA [On_Demand | Stopped])
[2006/08/09 10:10:12 | 00,028,160 | ---- | M] (eMPIA Technology, Inc.) -- C:\WINDOWS\system32\drivers\emOEM.sys -- (USB28xxOEM [On_Demand | Stopped])
[2004/03/29 12:45:00 | 00,073,600 | ---- | M] (VIA Technologies inc,.ltd) -- C:\WINDOWS\system32\drivers\viamraid.sys -- (viamraid [Disabled | Stopped])
[2004/09/29 22:34:24 | 00,702,592 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf [On_Demand | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Default_Secondary_Page_URL"=
"Extensions Off Page"=about:NoAdd-ons
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Security Risk Page"=about:SecurityRisk
"Start Page"=http://go.microsoft.com/fwlink/?LinkId=69157

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.meshcomputers.com

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = *.local

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"=http://www.meshcomputers.com

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"=http://www.meshcomputers.com

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"=http://www.meshcomputers.com

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"=http://www.meshcomputers.com

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-21-385581006-951137195-734082779-1006\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.meshcomputers.com

[HKEY_USERS\S-1-5-21-385581006-951137195-734082779-1006\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-385581006-951137195-734082779-1006\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)

[HKEY_USERS\S-1-5-21-385581006-951137195-734082779-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = *.local

========== (O1) Hosts File ==========

HOSTS File = (698 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} (HKLM) -- C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{3049C3E9-B461-4BC5-8870-4C09146192CA} (HKLM) -- C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
{72853161-30C5-4D22-B7F9-0BBC1D38A37E} (HKLM) -- C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
{7DB2D5A0-7241-4E79-B68D-6309F01C5231} (HKLM) -- C:\Program Files\McAfee\VirusScan Enterprise\ScriptCl.dll (McAfee, Inc.)
{9030D464-4C02-4ABF-8ECC-5164760863C6} (HKLM) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} (HKLM) -- C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" (Microsoft Corporation)
"High Definition Audio Property Page Shortcut"=HDAShCut.exe (Windows ® Server 2003 DDK provider)
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey (McAfee, Inc.)
"Ptipbmf"=rundll32.exe ptipbmf.dll,SetWriteCacheMode (Promise Technology, Inc.)
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE (McAfee, Inc.)
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray (Analog Devices, Inc.)
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun (Advanced Micro Devices, Inc.)
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" (Sun Microsystems, Inc.)
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" -hide (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"=C:\Program Files\Kontiki\KHost.exe -all (Kontiki Inc.)
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-385581006-951137195-734082779-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"=C:\Program Files\Kontiki\KHost.exe -all (Kontiki Inc.)
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)

========== (O4) Startup Folders ==========


========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-385581006-951137195-734082779-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\Office12\EXCEL.EXE [2008/07/30 02:25:02 | 17,930,264 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-385581006-951137195-734082779-1006\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\Office12\EXCEL.EXE [2008/07/30 02:25:02 | 17,930,264 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [2008/06/10 03:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{2670000A-7350-4f3c-8081-5663EE0C6C49}: Button: Send to OneNote -- %ProgramFiles%\Microsoft Office\Office12\ONBttnIE.dll [2007/12/13 01:20:58 | 00,606,288 | ---- | M] (Microsoft Corporation)
{2670000A-7350-4f3c-8081-5663EE0C6C49}: Menu: S&end to OneNote -- %ProgramFiles%\Microsoft Office\Office12\ONBttnIE.dll [2007/12/13 01:20:58 | 00,606,288 | ---- | M] (Microsoft Corporation)
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\Office12\REFIEBAR.DLL [2006/10/26 20:12:22 | 00,040,424 | ---- | M] (Microsoft Corporation)
{e2e2dd38-d088-4134-82b7-f2ba38496583}: Menu: @xpsp3res.dll,-20001 -- %SystemRoot%\network diagnostic\xpnetdiag.exe [2008/04/13 18:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/14 00:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2008/04/14 00:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Sun Java Console] -> [2008/06/10 03:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{2670000A-7350-4f3c-8081-5663EE0C6C49} [HKLM] -> %ProgramFiles%\Microsoft Office\Office12\ONBttnIE.dll [Send to OneNote] -> [2007/12/13 01:20:58 | 00,606,288 | ---- | M] (Microsoft Corporation)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\Office12\REFIEBAR.DLL [Research] -> [2006/10/26 20:12:22 | 00,040,424 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 00:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\Office12\REFIEBAR.DLL [Research] -> [2006/10/26 20:12:22 | 00,040,424 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 00:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\Office12\REFIEBAR.DLL [Research] -> [2006/10/26 20:12:22 | 00,040,424 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 00:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-385581006-951137195-734082779-1006\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Sun Java Console] -> [2008/06/10 03:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{2670000A-7350-4f3c-8081-5663EE0C6C49} [HKLM] -> %ProgramFiles%\Microsoft Office\Office12\ONBttnIE.dll [Send to OneNote] -> [2007/12/13 01:20:58 | 00,606,288 | ---- | M] (Microsoft Corporation)
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\Office12\REFIEBAR.DLL [Research] -> [2006/10/26 20:12:22 | 00,040,424 | ---- | M] (Microsoft Corporation)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 00:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab}: -- Reg Error: Key does not exist or could not be opened.
{5ED80217-570B-4DA9-BF44-BE107C0EC166}: http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab -- Windows Live Safety Center Base Module
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}: http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab -- Reg Error: Key does not exist or could not be opened.
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_03
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_05
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07

========== (O17) DNS Name Servers ==========

{2A329BA3-C935-49BE-8228-B884F776D848} (Servers: | Description: Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter)
{36162AF2-FC0C-41B2-9545-584D0A128474} (Servers: | Description: )
{4AC70ECF-53FD-4341-A091-BC8C5ADA030D} (Servers: | Description: NVIDIA nForce Networking Controller)
{7C9CD6B0-5208-4DFB-952A-DFEF92444849} (Servers: | Description: Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter)

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
!SASWinLogon: "DllName" = C:\Program Files\SUPERAntiSpyware\SASWINLO.dll -- C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
AtiExtEvent: "DllName" = Ati2evxx.dll -- C:\WINDOWS\system32\ati2evxx.dll (ATI Technologies Inc.)

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" (HKLM) -- C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" (HKLM) -- C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" (HKLM) -- C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2005/11/25 09:00:41 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

========== Files/Folders - Created Within 30 Days ==========

[3 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2008/12/03 10:24:57 | 00,000,000 | ---D | C] -- C:\_OTMoveIt
[2008/12/03 10:23:48 | 00,349,696 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Weihao\Desktop\OTMoveIt3.exe
[2008/12/03 10:20:03 | 00,000,000 | ---D | C] -- C:\HostsXpert
[2008/12/03 10:19:14 | 00,353,485 | ---- | C] () -- C:\Documents and Settings\Weihao\Desktop\HostsXpert.zip
[2008/12/02 17:55:54 | 00,011,066 | ---- | C] () -- C:\Documents and Settings\Weihao\Desktop\Blurb.docx
[2008/12/02 10:52:56 | 00,000,250 | ---- | C] () -- C:\WINDOWS\gmer.ini
[2008/12/02 10:52:54 | 00,884,736 | ---- | C] () -- C:\WINDOWS\gmer.dll
[2008/12/02 10:52:54 | 00,811,008 | ---- | C] () -- C:\WINDOWS\gmer.exe
[2008/12/02 10:52:54 | 00,085,969 | ---- | C] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys
[2008/12/02 10:52:54 | 00,000,080 | ---- | C] () -- C:\WINDOWS\gmer_uninstall.cmd
[2008/12/02 10:52:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Weihao\Desktop\gmer
[2008/12/02 10:50:21 | 00,747,873 | ---- | C] () -- C:\Documents and Settings\Weihao\Desktop\gmer.zip
[2008/12/02 10:45:59 | 00,422,400 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Weihao\Desktop\OTViewIt.exe
[2008/12/01 20:49:06 | 73,425,1008 | ---- | C] () -- C:\Documents and Settings\Weihao\Desktop\In.Bruges.DVDRip.XviD-DiAMOND.avi
[2008/11/30 17:58:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Weihao\Local Settings\Application Data\IsolatedStorage
[2008/11/30 17:44:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Weihao\My Documents\InstantCDDVD
[2008/11/30 14:23:54 | 00,061,440 | ---- | C] (eMPIA Technology, Inc.) -- C:\WINDOWS\emMON.exe
[2008/11/30 14:23:13 | 00,053,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\vfwwdm32.dll
[2008/11/30 14:23:13 | 00,053,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\vfwwdm32.dll
[2008/11/30 14:22:55 | 00,291,200 | ---- | C] (eMPIA Technology, Inc.) -- C:\WINDOWS\System32\drivers\emBDA.sys
[2008/11/30 14:22:55 | 00,032,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\emPRP.ax
[2008/11/30 14:22:55 | 00,028,160 | ---- | C] (eMPIA Technology, Inc.) -- C:\WINDOWS\System32\drivers\emOEM.sys
[2008/11/30 14:20:14 | 00,446,464 | ---- | C] (eHelp Corporation.) -- C:\WINDOWS\System32\HHActiveX.dll
[2008/11/30 14:20:07 | 01,060,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MFC71.dll
[2008/11/30 14:20:07 | 00,089,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\atl71.dll
[2008/11/30 14:20:05 | 00,000,000 | ---D | C] -- C:\Program Files\Pinnacle
[2008/11/30 14:19:30 | 00,000,349 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\PCLECHAL.INI
[2008/11/30 14:18:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Pinnacle
[2008/11/29 22:52:48 | 73,426,1248 | ---- | C] () -- C:\Documents and Settings\Weihao\Desktop\Shanghai Noon.DVDRIP.XViD.Helloween.avi
[2008/11/28 02:24:09 | 00,045,138 | ---- | C] () -- C:\Documents and Settings\Weihao\Desktop\Careers.pdf
[2008/11/28 02:23:50 | 02,008,416 | ---- | C] () -- C:\Documents and Settings\Weihao\Desktop\view.pdf
[2008/11/26 20:59:14 | 00,024,576 | ---- | C] () -- C:\Documents and Settings\Weihao\Desktop\Feeding timetable.xls
[2008/11/25 10:56:55 | 00,776,807 | ---- | C] () -- C:\Documents and Settings\Weihao\Desktop\Zhongfu et al. (2008).pdf
[2008/11/24 09:38:49 | 00,000,000 | ---D | C] -- C:\rsit
[2008/11/24 09:37:51 | 00,305,705 | ---- | C] () -- C:\Documents and Settings\Weihao\Desktop\RSIT.exe
[2008/11/23 16:48:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Weihao\Desktop\Antivirus
[2008/11/23 01:09:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2008/11/23 01:09:30 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2008/11/23 01:09:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Weihao\Application Data\SUPERAntiSpyware.com
[2008/11/22 14:31:44 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2008/11/21 21:48:19 | 00,001,817 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Medieval II Total War Teutonic.lnk
[2008/11/21 21:45:36 | 00,001,817 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Medieval II Total War Crusades.lnk
[2008/11/21 21:43:18 | 00,001,827 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Medieval II Total War Britannia.lnk
[2008/11/21 21:41:14 | 00,001,817 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Medieval II Total War Americas.lnk
[2008/11/21 20:46:54 | 00,001,759 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Medieval II Total War.lnk
[2008/11/21 20:36:28 | 00,000,000 | ---D | C] -- C:\Program Files\SEGA
[2008/11/21 20:34:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Weihao\Application Data\InstallShield
[2008/11/21 20:23:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Weihao\Desktop\saves
[2008/11/21 13:26:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ATI
[2008/11/21 13:23:57 | 00,000,000 | ---D | C] -- C:\Program Files\ATI
[2008/11/21 13:22:01 | 00,593,920 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2008/11/21 10:40:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Weihao\Desktop\Total_War_Kingdoms_EnFrItGeSp
[2008/11/20 23:21:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2008/11/20 23:21:25 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2008/11/20 23:20:39 | 00,597,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\printfilterpipelinesvc.exe
[2008/11/20 23:20:39 | 00,117,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\prntvpt.dll
[2008/11/20 23:20:39 | 00,089,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\filterpipelineprintproc.dll
[2008/11/20 23:20:38 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpssvcs.dll
[2008/11/20 23:20:38 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpssvcs.dll
[2008/11/20 23:20:38 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsshhdr.dll
[2008/11/20 23:20:38 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpsshhdr.dll
[2008/11/20 23:20:38 | 00,000,000 | ---D | C] -- C:\c204096a78a6996e0be056
[2008/11/20 23:20:22 | 00,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2008/11/20 22:22:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Weihao\Application Data\WinRAR
[2008/11/20 22:22:14 | 00,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2008/11/19 17:09:41 | 00,022,927 | ---- | C] () -- C:\Documents and Settings\Weihao\My Documents\Booking Summary.docx
[2008/11/19 12:36:09 | 00,125,440 | ---- | C] () -- C:\Documents and Settings\Weihao\My Documents\KB BTP 19112008 1 - Zhong - First Letter.doc
[2008/11/16 17:03:25 | 00,001,609 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Sunbird.lnk
[2008/11/16 17:03:20 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Sunbird
[2008/11/13 00:24:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Weihao\Application Data\Mozilla
[2008/11/13 00:24:31 | 00,001,609 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2008/11/12 10:38:50 | 00,455,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mrxsmb.sys
[2008/11/12 10:38:35 | 01,106,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msxml3.dll

========== Files - Modified Within 30 Days ==========

[3 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2008/12/03 10:30:44 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2008/12/03 10:29:17 | 00,085,736 | ---- | M] () -- C:\Documents and Settings\Weihao\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/12/03 10:27:22 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2008/12/03 10:27:13 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2008/12/03 10:27:12 | 00,060,452 | ---- | M] () -- C:\WINDOWS\System32\ativvaxx.cap
[2008/12/03 10:23:54 | 00,349,696 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Weihao\Desktop\OTMoveIt3.exe
[2008/12/03 10:23:27 | 00,000,698 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2008/12/03 10:19:19 | 00,353,485 | ---- | M] () -- C:\Documents and Settings\Weihao\Desktop\HostsXpert.zip
[2008/12/02 17:55:55 | 00,011,066 | ---- | M] () -- C:\Documents and Settings\Weihao\Desktop\Blurb.docx
[2008/12/02 10:52:56 | 00,000,250 | ---- | M] () -- C:\WINDOWS\gmer.ini
[2008/12/02 10:52:54 | 00,884,736 | ---- | M] () -- C:\WINDOWS\gmer.dll
[2008/12/02 10:52:54 | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys
[2008/12/02 10:52:54 | 00,000,080 | ---- | M] () -- C:\WINDOWS\gmer_uninstall.cmd
[2008/12/02 10:50:31 | 00,747,873 | ---- | M] () -- C:\Documents and Settings\Weihao\Desktop\gmer.zip
[2008/12/02 10:46:24 | 00,422,400 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Weihao\Desktop\OTViewIt.exe
[2008/12/01 20:48:49 | 00,039,424 | ---- | M] () -- C:\Documents and Settings\Weihao\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/12/01 16:34:55 | 00,000,588 | ---- | M] () -- C:\Documents and Settings\Weihao\My Documents\My Sharing Folders.lnk
[2008/12/01 16:01:38 | 00,306,008 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/12/01 09:57:42 | 00,000,592 | ---- | M] () -- C:\WINDOWS\win.ini
[2008/12/01 09:50:22 | 00,000,349 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\PCLECHAL.INI
[2008/11/29 11:56:54 | 00,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008/11/28 02:24:09 | 00,045,138 | ---- | M] () -- C:\Documents and Settings\Weihao\Desktop\Careers.pdf
[2008/11/28 02:23:50 | 02,008,416 | ---- | M] () -- C:\Documents and Settings\Weihao\Desktop\view.pdf
[2008/11/26 20:59:31 | 00,024,576 | ---- | M] () -- C:\Documents and Settings\Weihao\Desktop\Feeding timetable.xls
[2008/11/25 10:56:55 | 00,776,807 | ---- | M] () -- C:\Documents and Settings\Weihao\Desktop\Zhongfu et al. (2008).pdf
[2008/11/24 09:37:52 | 00,305,705 | ---- | M] () -- C:\Documents and Settings\Weihao\Desktop\RSIT.exe
[2008/11/22 12:26:10 | 00,004,096 | ---- | M] () -- C:\WINDOWS\System32\crash
[2008/11/21 21:48:19 | 00,001,817 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Medieval II Total War Teutonic.lnk
[2008/11/21 21:45:37 | 00,001,817 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Medieval II Total War Crusades.lnk
[2008/11/21 21:43:18 | 00,001,827 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Medieval II Total War Britannia.lnk
[2008/11/21 21:41:14 | 00,001,817 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Medieval II Total War Americas.lnk
[2008/11/21 21:19:54 | 00,001,759 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Medieval II Total War.lnk
[2008/11/21 13:04:06 | 00,000,010 | ---- | M] () -- C:\WINDOWS\WININIT.INI
[2008/11/20 23:39:44 | 00,107,888 | ---- | M] (Sony DADC Austria AG.) -- C:\WINDOWS\System32\CmdLineExt.dll
[2008/11/20 23:22:16 | 00,525,268 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2008/11/20 23:22:16 | 00,445,066 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2008/11/20 23:22:16 | 00,072,654 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2008/11/19 17:15:19 | 00,022,927 | ---- | M] () -- C:\Documents and Settings\Weihao\My Documents\Booking Summary.docx
[2008/11/19 12:36:12 | 00,125,440 | ---- | M] () -- C:\Documents and Settings\Weihao\My Documents\KB BTP 19112008 1 - Zhong - First Letter.doc
[2008/11/16 17:03:25 | 00,001,609 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Sunbird.lnk
[2008/11/13 00:24:31 | 00,001,609 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2008/11/08 19:33:22 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2008/11/03 16:10:26 | 17,318,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
< End of report >

Extras.txt

OTViewIt Extras logfile created on: 03/12/2008 10:35:49 - Run 2
OTViewIt by OldTimer - Version 1.0.20.0 Folder = C:\Documents and Settings\Weihao\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.50 Gb Total Physical Memory | 0.86 Gb Available Physical Memory | 57.29% Memory free
3.35 Gb Paging File | 2.79 Gb Available in Paging File | 83.14% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.65 Gb Total Space | 71.80 Gb Free Space | 49.64% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DEEPTHOUGHT
Current User Name: Weihao
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = Reg Error: Value does not exist or could not be read.] -- Reg Error: Key does not exist or could not be opened. File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=1
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=0
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/14 00:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/04/13 18:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2007/10/18 11:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
[2007/10/02 17:18:24 | 00,304,488 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/14 00:12:34 | 00,141,312 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2005/01/14 18:21:44 | 00,045,056 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerCinema\PowerCinema.exe:*:Enabled:PowerCinema
[2006/11/17 13:37:44 | 00,104,000 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service
[2008/05/08 11:02:13 | 11,202,368 | ---- | M] (THQ Canada Inc.) -- C:\Program Files\THQ\Company of Heroes\RelicCOH.exe:*:Enabled:Company of Heroes - Opposing Fronts
[2008/05/21 03:37:24 | 12,844,576 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook
[2007/08/28 23:23:36 | 00,340,856 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove
[2008/05/21 04:54:40 | 01,022,496 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote
[2008/04/13 18:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2008/10/31 21:51:58 | 00,307,712 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox
File not found -- C:\Program Files\Real\RealOne Player\realplay.exe:*:Enabled:RealOne Player
[2007/10/18 11:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
[2007/10/02 17:18:24 | 00,304,488 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)
[2008/02/27 16:56:54 | 03,072,184 | ---- | M] (Kontiki Inc.) -- C:\Program Files\Kontiki\KService.exe:*:Enabled:Delivery Manager Service
[2005/10/18 15:35:32 | 11,691,000 | ---- | M] (Firaxis Games) -- C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4
[2008/05/22 19:51:30 | 00,214,560 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer
File not found -- C:\Documents and Settings\Weihao\Desktop\Nick's stuff\utorrent-1.8-beta-10198.upx.exe:*:Enabled:µTorrent
[2007/12/12 15:25:46 | 21,686,568 | R--- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath
[2008/08/29 09:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
[2008/09/18 18:50:21 | 00,147,456 | ---- | M] (Lime Wire, LLC) -- C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire
[2008/10/01 18:57:04 | 14,258,472 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
File not found -- C:\Program Files\Pinnacle\MediaCenter\PMC.exe:LocalSubNet:Enabled:Pmc.exe
File not found -- C:\Program Files\Pinnacle\MediaCenter\PSST.exe:LocalSubNet:Enabled:PSST.exe
File not found -- C:\Program Files\Pinnacle\MediaCenter\PMSInstallInit.exe:LocalSubNet:Enabled:PMSInstallInit.exe
File not found -- C:\Program Files\Pinnacle\MediaCenter\PMC.Tvtv.Wizard.exe:LocalSubNet:Enabled:PMC.Tvtv.Wizard.exe
File not found -- C:\Program Files\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe:LocalSubNet:Disabled:PMCService

========== (O10) Winsock2 Catalogs ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\]
NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] -- C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2007/08/24 06:01:46 | 00,224,128 | ---- | M] (Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (grooveLocalGWS:{88FED34C-F0CA-4636-A375-3CB6248B04CD} (HKLM) [Local Groove Web Services Protocol])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2007/08/28 22:55:14 | 01,014,128 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2007/10/18 11:31:54 | 00,066,072 | ---- | M] (Microsoft Corporation) C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (livecall:{828030A1-22C1-4009-854F-8E305202313F} (HKLM) [Reg Error: Value does not exist or could not be read.])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2007/08/28 22:55:14 | 01,014,128 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2007/08/28 22:55:14 | 01,014,128 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2006/10/26 13:45:02 | 00,873,216 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (ms-help:{314111c7-a502-11d2-bbca-00c04f8ec294} (HKLM) [HxProtocol Class])

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2007/10/18 11:31:54 | 00,066,072 | ---- | M] (Microsoft Corporation) C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (msnim:{828030A1-22C1-4009-854F-8E305202313F} (HKLM) [Reg Error: Value does not exist or could not be read.])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2006/10/26 21:41:48 | 00,044,344 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL text/xml:{807563E5-5146-11D5-A672-00B0D022E945} (HKLM) [Microsoft Office InfoPath XML Mime Filter]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00E15D21-B68B-D7C4-574B-636E2D1ECEBE}"=Catalyst Control Center HydraVision Full
"{02A10468-2F1C-447C-AD8E-4DEDDEA25AE2}"=Medieval II Total War : Kingdoms : Crusades
"{02EBDBB9-4600-41D3-B566-40CB861511D2}"=World of Warcraft FREE Trial
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}"=Steam
"{055EE59D-217B-43A7-ABFF-507B966405D8}"=ATI Catalyst Control Center
"{1170F665-2359-E439-5BC5-932B87423EF1}"=ccc-utility
"{14574B7F-75D1-4718-B7F2-EBF6E2862A35}"=Company of Heroes - FAKEMSI
"{18D10072035C4515918F7E37EAFAACFC}"=AutoUpdate
"{199E6632-EB28-4F73-AECB-3E192EB92D18}"=Company of Heroes - FAKEMSI
"{1A655D51-1423-48A3-B748-8F5A0BE294C8}"=Microsoft Visual J# .NET Redistributable Package 1.1
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}"=PowerStarter
"{21A127AE-2DAF-40B7-8374-34C3E629521C}"=Far Cry (Patch 1.3)
"{25724802-CC14-4B90-9F3B-3D6955EE27B1}"=Company of Heroes - FAKEMSI
"{2637C347-9DAD-11D6-9EA2-00055D0CA761}"=PowerCinema 4.0
"{2E97F7E8-ABDE-4E0D-B0AD-B6B4BAD89E24}"=Rome - Total War - Gold Edition
"{3248F0A8-6813-11D6-A77B-00B0D0160030}"=Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}"=Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}"=Java™ 6 Update 7
"{32C4A4EB-C97D-414E-99C5-38F8DFD31D5D}"=Company of Heroes - FAKEMSI
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{35C03C04-3F1F-42C2-A989-A757EE691F65}"=McAfee VirusScan Enterprise
"{35CB6715-41F8-4F99-8881-6FC75BF054B0}"=Oblivion
"{39D74E81-5DED-C7EE-8807-91A8800212FA}"=ccc-core-preinstall
"{3C662203-292F-4E9D-AE02-281071C06903}"=Far Cry (Patch 1.33)
"{40BF1E83-20EB-11D8-97C5-0009C5020658}"=Power2Go 4.0
"{41C01225-45FD-7BCE-1EDA-F7E50945ADD7}"=Catalyst Control Center Core Implementation
"{4377F918-E6C9-4ECA-A7F5-754B310B7ED8}"=Sid Meier's Civilization 4
"{50193078-F553-4EBA-AA77-64C9FAA12F98}"=Company of Heroes - FAKEMSI
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}"=Windows Live Messenger
"{51D718D1-DA81-4FAD-919F-5C1CE3C33379}"=Company of Heroes - FAKEMSI
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}"=Skype™ 3.6
"{5E8E1294-7951-6DA9-10F1-C877871346F3}"=Skins
"{66F78C51-D108-4F0C-A93C-1CBE74CE338F}"=Company of Heroes - FAKEMSI
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}"=PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}"=Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}"=Windows Media Player Firefox Plugin
"{6DA9102E-199F-43A0-A36B-6EF48081A658}"=MobileMe Control Panel
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}"=MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}"=Microsoft Visual C++ 2005 Redistributable
"{75983B66-804C-40D1-BA13-64DAF652A6F1}"=Medieval II Total War : Kingdoms : Americas
"{7AEE1963-7001-4C37-BC20-2FAEB74AA41C}"=Medieval II Total War : Kingdoms : Teutonic
"{7B63B2922B174135AFC0E1377DD81EC2}"=DivX
"{7F4B1592-222F-4E5F-A100-E5AFD61A0BB3}"=Company of Heroes - FAKEMSI
"{80D03817-7943-4839-8E96-B9F924C5E67D}"=Company of Heroes - FAKEMSI
"{826F3B4F-C597-AF1D-4CB1-2F441BE8E2BF}"=ccc-core-static
"{87B20692-9E9D-FAE0-76C7-E75E3CC7B0D1}"=Catalyst Control Center Graphics Full Existing
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}"=Bonjour
"{8DC42D05-680B-41B0-8878-6C14D24602DB}"=QuickTime
"{90120000-0010-0409-0000-0000000FF1CE}"=Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}"=Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0016-0409-0000-0000000FF1CE}"=Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0018-0409-0000-0000000FF1CE}"=Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0019-0409-0000-0000000FF1CE}"=Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001A-0409-0000-0000000FF1CE}"=Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001B-0409-0000-0000000FF1CE}"=Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}"=Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{3EC77D26-799B-4CD8-914F-C1565E796173}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}"=Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{430971B1-C31E-45DA-81E0-72C095BAB72C}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}"=Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-002C-0409-0000-0000000FF1CE}"=Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}"=Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0044-0409-0000-0000000FF1CE}"=Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-006E-0409-0000-0000000FF1CE}"=Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{FAD8A83E-9BAC-4179-9268-A35948034D85}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00A1-0409-0000-0000000FF1CE}"=Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00BA-0409-0000-0000000FF1CE}"=Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0114-0409-0000-0000000FF1CE}"=Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0115-0409-0000-0000000FF1CE}"=Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{FAD8A83E-9BAC-4179-9268-A35948034D85}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0117-0409-0000-0000000FF1CE}"=Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}"=2007 Microsoft Office Suite Service Pack 1 (SP1)
"{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6}"=Apple Mobile Device Support
"{97E5205F-EA4F-438F-B211-F1846419F1C1}"=Company of Heroes - FAKEMSI
"{99A7722D-9ACB-43F3-A222-ABC7133F159E}"=Company of Heroes - FAKEMSI
"{A06275F4-324B-4E85-95E6-87B2CD729401}"=Windows Defender
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}"=Microsoft .NET Framework 3.0 Service Pack 2
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}"=Microsoft Visual C++ 2005 Redistributable
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}"=Windows Live installer
"{AC76BA86-7AD7-1033-7B44-A81300000003}"=Adobe Reader 8.1.3
"{AC76BA86-7AD7-5464-3428-800000000003}"=Spelling Dictionaries Support For Adobe Reader 8
"{ADD5DB49-72CF-11D8-9D75-000129760D75}"=PowerBackup 1.0
"{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}"=Windows Live Sign-in Assistant
"{B7050CBDB2504B34BC2A9CA0A692CC29}"=DivX Web Player
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}"=PowerProducer
"{BA801B94-C28D-46EE-B806-E1E021A3D519}"=Company of Heroes - FAKEMSI
"{C0698BDA-0D29-40EE-8570-A31106DF9AB1}"=Medieval II Total War
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}"=Microsoft .NET Framework 2.0 Service Pack 2
"{C29769BE-BEDF-DC9E-67A9-5E7AEFF039CF}"=CCC Help English
"{C740289B-FC90-D938-8317-1FFEBF7C04DB}"=Catalyst Control Center Graphics Previews Common
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}"=Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}"=SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}"=Microsoft .NET Framework 3.5 SP1
"{CEDDEE73-3D36-41C2-AA40-29355D9FBD63}"=Medieval II Total War : Kingdoms : Britannia
"{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}"=Sid Meier's Civilization 4
"{D36DD326-7280-11D8-97C8-000129760CBE}"=PhotoNow! 1.0
"{D3B1C799-CB73-42DE-BA0F-2344793A095C}"=Catalyst Control Center - Branding
"{D466F3D9-510C-4729-B7D4-2E70490E4CDF}"=BBC iPlayer Download Manager
"{D4D244D1-05E0-4D24-86A2-B2433C435671}"=Company of Heroes - FAKEMSI
"{D5A9B7C0-8751-11D8-9D75-000129760D75}"=MediaShow 3.0
"{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}"=iTunes
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}"=Ad-Aware
"{E0F252A6-DE85-4E93-A93B-DFC3537B3965}"=WG111v2 Configuration Utility
"{E280923D-C5D9-4728-8C79-AC9A0DC75875}"=BioShock
"{E3D04529-6EDB-11D8-A372-0050BAE317E1}"=PowerDVD Copy 1.0
"{EAF636A9-F664-4703-A659-85A894DA264F}"=Company of Heroes - FAKEMSI
"{EDE721EC-870A-11D8-9D75-000129760D75}"=PowerDirector Express
"{EE8592F6-FC2B-4AFD-B527-109D127C039F}"=Far Cry (Patch 1.31)
"{F0A37341-D692-11D4-A984-009027EC0A9C}"=SoundMAX
"{F30A8BF7-288C-57C0-357E-6D67BB694682}"=Catalyst Control Center Graphics Full New
"{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA}"=Pinnacle MediaCenter
"{F54543CF-EC73-D847-1780-84A6420EA229}"=Catalyst Control Center Graphics Light
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}"=HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe Flash Player Plugin"=Adobe Flash Player 10 Plugin
"All ATI Software"=ATI - Software Uninstall Utility
"ATI Display Driver"=ATI Display Driver
"Audacity_is1"=Audacity 1.2.6
"BBC iPlayer Download Manager"=BBC iPlayer Download Manager
"cayahooantispy"=CA Yahoo! Anti-Spy (remove only)
"CCleaner"=CCleaner (remove only)
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F30&SUBSYS_205514F1"=PCI SoftV92 Modem
"Company of Heroes"=Company of Heroes
"ENTERPRISE"=Microsoft Office Enterprise 2007
"Fraps"=Fraps
"HijackThis"=HijackThis 2.0.2
"IDNMitigationAPIs"=Microsoft Internationalized Domain Names Mitigation APIs
"ie7"=Windows Internet Explorer 7
"LimeWire"=LimeWire 4.18.8
"Microsoft .NET Framework 1.1 (1033)"=Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1"=Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.4)"=Mozilla Firefox (3.0.4)
"Mozilla Sunbird (0.9)"=Mozilla Sunbird (0.9)
"MSCompPackV1"=Microsoft Compression Client Pack 1.0 for Windows XP
"NJStar Chinese WP"=NJStar Chinese WP
"NLSDownlevelMapping"=Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers"=NVIDIA Drivers
"RealPlayer 6.0"=RealPlayer
"Sibelius Scorch Plugin"=Sibelius Scorch Plugin
"Steam App 2630"=Call of Duty 2
"SystemRequirementsLab"=System Requirements Lab
"TuxGuitar_0"=TuxGuitar 1.0
"Windows Live OneCare safety scanner"=Windows Live OneCare safety scanner
"Windows Media Format Runtime"=Windows Media Format 11 runtime
"Windows Media Player"=Windows Media Player 11
"Windows XP Service Pack"=Windows XP Service Pack 3
"WinRAR archiver"=WinRAR archiver
"WMFDist11"=Windows Media Format 11 runtime
"wmp11"=Windows Media Player 11
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion"=Yahoo! Toolbar
"YInstHelper"=Yahoo! Install Manager

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 01/11/2008 19:35:43 | Computer Name = DEEPTHOUGHT | Source = Application Hang | ID = 1002
Description = Hanging application Ad-Aware.exe, version 7.1.0.11, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/11/2008 07:18:49 | Computer Name = DEEPTHOUGHT | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 80240016, P2 begininstall, P3 install, P4
1.1.1593.0, P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender, P8 NIL, P9 NIL,
P10 NIL.

Error - 14/11/2008 19:54:14 | Computer Name = DEEPTHOUGHT | Source = | ID = 0
Description =

Error - 14/11/2008 19:54:14 | Computer Name = DEEPTHOUGHT | Source = | ID = 0
Description =

Error - 14/11/2008 20:19:08 | Computer Name = DEEPTHOUGHT | Source = | ID = 0
Description =

Error - 14/11/2008 20:19:08 | Computer Name = DEEPTHOUGHT | Source = | ID = 0
Description =

Error - 15/11/2008 18:04:33 | Computer Name = DEEPTHOUGHT | Source = | ID = 0
Description =

Error - 15/11/2008 18:04:33 | Computer Name = DEEPTHOUGHT | Source = | ID = 0
Description =

Error - 21/11/2008 07:04:25 | Computer Name = DEEPTHOUGHT | Source = Application Hang | ID = 1002
Description = Hanging application kingdoms.exe, version 1.5.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 21/11/2008 07:04:30 | Computer Name = DEEPTHOUGHT | Source = Application Hang | ID = 1001
Description = Fault bucket 722508169.

[ System Events ]
Error - 21/11/2008 09:16:02 | Computer Name = DEEPTHOUGHT | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 21/11/2008 09:16:02 | Computer Name = DEEPTHOUGHT | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 21/11/2008 09:16:02 | Computer Name = DEEPTHOUGHT | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 21/11/2008 09:59:57 | Computer Name = DEEPTHOUGHT | Source = ati2mtag | ID = 262252
Description = The driver ati2dvag for the display device \Device\Video0 got stuck
in an infinite loop. This usually indicates a problem with the device itself or
with the device driver programming the hardware incorrectly. Please check with your
hardware
device vendor for any driver updates.

Error - 21/11/2008 16:16:46 | Computer Name = DEEPTHOUGHT | Source = ati2mtag | ID = 262252
Description = The driver ati2dvag for the display device \Device\Video0 got stuck
in an infinite loop. This usually indicates a problem with the device itself or
with the device driver programming the hardware incorrectly. Please check with your
hardware
device vendor for any driver updates.

Error - 21/11/2008 21:12:54 | Computer Name = DEEPTHOUGHT | Source = ati2mtag | ID = 262252
Description = The driver ati2dvag for the display device \Device\Video0 got stuck
in an infinite loop. This usually indicates a problem with the device itself or
with the device driver programming the hardware incorrectly. Please check with your
hardware
device vendor for any driver updates.

Error - 22/11/2008 06:21:14 | Computer Name = DEEPTHOUGHT | Source = System Error | ID = 1003
Description = Error code 000000ea, parameter1 88d3eb30, parameter2 893c0148, parameter3
8a42fd58, parameter4 00000001.

Error - 22/11/2008 10:04:36 | Computer Name = DEEPTHOUGHT | Source = System Error | ID = 1003
Description = Error code 1000007e, parameter1 c0000005, parameter2 04e618b0, parameter3
ba4d38a0, parameter4 ba4d359c.

Error - 24/11/2008 05:21:46 | Computer Name = DEEPTHOUGHT | Source = Service Control Manager | ID = 7022
Description = The CyberLink Task Scheduler (CTS) service hung on starting.

Error - 30/11/2008 13:45:26 | Computer Name = DEEPTHOUGHT | Source = Service Control Manager | ID = 7022
Description = The CyberLink Task Scheduler (CTS) service hung on starting.


< End of report >

#6 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:04:13 PM

Posted 04 December 2008 - 06:20 PM

Hello, Weihao
Those logs look good. How are things running?

I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box infront of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and chose "select all" (or use <Control>+A)
  • Right-click again and chose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

In your next reply, please include the following:
  • ESET OnlineScan's Log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#7 Weihao

Weihao
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:13 PM

Posted 07 December 2008 - 11:30 AM

Hi Bill,

I'm back! Yes, everything seems to be back to normal now. I can visit all the sites that were blocked before. THANKS!!! :thumbsup:

ESET OnlineScan didn't find anything, guess that's good news! Here's the log:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3668 (20081206)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=e84583ea73d1b6419dde8702ff49e6c1
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-12-07 04:21:47
# local_time=2008-12-07 04:21:47 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 3
# scanned=340248
# found=0
# scan_time=6379

#8 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:04:13 PM

Posted 07 December 2008 - 01:18 PM

Hello, Weihao
You're very welcome :)

Congratulations! You now appear clean! :thumbsup:

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware


We Need to Clean Up Our Mess
  • Please reopen Posted Image on your desktop.
  • Push the large "Cleanup" button
  • Allow your system to reboot
Reset System Restore
Windows' "System Restore" feature can cause malware files to be cached and retained by your system. Resetting System Restore will clean these files from your system, and will allow you to use System Restore without fear of reinfection.
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Note: You should only do this once, not on a regular basis!
You will not be able to restore computer to any earlier than today!

Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automaticly if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).
Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#9 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:04:13 PM

Posted 09 December 2008 - 04:52 PM

Hello, Weihao
Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users