I am infected with Antivirus System pro Plus possibly more.


  • This topic is locked
10 replies to this topic

#1 VetaMega

Posted 26 November 2009 - 11:06 PM

I am infected with a Trojan to the point where I have no idea how to deal with it.

One of the main symptoms is a popup called Antivirus System Pro, but I looked online and I think mine is different from most of the others.

The most annoying thing is, it won't let me use the Task Manager or add/remove files when not in safe mode. It won't let me use Malwarebytes or update avast ever.

It also sends me to www.porno.com every couple minutes

Here is the HijackThis log I have

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:57 PM, on 11/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\LiuW\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = search.net-studio.org
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hide-my-ip.com/unwise.cgi?produ...er=4.0.11.36565
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_16\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ojysshus] C:\Documents and Settings\LiuW\Local Settings\Application Data\qrcowx\ehbasysguard.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ojysshus] C:\Documents and Settings\LiuW\Local Settings\Application Data\qrcowx\ehbasysguard.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_16\bin\ssv.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_16\bin\ssv.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3D8F74EE-8692-4F8F-B8D2-7522E732519E} (WebActivater Control) - http://game-web.qq.com/client/QQGame2.cab
O16 - DPF: {522F229A-897A-49B6-BEE8-405C0E6E357A} (ScaleXCtrl Class) - http://mks-pla-shp1/JavalinGUI/shipnow/ScaleX.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1139234194213
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = mksinternal.com,astex.com,eniinternal.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = mksinternal.com,astex.com,eniinternal.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mksinternal.com,astex.com,eniinternal.com
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\lotus\notes\ntmulti.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/LiuW/LOCALS~1/Temp/msohtmlclip1/01/clip_image002.gif

--
End of file - 6733 bytes


#2 thcbytes

  • Malware Response Team

Posted 26 November 2009 - 11:15 PM

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am Posted Image and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

==========

RKill by Grinler

Link #1
Link #2
Link #3
Link #4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.
==========

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

==========

Download and Run ComboFix (by sUBs)

You must rename it before saving it.

Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

With your next post please provide:

* Exehelper log
* Combofix.txt
* How is your computer running?

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 VetaMega

  • Topic Starter

Posted 27 November 2009 - 01:04 AM

Did everything that you listed

Status update:

The pop-up Antivirus System Pro does not appear, task manager and add/remove programs both function.

However, still obvious there is a virus running. Computer constantly seems to be loading something. Operations can be slow. Internet Explorer still does not work - its homepage is search.net-studio.org, a website that I never heard of, but it cannot access the web anyways. Just now, when I restarted the computer at login time, it asked me to terminate two programs.

Put computer on safe mode for fear that virus may grow otherwise.

Logs are attached

Thank you for your help. I truly do appreciate it.

Edited by VetaMega, 27 November 2009 - 01:27 AM.


#4 thcbytes

  • Malware Response Team

Posted 27 November 2009 - 10:00 AM

Hello,

Thanks for the detailed feedback. Keep it up. It is very helpful!
  • Did you run all my steps in Safe Mode?
  • Do you have a Windows XP install disc?
  • Is Symantec your AV?
  • Did you purposely disable it for the fixes or did the malware disable it? (Do not restore it yet please)
I would like to remind you to only perform the steps I have requested. If you run into trouble or have a question then please stop and tell me about it.

Please run all steps in Normal Mode unless instructed otherwise!

==========

Please re-run RKill then Exehelper.

==========

:( Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!! :(

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

SRPeek::
c:\windows\System32\ctfmon.exe

Mia::
c:\windows\System32\ctfmon.exe

DDS::
uInternet Connection Wizard,ShellNext = hxxp://www.hide-my-ip.com/unwise.cgi?product=905&ver=4.0.11.36565
uInternet Settings,ProxyServer = http=127.0.0.1:5555


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured. Posted Image
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
==========

With your next post please provide:

* Answer to questions
* EXEhelper log
* Combofix.txt
* Please copy and paste all logs instead of attaching them.

Kind regards,
~t

Edited by thcbytes, 27 November 2009 - 10:03 AM.
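
The CFScript in the post above resets two registry values that also appear in the HijackThis log from post #1 (the Internet Connection Wizard ShellNext and the 127.0.0.1:5555 ProxyServer). As an added example that is not part of the thread and not the logic of HijackThis, ComboFix or any other tool named here, this Python script parses HijackThis-style lines and applies three triage heuristics; the rule names and the heuristics themselves are assumptions chosen for illustration, and the sample lines are copied from the log in post #1.

```python
import ipaddress
import re
from collections import defaultdict

# Lines copied from the HijackThis log in post #1 of this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = search.net-studio.org
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_16\bin\ssv.dll
O4 - HKLM\..\Run: [ojysshus] C:\Documents and Settings\LiuW\Local Settings\Application Data\qrcowx\ehbasysguard.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ojysshus] C:\Documents and Settings\LiuW\Local Settings\Application Data\qrcowx\ehbasysguard.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
PROXY_RE = re.compile(r",ProxyServer = (?:http=)?(?P<host>[^:;\s]+):(?P<port>\d+)")
# Per-user, user-writable locations on Windows XP profiles.
USER_PROFILE_RE = re.compile(
    r"\\documents and settings\\[^\\]+\\(?:local settings|application data)\\",
    re.IGNORECASE,
)
UNQUOTED_IMAGE_RE = re.compile(r"(.+?\.(?:exe|com|bat|cmd|scr))(?=\s|$)", re.IGNORECASE)


def parse_entries(text):
    """Yield (section_code, body) for every line that looks like a log entry."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m["code"], m["body"]


def image_path(cmd):
    """Return the executable path from a Run command, dropping any arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    m = UNQUOTED_IMAGE_RE.match(cmd)
    return m.group(1) if m else cmd


def is_loopback(host):
    """True for 'localhost' or any loopback IP literal."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def triage(text):
    """Return (rule, detail) pairs. These are review hints, not verdicts."""
    findings = []
    hives_by_target = defaultdict(set)
    for code, body in parse_entries(text):
        if code in ("R0", "R1"):
            p = PROXY_RE.search(body)
            if p and is_loopback(p["host"]):
                # Browser traffic is being routed through a local listener.
                findings.append(("loopback-proxy", f"{p['host']}:{p['port']}"))
        elif code == "O4":
            r = RUN_RE.match(body)
            if not r:
                continue
            path = image_path(r["cmd"])
            hives_by_target[(r["name"], path.lower())].add(r["hive"])
            if USER_PROFILE_RE.search(path):
                # Autorun image lives where an unprivileged user can write.
                findings.append(
                    ("autorun-from-user-profile", f"{r['hive']} [{r['name']}] {path}")
                )
    for (name, path), hives in sorted(hives_by_target.items()):
        if len(hives) > 1:
            # Same value name and image registered machine-wide and per-user.
            findings.append(("autorun-in-both-hives", f"[{name}] {path}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:28} {detail}")
```

A hit only marks an entry for a closer look; legitimate software can trigger any of these rules, which is why the thread's helper asks for further logs before removing anything.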


#5 VetaMega

  • Topic Starter

Posted 27 November 2009 - 11:24 AM

Questions

* Did you run all my steps in Safe Mode?

Last time. Not this time. This time it was all run on normal mode

* Do you have a Windows XP install disc?

Yes.

* Is Symantec your AV?

I have it. I mean, I personally installed it a long time ago, not the virus.

* Did you purposely disable it for the fixes or did the malware disable it? (Do not restore it yet please)

I had made it not run on startup. To my knowledge, it is not running at all.

------

OTL Logfile

OTL logfile created on: 11/27/2009 11:16:50 AM - Run 1
OTL by OldTimer - Version 3.1.11.0 Folder = C:\Documents and Settings\LiuW\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.42 Mb Total Physical Memory | 444.21 Mb Available Physical Memory | 43.45% Memory free
2.40 Gb Paging File | 1.97 Gb Available in Paging File | 82.02% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 33.30 Gb Total Space | 14.76 Gb Free Space | 44.33% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: AN2-L-L3MALP3
Current User Name: LiuW
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/11/27 11:16:00 | 00,532,992 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\LiuW\Desktop\OTL.exe
PRC - [2009/10/28 01:07:27 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2007/02/10 08:29:54 | 29,178,224 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2007/02/10 05:29:56 | 00,089,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2006/09/27 06:38:22 | 00,053,248 | ---- | M] (IBM Corp) -- C:\lotus\notes\ntmulti.exe
PRC - [2005/11/11 04:33:00 | 00,073,782 | ---- | M] () -- C:\WINDOWS\system32\ibmpmsvc.exe
PRC - [2005/10/07 01:18:26 | 00,385,024 | ---- | M] () -- C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
PRC - [2005/10/05 01:54:34 | 00,380,928 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2005/10/05 01:54:34 | 00,380,928 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2005/07/23 05:43:20 | 00,372,809 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2005/07/23 05:41:22 | 00,086,016 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2005/07/23 05:40:08 | 00,139,264 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2005/07/12 12:40:08 | 00,040,551 | ---- | M] (UPEK Inc.) -- C:\Program Files\Common Files\Virtual Token\vtserver.exe
PRC - [2005/06/06 18:03:00 | 00,077,824 | ---- | M] (Lenovo.) -- C:\WINDOWS\system32\TPHDEXLG.exe
PRC - [2005/03/18 06:07:00 | 00,077,824 | ---- | M] (IBM Corp.) -- C:\WINDOWS\system32\QCONSVC.EXE
PRC - [2004/08/11 04:45:04 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe
PRC - [2004/08/04 08:00:00 | 01,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/08/04 08:00:00 | 00,019,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\tcpsvcs.exe
PRC - [2004/08/04 08:00:00 | 00,015,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2004/03/12 18:18:06 | 00,169,192 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe
PRC - [2004/03/12 18:17:46 | 01,221,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2004/03/12 18:17:10 | 00,029,928 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2004/02/29 19:44:54 | 00,242,808 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2004/02/29 19:44:48 | 00,255,096 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2003/12/02 13:27:08 | 01,417,048 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
PRC - [2002/09/20 17:50:10 | 00,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (SafeList) ==========

MOD - [2009/11/27 11:16:00 | 00,532,992 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\LiuW\Desktop\OTL.exe
MOD - [2004/08/04 08:00:00 | 01,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2008/05/12 02:11:50 | 01,523,712 | ---- | M] (Altiris, Inc.) -- C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe -- (AeXNSClient)
SRV - [2007/11/07 08:58:18 | 03,004,416 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe -- (msvsmon90)
SRV - [2007/02/10 08:29:54 | 29,178,224 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS) SQL Server (SQLEXPRESS)
SRV - [2007/02/10 08:29:47 | 00,242,544 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2007/02/10 05:29:56 | 00,089,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2006/10/26 18:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/09/27 06:38:22 | 00,053,248 | ---- | M] (IBM Corp) -- C:\lotus\notes\ntmulti.exe -- (Multi-user Cleanup Service)
SRV - [2006/05/11 18:15:50 | 00,052,736 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\system32\HPZIPM12.DLL -- (Pml Driver HPZ12)
SRV - [2005/11/11 04:33:00 | 00,073,782 | ---- | M] () -- C:\WINDOWS\system32\ibmpmsvc.exe -- (IBMPMSVC)
SRV - [2005/10/14 05:50:19 | 00,045,272 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2005/10/14 00:33:42 | 00,032,256 | ---- | M] () -- C:\WINDOWS\system32\drivers\psasrv.exe -- (PsaSrv)
SRV - [2005/10/07 01:18:26 | 00,385,024 | ---- | M] () -- C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe -- (IBM Rapid Restore Ultra Service)
SRV - [2005/10/05 01:54:34 | 00,380,928 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2005/07/23 05:43:20 | 00,372,809 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor)
SRV - [2005/07/23 05:41:22 | 00,086,016 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng)
SRV - [2005/07/23 05:40:08 | 00,139,264 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc)
SRV - [2005/07/12 12:40:08 | 00,040,551 | ---- | M] (UPEK Inc.) -- C:\Program Files\Common Files\Virtual Token\vtserver.exe -- (vtserver)
SRV - [2005/06/07 00:26:22 | 00,032,768 | ---- | M] () -- C:\WINDOWS\system32\TpKmpSvc.exe -- (TpKmpSVC)
SRV - [2005/06/06 18:03:00 | 00,077,824 | ---- | M] (Lenovo.) -- C:\WINDOWS\system32\TPHDEXLG.exe -- (TPHDEXLGSVC)
SRV - [2005/03/18 06:07:00 | 00,077,824 | ---- | M] (IBM Corp.) -- C:\WINDOWS\system32\QCONSVC.EXE -- (QCONSVC)
SRV - [2004/10/22 06:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/08/11 04:45:04 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf)
SRV - [2004/08/11 03:46:56 | 00,483,328 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Windows Media Connect\mswmccds.exe -- (WmcCds) Windows Media Connect (WMC)
SRV - [2004/08/11 00:50:42 | 00,028,160 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Connect\mswmcls.exe -- (WmcCdsLs) Windows Media Connect (WMC)
SRV - [2004/08/04 08:00:00 | 00,019,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\tcpsvcs.exe -- (SimpTcp)
SRV - [2004/08/04 08:00:00 | 00,015,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC) Simple Mail Transfer Protocol (SMTP)
SRV - [2004/08/04 08:00:00 | 00,015,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2004/08/04 03:56:44 | 00,027,136 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\irmon.dll -- (Irmon)
SRV - [2004/03/12 18:18:06 | 00,169,192 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2004/03/12 18:17:46 | 01,221,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2004/03/12 18:17:10 | 00,029,928 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2004/03/11 17:58:32 | 00,193,760 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2004/02/29 19:44:54 | 00,242,808 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2004/02/29 19:44:52 | 00,087,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc)
SRV - [2004/02/29 19:44:48 | 00,255,096 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2003/12/02 13:27:08 | 01,417,048 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM)
SRV - [2002/09/20 17:50:10 | 00,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - File not found -- -- (catchme)
DRV - [2009/11/27 00:56:34 | 00,063,616 | ---- | M] (IBM) -- C:\WINDOWS\system32\drivers\ibmfilter.sys -- (ibmfilter)
DRV - [2009/11/26 04:00:00 | 01,323,568 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091126.016\navex15.sys -- (NAVEX15)
DRV - [2009/11/26 04:00:00 | 00,084,912 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091126.016\naveng.sys -- (NAVENG)
DRV - [2006/06/07 09:43:16 | 00,079,184 | ---- | M] (MCCI) -- C:\WINDOWS\system32\drivers\pxfhserd.sys -- (pxfhserd) PANTECH PC Card Diagnostic Serial Port (WDM)
DRV - [2006/06/07 09:42:28 | 00,100,240 | ---- | M] (MCCI) -- C:\WINDOWS\system32\drivers\pxfhmdm.sys -- (pxfhmdm)
DRV - [2006/06/07 09:42:26 | 00,009,360 | ---- | M] (MCCI) -- C:\WINDOWS\system32\drivers\pxfhmdfl.sys -- (pxfhmdfl)
DRV - [2006/06/07 09:41:34 | 00,066,704 | ---- | M] (MCCI) -- C:\WINDOWS\system32\drivers\pxfhbus.sys -- (pxfhbus) PANTECH PC Card Composite Device driver (WDM)
DRV - [2006/02/06 13:50:51 | 00,017,801 | ---- | M] (Meetinghouse Data Communications) -- C:\WINDOWS\system32\drivers\AegisP.sys -- (AegisP) AEGIS Protocol (IEEE 802.1x)
DRV - [2005/11/11 04:33:00 | 00,010,112 | ---- | M] (Lenovo.) -- C:\WINDOWS\system32\drivers\ibmpmdrv.sys -- (IBMPMDRV)
DRV - [2005/11/04 15:22:00 | 00,069,632 | ---- | M] (Lenovo.) -- C:\WINDOWS\system32\drivers\shockprf.sys -- (Shockprf)
DRV - [2005/10/18 19:53:24 | 00,998,656 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2005/10/18 19:52:38 | 00,242,304 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2005/10/18 19:52:30 | 00,721,280 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2005/10/14 00:33:42 | 00,013,184 | ---- | M] (IBM Corporation) -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
DRV - [2005/10/05 19:57:08 | 00,012,544 | ---- | M] (Conexant) -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2005/10/05 02:01:14 | 01,273,856 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/09/15 16:53:10 | 00,177,664 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2005/08/31 05:40:00 | 00,007,168 | ---- | M] () -- C:\WINDOWS\system32\drivers\TSMAPIP.SYS -- (TSMAPIP)
DRV - [2005/08/31 04:50:00 | 00,014,848 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\SMAPINT.SYS -- (Smapint)
DRV - [2005/08/31 04:50:00 | 00,009,340 | ---- | M] () -- C:\WINDOWS\system32\drivers\TDSMAPI.SYS -- (TDSMAPI)
DRV - [2005/07/23 02:02:44 | 00,011,354 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2005/07/20 00:14:02 | 03,289,088 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2005/07/12 12:47:12 | 00,026,240 | ---- | M] (UPEK Inc.) -- C:\WINDOWS\system32\drivers\tcusb.sys -- (TcUsb)
DRV - [2005/07/12 12:37:08 | 00,003,328 | ---- | M] (UPEK Inc.) -- C:\Program Files\ThinkVantage Fingerprint Software\smihlp.sys -- (SmiHlp)
DRV - [2005/07/05 17:57:06 | 00,017,699 | ---- | M] (IBM Corporation) -- C:\WINDOWS\system32\drivers\TPHKDRV.sys -- (TPHKDRV)
DRV - [2005/06/06 14:59:00 | 00,004,736 | ---- | M] (Lenovo.) -- C:\WINDOWS\system32\drivers\ShockMgr.sys -- (ShockMgr)
DRV - [2005/05/25 18:39:06 | 00,006,400 | ---- | M] (Lenovo, Ltd. and IBM Corporation.) -- C:\WINDOWS\system32\drivers\TPInput.sys -- (TPInput)
DRV - [2005/05/25 18:37:58 | 00,014,720 | ---- | M] (Lenovo, Ltd. and IBM Corporation) -- C:\WINDOWS\system32\drivers\TPDiskPM.sys -- (TPDiskPM)
DRV - [2005/04/27 12:16:46 | 00,005,427 | ---- | M] (IBM Corporation) -- C:\WINDOWS\system32\egathdrv.sys -- (EGATHDRV)
DRV - [2005/04/21 19:44:54 | 00,014,336 | ---- | M] (National Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\nsctpm11.sys -- (TPM11)
DRV - [2005/04/14 04:01:00 | 00,004,442 | ---- | M] () -- C:\WINDOWS\system32\drivers\TPPWRIF.SYS -- (TPPWRIF)
DRV - [2005/03/18 06:07:00 | 00,012,288 | ---- | M] (IBM Corporation.) -- C:\WINDOWS\system32\drivers\qcndisif.sys -- (QCNDISIF)
DRV - [2005/03/18 06:07:00 | 00,011,520 | ---- | M] (IBM Corp.) -- C:\WINDOWS\system32\drivers\ANC.sys -- (ANC)
DRV - [2005/03/18 06:07:00 | 00,002,432 | ---- | M] () -- C:\WINDOWS\system32\drivers\IBMBLDID.SYS -- (IBMTPCHK)
DRV - [2005/03/17 19:30:10 | 00,132,608 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2005/03/07 04:05:00 | 00,100,603 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa)
DRV - [2005/03/07 04:05:00 | 00,099,098 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf)
DRV - [2005/03/07 04:05:00 | 00,087,834 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs)
DRV - [2005/03/07 04:05:00 | 00,034,843 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs)
DRV - [2005/03/07 04:05:00 | 00,025,883 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio)
DRV - [2005/03/07 04:05:00 | 00,015,227 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio)
DRV - [2005/03/07 04:05:00 | 00,006,363 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool)
DRV - [2005/03/07 04:05:00 | 00,004,123 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct)
DRV - [2005/03/07 04:05:00 | 00,002,239 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres)
DRV - [2005/02/10 19:31:34 | 00,260,224 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm)
DRV - [2005/02/02 06:22:00 | 00,088,080 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2005/02/01 20:00:42 | 00,012,416 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\system32\drivers\PcdrNdisuio.sys -- (PcdrNdisuio)
DRV - [2004/12/08 06:03:00 | 00,020,576 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2004/08/04 08:00:00 | 00,027,440 | ---- | M] () -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2004/08/04 08:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/04 08:00:00 | 00,012,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\fsvga.sys -- (FsVga)
DRV - [2004/08/04 02:07:44 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2004/08/04 02:07:44 | 00,041,088 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2004/08/04 02:00:52 | 00,028,672 | ---- | M] (National Semiconductor Corporation) -- C:\WINDOWS\system32\drivers\nscirda.sys -- (NSCIRDA)
DRV - [2004/08/04 01:29:56 | 01,897,408 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/07/14 14:29:04 | 00,005,627 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5)
DRV - [2004/07/14 14:28:50 | 00,023,545 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln)
DRV - [2004/07/14 05:56:00 | 00,040,448 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm)
DRV - [2004/05/17 12:23:48 | 00,133,200 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio)
DRV - [2004/03/11 17:58:10 | 00,263,616 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2004/03/11 17:58:08 | 00,016,288 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2004/03/05 02:46:46 | 00,082,832 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2004/02/09 18:43:56 | 00,301,200 | R--- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2004/02/09 18:43:56 | 00,037,008 | R--- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2003/12/02 13:26:22 | 00,268,872 | ---- | M] (Cisco Systems, Inc.) -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2003/09/02 14:44:06 | 00,139,604 | ---- | M] (Deterministic Networks, Inc.) -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2003/08/29 00:40:26 | 00,189,792 | ---- | M] (Zone Labs Inc.) -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2003/05/01 16:26:34 | 00,005,220 | R--- | M] (Cisco Systems, Inc.) -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2002/11/26 14:54:58 | 00,016,936 | ---- | M] (Smith Micro Software, Inc.) -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMNDIS5.sys -- (SMNDIS5)
DRV - [2001/08/17 17:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 17:07:42 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 17:07:40 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 17:07:36 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 17:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 16:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 16:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 16:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 16:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 16:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 16:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 16:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 16:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 16:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 16:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 15:20:04 | 00,096,256 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ac97intc.sys -- (ac97intc) Intel® 82801 Audio Driver Install Service (WDM)
DRV - [2001/08/17 15:12:10 | 00,117,760 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B) Intel®
DRV - [2000/05/31 23:29:54 | 00,007,012 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\PMEMNT.SYS -- (PMEM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-44243306-375985335-13523171-15507\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-44243306-375985335-13523171-15507\S-1-5-21-44243306-375985335-13523171-15507\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-44243306-375985335-13523171-15507\S-1-5-21-44243306-375985335-13523171-15507\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.msn.com/"
FF - prefs.js..network.proxy.share_proxy_settings: true

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/10/28 01:07:34 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/10/28 01:07:33 | 00,000,000 | ---D | M]

[2009/09/27 17:57:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LiuW\Application Data\Mozilla\Extensions
[2009/09/27 17:57:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LiuW\Application Data\Mozilla\Firefox\Profiles\zf8fio8p.default\extensions
[2009/09/27 19:09:45 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2006/10/26 19:12:16 | 00,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL

O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll File not found
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_16\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-44243306-375985335-13523171-15507\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-44243306-375985335-13523171-15507\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-44243306-375985335-13523171-15507\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLogOff = 0
O7 - HKU\S-1-5-21-44243306-375985335-13523171-15507\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-44243306-375985335-13523171-15507\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-44243306-375985335-13523171-15507_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O9 - Extra Button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {3D8F74EE-8692-4F8F-B8D2-7522E732519E} http://game-web.qq.com/client/QQGame2.cab (WebActivater Control)
O16 - DPF: {522F229A-897A-49B6-BEE8-405C0E6E357A} http://mks-pla-shp1/JavalinGUI/shipnow/ScaleX.ocx (ScaleXCtrl Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1139234194213 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_16)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4.2/...all-142-win.cab (Java Plug-in 1.4.2)
O16 - DPF: {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_16)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O20 - Winlogon\Notify\psfus: DllName - C:\Program Files\ThinkVantage Fingerprint Software\psfus.dll - C:\Program Files\ThinkVantage Fingerprint Software\psfus.dll (UPEK Inc.)
O20 - Winlogon\Notify\QConGina: DllName - QConGina.dll - C:\WINDOWS\System32\QConGina.dll (IBM Corp.)
O20 - Winlogon\Notify\tpfnf2: DllName - notifyf2.dll - C:\WINDOWS\System32\notifyf2.dll ()
O20 - Winlogon\Notify\tphotkey: DllName - tphklock.dll - C:\WINDOWS\System32\tphklock.dll ()
O24 - Desktop Components:0 () - file:///C:/DOCUME~1/LiuW/LOCALS~1/Temp/msohtmlclip1/01/clip_image002.gif
O24 - Desktop Components:1 (My Current Home Page) - About:Home
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/02/01 23:34:45 | 00,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/11/27 11:15:58 | 00,532,992 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\LiuW\Desktop\OTL.exe
[2009/11/27 10:59:38 | 00,015,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ctfmon.exe
[2009/11/27 09:12:33 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2009/11/27 00:23:15 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/11/27 00:22:07 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/11/27 00:22:07 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/11/27 00:22:07 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/11/27 00:22:07 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/11/27 00:21:59 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/11/27 00:21:45 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/11/27 00:15:22 | 00,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2009/11/26 22:52:26 | 00,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\LiuW\Desktop\HijackThis.exe
[2009/11/26 22:24:21 | 04,045,528 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\LiuW\Desktop\mbam-setup(2).exe
[2009/11/26 20:37:00 | 00,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2009/11/26 20:23:05 | 00,308,160 | ---- | C] (ALWIL Software) -- C:\Documents and Settings\LiuW\Desktop\avast_home_setup.exe
[2009/11/26 20:10:11 | 04,045,528 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\LiuW\Desktop\mbam-setup.exe
[2009/11/26 20:09:59 | 00,753,864 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\LiuW\Desktop\mbam-setup.exe.part
[2009/11/26 20:06:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\LiuW\Local Settings\Application Data\qrcowx
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/11/27 11:16:00 | 00,532,992 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\LiuW\Desktop\OTL.exe
[2009/11/27 11:02:04 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/27 10:59:59 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/11/27 10:03:12 | 00,000,246 | ---- | M] () -- C:\WINDOWS\tasks\clean1.job
[2009/11/27 09:58:45 | 04,980,736 | -H-- | M] () -- C:\Documents and Settings\LiuW\NTUSER.DAT
[2009/11/27 09:10:04 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/27 09:09:59 | 10,721,56672 | -HS- | M] () -- C:\hiberfil.sys
[2009/11/27 09:08:57 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\LiuW\ntuser.ini
[2009/11/27 09:08:55 | 02,205,456 | -H-- | M] () -- C:\Documents and Settings\LiuW\Local Settings\Application Data\IconCache.db
[2009/11/27 00:56:34 | 00,063,616 | ---- | M] (IBM) -- C:\WINDOWS\System32\drivers\ibmfilter.sys
[2009/11/27 00:51:53 | 00,000,491 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/27 00:51:53 | 00,000,264 | RHS- | M] () -- C:\BOOT.INI
[2009/11/27 00:36:10 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/11/27 00:31:02 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/11/27 00:21:17 | 03,575,028 | R--- | M] () -- C:\Documents and Settings\LiuW\Desktop\thcbytes.exe
[2009/11/27 00:19:02 | 00,291,840 | ---- | M] () -- C:\Documents and Settings\LiuW\Desktop\exeHelper.com
[2009/11/27 00:18:11 | 00,262,656 | ---- | M] () -- C:\Documents and Settings\LiuW\Desktop\rkill.pif
[2009/11/27 00:05:11 | 00,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/11/26 22:52:26 | 00,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\LiuW\Desktop\HijackThis.exe
[2009/11/26 22:24:53 | 04,045,528 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\LiuW\Desktop\mbam-setup(2).exe
[2009/11/26 20:23:11 | 00,308,160 | ---- | M] (ALWIL Software) -- C:\Documents and Settings\LiuW\Desktop\avast_home_setup.exe
[2009/11/26 20:11:54 | 04,045,528 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\LiuW\Desktop\mbam-setup.exe
[2009/11/26 20:10:38 | 00,753,864 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\LiuW\Desktop\mbam-setup.exe.part
[2009/11/26 17:14:58 | 00,002,433 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\VPN Client.lnk
[2009/11/26 11:21:38 | 00,001,184 | -H-- | M] () -- C:\Documents and Settings\LiuW\My Documents\Default.rdp
[2009/11/25 22:12:50 | 00,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/25 14:03:29 | 01,676,800 | ---- | M] () -- C:\Documents and Settings\LiuW\Desktop\Duality Pictures.docx
[2009/11/24 08:02:00 | 00,952,832 | ---- | M] () -- C:\Documents and Settings\LiuW\Desktop\rundll32.exe
[2009/11/19 00:09:11 | 00,074,876 | ---- | M] () -- C:\Documents and Settings\LiuW\Desktop\Guide-to-home.docx
[2009/11/18 16:55:13 | 00,685,568 | ---- | M] () -- C:\Documents and Settings\LiuW\Desktop\Q4 2009 WW IT Team Meeting.ppt
[2009/11/18 08:47:51 | 00,381,952 | ---- | M] () -- C:\Documents and Settings\LiuW\Desktop\thanksgivingPoster.doc
[2009/11/17 13:59:35 | 00,029,184 | ---- | M] () -- C:\Documents and Settings\LiuW\Desktop\William's Work Log.xls
[2009/11/17 10:31:22 | 00,060,416 | ---- | M] () -- C:\Documents and Settings\LiuW\Desktop\Resume.doc
[2009/11/14 10:53:51 | 00,010,252 | ---- | M] () -- C:\Documents and Settings\LiuW\Desktop\C#.docx
[2009/11/14 01:47:57 | 00,260,608 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/11/11 18:03:22 | 00,013,949 | ---- | M] () -- C:\Documents and Settings\LiuW\Desktop\Thank you for your reply.docx
[2009/11/11 10:42:11 | 00,013,166 | ---- | M] () -- C:\Documents and Settings\LiuW\Desktop\ping-pong.docx
[2009/11/06 11:40:42 | 00,010,898 | ---- | M] () -- C:\Documents and Settings\LiuW\Desktop\Passwords.docx
[2009/11/06 10:45:58 | 00,159,744 | ---- | M] () -- C:\Documents and Settings\LiuW\Desktop\2009(Qing).doc
[2009/11/05 11:41:04 | 00,011,727 | ---- | M] () -- C:\Documents and Settings\LiuW\Desktop\everything in our server machines.docx
[2009/11/01 08:37:44 | 00,655,702 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/11/01 08:37:44 | 00,537,616 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/11/01 08:37:44 | 00,106,178 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/10/29 16:39:46 | 00,002,116 | ---- | M] () -- C:\bar.emf
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/11/27 10:03:12 | 00,000,246 | ---- | C] () -- C:\WINDOWS\tasks\clean1.job
[2009/11/27 09:09:59 | 10,721,56672 | -HS- | C] () -- C:\hiberfil.sys
[2009/11/27 00:23:25 | 00,000,194 | ---- | C] () -- C:\Boot.bak
[2009/11/27 00:23:20 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/11/27 00:22:07 | 00,260,608 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/11/27 00:22:07 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/11/27 00:22:07 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/11/27 00:22:07 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009/11/27 00:22:07 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/11/27 00:20:56 | 03,575,028 | R--- | C] () -- C:\Documents and Settings\LiuW\Desktop\thcbytes.exe
[2009/11/27 00:19:00 | 00,291,840 | ---- | C] () -- C:\Documents and Settings\LiuW\Desktop\exeHelper.com
[2009/11/27 00:18:14 | 00,262,656 | ---- | C] () -- C:\Documents and Settings\LiuW\Desktop\rkill.pif
[2009/11/26 22:07:15 | 00,952,832 | ---- | C] () -- C:\Documents and Settings\LiuW\Desktop\rundll32.exe
[2009/11/25 14:03:15 | 01,676,800 | ---- | C] () -- C:\Documents and Settings\LiuW\Desktop\Duality Pictures.docx
[2009/11/18 22:16:52 | 00,074,876 | ---- | C] () -- C:\Documents and Settings\LiuW\Desktop\Guide-to-home.docx
[2009/11/18 11:02:13 | 00,685,568 | ---- | C] () -- C:\Documents and Settings\LiuW\Desktop\Q4 2009 WW IT Team Meeting.ppt
[2009/11/18 08:47:50 | 00,381,952 | ---- | C] () -- C:\Documents and Settings\LiuW\Desktop\thanksgivingPoster.doc
[2009/11/17 10:31:22 | 00,060,416 | ---- | C] () -- C:\Documents and Settings\LiuW\Desktop\Resume.doc
[2009/11/14 10:47:55 | 00,010,252 | ---- | C] () -- C:\Documents and Settings\LiuW\Desktop\C#.docx
[2009/11/06 11:15:29 | 00,010,898 | ---- | C] () -- C:\Documents and Settings\LiuW\Desktop\Passwords.docx
[2009/11/05 11:36:17 | 00,011,727 | ---- | C] () -- C:\Documents and Settings\LiuW\Desktop\everything in our server machines.docx
[2009/11/04 22:45:10 | 00,159,744 | ---- | C] () -- C:\Documents and Settings\LiuW\Desktop\2009(Qing).doc
[2009/11/03 11:58:45 | 00,029,184 | ---- | C] () -- C:\Documents and Settings\LiuW\Desktop\William's Work Log.xls
[2009/11/03 05:07:01 | 00,013,949 | ---- | C] () -- C:\Documents and Settings\LiuW\Desktop\Thank you for your reply.docx
[2009/11/02 23:45:58 | 00,013,166 | ---- | C] () -- C:\Documents and Settings\LiuW\Desktop\ping-pong.docx
[2009/09/27 21:48:17 | 00,173,384 | ---- | C] () -- C:\WINDOWS\System32\AVLibrary.dll
[2009/09/27 18:14:46 | 00,005,120 | ---- | C] () -- C:\Documents and Settings\LiuW\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/27 17:51:03 | 00,000,136 | ---- | C] () -- C:\Documents and Settings\LiuW\Local Settings\Application Data\fusioncache.dat
[2009/06/29 13:11:15 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2009/06/07 15:47:55 | 00,000,068 | ---- | C] () -- C:\WINDOWS\MyProg.ini
[2009/05/20 12:45:59 | 00,005,632 | ---- | C] () -- C:\WINDOWS\System32\CNMVS3m.DLL
[2009/05/03 14:29:10 | 00,052,224 | ---- | C] () -- C:\WINDOWS\System32\ActPanel.dll
[2009/02/27 17:46:10 | 00,000,050 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2009/02/26 22:52:01 | 00,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2009/02/26 22:52:01 | 00,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2009/02/26 22:51:37 | 00,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2009/02/26 22:51:37 | 00,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2009/02/26 22:51:36 | 00,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2009/02/13 15:06:48 | 00,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2006/02/08 18:33:36 | 00,000,510 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/10/14 00:42:19 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/10/14 00:41:32 | 00,004,442 | ---- | C] () -- C:\WINDOWS\System32\drivers\TPPWRIF.SYS
[2005/10/14 00:37:21 | 00,002,432 | ---- | C] () -- C:\WINDOWS\System32\drivers\IBMBLDID.SYS
[2005/10/14 00:25:50 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2005/10/14 00:25:50 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2005/10/14 00:25:50 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2005/10/14 00:25:50 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2005/10/14 00:25:50 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2005/10/14 00:25:50 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2005/10/14 00:24:01 | 00,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/10/14 00:14:16 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\FPCALL.dll
[2005/10/14 00:13:56 | 00,007,168 | ---- | C] () -- C:\WINDOWS\System32\drivers\TSMAPIP.SYS
[2005/10/14 00:10:04 | 00,009,340 | ---- | C] () -- C:\WINDOWS\System32\drivers\TDSMAPI.SYS
[2005/10/13 23:57:44 | 00,002,481 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/07/06 02:45:08 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\notifyf2.dll
[2005/06/21 21:46:52 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\DEVMAN.DLL
[2005/05/04 17:32:42 | 00,090,112 | ---- | C] () -- C:\WINDOWS\System32\PcdrKernelModeServices.dll
[2005/05/04 17:32:42 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\ProgressTrace.dll
[2005/04/27 12:53:10 | 00,019,853 | ---- | C] () -- C:\WINDOWS\ibmprc.ini
[2005/03/31 23:22:38 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/09 14:03:43 | 00,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/01/09 09:10:32 | 00,143,360 | ---- | C] () -- C:\WINDOWS\System32\AIBMRUNL.dll
[2003/12/02 13:27:06 | 00,139,096 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2003/04/10 19:04:00 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\JAWTAccessBridge.dll
[1999/07/30 08:24:34 | 00,000,218 | ---- | C] () -- C:\WINDOWS\oraodbc.ini
[1980/01/01 03:00:00 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[1980/01/01 03:00:00 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\SynTPCoI.dll
[1980/01/01 03:00:00 | 00,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[1980/01/01 03:00:00 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\tphklock.dll

========== LOP Check ==========

[2009/09/27 20:58:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\admin\Application Data\Hide IP NG
[2005/10/14 00:22:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\admin\Application Data\IBM
[2005/10/14 00:22:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\IBM
[2005/10/14 00:25:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ibm
[2009/02/18 10:58:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PreEmptive Solutions
[2009/06/23 07:02:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tencent
[2005/10/14 00:22:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\IBM
[2005/10/14 00:22:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\ITHelp\Application Data\IBM
[2009/09/27 17:58:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LiuW\Application Data\AR System
[2009/10/15 08:41:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LiuW\Application Data\DameWare Development
[2005/10/14 00:22:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LiuW\Application Data\IBM
[2009/09/27 17:58:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LiuW\Application Data\InterVideo
[2009/09/27 17:58:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LiuW\Application Data\Leadertech
[2009/09/27 17:57:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LiuW\Application Data\Smith Micro
[2009/09/27 17:57:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LiuW\Application Data\SQL Developer
[2009/09/27 17:57:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LiuW\Application Data\Tencent
[2009/02/13 15:14:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LiuW2\Application Data\AR System
[2009/02/19 23:47:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LiuW2\Application Data\DameWare Development
[2005/10/14 00:22:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LiuW2\Application Data\IBM
[2009/03/06 11:08:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LiuW2\Application Data\InterVideo
[2009/09/08 08:55:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LiuW2\Application Data\Leadertech
[2009/02/13 17:55:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LiuW2\Application Data\Smith Micro
[2009/04/28 14:17:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LiuW2\Application Data\SQL Developer
[2009/07/14 05:23:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LiuW2\Application Data\Tencent
[2009/06/23 05:24:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Tencent
[2006/02/06 12:49:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\MKS\Application Data\IBM
[2009/11/27 10:03:12 | 00,000,246 | ---- | M] () -- C:\WINDOWS\Tasks\clean1.job

========== Purity Check ==========



========== Files - Unicode (All) ==========
[2009/09/27 18:01:36 | 00,000,475 | ---- | C] ()(C:\Documents and Settings\LiuW\Desktop\????.txt) -- C:\Documents and Settings\LiuW\Desktop\医疗保险.txt
[2009/03/15 23:20:10 | 00,000,475 | ---- | M] ()(C:\Documents and Settings\LiuW\Desktop\????.txt) -- C:\Documents and Settings\LiuW\Desktop\医疗保险.txt
< End of report >

---

Extras.txt

OTL Extras logfile created on: 11/27/2009 11:16:50 AM - Run 1
OTL by OldTimer - Version 3.1.11.0 Folder = C:\Documents and Settings\LiuW\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.42 Mb Total Physical Memory | 444.21 Mb Available Physical Memory | 43.45% Memory free
2.40 Gb Paging File | 1.97 Gb Available in Paging File | 82.02% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 33.30 Gb Total Space | 14.76 Gb Free Space | 44.33% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: AN2-L-L3MALP3
Current User Name: LiuW
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SYSTEMROOT%\hh.exe" %1
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{05EC21B8-4593-3037-A781-A6B5AFFCB19D}" = Microsoft Windows SDK for Visual Studio 2008 .NET Framework Tools
"{0873B1A3-00A9-40D6-BACE-3DB4BC5DA840}" = ThinkPad SATA Power Management Driver
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{1007F41F-7D69-468E-8017-3849A5A973C2}" = IBM ThinkVantage Technologies Welcome Message
"{11783F13-C3A9-44A8-929B-21A476F65272}" = IBM Rescue and Recovery with Rapid Restore
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = IBM DLA
"{1297C681-92D7-40EF-93BF-03F66EC5105C}" = ThinkPad EasyEject Utility
"{1F695CFF-C3A2-4A06-8D40-2FC93BC4208A}" = BMC Remedy User 7.0
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{2111B23F-7FDA-4A41-8309-E5A1663CA296}" = ThinkPad Keyboard Customizer Utility
"{22B71A00-4DED-11D4-A5E5-0004AC564F43}" = IBM Access Connections
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{241F2BF7-69EB-42A4-9156-96B2426C7504}" = Microsoft SQL Server Compact 3.5 for Devices ENU
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{28DA872A-0848-48CF-B749-19A198157A2A}" = mDriver
"{291B3A3B-F808-45B8-8113-DF232FCB6C82}" = Microsoft .NET Compact Framework 3.5
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
"{2BA00471-0328-3743-93BD-FA813353A783}" = Microsoft .NET Framework 3.0 Service Pack 1
"{2C92EA30-1014-4F16-AC2D-1A8944A86412}" = Omnify Client 4.0
"{2E5C075E-11AB-4BDD-918C-7B9A68953FF8}" = Microsoft SQL Server Compact 3.5 Design Tools ENU
"{2FC099BD-AC9B-33EB-809C-D332E1B27C40}" = Microsoft .NET Framework 3.5
"{3248F0A8-6813-11D6-A77B-00B0D0150160}" = J2SE Runtime Environment 5.0 Update 16
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3DFB275E-92F1-4D4A-A546-C5475917FA41}" = Lotus Notes 7.0.2
"{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}" = Cisco Systems VPN Client 4.0.3 ©
"{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}" = ATI HYDRAVISION
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4A702DA1-9E48-4346-8030-26B399CCFA8C}" = Altiris Application Metering Agent
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{64c5b887-b5ee-42b8-8596-78905a6b5f1f}" = Microsoft Windows SDK for Visual Studio 2008 SDK Reference Assemblies and IntelliSense
"{6753B40C-0FBD-3BED-8A9D-0ACAC2DCD85D}" = Microsoft Document Explorer 2008
"{6AA003BF-73E5-4911-ADB7-71DD5674DDD4}" = Oracle Data Provider for .NET Help
"{6C9F6D23-E9AD-43C9-B43A-011562AAF876}" = Windows Mobile 5.0 SDK R2 for Pocket PC
"{6CE96A14-61E2-48CC-837E-22710A953ADE}" = IBM Themes
"{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}" = mCore
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{72806716-7088-41B2-8FA6-717A2A164DAB}" = ThinkVantage Active Protection System
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{82512BC9-BD5D-4C50-BE4D-B98E7DF78687}" = ThinkPad UltraNav Wizard
"{848AC794-8B81-440A-81AE-6474337DB527}" = Symantec AntiVirus
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8F55B163-7B42-42A3-9307-C7FCB9655225}" = PC-Doctor for Windows
"{8FB53850-246A-3507-8ADE-0060093FFEA6}" = Visual Studio Tools for the Office system 3.0 Runtime
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-0021-0000-0000-0000000FF1CE}" = Microsoft Office Visual Web Developer 2007
"{90120000-0021-0409-0000-0000000FF1CE}" = Microsoft Office Visual Web Developer MUI (English) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0051-0000-0000-0000000FF1CE}" = Microsoft Office Visio Professional 2007
"{90120000-0054-0409-0000-0000000FF1CE}" = Microsoft Office Visio MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = IBM RecordNow!
"{9656F3AC-6BA9-43F0-ABED-F214B5DAB27B}" = Windows Mobile 5.0 SDK R2 for Smartphone
"{9A1E6130-8F5E-4076-899A-D51FF01EDA6C}" = System Migration Assistant 5.0
"{9A33B83D-FFC4-44CF-BEEF-632DECEF2FCD}" = Microsoft SQL Server Database Publishing Wizard 1.2
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{9E936417-55D6-402D-97AA-07C7FEF07444}" = ThinkVantage Fingerprint Software 4.6.0
"{A0E64EBA-8BF0-49FB-90C0-BB3D781A2016}" = IBM ThinkPad Power Manager
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A4512736-8D63-4298-9271-5329931FA46B}" = Microsoft SQL Server Management Studio Express
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{B32E7732-B2FB-3FD0-81AC-6025B1104C66}" = Microsoft Device Emulator version 3.0 - ENU
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{BCC899FE-2DAA-460C-A5FB-60291E73D9C3}" = Microsoft SQL Server Compact 3.5 ENU
"{C7340571-7773-4A8C-9EBC-4E4243B38C76}" = Microsoft XML Parser
"{CAA376AF-0DE8-4FCA-942E-C6AC579B94B3}" = Microsoft Windows SDK for Visual Studio 2008 Tools
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D7DAD1E4-45F4-3B2B-899A-EA728167EC4F}" = Microsoft Visual Studio 2008 Professional Edition - ENU
"{D8E79FF4-8B9D-427C-8B4A-FF388E5716AD}" = DameWare NT Utilities
"{E922961C-6DB6-41DE-9FEA-426DF3E9F81C}" = IBM 32-bit Runtime Environment for Java 2, v1.4.2
"{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}" = Microsoft SQL Server VSS Writer
"{EA664480-3844-11D5-8C25-444553540000}" = TrackPoint Accessibility Features
"{EC6AF20D-4376-4070-BEE4-D3A0DFF7E140}" = Access IBM
"{EDDF99D9-9FE3-4871-A7DB-D1522C51EE9A}" = Microsoft .NET Compact Framework 2.0 SP2
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F386C340-DF4B-4BBA-9503-420FB7EDB395}" = Wallpapers
"{F6869CD2-3DB4-476D-A4C7-B3AE7C3ACF7B}" = Windows Media Connect
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}" = Microsoft SQL Server Native Client
"{FC081D4D-DF1B-4CF1-B530-027E4118D846}" = ThinkPad Configuration
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_05591014" = ThinkPad Integrated 56K Modem
"ENTERPRISE" = Microsoft Office Enterprise 2007
"InstallShield_{8F55B163-7B42-42A3-9307-C7FCB9655225}" = PC-Doctor for Windows
"InstallShield_{E922961C-6DB6-41DE-9FEA-426DF3E9F81C}" = IBM 32-bit Runtime Environment for Java 2, v1.4.2
"Java Development Kit 1.2" = Java Development Kit 1.2
"LiveUpdate" = LiveUpdate 2.0 (Symantec Corporation)
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5" = Microsoft .NET Framework 3.5
"Microsoft Document Explorer 2008" = Microsoft Document Explorer 2008
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Microsoft Visual Studio 2005 Tools for Office Runtime" = Visual Studio 2005 Tools for Office Second Edition Runtime
"Microsoft Visual Studio 2008 Professional Edition - ENU" = Microsoft Visual Studio 2008 Professional Edition - ENU
"Mozilla Firefox (3.0.15)" = Mozilla Firefox (3.0.15)
"PANTECH PC Card" = PANTECH PC Card Software
"Power Management Driver" = ThinkPad Power Management Driver
"Presentation Director" = ThinkPad Presentation Director
"ProInst" = Intel® PROSet/Wireless Software
"SynTPDeinstKey" = ThinkPad UltraNav Driver
"ThinkPad FullScreen Magnifier" = ThinkPad FullScreen Magnifier
"ThinkPadSoftwareInstaller" = Software Installer
"TPKBDLED" = Scroll Lock Indicator Utility
"VISPRO" = Microsoft Office Visio Professional 2007
"Visual Studio Tools for the Office system 3.0 Runtime" = Visual Studio Tools for the Office system 3.0 Runtime
"VisualWebDeveloper" = Microsoft Visual Studio Web Authoring Component
"VZAccess Manager" = VZAccess Manager
"WIC" = Windows Imaging Component
"Windows Media Connect" = Windows Media Connect
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"WinLiveSuite_Wave3" = Windows Live Essentials
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/26/2009 5:59:00 PM | Computer Name = AN2-L-L3MALP3 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 11/26/2009 6:31:24 PM | Computer Name = AN2-L-L3MALP3 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 11/26/2009 9:20:14 PM | Computer Name = AN2-L-L3MALP3 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 11/26/2009 10:20:43 PM | Computer Name = AN2-L-L3MALP3 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 11/26/2009 11:10:53 PM | Computer Name = AN2-L-L3MALP3 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 11/26/2009 11:40:24 PM | Computer Name = AN2-L-L3MALP3 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 11/27/2009 1:08:37 AM | Computer Name = AN2-L-L3MALP3 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 11/27/2009 1:31:45 AM | Computer Name = AN2-L-L3MALP3 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 11/27/2009 1:51:25 AM | Computer Name = AN2-L-L3MALP3 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 11/27/2009 10:11:27 AM | Computer Name = AN2-L-L3MALP3 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

[ System Events ]
Error - 11/27/2009 1:50:27 AM | Computer Name = AN2-L-L3MALP3 | Source = W32Time | ID = 39452700
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are accessible. NtpClient has no
source of accurate time.

Error - 11/27/2009 1:56:14 AM | Computer Name = AN2-L-L3MALP3 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain MKS due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 11/27/2009 1:57:24 AM | Computer Name = AN2-L-L3MALP3 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain MKS due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 11/27/2009 1:57:49 AM | Computer Name = AN2-L-L3MALP3 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 11/27/2009 1:58:59 AM | Computer Name = AN2-L-L3MALP3 | Source = Service Control Manager | ID = 7001
Description = The Simple Mail Transfer Protocol (SMTP) service depends on the IIS
Admin service which failed to start because of the following error: %%1068

Error - 11/27/2009 1:58:59 AM | Computer Name = AN2-L-L3MALP3 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
ANC Fips IBMTPCHK intelppm SAVRT ShockMgr Smapint SYMTDI TDSMAPI TPHKDRV TPPWRIF TSMAPIP

Error - 11/27/2009 10:08:56 AM | Computer Name = AN2-L-L3MALP3 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 11/27/2009 10:10:20 AM | Computer Name = AN2-L-L3MALP3 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain MKS due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 11/27/2009 10:10:24 AM | Computer Name = AN2-L-L3MALP3 | Source = W32Time | ID = 39452700
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are accessible. NtpClient has no
source of accurate time.

Error - 11/27/2009 11:51:48 AM | Computer Name = AN2-L-L3MALP3 | Source = Service Control Manager | ID = 7034
Description = The IBM KCU Service service terminated unexpectedly. It has done
this 1 time(s).


< End of report >

---


ComboFix log

ComboFix 09-11-24.02 - LiuW 11/27/2009 10:52.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.523 [GMT -5:00]
Running from: c:\documents and settings\LiuW\Desktop\thcbytes.exe
Command switches used :: c:\documents and settings\LiuW\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\ctfmon.exe was missing
Restored copy from - c:\system volume information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP258\A0029272.exe

.
((((((((((((((((((((((((( Files Created from 2009-10-27 to 2009-11-27 )))))))))))))))))))))))))))))))
.

2009-11-27 15:59 . 2004-08-04 13:00 15360 ----a-w- c:\windows\system32\dllcache\ctfmon.exe
2009-11-27 15:59 . 2004-08-04 13:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
2009-11-27 14:12 . 2009-11-27 14:12 -------- d-----w- c:\windows\LastGood
2009-11-27 05:15 . 2009-11-27 05:15 -------- d--h--w- c:\windows\PIF
2009-11-27 01:37 . 2009-11-27 01:37 -------- d-----w- c:\program files\Alwil Software
2009-11-27 01:06 . 2009-11-27 05:19 -------- d-----w- c:\documents and settings\LiuW\Local Settings\Application Data\qrcowx
2009-11-25 14:33 . 2009-11-10 22:48 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ef011.vdb\navex32a.dll
2009-11-25 14:33 . 2009-11-10 22:48 84912 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ef011.vdb\naveng.sys
2009-11-25 14:33 . 2009-11-10 22:48 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ef011.vdb\naveng32.dll
2009-11-25 14:33 . 2009-11-10 22:48 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ef011.vdb\navex15.sys
2009-11-25 14:33 . 2009-11-24 09:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ef011.vdb\ecmsvr32.dll
2009-11-25 14:33 . 2009-09-09 01:24 2747952 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ef011.vdb\CCERASER.DLL
2009-11-25 14:33 . 2009-08-18 01:15 102448 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ef011.vdb\ERASER.SYS
2009-11-25 14:33 . 2009-08-18 01:15 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2ef011.vdb\EECTRL.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-27 14:10 . 2006-02-06 17:06 -------- d-----w- c:\program files\Symantec AntiVirus
2009-11-27 05:56 . 2005-04-27 18:27 63616 ----a-w- c:\windows\system32\drivers\ibmfilter.sys
2009-10-21 05:00 . 2009-10-21 05:00 -------- d-----w- c:\program files\Microsoft
2009-10-21 05:00 . 2009-10-21 04:55 -------- d-----w- c:\program files\Windows Live
2009-10-21 04:58 . 2009-10-21 04:58 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-10-21 04:50 . 2009-10-21 04:50 -------- d-----w- c:\program files\Common Files\Windows Live
2009-10-15 13:41 . 2009-09-27 22:58 -------- d-----w- c:\documents and settings\LiuW\Application Data\DameWare Development
2009-10-15 13:19 . 2009-09-27 22:58 5120 ----a-r- c:\documents and settings\LiuW\Application Data\Microsoft\Installer\{D8E79FF4-8B9D-427C-8B4A-FF388E5716AD}\IconA2E65BCA3.exe
2009-10-15 13:19 . 2009-09-27 22:58 70144 ----a-r- c:\documents and settings\LiuW\Application Data\Microsoft\Installer\{D8E79FF4-8B9D-427C-8B4A-FF388E5716AD}\IconA2E65BCA.exe
2009-09-28 03:00 . 2009-09-28 03:00 8704 ----a-w- c:\windows\system32\SpOrder.dll
2009-09-27 22:04 . 2009-09-27 22:04 48672 ----a-w- C:\GDIPFONTCACHEV1.DAT
2009-09-10 14:15 . 2009-09-27 22:57 652616 ----a-w- c:\documents and settings\LiuW\Application Data\Tencent\QQ\STemp\QQpinyinDL~0\QQPinyinDownload\QQDownload.dll
2009-09-10 14:15 . 2009-09-27 22:57 210248 ----a-w- c:\documents and settings\LiuW\Application Data\Tencent\QQ\STemp\QQpinyinDL~0\QQPinyinDownload\QQPinyinDownload.exe
2009-09-08 19:26 . 2009-09-27 23:14 48672 ----a-w- c:\documents and settings\LiuW\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))

c:\windows\system32\ctfmon.exe [x]
[7] 24232996A38C0B0CF151C2140AE29FC8 15360 \RP258\A0029272.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-11-27_05.31.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-02-06 13:58 . 2009-08-07 00:24 44768 c:\windows\system32\wups2.dll
+ 2004-08-09 18:52 . 2009-08-07 00:24 35552 c:\windows\system32\wups.dll
+ 2004-08-09 18:52 . 2009-08-07 00:24 53472 c:\windows\system32\wuauclt.exe
+ 2005-10-14 05:03 . 2007-11-30 11:18 17272 c:\windows\system32\spmsg.dll
- 2005-10-14 05:03 . 2008-07-09 07:38 17272 c:\windows\system32\spmsg.dll
+ 2009-11-27 05:36 . 2009-08-07 00:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2009-11-27 05:36 . 2009-08-07 00:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 1980-01-01 08:00 . 2008-08-28 08:00 74752 c:\windows\system32\msw3prt.dll
+ 2004-08-09 18:52 . 2009-08-07 00:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2004-08-09 18:52 . 2009-08-07 00:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2008-08-28 08:00 . 2008-08-28 08:00 74752 c:\windows\system32\dllcache\msw3prt.dll
+ 1980-01-01 08:00 . 2009-08-07 00:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 1980-01-01 08:00 . 2009-08-07 00:24 96480 c:\windows\system32\cdm.dll
+ 2009-11-27 05:36 . 2007-11-30 11:18 26488 c:\windows\$hf_mig$\KB953155\update\spcustom.dll
+ 2009-11-27 05:36 . 2007-11-30 11:18 17272 c:\windows\$hf_mig$\KB953155\spmsg.dll
+ 2008-08-28 07:30 . 2008-08-28 07:30 74752 c:\windows\$hf_mig$\KB953155\SP3QFE\msw3prt.dll
+ 2008-08-28 07:46 . 2008-08-28 07:46 74752 c:\windows\$hf_mig$\KB953155\SP3GDR\msw3prt.dll
+ 2008-08-28 07:52 . 2008-08-28 07:52 74752 c:\windows\$hf_mig$\KB953155\SP2QFE\msw3prt.dll
+ 2009-11-27 05:35 . 2007-03-06 01:22 22752 c:\windows\$hf_mig$\KB942831\update\spcustom.dll
+ 2009-11-27 05:35 . 2007-03-06 01:22 14048 c:\windows\$hf_mig$\KB942831\spmsg.dll
+ 2009-11-27 05:36 . 2007-03-06 01:22 22752 c:\windows\$hf_mig$\KB942830\update\spcustom.dll
+ 2009-11-27 05:36 . 2007-03-06 01:22 14048 c:\windows\$hf_mig$\KB942830\spmsg.dll
+ 2009-11-27 05:35 . 2005-10-12 23:12 22752 c:\windows\$hf_mig$\KB939373\update\spcustom.dll
+ 2009-11-27 05:35 . 2005-10-12 23:12 14048 c:\windows\$hf_mig$\KB939373\spmsg.dll
+ 2004-08-09 18:52 . 2009-08-07 00:24 209632 c:\windows\system32\wuweb.dll
+ 2004-08-09 18:52 . 2009-08-07 00:24 327896 c:\windows\system32\wucltui.dll
+ 2004-08-09 18:52 . 2009-08-07 00:23 575704 c:\windows\system32\wuapi.dll
+ 1980-01-01 08:00 . 2008-08-28 08:00 104448 c:\windows\system32\win32spl.dll
+ 2009-02-27 02:49 . 2007-06-26 08:27 363520 c:\windows\system32\inetsrv\w3svc.dll
- 2009-02-27 02:49 . 2004-08-04 13:00 363520 c:\windows\system32\inetsrv\w3svc.dll
+ 2009-02-27 03:52 . 2009-11-27 14:12 214440 c:\windows\system32\inetsrv\MetaBase.bin
- 2009-02-27 02:49 . 2004-08-04 13:00 257024 c:\windows\system32\inetsrv\infocomm.dll
+ 2009-02-27 02:49 . 2008-01-10 05:20 257024 c:\windows\system32\inetsrv\infocomm.dll
+ 2009-02-27 02:49 . 2008-01-10 18:44 369664 c:\windows\system32\inetsrv\asp.dll
- 2009-02-27 02:49 . 2004-08-04 13:00 369664 c:\windows\system32\inetsrv\asp.dll
+ 2004-08-09 18:52 . 2009-08-07 00:24 209632 c:\windows\system32\dllcache\wuweb.dll
+ 2004-08-09 18:52 . 2009-08-07 00:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2004-08-09 18:52 . 2009-08-07 00:23 575704 c:\windows\system32\dllcache\wuapi.dll
+ 2008-08-28 08:00 . 2008-08-28 08:00 104448 c:\windows\system32\dllcache\win32spl.dll
- 2009-02-27 02:49 . 2004-08-04 13:00 363520 c:\windows\system32\dllcache\w3svc.dll
+ 2009-02-27 02:49 . 2007-06-26 08:27 363520 c:\windows\system32\dllcache\w3svc.dll
+ 2009-02-27 02:49 . 2008-01-10 05:20 257024 c:\windows\system32\dllcache\infocomm.dll
- 2009-02-27 02:49 . 2004-08-04 13:00 257024 c:\windows\system32\dllcache\infocomm.dll
- 2009-02-27 02:49 . 2004-08-04 13:00 369664 c:\windows\system32\dllcache\asp51.dll
+ 2009-02-27 02:49 . 2008-01-10 18:44 369664 c:\windows\system32\dllcache\asp51.dll
+ 2009-11-27 05:36 . 2007-11-30 12:39 382840 c:\windows\$hf_mig$\KB953155\update\updspapi.dll
+ 2009-11-27 05:36 . 2007-11-30 12:39 755576 c:\windows\$hf_mig$\KB953155\update\update.exe
+ 2009-11-27 05:36 . 2007-11-30 11:18 231288 c:\windows\$hf_mig$\KB953155\spuninst.exe
+ 2008-08-28 07:30 . 2008-08-28 07:30 104960 c:\windows\$hf_mig$\KB953155\SP3QFE\win32spl.dll
+ 2008-08-28 07:46 . 2008-08-28 07:46 104960 c:\windows\$hf_mig$\KB953155\SP3GDR\win32spl.dll
+ 2008-08-28 07:52 . 2008-08-28 07:52 104960 c:\windows\$hf_mig$\KB953155\SP2QFE\win32spl.dll
+ 2009-11-27 05:35 . 2007-03-06 01:23 371424 c:\windows\$hf_mig$\KB942831\update\updspapi.dll
+ 2009-11-27 05:35 . 2007-03-06 01:22 716000 c:\windows\$hf_mig$\KB942831\update\update.exe
+ 2009-11-27 05:35 . 2007-03-06 01:22 213216 c:\windows\$hf_mig$\KB942831\spuninst.exe
+ 2008-01-10 05:09 . 2008-01-10 05:09 257024 c:\windows\$hf_mig$\KB942831\SP2QFE\infocomm.dll
+ 2009-11-27 05:36 . 2007-03-06 01:23 371424 c:\windows\$hf_mig$\KB942830\update\updspapi.dll
+ 2009-11-27 05:36 . 2007-03-06 01:22 716000 c:\windows\$hf_mig$\KB942830\update\update.exe
+ 2009-11-27 05:36 . 2007-03-06 01:22 213216 c:\windows\$hf_mig$\KB942830\spuninst.exe
+ 2008-01-10 18:36 . 2008-01-10 18:36 369664 c:\windows\$hf_mig$\KB942830\SP2QFE\asp51.dll
+ 2009-11-27 05:35 . 2005-10-12 23:12 371424 c:\windows\$hf_mig$\KB939373\update\updspapi.dll
+ 2009-11-27 05:35 . 2005-10-12 23:12 716000 c:\windows\$hf_mig$\KB939373\update\update.exe
+ 2009-11-27 05:35 . 2005-10-12 23:12 213216 c:\windows\$hf_mig$\KB939373\spuninst.exe
+ 2007-06-26 08:38 . 2007-06-26 08:38 363520 c:\windows\$hf_mig$\KB939373\SP2QFE\w3svc.dll
+ 2004-08-09 18:52 . 2009-08-07 00:23 1929952 c:\windows\system32\wuaueng.dll
+ 2004-08-09 18:52 . 2009-08-07 00:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2005-07-12 17:45 109664 ----a-w- c:\program files\ThinkVantage Fingerprint Software\psfus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 11:07 262144 ----a-w- c:\windows\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 07:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-06-17 06:23 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [10/14/2005 12:09 AM 14720]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [4/27/2005 1:27 PM 63616]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/12/2004 6:18 PM 169192]
R2 SmiHlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [7/12/2005 12:37 PM 3328]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [10/14/2005 12:09 AM 6400]
R3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [1/1/1980 3:00 AM 14336]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [10/14/2005 12:37 AM 12288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-11-27 c:\windows\Tasks\clean1.job
- c:\projects\clean\clean1.bat [2009-11-27 14:57]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {3D8F74EE-8692-4F8F-B8D2-7522E732519E} - hxxp://game-web.qq.com/client/QQGame2.cab
DPF: {522F229A-897A-49B6-BEE8-405C0E6E357A} - hxxp://mks-pla-shp1/JavalinGUI/shipnow/ScaleX.ocx
FF - ProfilePath - c:\documents and settings\LiuW\Application Data\Mozilla\Firefox\Profiles\zf8fio8p.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPJPI150_16.dll
FF - plugin: c:\program files\Java\jre1.5.0_16\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-27 10:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1036)
c:\windows\system32\Ati2evxx.dll
c:\program files\ThinkVantage Fingerprint Software\psfus.dll
c:\program files\Common Files\Virtual Token\psutil.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'explorer.exe'(3380)
c:\windows\system32\msi.dll
c:\windows\system32\shdoclc.dll
.
Completion time: 2009-11-27 11:02
ComboFix-quarantined-files.txt 2009-11-27 16:02
ComboFix2.txt 2009-11-27 05:42

Pre-Run: 15,860,068,352 bytes free
Post-Run: 15,825,850,368 bytes free

- - End Of File - - A68511FBAA0391BCC73C8DE74A85CAF1

-----

exehelperlog

exeHelper by Raktor
Build 20091122
Run at 00:19:14 on 11/27/09
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Removing HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ojysshus
Deleting file C:\Documents and Settings\LiuW\Local Settings\Application Data\qrcowx\ehbasysguard.exe
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ojysshus
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor
Build 20091122
Run at 10:46:53 on 11/27/09
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

----

Also, Combofix had asked me if I wanted to update it to a newer version. I pressed no.

Edited by VetaMega, 27 November 2009 - 11:28 AM.


#6 thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 27 November 2009 - 06:33 PM

If we need to run Combofix in the future please let it update. Are you still getting redirected?
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#7 VetaMega

  • Topic Starter

  • Members
  • 7 posts

Posted 27 November 2009 - 11:43 PM

No I am not being redirected from Internet Explorer.

#8 thcbytes


Posted 28 November 2009 - 12:56 AM

Ok. Thanks.

Let's continue.......

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

==========

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
==========

With your next post please provide:

* MBAM log
* ESET log
* Any further problems?

Kind regards,
~t

#9 VetaMega


Posted 28 November 2009 - 10:36 AM

Malwarebytes' Anti-Malware

does not work

Run time error 0 Run time error 440

ESET OnlineScan link does not work.

Computer freezes easily.

#10 thcbytes


Posted 28 November 2009 - 10:52 AM

Alright.

Please do this......

First...

Re-run RKill then Exehelper.

==========

Next..

Right click and delete Combofix.

Re-download and Run ComboFix (by sUBs)

You must rename it before saving it.

Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

Finally..

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of programs installed will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

MBAM

Additional instructions can be found here if needed.

==========

Re-run RKill.

==========

Please re-download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

==========

You may have corrupt critical system files. Let's see if we can fix that.

  • Click Start > Run and type sfc /scannow and then click OK.
    • Note the space between the c and the /
  • You may need your Windows XP CD so have it ready.
    • If you have Service Pack 2 (SP2) or SP3 installed, you will need the SP2 or SP3 version of the CD. This can be done with a borrowed CD, if you don't have one.
  • Allow the scan to run and when completed, reboot the system.


==========

Your hard disk displays errors - Let's fix that!

  • Click Start > Run and type chkdsk /f and then click OK.
    • Note the space between the k and the /
  • Allow the scan to run and when completed, reboot the system. It might not begin until you reboot.

==========

With your next post please provide:

* Exehelper log
* Combofix.txt
* MBAM log
* Did sfc prompt you for your install disc?

Kind regards,
~t

#11 thcbytes


Posted 04 December 2009 - 08:43 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic



