
Firefox and IE redirect to ad sites, can't safe mode


  • This topic is locked
13 replies to this topic

#1 peanut83
  • Members
  • 7 posts

Posted 12 February 2010 - 11:35 PM

About two weeks ago I downloaded some Windows productivity stuff using the Firefox browser and got infected with malware. Now whenever I use Firefox or IE, I get redirected to ad sites. I also get a lot of pop-ups. I ran Spyware Doctor, Malwarebytes, SpywareBlaster and SUPERAntiSpyware, but they were not able to detect the problem. I downloaded some other spyware removal programs to try to fix the problem, but the instructions require Safe Mode. When I try to start in Safe Mode, I get a blue screen that says at the top "A problem has been detected and Windows has been shut down to prevent damage to your computer." I purchased and ran Safe Mode Fixer from Moonvalley.com, but it didn't work. I tried re-installing Firefox; that didn't work either. I don't know what else to do.

I did the prerequisite stuff before posting, except that when I try to run GMER, it scans before I have a chance to uncheck the recommended items. The second time I ran it, the screen went black for a long time. I wasn't sure if that was normal, so I restarted the computer. I'm afraid to try it a third time.

Can anyone help?


DDS (Ver_09-12-01.01) - NTFSx86
Run by Angellee Chen at 18:50:07.12 on Wed 02/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.2876 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Program Files\Cobian Backup 9\Cobian.exe
C:\Program Files\Cobian Backup 9\cbInterface.exe
C:\Documents and Settings\Angellee Chen\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Nuance.ctfmngr] c:\program files\nuance\naturallyspeaking10\program\ctfmngr.exe /terminate
mRun: [Module Loader] c:\program files\creative\shared files\module loader\DLLML.exe -StartUpRun
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [CTAPR2] "c:\program files\creative\sound blaster x-fi notebook\console launcher\CTAPR2.exe" /r
mRun: [Creative KSRun Persistence Module] RunDll32 KSRun.dll,RunDLLEntry
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [WinCalendar] "c:\program files\sapro systems wincalendar\WinCalendar_SysTray.exe" /q /c
uPolicies-explorer: NoSMHelp = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoNetworkConnections = 01000000
mPolicies-system: HideFastUserSwitching = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15111/CTPID.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\angell~1\applic~1\mozilla\firefox\profiles\fc2bpesx.default 2\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?rlz=1R0GGIC_en
FF - component: c:\documents and settings\angellee chen\application data\mozilla\firefox\profiles\fc2bpesx.default 2\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\angellee chen\application data\mozilla\firefox\profiles\fc2bpesx.default 2\extensions\openxmlviewer@codeplex.com\plugins\npDocX.dll
FF - plugin: c:\documents and settings\angellee chen\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-14 207792]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-4 214664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-2-8 112592]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-1-1 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-1-1 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-1-1 144704]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2009-12-27 26137]
R3 ksaud;Creative USB Audio Driver;c:\windows\system32\drivers\ksaud.sys [2010-1-10 773120]
R3 ksaudfl;ksaudfl;c:\windows\system32\drivers\ksaudfl.sys [2010-1-10 1830912]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-1-1 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-1-1 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-1-1 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-1-1 40552]
S1 AEC671X;AEC671X;c:\windows\system32\drivers\aec671x.sys [2008-12-17 12128]
S1 DMX3191;DMX3191;c:\windows\system32\drivers\dmx3191.sys [2008-12-17 17700]
S2 UDNT;UDNT;c:\windows\system32\drivers\udnt.sys [2008-12-17 76260]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2010-1-30 79360]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2009-12-27 155152]
S3 jumi;%Jumi%;c:\windows\system32\drivers\jumi.sys [2009-7-23 6528]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-1-1 34248]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-4-12 359624]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-4-12 1141712]

=============== Created Last 30 ================

2010-02-11 01:47:32 0 ----a-w- c:\documents and settings\angellee chen\defogger_reenable
2010-02-11 01:32:07 0 d-----w- c:\program files\Cobian Backup 9
2010-02-10 23:50:03 98816 ----a-w- c:\windows\sed.exe
2010-02-10 23:50:03 77312 ----a-w- c:\windows\MBR.exe
2010-02-10 23:50:03 261632 ----a-w- c:\windows\PEV.exe
2010-02-10 23:50:03 161792 ----a-w- c:\windows\SWREG.exe
2010-02-10 08:09:14 0 d-sha-r- C:\cmdcons
2010-02-10 08:08:42 0 d-----w- c:\windows\setupupd
2010-02-10 06:59:26 0 d-----w- c:\program files\Microsoft Virtual PC
2010-02-10 06:26:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Nero
2010-02-09 07:23:21 0 d-----w- c:\windows\setup.pss
2010-02-09 06:25:58 36864 ----a-w- c:\windows\system32\MD5.ocx
2010-02-09 06:25:58 0 d-----w- c:\program files\Safe_Mode_Fixer
2010-02-09 04:11:46 767952 ----a-w- c:\windows\BDTSupport.dll.old
2010-02-09 04:11:46 767952 ----a-w- c:\windows\BDTSupport.dll
2010-02-09 04:11:45 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-02-09 04:11:45 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-02-09 04:11:45 1640400 ----a-w- c:\windows\PCTBDCore.dll.old
2010-02-09 04:11:45 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-02-09 04:05:50 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-02-09 04:05:46 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-02-09 04:05:46 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-02-09 04:05:40 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-02-09 02:55:30 0 d-----w- C:\SDFix
2010-02-08 04:09:59 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-02-07 07:31:03 0 d-----w- c:\program files\Uniblue
2010-02-06 05:51:06 0 d-----w- c:\program files\Trend Micro
2010-02-06 01:27:04 0 d-----w- c:\program files\SpywareBlaster
2010-02-06 01:24:25 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-06 01:24:18 0 d-----w- c:\program files\SUPERAntiSpyware
2010-02-06 01:24:18 0 d-----w- c:\docume~1\angell~1\applic~1\SUPERAntiSpyware.com
2010-02-06 01:23:50 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-02-05 21:19:14 0 d-----w- c:\windows\system32\wbem\Repository
2010-02-05 21:18:18 0 d-----w- c:\program files\Spyware Doctor
2010-02-05 21:18:18 0 d-----w- c:\program files\common files\PC Tools
2010-02-05 21:18:18 0 d-----w- c:\docume~1\angell~1\applic~1\PC Tools
2010-02-05 21:18:18 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-02-05 07:58:54 882 ----a-w- c:\windows\RegSDImport.xml
2010-02-05 07:58:54 879 ----a-w- c:\windows\RegISSImport.xml
2010-02-05 07:58:54 131 ----a-w- c:\windows\IDB.zip
2010-02-05 07:58:54 1152444 ----a-w- c:\windows\UDB.zip
2010-02-05 07:52:28 0 d-----w- c:\program files\common files\PC Tools(2)
2010-02-05 02:18:22 0 d-----w- c:\program files\WinSplit Revolution
2010-02-05 00:54:48 2142 ----a-w- c:\documents and settings\angellee chen\.recently-used.xbel
2010-02-04 06:20:25 0 d-----w- c:\program files\SmartDraw 2010
2010-02-04 06:11:50 0 d-----w- c:\program files\Free Labs
2010-01-30 08:11:22 28635 ----a-r- c:\windows\system32\ksaud.ini
2010-01-30 08:05:19 0 d-----w- c:\program files\common files\Creative Labs Shared
2010-01-30 06:44:11 61 ----a-w- c:\windows\sbwin.ini
2010-01-30 03:21:32 0 d--h--w- c:\program files\Creative Installation Information
2010-01-23 06:36:36 0 d-----w- c:\docume~1\angell~1\applic~1\Foxit Software
2010-01-18 23:53:04 0 d-----w- c:\documents and settings\angellee chen\.fontconfig
2010-01-18 04:39:06 4952064 ----a-w- c:\windows\system32\stacgui.cpl
2010-01-18 04:39:06 405504 ----a-w- c:\windows\stsystra.exe
2010-01-18 04:39:06 1601536 ----a-w- c:\windows\system32\stlang.dll
2010-01-18 04:38:46 270336 ----a-w- c:\windows\system32\stacapi.dll
2010-01-18 04:38:44 0 d-----w- c:\program files\SigmaTel
2010-01-16 09:34:40 453152 ----a-w- c:\windows\system32\nvudisp.exe
2010-01-16 09:03:17 144896 ----a-w- c:\windows\system32\staco.dll
2010-01-16 07:45:14 453152 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-01-12 04:44:36 0 d-----w- c:\docume~1\angell~1\applic~1\FastStone

==================== Find3M ====================

2010-02-08 04:09:45 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-07 07:49:21 2035 ----a-w- c:\docume~1\angell~1\applic~1\SAS7_000.DAT
2010-01-14 18:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-10 06:43:06 5 -c--a-w- c:\windows\system32\drivers\DELL_LAT_D830.MRK
2010-01-10 06:43:06 5 -c--a-w- c:\windows\system32\drivers\1028_Dell_LAT_D830.mrk
2010-01-07 23:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 23:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-13 18:37:19 2395 -c--a-w- c:\windows\checkip.dat
2009-12-07 23:39:04 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-11-30 09:19:58 143872 ----a-w- c:\windows\system32\itircl.dll
2009-11-30 09:19:58 143872 ----a-w- c:\windows\system32\dllcache\itircl.dll
2009-11-30 09:19:43 249856 ------w- c:\windows\Setup1.exe
2009-11-30 09:19:41 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-11-21 15:51:04 471552 ----a-w- c:\windows\system32\dllcache\aclayers.dll
2009-11-13 22:57:16 922112 ------w- c:\windows\system32\imapi2fs.dll
2009-11-13 22:57:16 922112 ------w- c:\windows\system32\dllcache\imapi2fs.dll
2009-11-13 22:57:16 426496 ------w- c:\windows\system32\imapi2.dll
2009-11-13 22:57:16 426496 ------w- c:\windows\system32\dllcache\imapi2.dll
2009-10-16 01:35:14 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-08-23 08:01:40 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082320080824\index.dat

============= FINISH: 18:51:03.65 ===============

#2 myrti
    Sillyberry
  • Malware Study Hall Admin
  • 33,766 posts
  • Gender: Female
  • Location: At home

Posted 18 February 2010 - 09:26 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- will be opened
    • Extra.txt <-- will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#3 peanut83
  • Topic Starter
  • Members
  • 7 posts

Posted 19 February 2010 - 12:28 AM

Here's the OTL.txt report. I didn't see any Extra.txt report. Did a search for it and didn't find it.

Thank you for helping me out. I've tried everything I can think of short of reinstalling Windows XP Professional, but I haven't been able to get rid of the problem. The problem started in early February. I downloaded several things from a site that reviews free software utilities. I vaguely remember one of them causing a McAfee warning about running some kind of program as an app. That might have been the culprit. I didn't know what it meant, so I foolishly ignored it. I was using Mozilla Firefox, but the problem also affects Internet Explorer. It does not affect Google Chrome. I deleted all temp files and tried restoring to an earlier date, reinstalled Firefox and IE, and updated Java. I ran Malwarebytes, SUPERAntiSpyware, McAfee, Spybot and a bunch of other malware scanners in diagnosis mode, and they all come up clean. If I try to boot in Safe Mode, I get a blue screen that says near the top "PAGE_FAULT_IN_NONPAGED_AREA".



------------------------------------------------
OTL logfile created on: 2/18/2010 9:04:34 PM - Run 2
OTL by OldTimer - Version 3.1.30.0 Folder = C:\Documents and Settings\Angellee Chen\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 83.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.70 Gb Total Space | 75.90 Gb Free Space | 67.95% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 3.87 Gb Total Space | 0.22 Gb Free Space | 5.62% Space Free | Partition Type: FAT32

Computer Name: LATITUDE-D830
Current User Name: Angellee Chen
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/02/18 20:56:32 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Angellee Chen\Desktop\Toolbc.exe
PRC - [2010/02/04 17:37:32 | 000,142,976 | ---- | M] () -- C:\Program Files\Mobiola Headset for iPhone\MobiolaWaveService.exe
PRC - [2009/12/08 14:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/11/04 16:53:34 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/10/29 06:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/29 06:54:44 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/10/27 11:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/10/07 15:01:36 | 002,498,560 | ---- | M] (Dell Inc.) -- C:\WINDOWS\system32\WLTRAY.EXE
PRC - [2009/10/07 15:01:36 | 000,025,088 | ---- | M] () -- C:\WINDOWS\system32\WLTRYSVC.EXE
PRC - [2009/10/07 15:01:28 | 002,232,320 | ---- | M] (Dell Inc.) -- C:\WINDOWS\system32\BCMWLTRY.EXE
PRC - [2009/08/28 19:42:54 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/06/23 13:00:50 | 000,250,392 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe
PRC - [2009/06/23 13:00:48 | 000,142,360 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2009/02/22 20:43:55 | 000,307,200 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe
PRC - [2008/12/12 11:17:38 | 000,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/04/13 17:12:41 | 000,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2008/04/13 17:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/05/06 17:11:36 | 000,094,208 | ---- | M] (SigmaTel, Inc.) -- C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe
PRC - [2006/12/19 12:21:48 | 000,079,432 | ---- | M] (Broadcom Corporation) -- C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
PRC - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2005/02/16 16:15:22 | 000,221,184 | ---- | M] (InstallShield Software Corporation) -- c:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
PRC - [2005/02/16 16:15:20 | 000,581,632 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
PRC - [2005/02/16 16:15:20 | 000,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe


========== Modules (SafeList) ==========

MOD - [2010/02/18 20:56:32 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Angellee Chen\Desktop\Toolbc.exe


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (stllssvr)
SRV - [2010/02/12 22:11:16 | 001,181,328 | ---- | M] (Lavasoft) [Auto | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2010/02/04 17:37:32 | 000,142,976 | ---- | M] () [Auto | Running] -- C:\Program Files\Mobiola Headset for iPhone\MobiolaWaveService.exe -- (Mobiola Wave Service)
SRV - [2010/01/30 01:05:19 | 000,079,360 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe -- (Creative Audio Engine Licensing Service)
SRV - [2009/12/08 14:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/11/12 16:33:00 | 000,545,568 | ---- | M] (Apple Inc.) [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/11/04 16:53:34 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/11/04 15:59:50 | 000,606,736 | ---- | M] (McAfee, Inc.) [Disabled | Stopped] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/10/29 06:54:44 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/10/28 11:50:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/10/27 11:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/10/07 15:01:36 | 000,025,088 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\WLTRYSVC.EXE -- (wltrysvc)
SRV - [2009/09/26 03:31:58 | 000,149,336 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2009/08/28 19:42:54 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/03/30 16:28:36 | 001,533,808 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2009/03/25 20:23:53 | 000,183,280 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009/02/22 20:43:55 | 000,307,200 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\Program Files\Creative\Shared Files\CTAudSvc.exe -- (CTAudSvcService)
SRV - [2008/12/12 11:17:38 | 000,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/11/04 01:06:28 | 000,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/04/13 17:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (W3SVC)
SRV - [2008/04/13 17:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC) Simple Mail Transfer Protocol (SMTP)
SRV - [2008/04/13 17:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2007/05/06 17:11:36 | 000,094,208 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\Program Files\SigmaTel\C-Major Audio\WDM\stacsv.exe -- (STacSV)
SRV - [2006/12/19 12:21:48 | 000,079,432 | ---- | M] (Broadcom Corporation) [Auto | Running] -- C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe -- (ASFIPmon)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2005/04/04 00:41:10 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - [2010/02/15 01:47:58 | 000,229,224 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\VMM.sys -- (vmm)
DRV - [2010/01/28 18:10:22 | 000,024,832 | ---- | M] (SHAPE Services) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mobiolawave.sys -- (MOBIOLA_Wave) Mobiola Wave Audio Device (WDM)
DRV - [2010/01/05 07:56:06 | 000,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2010/01/05 07:56:04 | 000,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/01/05 07:56:02 | 000,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/12/02 06:19:06 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - [2009/11/04 16:54:12 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/11/04 16:54:12 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/11/04 16:54:12 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/11/04 16:54:12 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/11/04 16:53:40 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/10/07 15:01:32 | 002,649,216 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2009/08/28 19:42:52 | 000,040,448 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL)
DRV - [2009/07/23 12:07:40 | 000,006,528 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\jumi.sys -- (jumi)
DRV - [2009/07/16 12:32:26 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2009/06/22 18:52:46 | 000,773,120 | R--- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ksaud.sys -- (ksaud)
DRV - [2009/06/12 17:52:48 | 006,278,272 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2009/05/18 14:17:00 | 000,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008/11/20 12:19:06 | 000,043,872 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008/10/24 03:27:06 | 001,830,912 | R--- | M] (Creative) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ksaudfl.sys -- (ksaudfl)
DRV - [2008/04/13 11:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 11:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 11:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 09:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/05 01:50:44 | 000,059,960 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VMNetSrv.sys -- (VPCNetS2)
DRV - [2007/12/23 17:18:48 | 000,068,696 | ---- | M] (O2Micro) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\oz776.sys -- (guardian2)
DRV - [2007/11/13 03:25:53 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/08/02 17:35:12 | 000,989,952 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2007/08/02 17:34:30 | 000,211,200 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2007/08/02 17:34:26 | 000,731,136 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2007/06/25 18:53:10 | 000,155,136 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2007/05/06 17:12:00 | 001,222,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2007/04/26 12:29:30 | 000,041,856 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfusb.sys -- (Tosrfusb)
DRV - [2007/04/26 12:29:28 | 000,073,600 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Tosrfhid.sys -- (Tosrfhid)
DRV - [2007/04/26 12:29:28 | 000,064,896 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\tosrfcom.sys -- (Tosrfcom)
DRV - [2007/04/26 12:29:28 | 000,018,612 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfnds.sys -- (tosrfnds)
DRV - [2007/04/26 12:29:26 | 000,113,920 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfbd.sys -- (tosrfbd)
DRV - [2007/04/26 12:29:26 | 000,036,480 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfbnp.sys -- (tosrfbnp)
DRV - [2007/04/26 12:29:24 | 000,041,600 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosporte.sys -- (tosporte)
DRV - [2007/02/16 15:46:00 | 000,160,256 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2006/12/19 12:21:52 | 000,010,480 | ---- | M] (Broadcom Corporation) [Kernel | Auto | Running] -- C:\Program Files\Broadcom\ASFIPMon\BASFND.sys -- (BASFND)
DRV - [2006/08/18 11:18:08 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2006/08/18 11:17:46 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2006/08/18 11:17:44 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/08/18 11:17:44 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/08/18 11:17:42 | 000,026,008 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/08/18 11:17:40 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/08/18 11:17:38 | 000,104,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/08/18 11:17:38 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/08/11 09:05:58 | 000,051,768 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2006/08/11 08:35:18 | 000,012,920 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/08/11 08:35:16 | 000,028,184 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2006/07/21 09:21:26 | 000,099,176 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2006/06/19 14:26:58 | 000,012,672 | R--- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\mdmxsdk.sys -- (mdmxsdk)
DRV - [2006/04/27 15:30:48 | 000,026,137 | ---- | M] (Nortel Networks) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\eacfilt.sys -- (Eacfilt)
DRV - [2006/04/27 15:30:26 | 000,155,152 | ---- | M] (Nortel Networks NA, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ipsecw2k.sys -- (IPSECSHM)
DRV - [2006/04/27 15:30:26 | 000,155,152 | ---- | M] (Nortel Networks NA, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ipsecw2k.sys -- (IPSECEXT)
DRV - [2006/01/10 09:07:58 | 000,004,864 | ---- | M] (GTek Technologies Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2004/08/04 03:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/03 20:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2001/08/17 13:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\ASC.SYS -- (asc)
DRV - [2001/08/17 12:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 12:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 12:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 12:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 12:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 11:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 11:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 11:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 11:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 11:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 11:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 11:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 11:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 11:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 10:12:10 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B) Intel®
DRV - [1999/02/23 01:12:40 | 000,017,700 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\DMX3191.SYS -- (DMX3191)
DRV - [1998/09/18 08:48:02 | 000,076,260 | ---- | M] () [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\udnt.sys -- (UDNT)
DRV - [1998/05/05 11:06:04 | 000,012,128 | ---- | M] (Acard Technology Corp.) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\AEC671X.SYS -- (AEC671X)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070827
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070827


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070827
IE - HKU\.DEFAULT\..\URLSearchHook: {31c7d459-9cc3-44f2-9dca-fc11795309b4} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070827
IE - HKU\S-1-5-18\..\URLSearchHook: {31c7d459-9cc3-44f2-9dca-fc11795309b4} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



IE - HKU\S-1-5-21-1347659003-2121365797-3136764092-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-1347659003-2121365797-3136764092-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-1347659003-2121365797-3136764092-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1347659003-2121365797-3136764092-1005\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-1347659003-2121365797-3136764092-1005\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-1347659003-2121365797-3136764092-1005\S-1-5-21-1347659003-2121365797-3136764092-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1347659003-2121365797-3136764092-1005\S-1-5-21-1347659003-2121365797-3136764092-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c} [2008/11/13 00:48:09 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/02/15 21:58:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/14 01:15:14 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/13 17:54:54 | 000,000,000 | ---D | M]

[2010/02/14 01:15:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Angellee Chen\Application Data\Mozilla\Extensions
[2010/02/14 21:26:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Angellee Chen\Application Data\Mozilla\Firefox\Profiles\7uw9fgnx.default\extensions
[2010/02/13 17:54:54 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2004/08/04 03:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (FDMIECookiesBHO Class) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll ()
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {31C7D459-9CC3-44F2-9DCA-FC11795309B4} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {31C7D459-9CC3-44F2-9DCA-FC11795309B4} - No CLSID value found.
O3 - HKU\S-1-5-21-1347659003-2121365797-3136764092-1005\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-1347659003-2121365797-3136764092-1005\..\Toolbar\WebBrowser: (no name) - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No CLSID value found.
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.EXE (Dell Inc.)
O4 - HKLM..\Run: [Creative KSRun Persistence Module] C:\WINDOWS\System32\KSRun.dll (Creative Technology Ltd.)
O4 - HKLM..\Run: [CTAPR2] C:\Program Files\Creative\Sound Blaster X-Fi Notebook\Console Launcher\CTAPR2.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [WinCalendar] C:\Program Files\Sapro Systems WinCalendar\WinCalendar_SysTray.exe (Sapro Systems)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [WinCalendar] C:\Program Files\Sapro Systems WinCalendar\WinCalendar_SysTray.exe (Sapro Systems)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideFastUserSwitching = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: AllowMultipleTSSessions = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1347659003-2121365797-3136764092-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1347659003-2121365797-3136764092-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1347659003-2121365797-3136764092-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O7 - HKU\S-1-5-21-1347659003-2121365797-3136764092-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 01 00 00 00 [binary data]
O7 - HKU\S-1-5-21-1347659003-2121365797-3136764092-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoComputersNearMe = 01 00 00 00 [binary data]
O7 - HKU\S-1-5-21-1347659003-2121365797-3136764092-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 01 00 00 00 [binary data]
O7 - HKU\S-1-5-21-1347659003-2121365797-3136764092-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetworkConnections = 01 00 00 00 [binary data]
O7 - HKU\S-1-5-21-1347659003-2121365797-3136764092-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1347659003-2121365797-3136764092-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1347659003-2121365797-3136764092-1005_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra Button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 63 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 63 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 63 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1347659003-2121365797-3136764092-1005\..Trusted Domains: 33 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://fpdownload.macromedia.com/get/shock...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase6087.cab (Windows Live Safety Center Base Module)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creative.com/Web/softwareup...15111/CTPID.cab (Creative Software AutoUpdate Support Package)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Coffee Bean.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Coffee Bean.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 15:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/08/11 15:02:12 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - Services: "sdCoreService"
MsConfig - Services: "Browser Defender Update Service"
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe - (Avanquest Software )
MsConfig - StartUpFolder: C:^Documents and Settings^Angellee Chen^Start Menu^Programs^Startup^Dragon NaturallySpeaking 10.0.lnk - C:\WINDOWS\Installer\{E7712E53-7A7F-46EB-AA13-70D5987D30F2}\NatSpeak_Shortcut_E7712E537A7F46EBAA1370D5987D30F2.exe - (Macrovision Corporation)
MsConfig - StartUpFolder: C:^Documents and Settings^Angellee Chen^Start Menu^Programs^Startup^WINWORD.EXE.lnk - C:\Program Files\Microsoft Office\Office12\WINWORD.EXE - (Microsoft Corporation)
MsConfig - StartUpFolder: C:^Documents and Settings^Angellee Chen^Start Menu^Programs^Startup^WORD2007StartupNoDoc.lnk - C:\PROGRA~1\MICROS~4\Office12\WINWORD.EXE - File not found
MsConfig - StartUpReg: Apoint - hkey= - key= - C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
MsConfig - StartUpReg: CoolSwitch - hkey= - key= - File not found
MsConfig - StartUpReg: Google Update - hkey= - key= - C:\Documents and Settings\Angellee Chen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
MsConfig - StartUpReg: HotKeysCmds - hkey= - key= - File not found
MsConfig - StartUpReg: iTunesHelper - hkey= - key= - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
MsConfig - StartUpReg: Module Loader - hkey= - key= - C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe (Creative Technology Ltd.)
MsConfig - StartUpReg: Nuance.ctfmngr - hkey= - key= - C:\Program Files\Nuance\NaturallySpeaking10\Program\ctfmngr.exe (Nuance Communications, Inc.)
MsConfig - StartUpReg: PDVDDXSrv - hkey= - key= - C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
MsConfig - StartUpReg: SmartDefrag - hkey= - key= - C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe (IObit)
MsConfig - StartUpReg: SSBkgdUpdate - hkey= - key= - C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Nuance Communications, Inc.)
MsConfig - StartUpReg: STC - hkey= - key= - C:\Program Files\Innovative Solutions\System Tray Cleaner\stc.exe (Innovative Solutions)
MsConfig - StartUpReg: SUPERAntiSpyware - hkey= - key= - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
MsConfig - StartUpReg: TouchFreeze - hkey= - key= - C:\Program Files\TouchFreeze\TouchFreeze.exe ()
MsConfig - StartUpReg: VolPanel - hkey= - key= - C:\Program Files\Creative\Sound Blaster X-Fi Notebook\Volume Panel\VolPanlu.exe (Creative Technology Ltd)
MsConfig - StartUpReg: WinCalendar - hkey= - key= - C:\Program Files\Sapro Systems WinCalendar\WinCalendar_SysTray.exe (Sapro Systems)
MsConfig - StartUpReg: Windows Defender - hkey= - key= - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 2
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Service
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Service
SafeBootMin: mcmscsvc - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SafeBootMin: MCODS - C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Service
SafeBootMin: SCSI Class - Driver
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - CD-ROM Drive
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Volume
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Service

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Service
SafeBootNet: mcmscsvc - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SafeBootNet: MCODS - C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SafeBootNet: MpfService - C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Service
SafeBootNet: NetDDEGroup - Service
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Service
SafeBootNet: nm.sys - Service
SafeBootNet: PCI Configuration - Service
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver
SafeBootNet: SCSI Class - Driver
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Service
SafeBootNet: TDI - Driver
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - CD-ROM Drive
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Volume
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Adobe Shockwave Director 11.0
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Adobe Shockwave Director 11.0
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {8b15971b-5355-4c82-8c07-7e181ea07608} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {94de52c8-2d59-4f1b-883e-79663d2d9a8c} - rundll32.exe C:\WINDOWS\system32\Setup\FxsOcm.dll,XP_UninstallProvider
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2010/02/18 20:56:29 | 000,549,376 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Angellee Chen\Desktop\Toolbc.exe
[2010/02/18 20:23:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/02/15 01:47:58 | 000,229,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\VMM.sys
[2010/02/14 01:15:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Angellee Chen\Application Data\Mozilla
[2010/02/13 19:31:49 | 000,000,000 | ---D | C] -- C:\Program Files\ACW
[2010/02/13 18:30:40 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/02/13 18:24:58 | 000,137,576 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Angellee Chen\Desktop\clean boot.exe
[2010/02/13 17:54:52 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/02/13 12:34:23 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Angellee Chen\Desktop\iPhone Quickword
[2010/02/12 22:42:12 | 000,439,808 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Angellee Chen\Desktop\ToolTC2.exe
[2010/02/12 22:40:02 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Angellee Chen\Desktop\ToolTC.exe
[2010/02/12 22:34:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Angellee Chen\Desktop\GMER
[2010/02/12 22:32:50 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/02/12 22:32:47 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/02/12 22:32:46 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/02/12 22:26:34 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/02/12 22:25:55 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/02/12 22:22:55 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2010/02/12 22:21:51 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/02/12 22:19:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Angellee Chen\Desktop\ToolRR
[2010/02/12 22:12:44 | 000,064,288 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2010/02/12 22:10:40 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
[2010/02/12 22:10:22 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/02/12 22:10:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2010/02/12 21:52:18 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/02/12 21:27:09 | 000,549,376 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Angellee Chen\Desktop\toolOld.exe
[2010/02/12 01:17:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/02/11 01:15:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Angellee Chen\My Documents\Mobiola Audio Files
[2010/02/11 01:12:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Angellee Chen\Application Data\SHAPE Services
[2010/02/11 00:47:43 | 000,024,832 | ---- | C] (SHAPE Services) -- C:\WINDOWS\System32\drivers\mobiolawave.sys
[2010/02/11 00:47:43 | 000,000,000 | ---D | C] -- C:\Program Files\Mobiola Headset for iPhone
[2010/02/10 18:32:07 | 000,000,000 | ---D | C] -- C:\Program Files\Cobian Backup 9
[2010/02/10 16:50:03 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/02/10 16:50:03 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/02/10 16:50:03 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/02/10 16:50:03 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/02/10 16:48:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/02/10 01:29:31 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Angellee Chen\Recent
[2010/02/10 01:09:14 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/02/10 01:08:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\setupupd
[2010/02/10 00:04:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Angellee Chen\My Documents\My Virtual Machines
[2010/02/09 23:59:26 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Virtual PC
[2010/02/09 23:29:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Angellee Chen\Application Data\Nero
[2010/02/09 23:26:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Nero
[2010/02/09 22:46:44 | 000,000,000 | ---D | C] -- C:\Program Files\Ahead
[2010/02/09 00:23:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\setup.pss
[2010/02/08 23:45:10 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/02/08 23:25:58 | 000,036,864 | ---- | C] (MoonValleySoft.com) -- C:\WINDOWS\System32\MD5.ocx
[2010/02/08 23:25:58 | 000,000,000 | ---D | C] -- C:\Program Files\Safe_Mode_Fixer
[2010/02/08 21:25:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Angellee Chen\Local Settings\Application Data\Threat Expert
[2010/02/08 21:11:45 | 001,640,400 | ---- | C] (Threat Expert Ltd.) -- C:\WINDOWS\PCTBDCore.dll.old
[2010/02/08 19:33:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Angellee Chen\Desktop\GooredFix Backups
[2010/02/08 19:00:41 | 000,070,858 | ---- | C] (jpshortstuff) -- C:\Documents and Settings\Angellee Chen\Desktop\GooredFix(1).exe
[2010/02/07 21:13:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/02/07 21:13:06 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/02/07 21:09:59 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/02/07 21:09:59 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/02/07 21:09:59 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/02/07 21:09:59 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/02/07 20:58:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Angellee Chen\Desktop\javara
[2010/02/07 00:31:03 | 000,000,000 | ---D | C] -- C:\Program Files\Uniblue
[2010/02/05 18:24:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/02/05 18:24:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Angellee Chen\Application Data\SUPERAntiSpyware.com
[2010/02/05 14:18:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2010/02/05 14:18:18 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2010/02/05 14:18:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Angellee Chen\Application Data\PC Tools
[2010/02/05 14:18:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2010/02/05 14:16:24 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2010/02/04 19:18:22 | 000,000,000 | ---D | C] -- C:\Program Files\WinSplit Revolution
[2010/01/30 01:05:19 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Creative Labs Shared
[2010/01/30 00:03:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Angellee Chen\My Documents\Organ Donation
[2010/01/29 20:45:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Angellee Chen\Application Data\Creative
[2010/01/29 20:21:32 | 000,000,000 | -H-D | C] -- C:\Program Files\Creative Installation Information
[2010/01/25 21:59:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Angellee Chen\My Documents\Forensic Resources
[2010/01/24 01:53:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Angellee Chen\Desktop\ME Files
[2010/01/22 23:36:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Angellee Chen\Application Data\Foxit Software
[2010/01/20 21:41:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Angellee Chen\My Documents\2007 Templates
[2009/12/04 00:53:46 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/12/02 00:22:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee
[2009/08/29 13:06:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\SACore
[2009/01/30 16:34:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2008/12/09 16:16:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2008/10/15 18:56:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2008/08/23 01:03:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/05/24 20:54:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\NTRU Cryptosystems
[2008/05/07 02:00:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2008/03/01 21:03:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2007/09/08 18:04:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2007/09/08 18:04:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Google

========== Files - Modified Within 30 Days ==========

[2010/02/18 21:09:00 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{6B1F69D1-73B9-4DBD-9FF7-416B30B0B4DD}.job
[2010/02/18 21:03:20 | 000,020,973 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2010/02/18 21:00:28 | 000,030,720 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\Desktop\BleepingComputerInstructions.doc
[2010/02/18 20:56:32 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Angellee Chen\Desktop\Toolbc.exe
[2010/02/18 20:49:08 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/02/18 20:49:01 | 000,000,581 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/02/18 20:49:01 | 000,000,322 | RHS- | M] () -- C:\boot.ini
[2010/02/18 20:49:01 | 000,000,254 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/02/18 20:48:47 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/02/18 20:48:46 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/02/18 20:48:46 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/02/18 20:48:45 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/02/18 20:48:45 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/02/18 20:47:49 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/18 20:45:55 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/18 20:45:47 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/18 20:45:44 | 3747,573,760 | -HS- | M] () -- C:\hiberfil.sys
[2010/02/18 20:44:50 | 006,553,600 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\ntuser.dat
[2010/02/18 20:44:50 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Angellee Chen\ntuser.ini
[2010/02/18 20:39:56 | 009,956,146 | -H-- | M] () -- C:\Documents and Settings\Angellee Chen\Local Settings\Application Data\IconCache.db
[2010/02/18 00:13:45 | 000,002,115 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\Application Data\SAS7_000.DAT
[2010/02/15 18:55:54 | 000,582,812 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/02/15 18:55:54 | 000,487,202 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/02/15 18:55:54 | 000,087,194 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/02/15 01:51:01 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/02/15 01:47:58 | 000,229,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\VMM.sys
[2010/02/14 18:58:04 | 000,317,152 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/02/13 21:46:29 | 000,318,976 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\My Documents\Removing Spyware.doc
[2010/02/13 19:54:33 | 000,080,128 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/02/13 18:27:15 | 000,035,328 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\My Documents\Clean Boot.doc
[2010/02/13 18:24:59 | 000,137,576 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Angellee Chen\Desktop\clean boot.exe
[2010/02/13 18:17:07 | 003,153,920 | ---- | M] () -- C:\WINDOWS\System32\secsetup.sdb
[2010/02/13 17:57:20 | 000,000,134 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\Desktop\Internet Explorer Troubleshooting.url
[2010/02/13 16:54:42 | 000,136,178 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\Desktop\bookmarks-2010-02-13.json
[2010/02/13 16:37:01 | 000,067,584 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\Desktop\Hijack this Fixes for Specific Infections.doc
[2010/02/13 16:30:17 | 000,040,448 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\Desktop\PC Cleaning Procedures.doc
[2010/02/13 16:30:10 | 000,038,400 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\Desktop\PC Protection.doc
[2010/02/13 16:15:19 | 000,920,576 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\My Documents\Weed Control Begins With Pre (Autosaved).doc
[2010/02/13 15:51:50 | 000,661,431 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\Desktop\SSF 0508 Chen,Angelee.pdf
[2010/02/13 14:03:34 | 000,548,352 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\My Documents\Weed Control Begins With Pre.doc
[2010/02/13 13:44:27 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Angellee Chen\My Documents\~$ed Control Begins With Pre.doc
[2010/02/13 12:33:45 | 000,389,120 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\My Documents\To start the computer and use the Recovery Console.doc
[2010/02/13 01:36:02 | 000,023,552 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\My Documents\Start Up Processes.doc
[2010/02/12 22:42:14 | 000,439,808 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Angellee Chen\Desktop\ToolTC2.exe
[2010/02/12 22:40:03 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Angellee Chen\Desktop\ToolTC.exe
[2010/02/12 22:32:53 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/12 22:26:36 | 000,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/02/12 22:22:56 | 000,000,690 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\Desktop\SpywareBlaster.lnk
[2010/02/12 22:21:51 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\Desktop\HijackThis.lnk
[2010/02/12 22:10:38 | 000,000,867 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/02/12 21:52:22 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\Desktop\Spybot - Search & Destroy.lnk
[2010/02/12 21:27:47 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Angellee Chen\Desktop\toolOld.exe
[2010/02/12 16:32:08 | 000,023,040 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\Desktop\Catch me Files to delete.doc
[2010/02/12 00:31:23 | 000,091,648 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\My Documents\Firefox Fix.doc
[2010/02/11 19:03:14 | 000,002,537 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\Desktop\Dragon NaturallySpeaking 10.0.lnk
[2010/02/11 01:35:51 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\My Documents\Mobiola ad hoc.doc
[2010/02/11 00:47:44 | 000,000,852 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\Desktop\Mobiola Headset for iPhone.lnk
[2010/02/10 23:06:01 | 000,001,154 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\Desktop\Shortcut to ASC MEDEX (X).lnk
[2010/02/10 18:47:32 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\defogger_reenable
[2010/02/10 01:47:45 | 000,632,320 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\Desktop\How to use ComboFix.doc
[2010/02/10 01:24:13 | 000,449,536 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\Desktop\Slipstreaming Windows XP with Service Pack 3.doc
[2010/02/08 23:25:59 | 000,000,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Safe_Mode_Fixer.lnk
[2010/02/08 22:43:47 | 000,000,433 | RHS- | M] () -- C:\BOOT.BAK
[2010/02/08 19:00:42 | 000,070,858 | ---- | M] (jpshortstuff) -- C:\Documents and Settings\Angellee Chen\Desktop\GooredFix(1).exe
[2010/02/08 17:02:38 | 000,105,119 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\My Documents\To start the computer and use the Recovery Console.docx
[2010/02/07 21:09:45 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2010/02/07 21:09:45 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/02/07 21:09:45 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/02/07 21:09:45 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/02/07 21:09:45 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/02/05 22:12:26 | 000,018,870 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\My Documents\Response.docm
[2010/02/04 17:54:48 | 000,002,142 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\.recently-used.xbel
[2010/02/02 22:04:08 | 000,469,504 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\My Documents\Travis County ME Problems.doc
[2010/02/01 01:00:03 | 000,000,334 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2010/01/31 20:36:21 | 000,001,732 | -H-- | M] () -- C:\Documents and Settings\Angellee Chen\My Documents\Default.rdp
[2010/01/30 01:12:00 | 000,000,268 | RH-- | M] () -- C:\WINDOWS\ctfile.rfc
[2010/01/29 23:44:11 | 000,000,061 | ---- | M] () -- C:\WINDOWS\sbwin.ini
[2010/01/28 18:10:22 | 000,024,832 | ---- | M] (SHAPE Services) -- C:\WINDOWS\System32\drivers\mobiolawave.sys
[2010/01/26 22:47:44 | 000,030,720 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\My Documents\ME position questions.doc
[2010/01/23 19:27:50 | 000,224,860 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\My Documents\Needs of America's Medicolegal Offices.PDF
[2010/01/23 19:20:46 | 012,558,743 | ---- | M] () -- C:\Documents and Settings\Angellee Chen\My Documents\Rhode Island Autopsy Report Backlog.PDF

========== Files Created - No Company Name ==========

[2010/02/18 21:00:28 | 000,030,720 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\Desktop\BleepingComputerInstructions.doc
[2010/02/15 01:46:54 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2010/02/13 21:46:29 | 000,318,976 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\My Documents\Removing Spyware.doc
[2010/02/13 18:27:14 | 000,035,328 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\My Documents\Clean Boot.doc
[2010/02/13 18:17:05 | 003,153,920 | ---- | C] () -- C:\WINDOWS\System32\secsetup.sdb
[2010/02/13 17:57:20 | 000,000,134 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\Desktop\Internet Explorer Troubleshooting.url
[2010/02/13 16:54:42 | 000,136,178 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\Desktop\bookmarks-2010-02-13.json
[2010/02/13 16:30:17 | 000,040,448 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\Desktop\PC Cleaning Procedures.doc
[2010/02/13 16:30:10 | 000,038,400 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\Desktop\PC Protection.doc
[2010/02/13 16:20:35 | 000,067,584 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\Desktop\Hijack this Fixes for Specific Infections.doc
[2010/02/13 16:15:18 | 000,920,576 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\My Documents\Weed Control Begins With Pre (Autosaved).doc
[2010/02/13 15:51:47 | 000,661,431 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\Desktop\SSF 0508 Chen,Angelee.pdf
[2010/02/13 13:44:27 | 000,548,352 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\My Documents\Weed Control Begins With Pre.doc
[2010/02/13 13:44:27 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Angellee Chen\My Documents\~$ed Control Begins With Pre.doc
[2010/02/13 12:33:45 | 000,389,120 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\My Documents\To start the computer and use the Recovery Console.doc
[2010/02/12 22:32:53 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/12 22:26:36 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/02/12 22:22:56 | 000,000,690 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\Desktop\SpywareBlaster.lnk
[2010/02/12 22:21:51 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\Desktop\HijackThis.lnk
[2010/02/12 22:13:21 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/02/12 22:13:21 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 4).job
[2010/02/12 22:13:21 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 3).job
[2010/02/12 22:13:21 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 2).job
[2010/02/12 22:13:21 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily 1).job
[2010/02/12 22:10:38 | 000,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2010/02/12 21:52:22 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\Desktop\Spybot - Search & Destroy.lnk
[2010/02/12 16:07:32 | 000,023,040 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\Desktop\Catch me Files to delete.doc
[2010/02/12 00:31:23 | 000,091,648 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\My Documents\Firefox Fix.doc
[2010/02/12 00:18:30 | 000,023,552 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\My Documents\Start Up Processes.doc
[2010/02/11 01:35:50 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\My Documents\Mobiola ad hoc.doc
[2010/02/11 00:47:44 | 000,000,852 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\Desktop\Mobiola Headset for iPhone.lnk
[2010/02/10 23:13:58 | 000,224,860 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\My Documents\Needs of America's Medicolegal Offices.PDF
[2010/02/10 23:13:53 | 000,544,357 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\My Documents\Budgeting for Results.pdf
[2010/02/10 23:13:48 | 000,028,160 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\My Documents\Employment lawyer.doc
[2010/02/10 23:13:33 | 000,018,870 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\My Documents\Response.docm
[2010/02/10 23:13:24 | 012,558,743 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\My Documents\Rhode Island Autopsy Report Backlog.PDF
[2010/02/10 23:13:13 | 000,469,504 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\My Documents\Travis County ME Problems.doc
[2010/02/10 23:13:09 | 000,105,119 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\My Documents\To start the computer and use the Recovery Console.docx
[2010/02/10 23:05:02 | 000,001,154 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\Desktop\Shortcut to ASC MEDEX (X).lnk
[2010/02/10 18:47:32 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\defogger_reenable
[2010/02/10 16:50:03 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/02/10 16:50:03 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/02/10 16:50:03 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/02/10 16:50:03 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/02/10 16:50:03 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/02/10 01:09:57 | 000,000,433 | RHS- | C] () -- C:\BOOT.BAK
[2010/02/10 01:09:42 | 000,260,288 | RHS- | C] () -- C:\cmldr
[2010/02/09 02:19:49 | 000,449,536 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\Desktop\Slipstreaming Windows XP with Service Pack 3.doc
[2010/02/08 23:58:29 | 000,632,320 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\Desktop\How to use ComboFix.doc
[2010/02/08 23:25:59 | 000,000,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Safe_Mode_Fixer.lnk
[2010/02/08 21:11:46 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll.old
[2010/02/04 17:54:48 | 000,002,142 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\.recently-used.xbel
[2010/02/04 11:38:33 | 000,172,752 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/01/31 17:33:49 | 006,553,600 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\ntuser.dat
[2010/01/30 01:11:22 | 000,028,635 | R--- | C] () -- C:\WINDOWS\System32\ksaud.ini
[2010/01/29 23:44:11 | 000,000,061 | ---- | C] () -- C:\WINDOWS\sbwin.ini
[2010/01/10 15:33:11 | 000,033,327 | ---- | C] () -- C:\WINDOWS\System32\kschimp.ini
[2010/01/10 15:33:10 | 000,228,864 | R--- | C] () -- C:\WINDOWS\System32\KSXPPI32.dll
[2010/01/02 19:23:07 | 000,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2010/01/02 19:23:07 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2009/12/03 17:41:44 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2009/12/03 17:41:44 | 000,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2009/12/03 17:41:43 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2009/08/29 02:28:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\exctrlst.INI
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/07/03 19:37:04 | 000,002,115 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\Application Data\SAS7_000.DAT
[2009/01/20 22:03:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\UNIVMGR.INI
[2009/01/04 19:56:51 | 000,000,103 | ---- | C] () -- C:\WINDOWS\System32\hptrace.ini
[2009/01/03 01:53:08 | 001,843,784 | ---- | C] () -- C:\WINDOWS\System32\igklg400.dll
[2009/01/03 01:53:07 | 001,399,880 | ---- | C] () -- C:\WINDOWS\System32\igklg450.dll
[2009/01/03 01:53:07 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2009/01/03 01:53:07 | 000,104,636 | ---- | C] () -- C:\WINDOWS\System32\igmedcompkrn.dll
[2008/12/19 12:05:47 | 000,000,022 | ---- | C] () -- C:\WINDOWS\ppdrv.ini
[2008/12/17 18:44:48 | 000,006,932 | ---- | C] () -- C:\WINDOWS\System32\glscan.sys
[2008/12/17 18:44:45 | 000,076,260 | ---- | C] () -- C:\WINDOWS\System32\drivers\udnt.sys
[2008/12/13 18:20:21 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\Application Data\Echo
[2008/11/06 22:35:14 | 000,001,426 | ---- | C] () -- C:\WINDOWS\hpdj6122.ini
[2008/10/16 00:05:24 | 000,000,147 | ---- | C] () -- C:\WINDOWS\topocr.INI
[2008/06/10 19:40:06 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Ambient
[2008/06/09 00:31:59 | 000,000,145 | ---- | C] () -- C:\WINDOWS\Eudcedit.ini
[2008/04/20 20:33:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ViewNX.INI
[2008/04/19 09:43:09 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLbz.DAT
[2008/04/19 09:17:14 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdw.DAT
[2008/04/19 09:17:14 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\Application Data\Analog Mono
[2008/04/19 09:14:23 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
[2007/12/25 21:37:24 | 000,004,096 | -H-- | C] () -- C:\Documents and Settings\Angellee Chen\Local Settings\Application Data\keyfile3.drm
[2007/11/21 21:17:09 | 000,000,000 | ---- | C] () -- C:\WINDOWS\plclient.INI
[2007/09/23 15:31:19 | 000,051,815 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\Application Data\.googlewebacchosts
[2007/09/07 01:43:11 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/09/05 22:28:10 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\Angellee Chen\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/08/27 20:01:16 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/08/27 19:58:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\tosOBEX.INI
[2007/08/27 19:54:08 | 000,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL
[2007/08/27 19:54:08 | 000,000,167 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/08/27 19:50:11 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2007/08/27 19:50:10 | 000,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2007/08/27 19:44:35 | 001,736,704 | ---- | C] () -- C:\WINDOWS\System32\Tsp1.dll
[2007/08/27 19:17:43 | 000,910,304 | ---- | C] () -- C:\WINDOWS\System32\igmedkrn.dll
[2007/08/27 19:17:43 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4831.dll
[2007/08/27 19:16:43 | 000,001,120 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2007/01/30 13:30:30 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\detoured.dll
[2006/11/07 02:25:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006/09/16 21:36:50 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
[2006/09/16 21:36:50 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2005/09/02 12:44:08 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2005/07/22 19:30:20 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll
[2004/08/11 15:24:19 | 000,000,885 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/07/20 15:04:02 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\TosBtHcrpAPI.dll
[2004/01/15 12:43:28 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\TBTMonUI.dll

========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >


< MD5 for: AGP440.SYS >
[2004/08/04 03:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:AGP440.sys
[2004/08/04 03:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/08/23 00:27:56 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/08/23 00:27:56 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\dllcache\agp440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 21:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\i386\AGP440.SYS
[2004/08/03 21:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 03:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:atapi.sys
[2004/08/04 03:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/08/23 00:27:56 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/08/23 00:27:56 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2004/08/03 20:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\i386\atapi.sys
[2004/08/03 20:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/03 20:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys
[2004/08/03 20:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0017\DriverFiles\i386\atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 03:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\i386\eventlog.dll
[2004/08/04 03:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 03:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\i386\netlogon.dll
[2004/08/04 03:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 03:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\i386\scecli.dll
[2004/08/04 03:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 229 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F35A93AD
@Alternate Data Stream - 153 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E9648353
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FA5F15C4
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >


#4 myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home
  • Local time:02:11 PM

Posted 20 February 2010 - 05:47 AM

Hi,

Please run GMER next:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#5 peanut83

  • Topic Starter

  • Members
  • 7 posts
  • Local time:05:11 AM

Posted 20 February 2010 - 08:33 PM

The first several times I ran GMER, it kept getting stuck on the same file, an iPhone backup file. As I mentioned, I am unable to start in Safe Mode. I deleted the file that the program kept getting stuck on and ran GMER in Diagnosis Mode. Here is the result:


-----------------------------------------

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-20 17:59:18
Windows 5.1.2600 Service Pack 3
Running: trh8st1p.exe; Driver: C:\DOCUME~1\ANGELL~1\LOCALS~1\Temp\ffryrfoc.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA0F887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xBA0F8BFE]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA825678A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA8256738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA825674C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA82567CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA8256710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA8256724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA825679E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA8256776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA8256762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA82567F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA82567E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA82567B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP A82567B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP A825678E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2004 7 Bytes JMP A82567CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E12 5 Bytes JMP A82567E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E8 7 Bytes JMP A82567A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB40A 5 Bytes JMP A8256714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB696 5 Bytes JMP A8256728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE54 5 Bytes JMP A8256766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1144 7 Bytes JMP A8256750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11FA 2 Bytes JMP A825673C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess + 3 805D11FD 2 Bytes [C8, 27]
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1704 5 Bytes JMP A825677A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AC 5 Bytes JMP A82567FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xB9F03780]
init C:\WINDOWS\system32\drivers\ksaudfl.sys entry point in "init" section [0xA8461630]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BC0F57
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BC0F68
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BC0F79
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BC0F94
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BC0FC0
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BC0F46
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BC0082
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BC0F10
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BC0F21
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BC0EF5
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BC0FAF
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BC001B
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BC0071
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BC0036
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BC0FE5
.text C:\WINDOWS\system32\svchost.exe[152] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BC009F
.text C:\WINDOWS\system32\svchost.exe[152] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BB0FB9
.text C:\WINDOWS\system32\svchost.exe[152] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BB0F72
.text C:\WINDOWS\system32\svchost.exe[152] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BB000A
.text C:\WINDOWS\system32\svchost.exe[152] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BB0FD4
.text C:\WINDOWS\system32\svchost.exe[152] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BB0F83
.text C:\WINDOWS\system32\svchost.exe[152] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\svchost.exe[152] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BB001B
.text C:\WINDOWS\system32\svchost.exe[152] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BB0F94
.text C:\WINDOWS\system32\svchost.exe[152] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BA0027
.text C:\WINDOWS\system32\svchost.exe[152] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BA0016
.text C:\WINDOWS\system32\svchost.exe[152] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BA0FB7
.text C:\WINDOWS\system32\svchost.exe[152] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\svchost.exe[152] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BA0FA6
.text C:\WINDOWS\system32\svchost.exe[152] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BA0FD2
.text C:\WINDOWS\system32\svchost.exe[152] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B90000
.text C:\WINDOWS\Explorer.EXE[940] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\Explorer.EXE[940] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F6F
.text C:\WINDOWS\Explorer.EXE[940] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A006E
.text C:\WINDOWS\Explorer.EXE[940] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F8A
.text C:\WINDOWS\Explorer.EXE[940] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0047
.text C:\WINDOWS\Explorer.EXE[940] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FAF
.text C:\WINDOWS\Explorer.EXE[940] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00B7
.text C:\WINDOWS\Explorer.EXE[940] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A009A
.text C:\WINDOWS\Explorer.EXE[940] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00E3
.text C:\WINDOWS\Explorer.EXE[940] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F4A
.text C:\WINDOWS\Explorer.EXE[940] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A00FE
.text C:\WINDOWS\Explorer.EXE[940] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0036
.text C:\WINDOWS\Explorer.EXE[940] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0000
.text C:\WINDOWS\Explorer.EXE[940] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A007F
.text C:\WINDOWS\Explorer.EXE[940] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A001B
.text C:\WINDOWS\Explorer.EXE[940] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FCA
.text C:\WINDOWS\Explorer.EXE[940] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A00C8
.text C:\WINDOWS\Explorer.EXE[940] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290F9E
.text C:\WINDOWS\Explorer.EXE[940] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0029001B
.text C:\WINDOWS\Explorer.EXE[940] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290FB9
.text C:\WINDOWS\Explorer.EXE[940] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290FD4
.text C:\WINDOWS\Explorer.EXE[940] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0029000A
.text C:\WINDOWS\Explorer.EXE[940] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290FEF
.text C:\WINDOWS\Explorer.EXE[940] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00290F72
.text C:\WINDOWS\Explorer.EXE[940] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [49, 88]
.text C:\WINDOWS\Explorer.EXE[940] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290F8D
.text C:\WINDOWS\Explorer.EXE[940] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0F9F
.text C:\WINDOWS\Explorer.EXE[940] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0FB0
.text C:\WINDOWS\Explorer.EXE[940] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FD2
.text C:\WINDOWS\Explorer.EXE[940] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\Explorer.EXE[940] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0FC1
.text C:\WINDOWS\Explorer.EXE[940] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0000
.text C:\WINDOWS\Explorer.EXE[940] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\Explorer.EXE[940] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002C0FD4
.text C:\WINDOWS\Explorer.EXE[940] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002C0FC3
.text C:\WINDOWS\Explorer.EXE[940] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 002C0014
.text C:\WINDOWS\Explorer.EXE[940] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02550000
.text C:\WINDOWS\system32\services.exe[1752] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[1752] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000600A4
.text C:\WINDOWS\system32\services.exe[1752] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00060FAF
.text C:\WINDOWS\system32\services.exe[1752] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00060FC0
.text C:\WINDOWS\system32\services.exe[1752] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00060073
.text C:\WINDOWS\system32\services.exe[1752] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0006003D
.text C:\WINDOWS\system32\services.exe[1752] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00060F5C
.text C:\WINDOWS\system32\services.exe[1752] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00060F83
.text C:\WINDOWS\system32\services.exe[1752] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000600DA
.text C:\WINDOWS\system32\services.exe[1752] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000600BF
.text C:\WINDOWS\system32\services.exe[1752] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00060F30
.text C:\WINDOWS\system32\services.exe[1752] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00060058
.text C:\WINDOWS\system32\services.exe[1752] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00060011
.text C:\WINDOWS\system32\services.exe[1752] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00060F94
.text C:\WINDOWS\system32\services.exe[1752] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0006002C
.text C:\WINDOWS\system32\services.exe[1752] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00060FDB
.text C:\WINDOWS\system32\services.exe[1752] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00060F41
.text C:\WINDOWS\system32\services.exe[1752] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00050FB9
.text C:\WINDOWS\system32\services.exe[1752] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00050F72
.text C:\WINDOWS\system32\services.exe[1752] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00050FD4
.text C:\WINDOWS\system32\services.exe[1752] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0005000A
.text C:\WINDOWS\system32\services.exe[1752] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00050F8D
.text C:\WINDOWS\system32\services.exe[1752] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[1752] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0005002F
.text C:\WINDOWS\system32\services.exe[1752] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00050FA8
.text C:\WINDOWS\system32\services.exe[1752] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00040033
.text C:\WINDOWS\system32\services.exe[1752] msvcrt.dll!system 77C293C7 5 Bytes JMP 00040FA8
.text C:\WINDOWS\system32\services.exe[1752] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00040018
.text C:\WINDOWS\system32\services.exe[1752] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\services.exe[1752] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00040FC3
.text C:\WINDOWS\system32\services.exe[1752] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00040FDE
.text C:\WINDOWS\system32\lsass.exe[1764] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D10000
.text C:\WINDOWS\system32\lsass.exe[1764] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D1007F
.text C:\WINDOWS\system32\lsass.exe[1764] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D10F94
.text C:\WINDOWS\system32\lsass.exe[1764] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D10062
.text C:\WINDOWS\system32\lsass.exe[1764] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D10FA5
.text C:\WINDOWS\system32\lsass.exe[1764] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D10FDB
.text C:\WINDOWS\system32\lsass.exe[1764] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D10F5B
.text C:\WINDOWS\system32\lsass.exe[1764] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D100A1
.text C:\WINDOWS\system32\lsass.exe[1764] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D100D2
.text C:\WINDOWS\system32\lsass.exe[1764] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D10F2F
.text C:\WINDOWS\system32\lsass.exe[1764] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D100E3
.text C:\WINDOWS\system32\lsass.exe[1764] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D10FC0
.text C:\WINDOWS\system32\lsass.exe[1764] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D1001B
.text C:\WINDOWS\system32\lsass.exe[1764] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D10090
.text C:\WINDOWS\system32\lsass.exe[1764] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D1003D
.text C:\WINDOWS\system32\lsass.exe[1764] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D1002C
.text C:\WINDOWS\system32\lsass.exe[1764] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D10F4A
.text C:\WINDOWS\system32\lsass.exe[1764] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D00FB6
.text C:\WINDOWS\system32\lsass.exe[1764] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D0003D
.text C:\WINDOWS\system32\lsass.exe[1764] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D00011
.text C:\WINDOWS\system32\lsass.exe[1764] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D00000
.text C:\WINDOWS\system32\lsass.exe[1764] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D00F80
.text C:\WINDOWS\system32\lsass.exe[1764] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D00FE5
.text C:\WINDOWS\system32\lsass.exe[1764] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D00022
.text C:\WINDOWS\system32\lsass.exe[1764] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D00F9B
.text C:\WINDOWS\system32\lsass.exe[1764] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CF0F92
.text C:\WINDOWS\system32\lsass.exe[1764] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CF001D
.text C:\WINDOWS\system32\lsass.exe[1764] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CF0FC1
.text C:\WINDOWS\system32\lsass.exe[1764] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CF0FEF
.text C:\WINDOWS\system32\lsass.exe[1764] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CF000C
.text C:\WINDOWS\system32\lsass.exe[1764] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CF0FD2
.text C:\WINDOWS\system32\lsass.exe[1764] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CE0000
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AC0000
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AC00B5
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AC0FC0
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AC009A
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AC0073
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AC0062
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AC00D2
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AC0F8A
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AC0F54
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AC00ED
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AC0108
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AC0FD1
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AC001B
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AC0FA5
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AC0047
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AC002C
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AC0F6F
.text C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AB0FC3
.text C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AB0F83
.text C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AB0FDE
.text C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AB000A
.text C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AB0040
.text C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AB0FEF
.text C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00AB0FA8
.text C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CB, 88]
.text C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AB002F
.text C:\WINDOWS\system32\svchost.exe[2020] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AA0042
.text C:\WINDOWS\system32\svchost.exe[2020] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AA0FAD
.text C:\WINDOWS\system32\svchost.exe[2020] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AA000C
.text C:\WINDOWS\system32\svchost.exe[2020] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AA0FEF
.text C:\WINDOWS\system32\svchost.exe[2020] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AA001D
.text C:\WINDOWS\system32\svchost.exe[2020] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AA0FDE
.text C:\WINDOWS\system32\svchost.exe[2020] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A90FEF

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
Device DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\atapi \Device\Ide\IdePort0 [B9EF6B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9EF6B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort1 [B9EF6B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [B9EF6B3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{552EEA9E-CCC2-2BD4-25B2-D80057A80059}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{552EEA9E-CCC2-2BD4-25B2-D80057A80059}@najmcienmcnbpooofcofcbbfjfcb 0x6A 0x61 0x6E 0x67 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{552EEA9E-CCC2-2BD4-25B2-D80057A80059}@mapmkjhehofekogoahccecllhh 0x6A 0x61 0x6E 0x67 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:02:11 PM

Posted 21 February 2010 - 08:17 AM

Hi,

you have been infected by a nasty rootkit. It is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to clean, then please run ComboFix and post the log in your next reply:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 peanut83
  • Topic Starter

Posted 23 February 2010 - 01:34 PM

I had a feeling it was a bad one! Unfortunately, now my computer won't boot at all, in safe mode or otherwise. It'll be Saturday before I can get to my Windows installation CD and try to reboot or reinstall. Please keep my post open until then as I will likely need assistance. Right now my computer is completely out of commission.

#8 myrti
  • Malware Study Hall Admin

Posted 26 February 2010 - 05:51 AM

Hi,

if you have your Windows CD we should be able to fix it. If you prefer to reformat, make sure you back up your data.

regards myrti



#9 peanut83
  • Topic Starter

Posted 04 March 2010 - 09:13 PM

Wow, that was bad! The computer wouldn't boot even with the Windows CD. Couldn't repair either. Luckily, I had backed up my documents the week before. I decided to reinstall windows. (Really didn't have much choice!) Not surprisingly, it did not go off without numerous complications. The first problem being that the instructions I needed to reinstall and get back online were either on the computer or online, and if I could get to either of those places, I wouldn't be needing the instructions to begin with.

I decided to use a microscopic set of instructions on my iPhone to reinstall windows on my laptop. Everything was going well until I connected to the internet and tried to download the McAfee software from my ISP. A problem is detected and the software can't be installed. I finally realize that the reinstallation procedure did not delete the old program files. I didn't see any McAfee folders in the Program Files folder. Maybe because the download is supposed to delete any existing McAfee software before it installs the current one. Since I was going to have to redo the Windows installation all over again anyway, I decided to go into the registry and look for any McAfee entries. There was a whole bunch; some were kind of bizarre looking. I deleted them all and was then able to install the McAfee software without any problem. When I went online to look for the proper instructions to completely reinstall Windows, the redirecting and pop-up problem was still there!

I finally got the right set of instructions for reformatting and reinstalling Windows and figured out how to reconfigure and reconnect my wireless router. I downloaded McAfee without any problems and haven't seen any redirects. So I think I'm finally back in business!

Is it possible to avoid this problem in the future by partitioning your computer into two different Windows installations and only using one of them to download stuff from the internet?


#10 myrti
  • Malware Study Hall Admin

Posted 05 March 2010 - 05:38 PM

Hi,

from what you say it may be that you did a repair install instead of a reformat? Are all your old programs and all your files still available?

regards myrti



#11 peanut83
  • Topic Starter

Posted 06 March 2010 - 06:05 AM

No. They're wiped out now. The first time, under the procedure to format the hard disk and install Windows XP, the instructions I was using said to choose "Leave the current file system intact (no changes)." The second time, I chose "Format the partition by using the NTFS file system." I'm actually thinking of doing it again and creating separate partitions for Windows, Program Files, and Data Files. The only thing I had backed up was my Documents file onto a USB memory stick. I didn't want to risk reinstalling the virus.

#12 myrti
  • Malware Study Hall Admin

Posted 06 March 2010 - 02:50 PM

Hi,

since you did a reinstall I think we are mostly done. Do you have any questions left?

These are tips I usually give to people after the cleaning, it may help you to stay clean in future:
Please read this advice, in order to prevent reinfecting your PC:
  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use, but provide resident protection and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for the MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at the HostMan hosts file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  2. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  3. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.
  4. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:

Have a nice day
myrti



#13 peanut83
  • Topic Starter

Posted 06 March 2010 - 03:47 PM

Thanks for all your help in diagnosing and fixing the problem. You guys are awesome! I will take your advice for staying out of trouble in the future and will try to be less promiscuous with my internet surfing. I've learned my lesson! Malware is BAD!!

#14 myrti
  • Malware Study Hall Admin

Posted 06 March 2010 - 04:56 PM

Hi,

I'm glad we could help!

Since this topic appears to be resolved, I will now close it.

If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.

With Regards,
myrti





