Search Results Redirects/Pop-Up Problem - Vista


This topic is locked
14 replies to this topic

#1 choie (Members, 8 posts)

Posted 08 June 2010 - 01:02 PM

Hi guys. Yet another victim of this pernicious Google results redirecting malware. I'm running Vista with McAfee and have had the computer for 3 years without ever having a problem. I've downloaded nothing new (except in the past 24 hours -- Malwarebytes, Defogger, GMER, DDS, etc.) and don't click on unknown email links, but obviously somewhere I visited had something bad attached to it. I do have an always-on internet connection (DSL).

The trouble I'm seeing began yesterday morning:

- Google search results look normal but when clicked go to random unrelated sites. This occurs in both IE7 and FF3.5.9, and whether I use my Google toolbar searchbox or Google's regular searchbox.

- While I'm reading a regular, uninfected page (such as bleepingcomputer), my browser will sometimes spawn a new window with random advertising pages. This is spontaneous without my having clicked on anything.

Anyway, here's what I've done so far:

1. Yesterday (June 7) I ran Malwarebytes and it found several items, which I removed. That didn't change anything. I came here and saw your directions, which I've followed. If you need the log I can attach that in a subsequent post.

2. Ran DeFogger. (Actually I don't think I have any CD Emulation software in the first place...)

3. Ran DDS. I'll add the results below. Note after looking at them -- I'm not sure why it's saying my only security program is Windows Defender. I'm definitely running McAfee, which (prior to running GMER) has been enabled.

4. Tried to run GMER several times. First I ran it in regular mode (after turning McAfee off) but it froze my system. Then I tried it in SAFE mode, and it did the same. Could only move the mouse but unable to click anything. From the scan when it first started up, I did notice that the last thing before the freeze said "suspicious activity: nvstor"

Below is the DDS log file (not attach.txt -- if you need that let me know):

===============================================

DDS (Ver_10-03-17.01) - NTFSx86
Run by Kira at 21:09:53.89 on Mon 06/07/2010
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3326.1911 [GMT -4:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\OpenVPNTech\bin\instant-xmlserv.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskeng.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\wanmpsvc.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Windows\System32\mobsync.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Windows\sttray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\eFax Messenger 4.4\J2GTray.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\BitComet\BitComet.exe
C:\Users\Kira\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.1.9.24.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [<NO NAME>]
uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [AdobeBridge]
uRun: [eFax 4.4] "c:\program files\efax messenger 4.4\J2GDllCmd.exe" /R
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Logitech Hardware Abstraction Layer] "c:\program files\common files\logitech\khalshared\KHALMNPR.EXE"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
StartupFolder: c:\users\kira\appdata\roaming\micros~1\windows\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
StartupFolder: c:\users\kira\appdata\roaming\micros~1\windows\startm~1\programs\startup\efax44~1.lnk - c:\program files\efax messenger 4.4\J2GTray.exe
StartupFolder: c:\users\kira\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - {E7A829CC-671F-4C3D-B590-8C0AEA72E6B2} - c:\program files\bitcomet\tools\BitCometBHO_1.1.9.24.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: aspworld.com\bookbyyou
DPF: {38CE661B-0F4A-4120-9CA7-90015C5C3241} - hxxps://shopping.discovery.com/MediaManager/DiscoveryDS_1_0_0_12.cab
DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - hxxps://shopping.discovery.com/MediaManager/Entriq_3_5_2_2_Silent.cab
DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://service.futuremark.com/gom/receiver/tc/FMSI.cab
SEH: Internet Shortcut: {fbf23b40-e3f0-101b-8488-00aa003e56f8} - c:\windows\system32\ieframe.dll
mASetup: ccc-core-static - msiexec /fums {65E6362A-B878-4A7B-86DA-D16F8DBD75C7} /qb

================= FIREFOX ===================

FF - ProfilePath - c:\users\kira\appdata\roaming\mozilla\firefox\profiles\fsawh5d0.default\
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\users\kira\appdata\roaming\idm\idmmzcc2\components\idmmzcc.dll
FF - component: c:\users\kira\appdata\roaming\mozilla\firefox\profiles\fsawh5d0.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll
FF - plugin: c:\program files\gametap\bin\release\npgametaptool.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\opera 10 beta\program\plugins\np_gp.dll
FF - plugin: c:\program files\opera 10 beta\program\plugins\npdsplay.dll
FF - plugin: c:\program files\opera 10 beta\program\plugins\NPSWF32.dll
FF - plugin: c:\program files\opera 10 beta\program\plugins\npwmsdrm.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-6-7 214664]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-3-11 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-4-16 144704]
R2 OpenVPNTechOVPN_Instantiator;OpenVPNTech Instantiator Service AS;c:\program files\openvpntech\bin\instant-xmlserv.exe [2009-12-27 1016011]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-4-16 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-6-7 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-6-7 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-6-7 34248]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-6-7 40552]
R3 tapoas;TAP-Win32 Adapter OAS;c:\windows\system32\drivers\tapoas.sys [2009-11-19 25984]
S3 CpPwdSvc;CopyPwd Service;c:\program files\laplink\pcmover\cppwdsvc.exe [2007-3-15 46648]
S3 PortAcc;Spearit Port Access;c:\program files\laplink\pcmover\PortAcc.sys [2007-3-15 16440]

=============== Created Last 30 ================

2010-06-08 01:07:45 0 ----a-w- c:\users\kira\defogger_reenable
2010-06-07 19:35:22 0 d-----w- c:\users\kira\appdata\roaming\Malwarebytes
2010-06-07 19:35:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-07 19:35:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-07 19:35:04 0 d-----w- c:\programdata\Malwarebytes
2010-06-07 19:35:04 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-26 15:29:10 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-19 17:34:49 2560 ----a-w- c:\windows\system32\bitcometres.dll
2010-05-16 22:52:39 0 d-----w- c:\users\kira\appdata\roaming\OpenVPNTech
2010-05-16 22:52:38 0 d-----w- c:\program files\OpenVPNTech
2010-05-16 22:28:14 65536 ------w- c:\windows\system32\Ikeext.etl
2010-05-12 06:07:48 738304 ----a-w- c:\windows\system32\inetcomm.dll

==================== Find3M ====================

2010-05-16 22:55:08 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-16 22:55:08 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-16 22:55:06 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-12 15:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2009-06-08 07:10:15 174 --sha-w- c:\program files\desktop.ini
2009-06-08 06:56:10 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2006-02-06 20:00:26 19968 ----a-w- c:\program files\Tablet Driver.doc
2009-06-26 00:01:40 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-06-26 00:01:40 32768 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-06-26 00:01:40 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2007-06-07 22:02:14 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 21:11:38.84 ===============


Thanks in advance for any assistance you can provide. I'm willing to take the computer to a repair shop that specializes in this sort of thing, but that's more a last resort. I'm hoping to be able to take care of things on my own with the invaluable assistance of you generous volunteers! I've enabled instant email notification so am ready/willing to follow all instructions. (Whether I'm able, I dunno... I'm pretty computer savvy but you never know!)

Edited just to correct the version of FF I'm using. It's 3.5.9, not 3.5.5.

Edited by choie, 08 June 2010 - 02:57 PM.



#2 schrauber (Mr.Mechanic, Malware Response Team, 24,794 posts, Munich, Germany)

Posted 11 June 2010 - 02:19 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 choie (Topic Starter, Members, 8 posts)

Posted 11 June 2010 - 03:20 PM

Hi! Thanks for the prelim response, schrauber. Sadly my problem still exists, though I do notice that the new window popup issue hasn't occurred yet today. Google search results are still being redirected in both IE and FF.

One new possible symptom that began yesterday: my "new mail" icon is no longer visible in the corner of my screen. Usually when I get new email (I use Windows Mail), the notification appears right beside my McAfee icon, without having to click the tiny arrow to expand the row of icons. Suddenly it's disappeared unless I click the arrow. It's very minor but also annoying, since it means I don't easily see my new messages.

My second DDS scan results are below and the Attach.txt file is zipped and added in an attachment.

GMER still isn't working for me. First I turned off my AV (McAfee) and disconnected from the internet, ran a scan, and it froze. Tried again in safe mode and again it froze & went to blue screen. However, I did notice the "suspicious modification" notice next to "nvstor.sys" (I think that was the extension) and this time I spotted a bunch of results besides /drivers/mfehidk.sys that said "Host Intrusion Detection..." (couldn't see the rest).

DDS.txt results:
=================================


DDS (Ver_10-03-17.01) - NTFSx86
Run by Kira at 15:32:15.95 on Fri 06/11/2010
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3326.2008 [GMT -4:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Windows\sttray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\OpenVPNTech\bin\instant-xmlserv.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\wanmpsvc.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\JGsoft\EditPadLite\EditPadLite.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\system32\taskeng.exe
C:\Users\Kira\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.1.9.24.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [<NO NAME>]
uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [AdobeBridge]
uRun: [eFax 4.4] "c:\program files\efax messenger 4.4\J2GDllCmd.exe" /R
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Logitech Hardware Abstraction Layer] "c:\program files\common files\logitech\khalshared\KHALMNPR.EXE"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
StartupFolder: c:\users\kira\appdata\roaming\micros~1\windows\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
StartupFolder: c:\users\kira\appdata\roaming\micros~1\windows\startm~1\programs\startup\efax44~1.lnk - c:\program files\efax messenger 4.4\J2GTray.exe
StartupFolder: c:\users\kira\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - {E7A829CC-671F-4C3D-B590-8C0AEA72E6B2} - c:\program files\bitcomet\tools\BitCometBHO_1.1.9.24.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: aspworld.com\bookbyyou
DPF: {38CE661B-0F4A-4120-9CA7-90015C5C3241} - hxxps://shopping.discovery.com/MediaManager/DiscoveryDS_1_0_0_12.cab
DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.systemrequirementslab.com/sysreqlab2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - hxxps://shopping.discovery.com/MediaManager/Entriq_3_5_2_2_Silent.cab
DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://service.futuremark.com/gom/receiver/tc/FMSI.cab
TCP: {6C329013-F18E-49BE-ADE9-E4BEC8896B4C} = 95.172.1.2 95.172.4.139
SEH: Internet Shortcut: {fbf23b40-e3f0-101b-8488-00aa003e56f8} - c:\windows\system32\ieframe.dll
mASetup: ccc-core-static - msiexec /fums {65E6362A-B878-4A7B-86DA-D16F8DBD75C7} /qb

================= FIREFOX ===================

FF - ProfilePath - c:\users\kira\appdata\roaming\mozilla\firefox\profiles\fsawh5d0.default\
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\users\kira\appdata\roaming\idm\idmmzcc2\components\idmmzcc.dll
FF - component: c:\users\kira\appdata\roaming\mozilla\firefox\profiles\fsawh5d0.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll
FF - plugin: c:\program files\gametap\bin\release\npgametaptool.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\opera 10 beta\program\plugins\np_gp.dll
FF - plugin: c:\program files\opera 10 beta\program\plugins\npdsplay.dll
FF - plugin: c:\program files\opera 10 beta\program\plugins\NPSWF32.dll
FF - plugin: c:\program files\opera 10 beta\program\plugins\npwmsdrm.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-6-7 214664]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-3-11 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-4-16 144704]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R2 OpenVPNTechOVPN_Instantiator;OpenVPNTech Instantiator Service AS;c:\program files\openvpntech\bin\instant-xmlserv.exe [2009-12-27 1016011]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-6-7 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-6-7 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-6-7 34248]
R3 tapoas;TAP-Win32 Adapter OAS;c:\windows\system32\drivers\tapoas.sys [2009-11-19 25984]
S3 CpPwdSvc;CopyPwd Service;c:\program files\laplink\pcmover\cppwdsvc.exe [2007-3-15 46648]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-6-7 40552]
S3 PortAcc;Spearit Port Access;c:\program files\laplink\pcmover\PortAcc.sys [2007-3-15 16440]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-4-16 606736]

=============== Created Last 30 ================

2010-06-11 00:20:40 46 ----a-w- c:\windows\system32\DonationCoder_urlsnooper_InstallInfo.dat
2010-06-11 00:20:40 0 d-----w- c:\users\kira\appdata\roaming\DonationCoder
2010-06-11 00:19:27 73 ----a-w- c:\windows\system32\-1
2010-06-11 00:19:25 0 d-----w- c:\program files\WinPcap
2010-06-11 00:19:07 0 d-----w- c:\programdata\DonationCoder
2010-06-11 00:19:07 0 d-----w- c:\program files\URLSnooper2
2010-06-08 01:07:45 0 ----a-w- c:\users\kira\defogger_reenable
2010-06-07 19:35:22 0 d-----w- c:\users\kira\appdata\roaming\Malwarebytes
2010-06-07 19:35:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-07 19:35:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-07 19:35:04 0 d-----w- c:\programdata\Malwarebytes
2010-06-07 19:35:04 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-26 15:29:10 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-19 17:34:49 2560 ----a-w- c:\windows\system32\bitcometres.dll
2010-05-16 22:52:39 0 d-----w- c:\users\kira\appdata\roaming\OpenVPNTech
2010-05-16 22:52:38 0 d-----w- c:\program files\OpenVPNTech
2010-05-16 22:28:14 65536 ------w- c:\windows\system32\Ikeext.etl

==================== Find3M ====================

2010-05-16 22:55:08 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-16 22:55:08 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-16 22:55:06 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-12 15:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2009-06-08 07:10:15 174 --sha-w- c:\program files\desktop.ini
2009-06-08 06:56:10 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2006-02-06 20:00:26 19968 ----a-w- c:\program files\Tablet Driver.doc
2009-06-26 00:01:40 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-06-26 00:01:40 32768 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-06-26 00:01:40 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2007-06-07 22:02:14 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 15:37:10.62 ===============


I hope whoever helps me see some way out of this mess! Thanks in advance.

Edited to add info about my hidden "new mail" notification icon. Sorry!

Edited by choie, 11 June 2010 - 04:01 PM.


#4 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:11:28 AM

Posted 12 June 2010 - 03:50 AM

Hello, choie
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 4-5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.

Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#5 choie

choie
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:05:28 AM

Posted 12 June 2010 - 09:42 AM

Hello and thank you, schrauber! I greatly appreciate your help.

(Just FYI, the instructions for showing hidden files were a bit off -- I think those were for XP rather than Vista. No problems though, I found other instructions elsewhere!)

After shutting off my McAfee, I downloaded and ran ComboFix, renamed to schrauber.exe. As it set itself up, it didn't say anything about Windows Recovery Console, so I guess that means it was already installed?

The program ran smoothly and seemed to delete a whole bunch of things in system32/help folders. It warned that it found a rootkit and started my system over.

I just did a quick Google search and noticed that the search results are fine! So that seems to be a good sign. Crossing my fingers....

Here's the log. Can you tell what the rootkit was? Is there a name/identification for whatever-it-is I have/had?

======================================
ComboFix 10-06-11.01 - Kira 06/12/2010 10:02:13.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3326.2493 [GMT -4:00]
Running from: c:\users\Kira\Desktop\schrauber.exe
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\SET57.tmp
c:\program files\Internet Explorer\SET58.tmp
c:\program files\Internet Explorer\SET5A.tmp
C:\setup.exe
c:\users\Kira\AppData\Roaming\inst.exe
c:\windows\system32\Data
c:\windows\system32\Help
c:\windows\system32\Help\Help\About_KMT.html
c:\windows\system32\Help\Help\Customer_Support.html
c:\windows\system32\Help\Help\FAQs.html
c:\windows\system32\Help\Help\Introduction.html
c:\windows\system32\Help\Help\My Favorites.html
c:\windows\system32\Help\Help\Opening a Template.html
c:\windows\system32\Help\Help\OR 4.css
c:\windows\system32\Help\Help\PDF_Roundtrip.html
c:\windows\system32\Help\Help\Photo_Editor.html
c:\windows\system32\Help\Help\PhotoImages\brightness.jpg
c:\windows\system32\Help\Help\PhotoImages\contrast.jpg
c:\windows\system32\Help\Help\PhotoImages\crop to fit.jpg
c:\windows\system32\Help\Help\PhotoImages\flip.jpg
c:\windows\system32\Help\Help\PhotoImages\grau scale.jpg
c:\windows\system32\Help\Help\PhotoImages\hue.jpg
c:\windows\system32\Help\Help\PhotoImages\Main screen.jpg
c:\windows\system32\Help\Help\PhotoImages\mosaic.jpg
c:\windows\system32\Help\Help\PhotoImages\motion blur.jpg
c:\windows\system32\Help\Help\PhotoImages\partial gray scale.jpg
c:\windows\system32\Help\Help\PhotoImages\revert to original image.jpg
c:\windows\system32\Help\Help\PhotoImages\rotate left.jpg
c:\windows\system32\Help\Help\PhotoImages\rotate right.jpg
c:\windows\system32\Help\Help\PhotoImages\saturation.jpg
c:\windows\system32\Help\Help\PhotoImages\sepia.jpg
c:\windows\system32\Help\Help\PhotoImages\sharpness.jpg
c:\windows\system32\Help\Help\PhotoImages\undo.jpg
c:\windows\system32\Help\Help\Preferences.html
c:\windows\system32\Help\Help\Profiles.html
c:\windows\system32\Help\Help\Readme.html
c:\windows\system32\Help\Help\TemplateZone_Products.html
c:\windows\system32\Help\Help\Theme Manager.html
c:\windows\system32\Help\Help\ThemeImages\apply color theme.jpg
c:\windows\system32\Help\Help\ThemeImages\Color Beam button.jpg
c:\windows\system32\Help\Help\ThemeImages\Color Palette button.jpg
c:\windows\system32\Help\Help\ThemeImages\Color Picker button.jpg
c:\windows\system32\Help\Help\ThemeImages\color wheel.jpg
c:\windows\system32\Help\Help\ThemeImages\Create color theme.jpg
c:\windows\system32\Help\Help\ThemeImages\default color theme.jpg
c:\windows\system32\Help\Help\ThemeImages\edit theme.jpg
c:\windows\system32\Help\Help\ThemeImages\Theme manager create theme.jpg
c:\windows\system32\Help\Help\ThemeImages\Theme Manager.jpg
c:\windows\system32\Help\Help\ThemeImages\thememanager link.jpg
c:\windows\system32\Help\Help\TOC.html
c:\windows\system32\Help\Help\Uninstalling_the_Product.html
c:\windows\system32\Help\Help\Using_TemplatePacks.html
c:\windows\system32\Help\Help\Using_the_TemplateBrowser.html
c:\windows\system32\Help\Help\Working_with_ExcelTemplates.html
c:\windows\system32\Help\Help\Working_with_PowerPointTemplates.html
c:\windows\system32\Help\Help\Working_with_WordTemplates.html
c:\windows\system32\JGAW400.DLL
c:\windows\system32\sfcfiles.dll

Infected copy of c:\windows\system32\drivers\nvstor.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-12 to 2010-06-12 )))))))))))))))))))))))))))))))
.

2010-06-12 14:22 . 2010-06-12 14:22 -------- d-----w- c:\users\Kira\AppData\Local\temp
2010-06-12 14:22 . 2010-06-12 14:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-12 14:22 . 2010-06-12 14:22 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-06-12 14:22 . 2010-06-12 14:22 -------- d-----w- c:\users\Kira nonadmin\AppData\Local\temp
2010-06-11 00:20 . 2010-06-11 00:20 46 ----a-w- c:\windows\system32\DonationCoder_urlsnooper_InstallInfo.dat
2010-06-11 00:20 . 2010-06-11 00:20 -------- d-----w- c:\users\Kira\AppData\Roaming\DonationCoder
2010-06-11 00:19 . 2010-06-11 00:19 -------- d-----w- c:\program files\WinPcap
2010-06-11 00:19 . 2010-06-11 00:20 -------- d-----w- c:\program files\URLSnooper2
2010-06-11 00:19 . 2010-06-11 00:19 -------- d-----w- c:\programdata\DonationCoder
2010-06-07 19:35 . 2010-06-07 19:35 -------- d-----w- c:\users\Kira\AppData\Roaming\Malwarebytes
2010-06-07 19:35 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-07 19:35 . 2010-06-07 19:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-07 19:35 . 2010-06-07 19:35 -------- d-----w- c:\programdata\Malwarebytes
2010-06-07 19:35 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-07 05:21 . 2010-06-07 05:21 -------- d-----w- c:\users\Kira\AppData\Local\sytnrfekb
2010-05-26 15:29 . 2010-04-23 13:55 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-19 17:34 . 2010-05-19 17:34 2560 ----a-w- c:\windows\system32\bitcometres.dll
2010-05-16 22:52 . 2010-05-16 22:55 -------- d-----w- c:\users\Kira\AppData\Roaming\OpenVPNTech
2010-05-16 22:52 . 2010-05-16 22:55 -------- d-----w- c:\program files\OpenVPNTech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-12 13:58 . 2007-06-13 04:46 12 ----a-w- c:\windows\bthservsdp.dat
2010-06-10 22:55 . 2009-09-13 21:56 -------- d-----w- c:\users\Kira\AppData\Roaming\DMCache
2010-06-07 20:12 . 2008-08-27 02:58 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-07 00:31 . 2007-06-14 00:57 -------- d-----w- c:\program files\Steam
2010-05-31 04:24 . 2009-05-23 02:56 -------- d-----w- c:\program files\BitComet
2010-05-26 06:56 . 2008-06-30 23:55 -------- d-----w- c:\programdata\CanonIJPLM
2010-05-19 18:23 . 2009-08-23 21:13 -------- d-----w- c:\program files\Need for Speed 3 Vista Edition
2010-05-12 15:21 . 2009-10-03 02:47 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-12 07:25 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-12 07:03 . 2007-06-07 15:32 -------- d-----w- c:\programdata\Microsoft Help
2010-05-08 19:17 . 2007-09-13 04:01 -------- d-----w- c:\program files\Common Files\Steam
2010-05-07 20:15 . 2010-05-07 20:15 -------- d-----w- c:\program files\BBC iPlayer Desktop
2010-04-14 14:47 . 2009-07-10 21:19 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-14 12:45 . 2009-09-14 15:34 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-04-14 12:45 . 2009-07-10 21:11 38784 ----a-w- c:\users\Kira\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-04-14 11:31 . 2007-06-07 15:34 -------- d-----w- c:\program files\McAfee
2006-02-06 20:00 . 2006-02-06 20:00 19968 ----a-w- c:\program files\Tablet Driver.doc
2007-06-07 22:02 . 2007-06-07 22:01 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

------- Sigcheck -------

[-] 2004-08-04 . 9C3C12975C97119412802B181FBEEFFE . 167936 . . [5.1.2600.2180] . . c:\windows\System32\APPMGMTS.DLL

[-] 2004-08-04 . 95FD808E4AC22ABA025A7B3EAC0375D2 . 33792 . . [5.1.2600.2180] . . c:\windows\System32\MSGSVC.DLL

[-] 2005-01-28 18:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2005-01-28 18:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\System32\MsPMSNSv.dll
[-] 2005-01-28 18:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\System32\DLLCACHE\mspmsnsv.dll
[-] 2004-08-04 11:00 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll

[-] 2004-08-04 11:00 . B62F29C00AC55A761B2E45877D85EA0F . 435200 . . [5.1.2400.2180] . . c:\windows\System32\NTMSSVC.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2006-11-12 446976]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-12-23 2642168]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"BitComet"="c:\program files\BitComet\BitComet.exe" [2007-10-08 6338872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-01-12 101136]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-12 101136]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-08-16 271672]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"SigmatelSysTrayApp"="sttray.exe" [2007-02-08 303104]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-06 198160]

c:\users\Kira\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2010-5-7 95232]
eFax 4.4.lnk - c:\program files\eFax Messenger 4.4\J2GTray.exe [2008-10-7 656896]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-6-7 50688]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-6-6 394856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R2 OpenVPNTechOVPN_Instantiator;OpenVPNTech Instantiator Service AS;c:\program files\OpenVPNTech\bin\instant-xmlserv.exe [2009-12-27 1016011]
R3 CpPwdSvc;CopyPwd Service;c:\program files\Laplink\PCmover\cppwdsvc.exe [2007-03-15 46648]
R3 PortAcc;Spearit Port Access;c:\program files\Laplink\PCmover\PortAcc.sys [2007-03-15 16440]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
S3 tapoas;TAP-Win32 Adapter OAS;c:\windows\system32\DRIVERS\tapoas.sys [2009-11-19 25984]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder

2010-05-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-10-21 16:22]

2010-06-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-10-21 16:22]

2010-06-12 c:\windows\Tasks\User_Feed_Synchronization-{7FE2BE88-986B-4043-B805-929437EE3464}.job
- c:\windows\system32\msfeedssync.exe [2008-09-15 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
Trusted Zone: aspworld.com\bookbyyou
TCP: {6C329013-F18E-49BE-ADE9-E4BEC8896B4C} = 95.172.1.2 95.172.4.139
DPF: {38CE661B-0F4A-4120-9CA7-90015C5C3241} - hxxps://shopping.discovery.com/MediaManager/DiscoveryDS_1_0_0_12.cab
FF - ProfilePath - c:\users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\users\Kira\AppData\Roaming\IDM\idmmzcc2\components\idmmzcc.dll
FF - component: c:\users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll
FF - plugin: c:\program files\GameTap\bin\Release\npgametaptool.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Opera 10 Beta\program\plugins\np_gp.dll
FF - plugin: c:\program files\Opera 10 Beta\program\plugins\npdsplay.dll
FF - plugin: c:\program files\Opera 10 Beta\program\plugins\NPSWF32.dll
FF - plugin: c:\program files\Opera 10 Beta\program\plugins\npwmsdrm.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeBridge - (no file)
ActiveSetup-ccc-core-static - msiexec



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3346137780-2011386069-1459367445-1000_Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):c1,df,2d,c4,4b,24,45,88,55,6a,47,5d,fc,4f,44,0f,1c,1d,25,7e,75,
19,2a,95,28,47,3d,c9,36,27,07,da,04,83,5b,88,b9,e1,65,31,00,00,00,00,00,00,\

[HKEY_USERS\S-1-5-21-3346137780-2011386069-1459367445-1000_Classes\CLSID\{87294f56-21dd-451d-9a68-06a3d1b8415a}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:000000a0
"Therad"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-06-12 10:28:47
ComboFix-quarantined-files.txt 2010-06-12 14:28

Pre-Run: 72,388,202,496 bytes free
Post-Run: 73,898,356,736 bytes free

- - End Of File - - 196FD992E032DD3C47E59D66C4A2EB2C
==========================================

I'm truly grateful for your help so far and I'm ready for my next instructions! Also I really am curious about the identity of this rootkit so I can learn more about it, so if you can pass on any info you spot here, I'd greatly appreciate it. Thanks!

#6 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:11:28 AM

Posted 12 June 2010 - 11:19 AM

This was a TDSS/TDL3 version, also known as the Alureon rootkit.



Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.





I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt




  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemdrive%\*.sys /90 /md5
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.
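
The `/md5start ... /md5stop` block in the OTL custom scan above hashes the storage-port drivers that TDL3/Alureon is known to overwrite, so the helper can compare them against reference values. The script below is an added example of that check, written for this page; it is not code from the post, from OTL, or from ComboFix. It assumes a hypothetical reference table of known-good MD5s (in practice taken from a clean copy of the same Windows build, e.g. the install media or an identical patched machine) and runs offline over constructed fake driver files, one of which is tampered with to stand in for a patched `nvstor.sys`.

```python
import hashlib
import tempfile
from pathlib import Path

# Driver file names copied from the /md5start ... /md5stop list in the OTL custom
# scan above (a subset; the full list is in the post). TDL3/Alureon overwrote one
# of the machine's storage-port drivers, which is why these are the ones hashed.
DRIVERS_TO_CHECK = [
    "atapi.sys", "iaStor.sys", "iastorv.sys", "nvstor.sys", "nvstor32.sys",
    "nvrd32.sys", "nvata.sys", "nvgts.sys", "AGP440.sys", "ahcix86.sys",
    "viamraid.sys", "symmpi.sys", "adp3132.sys", "mv61xx.sys",
]


def hash_file(path, algorithms=("md5", "sha256")):
    """Stream the file once and return {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def audit_drivers(drivers_dir, names, known_good_md5):
    """Compare each listed driver against a reference MD5.

    known_good_md5 maps lower-cased file name -> MD5 hex digest taken from a
    clean copy of the same Windows build (hypothetical table in this example).
    Returns a list of (name, status, md5, size) tuples with status in
    {"match", "MISMATCH", "unknown", "absent"}.
    """
    findings = []
    for name in names:
        path = Path(drivers_dir) / name
        if not path.is_file():
            # Most of the listed drivers exist only for particular hardware;
            # "absent" is normal, not suspicious, for drivers the box never had.
            findings.append((name, "absent", None, None))
            continue
        digests = hash_file(path)
        expected = known_good_md5.get(name.lower())
        if expected is None:
            status = "unknown"          # present, but nothing to compare against
        elif digests["md5"] == expected.lower():
            status = "match"
        else:
            status = "MISMATCH"         # on-disk bytes differ from the reference
        findings.append((name, status, digests["md5"], path.stat().st_size))
    return findings


def build_demo(tmp_root):
    """Constructed sample data, not real driver files: three small fake drivers
    plus a reference hash table; nvstor.sys is then tampered with to stand in
    for an Alureon-patched driver."""
    drivers = Path(tmp_root) / "drivers"
    drivers.mkdir()
    clean = {
        "atapi.sys":  b"MZ" + b"\x00" * 64 + b"fake atapi driver body",
        "iaStor.sys": b"MZ" + b"\x00" * 64 + b"fake iastor driver body",
        "nvstor.sys": b"MZ" + b"\x00" * 64 + b"fake nvstor driver body",
    }
    known_good_md5 = {}
    for name, body in clean.items():
        (drivers / name).write_bytes(body)
        known_good_md5[name.lower()] = hashlib.md5(body).hexdigest()
    # Tamper with one driver after the reference hashes were taken.
    (drivers / "nvstor.sys").write_bytes(clean["nvstor.sys"] + b"\x90\x90 injected")
    return drivers, known_good_md5


def run_demo():
    """Run the audit over the constructed sample; returns {name: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        drivers, known_good_md5 = build_demo(tmp)
        return {name: status
                for name, status, _, _ in audit_drivers(drivers, DRIVERS_TO_CHECK, known_good_md5)}


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{status:9} {name}")
```

Two caveats a practitioner should keep in mind. First, a hash taken from user mode while the rootkit is still loaded is not trustworthy: TDL3 hooked the storage miniport driver's I/O path and served the original, clean bytes of the driver file it had overwritten, so the patched file read as unmodified until the rootkit was neutralised (which is why the ComboFix run above found the real `nvstor.sys` and why hashing is best done from offline media or after the cleanup). Second, MD5 is kept here only because OTL reports MD5; compare on SHA-256 where you have reference values, and treat an Authenticode check (PowerShell `Get-AuthenticodeSignature`, or Sysinternals `sigcheck`) as a complementary test rather than a substitute, since a file can carry a valid Microsoft signature and still be the wrong version for the build.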

#7 choie

choie
  • Topic Starter

  • Members
  • 8 posts
  • Local time:05:28 AM

Posted 12 June 2010 - 11:51 PM

Thanks, Tom. Wow, that ESET scan took forever! More than five hours. Wasn't expecting that!

Ran all three scans without much problem, though ESET found two threats, which you'll see below. First the MalwareBytes scan log:

================================================
mbam-log:
================================================

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4191

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

6/12/2010 1:37:03 PM
mbam-log-2010-06-12 (13-37-03).txt

Scan type: Quick scan
Objects scanned: 159334
Time elapsed: 9 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

================================================
ESET log:
================================================

C:\Qoobox\Quarantine\C\Windows\system32\Drivers\nvstor.sys.vir Win32/Olmarik.ZC trojan cleaned - quarantined
C:\Users\Kira\Documents\mail_accounts\rdmhotels.dbx Win32/Klez.E worm unable to clean


NOTE: I should mention that this rdmhotels.dbx is an old Outlook Express mailbox archived from an old computer. I can delete it if you recommend it -- I doubt I'll ever figure out how to convert it to Windows Mail!

================================================
OTL.txt
================================================

OTL logfile created on: 6/13/2010 12:08:22 AM - Run 1
OTL by OldTimer - Version 3.2.5.3 Folder = C:\Users\Kira\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 61.00% Memory free
7.00 Gb Paging File | 5.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 288.04 Gb Total Space | 69.72 Gb Free Space | 24.20% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 5.30 Gb Free Space | 53.00% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KIRA-PC
Current User Name: Kira
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/06/08 12:44:03 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Users\Kira\Desktop\OTL.exe
PRC - [2009/10/29 07:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/07/10 00:26:20 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/07/08 14:48:48 | 000,026,640 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSK\msksrver.exe
PRC - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2008/10/29 02:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/08/13 18:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2008/01/19 03:33:21 | 000,635,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe
PRC - [2007/04/13 11:49:00 | 000,101,528 | ---- | M] () -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe
PRC - [2007/03/19 06:22:00 | 002,440,088 | ---- | M] (JGsoft - Just Great Software) -- C:\Program Files\JGsoft\EditPadLite\EditPadLite.exe
PRC - [2006/11/03 19:02:14 | 000,050,688 | ---- | M] (Avanquest Software ) -- C:\Program Files\Digital Line Detect\DLG.exe
PRC - [2006/10/23 08:50:35 | 000,046,640 | R--- | M] (AOL LLC) -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
PRC - [2003/08/27 12:29:46 | 000,065,536 | ---- | M] (America Online, Inc.) -- C:\Windows\wanmpsvc.exe


========== Modules (SafeList) ==========

MOD - [2010/06/08 12:44:03 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Users\Kira\Desktop\OTL.exe
MOD - [2008/01/19 03:33:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2008/01/19 03:26:34 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (RoxWatch9)
SRV - [2010/05/08 15:14:41 | 000,390,952 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2009/12/27 05:55:54 | 001,016,011 | ---- | M] () [Auto | Stopped] -- C:\Program Files\OpenVPNTech\bin\instant-xmlserv.exe -- (OpenVPNTechOVPN_Instantiator)
SRV - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/10/20 14:19:48 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2009/09/16 11:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 09:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) [Disabled | Stopped] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/10 00:26:20 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/07/08 14:48:48 | 000,026,640 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service)
SRV - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\program files\common files\mcafee\mna\mcnasvc.exe -- (McNASvc)
SRV - [2009/06/08 14:36:16 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/08/13 18:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)
SRV - [2008/01/19 03:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/04/13 11:49:00 | 000,101,528 | ---- | M] () [Auto | Running] -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe -- (IJPLMSVC)
SRV - [2007/03/15 08:50:08 | 000,046,648 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Laplink\PCmover\cppwdsvc.exe -- (CpPwdSvc)
SRV - [2006/11/07 14:27:02 | 000,070,656 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2006/10/23 08:50:35 | 000,046,640 | R--- | M] (AOL LLC) [Auto | Running] -- C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe -- (AOL ACS)
SRV - [2003/08/27 12:29:46 | 000,065,536 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\Windows\wanmpsvc.exe -- (WANMiniportService) WAN Miniport (ATW)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2009/11/19 12:47:28 | 000,025,984 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tapoas.sys -- (tapoas)
DRV - [2009/10/20 14:19:44 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\npf.sys -- (NPF)
DRV - [2009/09/16 10:22:48 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 10:22:48 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 10:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 10:22:48 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 10:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/16 12:32:26 | 000,130,424 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\Mpfp.sys -- (MPFP)
DRV - [2008/12/19 20:08:28 | 000,030,088 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\point32k.sys -- (Point32)
DRV - [2008/09/02 15:29:46 | 000,024,576 | ---- | M] (Exent Technologies Ltd.) [Kernel | Auto | Running] -- C:\Program Files\GameTap\bin\Release\X4HSX32.sys -- (X4HSX32)
DRV - [2008/08/14 07:57:42 | 000,074,720 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\adfs.sys -- (adfs)
DRV - [2008/01/19 01:56:08 | 000,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usb8023.sys -- (USB_RNDIS_XP)
DRV - [2008/01/19 01:53:22 | 000,031,616 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (winusb)
DRV - [2007/08/02 12:31:30 | 000,021,120 | ---- | M] (NCH Swift Sound) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nchssvad.sys -- (NCHSSVAD)
DRV - [2007/06/07 18:02:13 | 000,020,152 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2007/06/07 18:02:13 | 000,019,128 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2007/06/07 18:02:13 | 000,017,592 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2007/05/01 08:26:26 | 000,131,368 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvrd32.sys -- (nvrd32)
DRV - [2007/05/01 08:26:26 | 000,102,696 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor32.sys -- (nvstor32)
DRV - [2007/04/04 08:54:32 | 002,313,216 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2007/03/15 08:50:18 | 000,016,440 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\Laplink\PCmover\PortAcc.sys -- (PortAcc)
DRV - [2007/03/05 04:07:46 | 000,045,568 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2007/02/08 01:16:26 | 000,647,680 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2007/01/11 20:15:16 | 000,032,528 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2007/01/11 20:15:06 | 000,032,272 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2007/01/06 01:59:42 | 000,035,920 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2006/11/02 05:51:45 | 000,900,712 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2006/11/02 05:51:38 | 000,420,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006/11/02 05:51:34 | 000,316,520 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2006/11/02 05:51:32 | 000,297,576 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2006/11/02 05:51:25 | 000,235,112 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2006/11/02 05:51:25 | 000,232,040 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2006/11/02 05:51:00 | 000,147,048 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2006/11/02 05:50:45 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006/11/02 05:50:41 | 000,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006/11/02 05:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 05:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 05:50:35 | 000,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 05:50:24 | 000,088,680 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2006/11/02 05:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 05:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 05:50:16 | 000,071,784 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006/11/02 05:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 05:50:10 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2006/11/02 05:50:10 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006/11/02 05:50:10 | 000,038,504 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006/11/02 05:50:10 | 000,037,480 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2006/11/02 05:50:09 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2006/11/02 05:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 05:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 05:50:05 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006/11/02 05:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 05:50:04 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006/11/02 05:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 05:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 05:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 05:49:53 | 000,028,776 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2006/11/02 04:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 04:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 04:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 04:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 04:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 04:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 03:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 03:30:55 | 000,200,704 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel®
DRV - [2006/11/02 03:30:54 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2006/11/01 16:18:15 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2006/10/18 14:09:26 | 000,986,624 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2006/10/18 14:08:18 | 000,258,048 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWBS2.sys -- (HSXHWBS2)
DRV - [2006/10/18 14:08:04 | 000,659,968 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2006/10/05 17:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006/08/17 16:43:52 | 000,007,424 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\Program Files\DellSupport\Drivers\dsunidrv.sys -- (dsunidrv)
DRV - [2006/08/04 20:39:10 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig?hl=en&source=iglk
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1
FF - prefs.js..extensions.enabledItems: 6
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..extensions.enabledItems: 44
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7
FF - prefs.js..extensions.enabledItems: firebug@software.joehewitt.com:1.05
FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.2.1.10
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100211.5
FF - prefs.js..extensions.enabledItems: {3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}:0.8.6.1
FF - prefs.js..extensions.enabledItems: mozilla_cc@internetdownloadmanager.com:6.3
FF - prefs.js..extensions.enabledItems: beta@linkdiagnosis.com:2.2.41
FF - prefs.js..extensions.enabledItems: {8f8fe09b-0bd3-4470-bc1b-8cad42b8203a}:0.16
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.07103010
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.5.1
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..extensions.enabledItems: {46551EC9-40F0-4e47-8E18-8E5CF550CFB8}:1.0.8
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/30 18:53:13 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/01 12:33:24 | 000,000,000 | ---D | M]

[2008/07/16 16:11:13 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Mozilla\Extensions
[2010/06/12 01:11:41 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions
[2010/02/23 00:07:31 | 000,000,000 | ---D | M] (FlashGot) -- C:\Users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2009/09/03 02:36:56 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/02/23 00:08:06 | 000,000,000 | ---D | M] (Html Validator) -- C:\Users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}
[2010/02/23 00:07:45 | 000,000,000 | ---D | M] (Stylish) -- C:\Users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}
[2009/06/07 16:04:21 | 000,000,000 | ---D | M] (IE Tab) -- C:\Users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}
[2010/03/29 16:02:18 | 000,000,000 | ---D | M] (Live HTTP Headers) -- C:\Users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions\{8f8fe09b-0bd3-4470-bc1b-8cad42b8203a}
[2010/02/23 00:07:32 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2009/09/14 11:28:23 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/02/23 00:07:38 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2010/06/10 18:31:48 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions\beta@linkdiagnosis.com
[2008/06/08 11:16:48 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions\firebug@software.joehewitt.com
[2008/08/27 18:07:05 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions\moveplayer@movenetworks.com
[2010/02/23 00:07:31 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions\personas@christopher.beard
[2007/10/03 16:32:32 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions\videodowloader@videodownloader.net
[2008/07/16 16:08:20 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/06/18 02:43:04 | 000,086,016 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2007/08/15 20:15:12 | 000,069,632 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npitunes.dll
[2004/02/20 16:14:09 | 000,176,177 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: ([2010/06/12 10:23:47 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (IDMIEHlprObj Class) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll (Tonec Inc.)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (FGCatchUrl) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll (www.flashget.com)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (BitComet Helper) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll (BitComet)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (IeMonitorBho Class) - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll (Megaupload Limited)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (FlashGet GetFlash Class) - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll (www.flashget.com)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech Inc.)
O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE (Logitech Inc.)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [OpwareSE4] C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Windows\sttray.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [BitComet] C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O4 - HKCU..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
O4 - HKCU..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKCU..\Run: [eFax 4.4] C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe (j2 Global Communications, Inc.)
O4 - HKCU..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O4 - HKCU..\Run: [VeohPlugin] C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe (Veoh Networks)
O4 - Startup: C:\Users\Kira\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe ()
O4 - Startup: C:\Users\Kira\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eFax 4.4.lnk = C:\Program Files\eFax Messenger 4.4\J2GTray.exe (j2 Global Communications, Inc.)
O4 - Startup: C:\Users\Kira\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &D&ownload &with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all video with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\JC_ALL.HTM ()
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\JC_LINK.HTM ()
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm ()
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm ()
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm ()
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll (BitComet)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe (FlashGet.com)
O9 - Extra 'Tools' menuitem : FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe (FlashGet.com)
O9 - Extra Button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm ()
O9 - Extra 'Tools' menuitem : Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O15 - HKCU\..Trusted Domains: aspworld.com ([bookbyyou] http in Trusted sites)
O16 - DPF: {38CE661B-0F4A-4120-9CA7-90015C5C3241} https://shopping.discovery.com/MediaManager...DS_1_0_0_12.cab (Reg Error: Key error.)
O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} http://srtest-cdn.systemrequirementslab.co...eqlabdetect.cab (Reg Error: Key error.)
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} http://support.dell.com/systemprofiler/SysProExe.CAB (WMI Class)
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} http://www.systemrequirementslab.com/sysreqlab2.cab (System Requirements Lab Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} https://shopping.discovery.com/MediaManager..._2_2_Silent.cab (MediaControl Class)
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} http://service.futuremark.com/gom/receiver/tc/FMSI.cab (Futuremark SystemInfo)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Kira\Pictures\CrystalCove11_0031.jpg
O24 - Desktop BackupWallPaper: C:\Users\Kira\Pictures\CrystalCove11_0031.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2009/06/08 02:58:16 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 90 Days ==========

[2010/06/12 13:42:43 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/06/12 10:28:53 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/06/12 10:28:49 | 000,000,000 | ---D | C] -- C:\Users\Kira\AppData\Local\temp
[2010/06/12 09:52:37 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/06/12 09:52:37 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/06/12 09:52:37 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/06/12 09:52:22 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/06/12 09:52:20 | 000,000,000 | ---D | C] -- C:\schrauber
[2010/06/12 09:51:36 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/06/12 09:51:16 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/06/10 20:20:40 | 000,000,000 | ---D | C] -- C:\Users\Kira\Documents\DonationCoder
[2010/06/10 20:20:40 | 000,000,000 | ---D | C] -- C:\Users\Kira\AppData\Roaming\DonationCoder
[2010/06/10 20:19:25 | 000,000,000 | ---D | C] -- C:\Program Files\WinPcap
[2010/06/10 20:19:07 | 000,000,000 | ---D | C] -- C:\Program Files\URLSnooper2
[2010/06/10 20:19:07 | 000,000,000 | ---D | C] -- C:\ProgramData\DonationCoder
[2010/06/08 12:43:59 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Users\Kira\Desktop\OTL.exe
[2010/06/07 15:35:22 | 000,000,000 | ---D | C] -- C:\Users\Kira\AppData\Roaming\Malwarebytes
[2010/06/07 15:35:05 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/06/07 15:35:04 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/06/07 15:35:04 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/06/07 15:35:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/06/07 15:33:54 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Kira\Desktop\mbam-setup-1.46.exe
[2010/06/07 01:21:24 | 000,000,000 | ---D | C] -- C:\Users\Kira\AppData\Local\sytnrfekb
[2010/05/19 13:34:49 | 000,002,560 | ---- | C] (BitComet) -- C:\Windows\System32\bitcometres.dll
[2010/05/16 18:52:39 | 000,000,000 | ---D | C] -- C:\Users\Kira\AppData\Roaming\OpenVPNTech
[2010/05/16 18:52:38 | 000,000,000 | ---D | C] -- C:\Program Files\OpenVPNTech
[2010/05/09 19:15:59 | 000,000,000 | ---D | C] -- C:\Users\Kira\AppData\Local\tueeiqgen
[2010/05/07 16:15:43 | 000,000,000 | ---D | C] -- C:\Program Files\BBC iPlayer Desktop
[2010/04/13 21:20:22 | 000,000,000 | ---D | C] -- C:\Users\Kira\Documents\2010_04news
[2010/03/23 05:05:24 | 000,000,000 | ---D | C] -- C:\ProgramData\WindowsSearch
[2007/07/19 15:01:15 | 000,040,960 | ---- | C] ( ) -- C:\Windows\Interop.OR4PhotoComponent.dll
[2007/07/19 15:00:24 | 000,040,960 | ---- | C] ( ) -- C:\Windows\System32\MACTrackBarLib.dll
[2005/09/30 04:07:54 | 000,018,944 | ---- | C] ( ) -- C:\Windows\System32\IMPLODE.DLL
[3 C:\Users\Kira\Documents\*.tmp files -> C:\Users\Kira\Documents\*.tmp -> ]
[28 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[17 C:\Windows\System32\dllcache\*.tmp files -> C:\Windows\System32\dllcache\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/06/13 00:08:10 | 011,534,336 | -HS- | M] () -- C:\Users\Kira\NTUSER.DAT
[2010/06/12 23:59:30 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/06/12 23:59:30 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/06/12 23:17:29 | 000,000,416 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{7FE2BE88-986B-4043-B805-929437EE3464}.job
[2010/06/12 10:23:55 | 000,000,236 | ---- | M] () -- C:\Windows\system.ini
[2010/06/12 10:23:47 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/06/12 10:07:17 | 000,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/06/12 10:07:17 | 000,595,446 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/06/12 10:07:17 | 000,101,144 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/06/12 09:59:38 | 000,065,536 | ---- | M] () -- C:\Windows\System32\Ikeext.etl
[2010/06/12 09:59:27 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/06/12 09:59:23 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/06/12 09:59:18 | 3486,015,488 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/12 09:58:42 | 000,524,288 | -HS- | M] () -- C:\Users\Kira\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010/06/12 09:58:42 | 000,065,536 | -HS- | M] () -- C:\Users\Kira\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010/06/12 09:58:22 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2010/06/12 09:58:21 | 000,030,617 | ---- | M] () -- C:\Windows\System32\Config.MPF
[2010/06/12 09:43:05 | 003,706,656 | R--- | M] () -- C:\Users\Kira\Desktop\schrauber.exe
[2010/06/11 16:19:22 | 000,005,886 | ---- | M] () -- C:\Users\Kira\Desktop\Attach.zip
[2010/06/11 16:00:55 | 194,633,740 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/06/10 21:32:25 | 001,631,188 | ---- | M] () -- C:\Users\Kira\Desktop\malloy (8).flv
[2010/06/10 21:16:40 | 178,550,645 | ---- | M] () -- C:\Users\Kira\Desktop\malloy.flv
[2010/06/10 20:20:40 | 000,000,046 | ---- | M] () -- C:\Windows\System32\DonationCoder_urlsnooper_InstallInfo.dat
[2010/06/10 20:19:28 | 000,000,073 | ---- | M] () -- C:\Windows\System32\-1
[2010/06/10 20:19:08 | 000,000,779 | ---- | M] () -- C:\Users\Kira\Desktop\URLSnooper 2.lnk
[2010/06/10 20:18:36 | 003,481,600 | ---- | M] () -- C:\Users\Kira\Desktop\URLSnooperSetup.exe
[2010/06/10 12:52:56 | 003,231,479 | -H-- | M] () -- C:\Users\Kira\AppData\Local\IconCache.db
[2010/06/08 12:44:03 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Users\Kira\Desktop\OTL.exe
[2010/06/07 21:28:12 | 000,000,900 | ---- | M] () -- C:\Users\Kira\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BBC iPlayer Desktop.lnk
[2010/06/07 21:09:32 | 000,525,824 | ---- | M] () -- C:\Users\Kira\Desktop\dds.scr
[2010/06/07 21:07:45 | 000,000,000 | ---- | M] () -- C:\Users\Kira\defogger_reenable
[2010/06/07 21:07:14 | 000,050,477 | ---- | M] () -- C:\Users\Kira\Desktop\Defogger.exe
[2010/06/07 20:54:03 | 000,000,258 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2010/06/07 15:35:08 | 000,000,820 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/07 15:34:33 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Kira\Desktop\mbam-setup-1.46.exe
[2010/06/01 01:00:00 | 000,000,368 | ---- | M] () -- C:\Windows\tasks\McQcTask.job
[2010/05/27 03:20:03 | 000,000,788 | ---- | M] () -- C:\Users\Public\Desktop\Steam.lnk
[2010/05/19 14:08:40 | 000,049,847 | ---- | M] () -- C:\Users\Kira\Desktop\SKP.docx
[2010/05/19 13:34:50 | 000,002,560 | ---- | M] (BitComet) -- C:\Windows\System32\bitcometres.dll
[2010/05/16 19:02:16 | 003,291,264 | ---- | M] () -- C:\Users\Kira\Documents\OpenVPN_InstallerDE.exe
[2010/05/16 19:00:40 | 000,005,861 | ---- | M] () -- C:\Users\Kira\Documents\clientDE.ovpn
[2010/05/16 18:55:22 | 000,000,923 | ---- | M] () -- C:\Users\Public\Desktop\OpenVPN-AS.lnk
[2010/05/16 18:43:16 | 000,005,861 | ---- | M] () -- C:\Users\Kira\Documents\client.ovpn
[2010/05/16 18:36:13 | 003,291,264 | ---- | M] () -- C:\Users\Kira\Documents\OpenVPN_InstallerGosport.exe
[2010/05/16 18:09:50 | 003,291,264 | ---- | M] () -- C:\Users\Kira\Documents\OpenVPN_Installer.exe
[2010/05/15 01:00:00 | 000,000,366 | ---- | M] () -- C:\Windows\tasks\McDefragTask.job
[2010/05/07 16:15:43 | 000,000,864 | ---- | M] () -- C:\Users\Public\Desktop\BBC iPlayer Desktop.lnk
[2010/05/06 16:12:04 | 002,005,056 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\Windows\PEV.exe
[2010/03/29 11:39:37 | 000,035,328 | ---- | M] () -- C:\Users\Kira\Documents\FilipinoSecretsAmericanDreams.wps
[2010/03/29 00:09:56 | 000,050,176 | ---- | M] () -- C:\Users\Kira\Documents\Filipino Secrets, American Dreams.doc
[2010/03/28 22:56:32 | 000,039,936 | ---- | M] () -- C:\Users\Kira\Documents\Filipino Secrets, American Dreams.wps
[2010/03/26 20:03:50 | 000,005,083 | ---- | M] () -- C:\Users\Kira\Desktop\404.asp
[2010/03/26 19:30:44 | 000,019,177 | ---- | M] () -- C:\Users\Kira\Desktop\bbyhead2-TR.gif
[2010/03/26 19:30:43 | 000,005,091 | ---- | M] () -- C:\Users\Kira\Desktop\homepage_basic.css
[2010/03/26 19:30:43 | 000,000,478 | ---- | M] () -- C:\Users\Kira\Desktop\homepage_general.css
[2010/03/19 15:18:11 | 000,004,224 | ---- | M] () -- C:\Windows\cdplayer.ini
[3 C:\Users\Kira\Documents\*.tmp files -> C:\Users\Kira\Documents\*.tmp -> ]
[28 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[17 C:\Windows\System32\dllcache\*.tmp files -> C:\Windows\System32\dllcache\*.tmp -> ]

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\ProgramData\huyuweje
[2010/06/12 09:52:37 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010/06/12 09:52:37 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/06/12 09:52:37 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/06/12 09:52:37 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/06/12 09:52:37 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/06/12 09:42:29 | 003,706,656 | R--- | C] () -- C:\Users\Kira\Desktop\schrauber.exe
[2010/06/11 16:19:22 | 000,005,886 | ---- | C] () -- C:\Users\Kira\Desktop\Attach.zip
[2010/06/11 15:56:46 | 3486,015,488 | -HS- | C] () -- C:\hiberfil.sys
[2010/06/10 21:32:22 | 001,631,188 | ---- | C] () -- C:\Users\Kira\Desktop\malloy (8).flv
[2010/06/10 20:23:15 | 178,550,645 | ---- | C] () -- C:\Users\Kira\Desktop\malloy.flv
[2010/06/10 20:20:40 | 000,000,046 | ---- | C] () -- C:\Windows\System32\DonationCoder_urlsnooper_InstallInfo.dat
[2010/06/10 20:19:27 | 000,000,073 | ---- | C] () -- C:\Windows\System32\-1
[2010/06/10 20:19:08 | 000,000,779 | ---- | C] () -- C:\Users\Kira\Desktop\URLSnooper 2.lnk
[2010/06/10 20:16:58 | 003,481,600 | ---- | C] () -- C:\Users\Kira\Desktop\URLSnooperSetup.exe
[2010/06/07 21:09:29 | 000,525,824 | ---- | C] () -- C:\Users\Kira\Desktop\dds.scr
[2010/06/07 21:07:45 | 000,000,000 | ---- | C] () -- C:\Users\Kira\defogger_reenable
[2010/06/07 21:07:31 | 000,050,477 | ---- | C] () -- C:\Users\Kira\Desktop\Defogger.exe
[2010/06/07 15:35:08 | 000,000,820 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/19 14:08:40 | 000,049,847 | ---- | C] () -- C:\Users\Kira\Desktop\SKP.docx
[2010/05/16 19:01:27 | 003,291,264 | ---- | C] () -- C:\Users\Kira\Documents\OpenVPN_InstallerDE.exe
[2010/05/16 19:00:40 | 000,005,861 | ---- | C] () -- C:\Users\Kira\Documents\clientDE.ovpn
[2010/05/16 18:55:22 | 000,000,923 | ---- | C] () -- C:\Users\Public\Desktop\OpenVPN-AS.lnk
[2010/05/16 18:43:16 | 000,005,861 | ---- | C] () -- C:\Users\Kira\Documents\client.ovpn
[2010/05/16 18:35:59 | 003,291,264 | ---- | C] () -- C:\Users\Kira\Documents\OpenVPN_InstallerGosport.exe
[2010/05/16 18:28:14 | 000,065,536 | ---- | C] () -- C:\Windows\System32\Ikeext.etl
[2010/05/16 18:08:55 | 003,291,264 | ---- | C] () -- C:\Users\Kira\Documents\OpenVPN_Installer.exe
[2010/03/29 00:10:34 | 000,035,328 | ---- | C] () -- C:\Users\Kira\Documents\FilipinoSecretsAmericanDreams.wps
[2010/03/28 22:57:16 | 000,050,176 | ---- | C] () -- C:\Users\Kira\Documents\Filipino Secrets, American Dreams.doc
[2010/03/28 22:56:31 | 000,039,936 | ---- | C] () -- C:\Users\Kira\Documents\Filipino Secrets, American Dreams.wps
[2010/03/26 19:47:42 | 000,019,177 | ---- | C] () -- C:\Users\Kira\Desktop\bbyhead2-TR.gif
[2010/03/26 19:47:42 | 000,005,091 | ---- | C] () -- C:\Users\Kira\Desktop\homepage_basic.css
[2010/03/26 19:47:42 | 000,000,478 | ---- | C] () -- C:\Users\Kira\Desktop\homepage_general.css
[2010/03/26 19:47:33 | 000,005,083 | ---- | C] () -- C:\Users\Kira\Desktop\404.asp
[2010/02/27 21:31:18 | 000,000,000 | ---- | C] () -- C:\Windows\iPlayer.INI
[2009/12/26 18:45:56 | 000,139,152 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2009/10/20 14:19:30 | 000,053,299 | ---- | C] () -- C:\Windows\System32\pthreadVC.dll
[2008/06/30 19:41:13 | 000,011,776 | ---- | C] () -- C:\Windows\System32\pmsbfn32.dll
[2008/06/30 19:39:30 | 000,000,412 | ---- | C] () -- C:\Windows\MAXLINK.INI
[2007/09/01 23:05:15 | 000,029,696 | ---- | C] () -- C:\Windows\System32\asutl8.dll
[2007/09/01 22:56:00 | 000,056,832 | ---- | C] () -- C:\Windows\System32\IKxfrnew32.dll
[2007/07/29 23:55:21 | 000,000,010 | ---- | C] () -- C:\Windows\winfile.ini
[2007/07/19 15:01:15 | 000,032,768 | ---- | C] () -- C:\Windows\AxInterop.OR4PhotoComponent.dll
[2007/07/19 15:00:21 | 002,592,768 | ---- | C] () -- C:\Windows\System32\InvestintechConversionDLL.dll
[2007/06/19 09:59:36 | 000,070,400 | ---- | C] () -- C:\Windows\System32\PhysXLoader.dll
[2007/06/07 18:03:42 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2007/04/22 20:15:29 | 003,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2007/04/22 20:01:47 | 000,012,288 | ---- | C] () -- C:\Windows\System32\DivXWMPExtType.dll
[2007/04/20 08:57:30 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2006/11/13 18:34:36 | 000,065,536 | ---- | C] () -- C:\Windows\System32\YCRWin32.dll
[2006/11/07 15:25:58 | 000,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
[2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/10/09 23:17:56 | 000,217,088 | ---- | C] () -- C:\Windows\System32\libmySQL.dll
[2006/10/09 23:17:56 | 000,102,400 | ---- | C] () -- C:\Windows\System32\TrackerNET.dll
[2006/10/09 22:24:37 | 000,000,460 | ---- | C] () -- C:\Windows\SIERRA.INI
[2006/10/05 17:45:50 | 000,021,840 | ---- | C] () -- C:\Windows\System32\SIntfNT.dll
[2006/10/05 17:45:50 | 000,017,212 | ---- | C] () -- C:\Windows\System32\SIntf32.dll
[2006/10/05 17:45:49 | 000,012,067 | ---- | C] () -- C:\Windows\System32\SIntf16.dll
[2006/09/17 00:36:50 | 000,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2006/09/17 00:36:50 | 000,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
[2006/06/17 15:56:25 | 000,049,152 | ---- | C] () -- C:\Windows\System32\Funckey.dll
[2006/06/17 15:56:25 | 000,003,306 | ---- | C] () -- C:\Windows\aiptbl.ini
[2006/05/06 23:18:57 | 000,000,882 | ---- | C] () -- C:\Windows\DC.ini
[2006/02/22 01:43:43 | 000,000,045 | ---- | C] () -- C:\Windows\System32\RPVersion.ini
[2006/02/17 20:47:17 | 000,000,190 | ---- | C] () -- C:\Windows\QTW.INI
[2006/02/10 01:56:48 | 000,000,044 | ---- | C] () -- C:\Windows\liveup.ini
[2005/12/29 08:10:14 | 000,139,264 | ---- | C] () -- C:\Windows\System32\VSCWR12.dll
[2005/12/12 22:30:51 | 000,000,000 | ---- | C] () -- C:\Windows\System32\UNWISE.INI
[2005/11/23 04:53:32 | 000,000,034 | ---- | C] () -- C:\Windows\Tiny_Run.ini
[2005/11/21 06:12:35 | 000,000,004 | -H-- | C] () -- C:\Windows\uccspecb.sys
[2005/10/28 03:49:54 | 000,014,848 | ---- | C] () -- C:\Windows\System32\BASSMOD.dll
[2005/10/24 21:30:26 | 000,040,448 | ---- | C] () -- C:\Windows\System32\regobj.dll
[2005/09/30 04:09:34 | 000,000,084 | ---- | C] () -- C:\Windows\3dhi.INI
[2005/09/30 04:08:33 | 000,023,552 | ---- | C] () -- C:\Windows\System32\Odbcstf.dll
[2005/09/12 15:29:53 | 000,102,466 | ---- | C] () -- C:\Windows\System32\dzwrapper.dll
[2005/09/12 15:27:21 | 004,182,067 | ---- | C] () -- C:\Windows\System32\dzcore.dll
[2005/08/29 22:47:49 | 000,000,044 | ---- | C] () -- C:\Windows\pp80.INI
[2005/08/27 17:57:07 | 000,373,248 | ---- | C] () -- C:\Windows\EyeCand3.INI
[2005/08/06 14:03:07 | 000,004,224 | ---- | C] () -- C:\Windows\cdplayer.ini
[2005/07/29 10:58:09 | 001,056,768 | ---- | C] () -- C:\Windows\System32\daz-qsa.dll
[2005/07/29 10:58:07 | 003,588,096 | ---- | C] () -- C:\Windows\System32\daz-qt-mt.dll
[2005/06/30 04:59:11 | 000,000,141 | ---- | C] () -- C:\Windows\asym.ini
[2005/06/15 18:37:20 | 000,000,000 | ---- | C] () -- C:\Windows\PROTOCOL.INI
[2005/05/18 15:02:57 | 001,513,984 | ---- | C] () -- C:\Windows\System32\MgxRdr80.dll
[2005/05/18 15:02:57 | 000,210,944 | ---- | C] () -- C:\Windows\System32\MSVCRT10.DLL
[2005/05/18 15:02:01 | 000,338,944 | ---- | C] () -- C:\Windows\System32\LFFPX7.DLL
[2005/05/18 15:02:01 | 000,118,784 | ---- | C] () -- C:\Windows\System32\LFKODAK.DLL
[2005/05/18 15:01:48 | 000,064,000 | ---- | C] () -- C:\Windows\System32\Ppiv30.dll
[2005/05/18 15:01:47 | 000,001,077 | ---- | C] () -- C:\Windows\Mgxclean.sys
[2005/02/10 20:06:57 | 000,000,061 | ---- | C] () -- C:\Windows\smscfg.ini
[2005/02/10 20:00:32 | 000,000,864 | ---- | C] () -- C:\Windows\wininit.ini
[2005/02/10 19:53:41 | 000,000,482 | ---- | C] () -- C:\Windows\ODBC.INI
[2005/02/10 19:52:17 | 000,000,231 | ---- | C] () -- C:\Windows\AC3API.INI
[2005/02/10 19:52:07 | 000,003,278 | ---- | C] () -- C:\Windows\System32\LudaP17.ini
[2005/02/10 19:52:06 | 000,000,029 | ---- | C] () -- C:\Windows\System32\ctzapxx.ini
[2005/02/10 19:52:01 | 000,000,072 | ---- | C] () -- C:\Windows\SBWIN.INI
[2004/08/11 19:25:56 | 000,000,844 | ---- | C] () -- C:\Windows\ORUN32.INI
[2004/01/12 23:53:52 | 000,172,032 | ---- | C] () -- C:\Windows\System32\lame_enc.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\Windows\System32\OUTLPERF.INI
[2002/12/18 16:10:36 | 000,006,048 | ---- | C] () -- C:\Windows\System32\MCC16.DLL
[1996/04/03 15:33:26 | 000,005,248 | ---- | C] () -- C:\Windows\System32\giveio.sys
[1980/01/01 02:00:00 | 000,060,928 | ---- | C] () -- C:\Windows\System32\P17.dll
[1980/01/01 02:00:00 | 000,053,248 | ---- | C] () -- C:\Windows\System32\P17CPI.dll

========== LOP Check ==========

[2008/07/03 20:25:41 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Amazon
[2007/09/02 01:26:11 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Anvil Studio
[2009/08/29 13:07:48 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
[2007/09/15 17:29:14 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Bioshock
[2008/08/05 22:42:03 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Canon
[2009/10/24 00:51:40 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\com.drwicked.writeordie.WriteorDieDesktop.6612D25620E961818EB6367A60EAB552BE4CD874.1
[2010/06/10 18:55:27 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\DMCache
[2010/06/10 20:20:40 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\DonationCoder
[2009/09/03 16:24:38 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\eFax Messenger
[2009/02/26 21:39:59 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\FileZilla
[2007/06/17 16:51:48 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\FlashGet
[2007/06/17 21:29:31 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\GlobalSCAPE
[2009/09/14 11:31:05 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\IDM
[2009/09/03 16:16:25 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\j2 Global
[2007/06/17 17:11:08 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\JGsoft
[2007/06/16 14:45:45 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Laplink
[2009/07/20 19:44:42 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\LucasArts
[2007/06/21 19:15:28 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Megaupload
[2007/08/02 12:31:18 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\NCH Swift Sound
[2010/05/16 18:55:47 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\OpenVPNTech
[2009/08/21 23:23:36 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Opera
[2010/03/07 14:23:40 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\RenPy
[2008/06/30 19:39:15 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\ScanSoft
[2009/09/21 15:36:52 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Serif
[2009/03/17 16:29:24 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Spacejock Software
[2007/06/14 13:43:56 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Spearit
[2007/08/08 02:03:35 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\ToolbarToggle
[2008/01/04 18:52:31 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\uTorrent
[2009/05/17 19:30:33 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Vso
[2010/05/15 01:00:00 | 000,000,366 | ---- | M] () -- C:\Windows\Tasks\McDefragTask.job
[2010/06/01 01:00:00 | 000,000,368 | ---- | M] () -- C:\Windows\Tasks\McQcTask.job
[2010/06/12 09:58:23 | 000,032,546 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/06/12 23:17:29 | 000,000,416 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{7FE2BE88-986B-4043-B805-929437EE3464}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2005/12/05 23:40:21 | 000,010,920 | ---- | M] () -- C:\aolconnfix.exe
[2005/09/29 14:51:50 | 000,700,416 | ---- | M] (LimeWire) -- C:\StubInstaller.exe


< MD5 for: AGP440.SYS >
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:AGP440.sys
[2008/01/19 03:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/19 03:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008/01/19 03:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys
[2004/08/04 01:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\I386\AGP440.SYS
[2007/06/07 18:01:42 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=8B10CE1C1F9F1D47E4DEB1A547A00CD4 -- C:\Windows\ERDNT\cache\AGP440.sys
[2007/06/07 18:01:42 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=8B10CE1C1F9F1D47E4DEB1A547A00CD4 -- C:\Windows\System32\drivers\AGP440.sys
[2007/06/07 18:01:42 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=8B10CE1C1F9F1D47E4DEB1A547A00CD4 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_8ed06b47\AGP440.sys
[2007/06/07 18:01:42 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=8B10CE1C1F9F1D47E4DEB1A547A00CD4 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6000.16400_none_b82caac9c18a4e3b\AGP440.sys
[2007/06/07 18:01:42 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=BF34B4A0E0B64440C5389AA6B902F4AD -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6000.20496_none_b85af81edaeb8461\AGP440.sys
[2006/11/02 05:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:atapi.sys
[2009/04/11 02:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/19 03:41:30 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/19 03:41:30 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 05:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
[2007/06/07 18:02:22 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=5653737BAD8C6C10136451C195C19881 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20485_none_db8a029f3dbd443b\atapi.sys
[2007/06/07 18:02:13 | 000,021,688 | ---- | M] (Microsoft Corporation) MD5=9E7E85EC61D1C9C3171CC08427108863 -- C:\Windows\ERDNT\cache\atapi.sys
[2007/06/07 18:02:13 | 000,021,688 | ---- | M] (Microsoft Corporation) MD5=9E7E85EC61D1C9C3171CC08427108863 -- C:\Windows\System32\drivers\atapi.sys
[2007/06/07 18:02:13 | 000,021,688 | ---- | M] (Microsoft Corporation) MD5=9E7E85EC61D1C9C3171CC08427108863 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_5a9555b4\atapi.sys
[2007/06/07 18:02:13 | 000,021,688 | ---- | M] (Microsoft Corporation) MD5=9E7E85EC61D1C9C3171CC08427108863 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20509_none_dbe4850d3d78c736\atapi.sys
[2007/06/07 18:02:22 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=A779CA2C76DA4FCB595E692C05E8E4EB -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_82339ef2\atapi.sys
[2007/06/07 18:02:22 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=A779CA2C76DA4FCB595E692C05E8E4EB -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16391_none_daf194c024ab5b06\atapi.sys
[2008/02/13 04:06:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys
[2008/02/13 04:06:00 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys
[2004/08/04 00:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\I386\atapi.sys
[2004/08/04 00:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\Windows\System32\DLLCACHE\atapi.sys
[2004/08/04 00:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\Windows\System32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys
[2004/08/04 00:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\Windows\System32\ReinstallBackups\0013\DriverFiles\i386\atapi.sys
[2008/02/13 04:05:59 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=E03E8C99D15D0381E02743C36AFC7C6F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_64dfd8ea\atapi.sys
[2008/02/13 04:05:59 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=E03E8C99D15D0381E02743C36AFC7C6F -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2006/11/02 05:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\ERDNT\cache\cngaudit.dll
[2006/11/02 05:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 05:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: EVENTLOG.DLL >
[2004/08/04 07:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\I386\EVENTLOG.DLL
[2004/08/04 07:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\Windows\System32\EVENTLOG.DLL

< MD5 for: IASTORV.SYS >
[2008/01/19 03:42:51 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008/01/19 03:42:51 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006/11/02 05:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\drivers\iaStorV.sys
[2006/11/02 05:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2006/11/02 05:46:11 | 000,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783\netlogon.dll
[2009/04/11 02:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll
[2004/08/04 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\I386\NETLOGON.DLL
[2008/01/19 03:35:36 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\ERDNT\cache\netlogon.dll
[2008/01/19 03:35:36 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\System32\netlogon.dll
[2008/01/19 03:35:36 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

< MD5 for: NVRD32.SYS >
[2007/05/01 08:26:26 | 000,131,368 | ---- | M] (NVIDIA Corporation) MD5=1988AF02F581EE0A0A0C4D920B7E272F -- C:\Drivers\storage\R155144\nvrd32.sys
[2007/05/01 08:26:26 | 000,131,368 | ---- | M] (NVIDIA Corporation) MD5=1988AF02F581EE0A0A0C4D920B7E272F -- C:\Windows\System32\drivers\nvrd32.sys
[2007/05/01 08:26:26 | 000,131,368 | ---- | M] (NVIDIA Corporation) MD5=1988AF02F581EE0A0A0C4D920B7E272F -- C:\Windows\System32\DriverStore\FileRepository\nvrd32.inf_a8e6d559\nvrd32.sys

< MD5 for: NVSTOR.SYS >
[2007/01/06 01:59:42 | 000,035,920 | ---- | M] (NVIDIA Corporation) MD5=4A5FCAB82D9BF6AF8A023A66802FE9E9 -- C:\Drivers\system\r148912\nvstor.sys
[2007/01/06 01:59:42 | 000,035,920 | ---- | M] (NVIDIA Corporation) MD5=4A5FCAB82D9BF6AF8A023A66802FE9E9 -- C:\Windows\System32\drivers\nvstor.sys
[2007/01/06 01:59:42 | 000,035,920 | ---- | M] (NVIDIA Corporation) MD5=4A5FCAB82D9BF6AF8A023A66802FE9E9 -- C:\Windows\System32\DriverStore\FileRepository\nvstor.inf_f48b8337\nvstor.sys
[2006/11/02 05:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/19 03:42:09 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008/01/19 03:42:09 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< MD5 for: NVSTOR32.SYS >
[2007/05/01 08:26:26 | 000,102,696 | ---- | M] (NVIDIA Corporation) MD5=E1C2036823B9E75535051499C61350F6 -- C:\Drivers\storage\R155144\nvstor32.sys
[2007/05/01 08:26:26 | 000,102,696 | ---- | M] (NVIDIA Corporation) MD5=E1C2036823B9E75535051499C61350F6 -- C:\Windows\System32\drivers\nvstor32.sys
[2007/05/01 08:26:26 | 000,102,696 | ---- | M] (NVIDIA Corporation) MD5=E1C2036823B9E75535051499C61350F6 -- C:\Windows\System32\DriverStore\FileRepository\nvrd32.inf_a8e6d559\nvstor32.sys

< MD5 for: SCECLI.DLL >
[2004/08/04 07:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\I386\SCECLI.DLL
[2008/01/19 03:36:19 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\ERDNT\cache\scecli.dll
[2008/01/19 03:36:19 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\System32\scecli.dll
[2008/01/19 03:36:19 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2006/11/02 05:46:12 | 000,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll
[2009/04/11 02:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/01/19 03:38:03 | 000,242,744 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2008/01/19 03:36:10 | 000,225,792 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll
[28 C:\Windows\system32\*.tmp files -> C:\Windows\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2006/11/02 06:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2006/11/02 06:34:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2006/11/02 06:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 06:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 06:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %systemdrive%\*.sys /90 /md5 >
[2010/06/12 09:59:18 | 3486,015,488 | -HS- | M] () Unable to obtain MD5 -- C:\hiberfil.sys
[2010/06/12 09:59:16 | 3801,686,016 | -HS- | M] () Unable to obtain MD5 -- C:\pagefile.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 648 bytes -> C:\Users\Kira\Documents\appt_ w_wasserstein.eml:OECustomProperty
@Alternate Data Stream - 596 bytes -> C:\Users\Kira\Documents\tris.eml:OECustomProperty
@Alternate Data Stream - 542 bytes -> C:\Users\Kira\Documents\Out of office.eml:OECustomProperty
@Alternate Data Stream - 470 bytes -> C:\Users\Kira\Documents\peterpan.eml:OECustomProperty
@Alternate Data Stream - 143 bytes -> C:\Users\Kira\Documents\verizon.eml:OECustomProperty
@Alternate Data Stream - 140 bytes -> C:\ProgramData\TEMP:0C1EFF69
@Alternate Data Stream - 133 bytes -> C:\ProgramData\TEMP:0A8E2C33
< End of report >


================================================
OTL - Extras.txt
================================================

OTL Extras logfile created on: 6/13/2010 12:08:22 AM - Run 1
OTL by OldTimer - Version 3.2.5.3 Folder = C:\Users\Kira\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 61.00% Memory free
7.00 Gb Paging File | 5.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 288.04 Gb Total Space | 69.72 Gb Free Space | 24.20% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 5.30 Gb Free Space | 53.00% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KIRA-PC
Current User Name: Kira
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.txt [@ = txtfile] -- C:\Program Files\JGsoft\EditPadLite\EditPadLite.exe (JGsoft - Just Great Software)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{259949AA-818E-49C4-ABFE-26F4AB78487F}" = lport=5353 | protocol=6 | dir=in | name=adobe csi cs4 |
"{479423DA-E1AD-4E65-BE9F-3359D820B8A7}" = lport=13751 | protocol=6 | dir=in | name=bitcomet 13751 tcp |
"{8314F369-8910-4D1D-8F40-771663B18F54}" = lport=13751 | protocol=17 | dir=in | name=bitcomet 13751 udp |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{00905FC6-C24F-4D00-B996-35A171998512}" = protocol=17 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{0A8DF3B3-6307-421D-B581-CFA5DC671740}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\deus ex\system\deusex.exe |
"{1BDBFFEB-00FA-454A-A133-FAEB6DB0F4DE}" = protocol=17 | dir=in | app=c:\windows\system32\pnkbstra.exe |
"{1F21E586-2BDC-45D4-B953-1083EE70581D}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\kiwilerner\garrysmod\hl2.exe |
"{204BBBC2-C8E9-49C8-98B0-2520EF09AB54}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\return to castle wolfenstein\wolfmp.exe |
"{26E67867-FA53-4861-B58F-E6A164392D60}" = protocol=17 | dir=in | app=c:\program files\common files\adobe\cs4servicemanager\cs4servicemanager.exe |
"{295D7D7F-FD64-429B-B6F4-B185384D99D2}" = protocol=6 | dir=in | app=c:\program files\common files\adobe\cs4servicemanager\cs4servicemanager.exe |
"{2C75E3E7-7309-468B-A2CB-7DF79EB2C474}" = protocol=17 | dir=in | app=c:\program files\aol 9.0\waol.exe |
"{35C7E3E0-0388-4373-90CF-BAAC2687C90D}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{3D11FCEA-D805-4445-AE89-4FC4B1D73D23}" = protocol=17 | dir=in | app=c:\program files\common files\aol\topspeed\3.0\aoltpsd3.exe |
"{41C75A58-9D98-4B3C-AEA8-D47B4BFB36B5}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\psychonauts demo\psychonauts.exe |
"{472BE9DA-1573-486F-A947-95364714DB56}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\psychonauts demo\psychonauts.exe |
"{488D561F-2A8D-4F76-867B-1BF158E21719}" = protocol=6 | dir=in | app=c:\windows\system32\pnkbstra.exe |
"{513B896F-3F36-41B8-A1E4-BC91C52F5D2D}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\stalker shadow of chernobyl\bin\xr_3da.exe |
"{5990A8CE-8CD6-45EC-BB4D-64171647D473}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\medal of honor airborne\unrealengine3\binaries\moha.exe |
"{5B94AE31-8D90-42B9-9C68-7A21948E6CFA}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\aaaaaaaaaaaaaaaaaaaaaaaaa!!!\main.exe |
"{5C85DA59-7AA7-4F08-96BB-21B4C99F43AB}" = protocol=17 | dir=in | app=c:\windows\system32\pnkbstrb.exe |
"{6C125F9D-8E83-424A-BC90-DB87C0A6FF66}" = protocol=17 | dir=in | app=c:\program files\steam\steam.exe |
"{73FD904B-817D-4B29-8E62-7957B0B4E178}" = protocol=6 | dir=in | app=c:\windows\system32\pnkbstrb.exe |
"{74319382-70F8-47CC-976E-95EC4F749FD3}" = protocol=17 | dir=in | app=c:\program files\common files\aol\system information\sinf.exe |
"{7B454599-D03C-4908-A7F1-B9D73A25E8F6}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\world of goo\worldofgoo.exe |
"{81612BA2-9332-418E-B05E-8673F159F74B}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\world of goo\worldofgoo.exe |
"{83CFAD39-3167-4E61-A5CF-E638D961EA0F}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\return to castle wolfenstein\wolfsp.exe |
"{8C067E8C-A350-420E-939F-393D50A7B783}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\return to castle wolfenstein\wolfmp.exe |
"{8EA7C1A2-5B5A-48F8-B489-5C1CB55CBB01}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{8FFBE254-FC33-43EA-8AE5-F2FAB4460C77}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{949211BB-75B5-4C7D-8F3D-173DD5283E52}" = protocol=6 | dir=in | app=c:\program files\steam\steam.exe |
"{9A8B65A0-49DC-4202-B982-0B1D8D584E6E}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\medal of honor airborne\unrealengine3\binaries\moha.exe |
"{9C2EBCD7-C819-4C1E-B329-E13F172C9C32}" = protocol=6 | dir=in | app=c:\program files\common files\aol\system information\sinf.exe |
"{9F208D46-8D2D-4B63-8EA7-6CBF44B4FFE9}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\deus ex\system\deusex.exe |
"{A038DB9A-1A32-4468-AE08-859A37E0E14C}" = protocol=6 | dir=in | app=c:\program files\aol 9.0\waol.exe |
"{A109974F-6365-47FA-A8E8-5E606BEDECBA}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\aaaaaaaaaaaaaaaaaaaaaaaaa!!!\main.exe |
"{ACC1D463-9A68-419C-A5A3-F4D086D8024B}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\common\return to castle wolfenstein\wolfsp.exe |
"{B6AE430F-2244-4F21-8469-855C26902D1B}" = protocol=17 | dir=in | app=c:\program files\common files\mcafee\mna\mcnasvc.exe |
"{BF11FE06-B86E-477E-A1A8-9F9C01730446}" = protocol=6 | dir=in | app=c:\program files\smartftp client\smartftp.exe |
"{C1B4B10B-6FF6-4D8C-8E61-2653D7A16C4A}" = protocol=17 | dir=in | app=c:\program files\smartftp client\smartftp.exe |
"{C55E655E-E179-428A-9112-1A5954E36497}" = protocol=6 | dir=in | app=c:\program files\common files\mcafee\mna\mcnasvc.exe |
"{CBCA47B7-FBF5-4BED-8ACF-2FABBEF09010}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{D021B014-E05E-433B-BF66-721FC6B366BC}" = protocol=6 | dir=in | app=c:\program files\steam\steamapps\kiwilerner\garrysmod\hl2.exe |
"{D11E3D94-4701-4BA3-8B5E-9EC5CEFD0FAB}" = protocol=6 | dir=in | app=c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe |
"{DB021D63-BC4F-4440-B00D-FE3BF5917843}" = protocol=6 | dir=in | app=c:\program files\common files\aol\topspeed\3.0\aoltpsd3.exe |
"{ECAC8BAA-59C0-4D9B-979E-DEE813A05175}" = protocol=17 | dir=in | app=c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe |
"{F10C6029-000B-4A71-9EF0-1EC3BEE00891}" = protocol=6 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{F48C2821-6B6D-4D43-8B8C-9FC5F6B5375E}" = protocol=17 | dir=in | app=c:\program files\steam\steamapps\common\stalker shadow of chernobyl\bin\xr_3da.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
"{02DFF6B1-1654-411C-8D7B-FD6052EF016F}" = Apple Software Update
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
"{05156799-4EC3-4885-864E-E190A429B307}" = FaceGen Modeller 3.4 Free
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{08CA9554-B5FE-4313-938F-D4A417B81175}" = QuickTime
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0DE20748-45A5-6CD9-610E-F881A34E7342}" = Catalyst Control Center Localization Arabic
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{0F756CD9-4A1E-409B-B101-601DDC4C03AA}" = Qualxserve Service Agreement
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX700_series" = Canon MX700 series
"{13BA7B44-B712-4DEE-A7B8-1DD564F37AE5}" = Dell System Customization Wizard
"{15C768E2-AB61-4DE3-952F-6B237A834951}" = Adobe Setup
"{15CC10AB-4266-210D-E2D2-03089C25A028}" = CCC Help English
"{1603C7DC-358B-97AF-B451-B2DDAC734117}" = Catalyst Control Center Localization French
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E16F01-2E2D-4248-A42F-76261C147B6C}" = Adobe Drive CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1E99F5D7-4262-4C7C-9135-F066E7485811}" = System Requirements Lab
"{214030BC-490D-57D4-2547-D0D4ECC851A5}" = Catalyst Control Center Localization Japanese
"{2168245A-B5AD-40D8-A641-48E3E070B5B6}" = Adobe Flash CS4 STI-en
"{2274624C-5B38-41AD-AD27-CEC0924EB628}" = Adobe Setup
"{22DE1881-9D24-4981-B5CC-EC7E9F2F4D52}" = Rhapsody Player Engine
"{2357B8BC-88C9-4A72-818C-050CC4EB0778}" = AOL Install
"{24D1FCDD-FE3F-43D4-96D6-EDA0A8F633E7}_is1" = Sothink DHTML Menu 8
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{2B98E4C3-AABC-9594-3219-A6EB60006C2C}" = Catalyst Control Center Graphics Full Existing
"{2C698DB8-0D99-5A27-DA3D-A3414FC5DBA7}" = Catalyst Control Center Graphics Light
"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine
"{2FD82635-1477-46DB-BF7D-A72AAF52E6D6}" = Opera 10.00
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{31DBBB49-CAC2-984A-64CA-A88102056E10}" = CCC Help German
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java™ SE Runtime Environment 6
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
"{3A12C952-61D5-4C3B-B68B-8CFBE47E22F1}" = Adobe Setup
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3A6829EF-0791-4FDD-9382-C690DD0821B9}" = Adobe Flash Player 10 ActiveX
"{3B6E3FC6-274C-4B6C-BC85-5C3B15DE18E2}" = Mega Manager
"{3CD921DC-FE10-404C-99DB-FA57A6FCB32E}_is1" = Ben There Dan That 1.1.3.8
"{3D7E3EC9-46CF-4359-9289-39CE01DFB82F}" = Adobe Photoshop CS3
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{3E1ECEEC-814C-4B53-9E08-9B1F2FA83434}" = Easy MP3 Sound Recorder 2.01
"{3E25E350-949F-4DB7-8288-2A60E018B4C1}" = Games, Music, & Photos Launcher
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = URL Assistant
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{412FECA2-836F-3DF6-A302-924CEC5B4DE2}" = CCC Help Spanish
"{420C7754-7758-49F5-807A-A3F9F2790704}" = OfficeReady 4.0
"{43509E18-076E-40FE-AF38-CA5ED400A5A9}" = Pixel Bender Toolkit
"{44CDBD1B-89FB-4E02-8319-2A4C550F664A}" = RTC Client API v1.2
"{46ACAEB5-365A-74BB-D405-980EA4FE3545}" = CCC Help Japanese
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{4AAB7E8F-1C71-E364-458F-5A6797670157}" = Catalyst Control Center Graphics Full New
"{50DECEE8-63A6-4EE0-8EDD-655A01B16D28}" = OfficeReadyToolBarSetup
"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
"{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}" = User's Guides
"{5E68BB65-4059-4FE5-AAC4-0CD1D79BBDE2}" = EarthLink Setup Files
"{60DB5894-B5A1-4B62-B0F3-669A22C0EE5D}" = Adobe Dynamiclink Support
"{619B8475-0F48-41B7-A370-5147F7092989}" = Virtual Earth 3D (Beta)
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{65E6362A-B878-4A7B-86DA-D16F8DBD75C7}" = ccc-core-static
"{65F1CF63-31E0-450B-96F3-4A88BE7361A6}" = AGEIA PhysX v7.07.09
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{67E158AF-8856-4337-B483-EA21930786AF}" = GameTap
"{67F0E67A-8E93-4C2C-B29D-47C48262738A}" = Adobe Device Central CS4
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6DD45BD7-DB28-E59F-8239-CF6816AE1FA4}" = Skins
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{763E8D6C-0098-4FF4-801A-3F311D2D9D80}" = Apple Mobile Device Support
"{76C73966-AED3-5ACB-B438-B47E9B1FB2E3}" = CCC Help Chinese Standard
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{78225D0F-D12C-09E4-5D6D-A64D763E8982}" = BBC iPlayer Desktop
"{793D1D88-6141-43DE-BE58-59BCE31B4090}" = Adobe Flash CS4 Extension - Flash Lite STI en
"{794F49F0-2A44-EE74-62FE-22FD68953A25}" = ccc-utility
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7CD5F286-FF0A-E638-8143-0E258E3C17E2}" = CCC Help Thai
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3
"{8186FF34-D389-4B7E-9A2F-C197585BCFBD}" = Adobe Media Encoder CS4 Importer
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{892C010C-2C53-4746-9EB8-834E0B85A8C8}" = Mega Manager
"{89CEAE14-DD0F-448E-9554-15781EC9DB24}" = Product Documentation Launcher
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8CC990CD-87C8-475C-AC32-8A7984E2FCFA}" = CDDRV_Installer
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}_WebDesigner_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}_WebDesigner_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}_WebDesigner_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0026-0000-0000-0000000FF1CE}" = Microsoft Expression Web
"{90120000-0026-0000-0000-0000000FF1CE}_WebDesigner_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0026-0000-0000-0000000FF1CE}_WebDesigner_{9037FDA8-8383-4B6F-859D-D49C3C625225}" = Microsoft Expression Web Service Pack 1 (SP1)
"{90120000-0026-0409-0000-0000000FF1CE}" = Microsoft Expression Web MUI (English)
"{90120000-0026-0409-0000-0000000FF1CE}_WebDesigner_{E1044ED2-E4AD-4B39-B500-31109750F6B4}" = Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}_WebDesigner_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}_WebDesigner_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90170409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office FrontPage 2003
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{9060B698-2B29-4A1F-B876-BEAC4C0A25D5}" = KhalSetup
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91F34319-08DE-457a-99C0-0BCDFAC145B9}" = CuteFTP 8 Professional
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
"{974C05A0-C76C-4724-A9A2-11D5D1355729}" = iTunes
"{98698CC8-F4C4-A0A7-F521-8547DDD1BB6B}" = Catalyst Control Center Localization Chinese Standard
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-7AD7-1033-7B44-A70800000002}" = Adobe Reader 7.0.8
"{AF013586-7F78-43D8-AC8C-B8868C70144E}_is1" = Time Gentlemen Please 1.1.3.8
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B2F3DBD9-A9D2-4838-B45D-C917DAB32BC3}" = ScanSoft OmniPage SE 4
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B4572608-DFF7-4E77-A8DD-D814DB87787A}" = CoffeeCup Flash Button Factory
"{B45BC844-43A3-E9F1-C46D-3EEC9A8436A9}" = Write or Die Desktop Edition
"{B651AD20-D522-2D6F-3AC7-A5F625FCB283}" = Catalyst Control Center Core Implementation
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{BC0CB11B-3551-4C88-A20D-DF7B0913F74F}" = Serif DrawPlus SE PRO
"{BCDB856C-D247-4DEE-9132-89C02F4D6B8C}_is1" = Sothink SWF Decompiler
"{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer
"{BEE64C14-BEF1-4610-8A68-A16EAA47B882}" = Futuremark SystemInfo
"{C00949CC-2EA9-4A5E-8062-DFD02F894BAD}" = PCmover
"{C169D3BB-9A27-43F5-9979-09A0D65FE95C}" = SmartFTP Client
"{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}" = Adobe ExtendScript Toolkit 2
"{C3E2D64C-1B8E-D142-A76F-DEAC02AFF4FA}" = CCC Help Polish
"{C5145CD4-4F74-C986-F86B-F57F3995C59B}" = Catalyst Control Center Localization Arabic
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{C7DDA8E7-AD3D-4F51-AC1E-B0FF57002192}" = Microsoft IntelliPoint 6.3
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{C8D524C0-FBD2-C4F0-2446-912EABA681E0}" = CCC Help Portuguese
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CCF7F09E-A1C5-7D81-437D-B2DC347CC52E}" = Catalyst Control Center Localization Spanish
"{CCFF1E13-77A2-4032-8B12-7566982A27DF}" = Internet Service Offers Launcher
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}" = WinZip 11.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEEE47BB-4AB7-9AEB-2212-ECC6D05DDC74}" = Catalyst Control Center Localization Italian
"{D050D7362D214723AD585B541FFB6C11}" = DivX Content Uploader
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{D2D6B9EB-C6DC-4DAA-B4DE-BB7D9735E7DA}" = Presto! PageManager 7.15.16
"{D42AF88F-7669-48DF-8CFF-887EB9D250EF}" = FloorPlan 3D v10
"{D639085F-4B6E-4105-9F37-A0DBB023E2FB}" = Roxio MyDVD DE
"{D71B45B0-70B5-12BA-4ACF-2CEC94FE8A06}" = CCC Help Korean
"{D7A53E41-3F32-4A44-989C-53DDEBB2130C}" = Adobe Extension Manager CS3
"{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}" = Adobe Color Common Settings
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{DEB90B8E-0DCB-48CE-B90E-8842A2BD643E}" = Adobe Media Encoder CS4
"{DF6DA606-904D-4C18-823F-A4CFC3035E53}" = eFax Messenger
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
"{E5FCED12-3E77-4C0E-A305-5AEB38A52A70}" = AdobeColorCommonSetCMYK
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{E7744050-4D6F-1280-5331-2EA048B51E94}" = Catalyst Control Center Localization Arabic
"{ECA80341-4BFB-172D-EC5D-64FD8DD41F5A}" = Catalyst Control Center Localization German
"{ECBEB9C6-CC47-70F7-E939-1E20E3BEEC8F}" = Catalyst Control Center Localization Korean
"{EED50C97-C79E-4149-BD82-7C5A22437708}" = Adobe Setup
"{F01D5ED5-D53A-4468-B428-149DC2CB3110}" = Adobe Dreamweaver CS3
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F3885DDF-E711-4F14-B4C9-5CA3F07A13E9}" = PCsync
"{F4FA8AC4-6B6A-CAA6-8E44-FC64227CC4F7}" = CCC Help Italian
"{F63A3748-B93D-4360-9AD4-B064481A5C7B}" = Modem Diagnostic Tool
"{F6412237-45F7-B34B-0803-4D77E2D39D0C}" = Catalyst Control Center Localization Chinese Traditional
"{F6E99614-F042-4459-82B7-8B38B2601356}" = Adobe Flash CS4
"{F86B6D9F-FA9A-4164-A66A-EAFF7C067272}_is1" = Sothink Flash Video Encoder
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FD01FEBF-376F-F125-09F8-E94B04D21E77}" = CCC Help French
"{FF001690-A829-9DFD-9EF6-DA285783C49C}" = CCC Help Chinese Traditional
"{FF11004C-F42A-4A31-9BCF-7F5C8FDBE53C}" = Adobe Setup
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"Adobe_435a6af7459cb02a9c1138113a26e93" = Adobe Dreamweaver CS3
"Adobe_719d6f144d0c086a0dfa7ff76bb9ac1" = Adobe Photoshop CS3
"Adobe_a68eec966ce913ddaa63251dc82ed31" = Adobe Flash CS4 Professional
"Adobe_cbb2ea61da9c780bd7e47a5230a9ed7" = Adobe Stock Photos CS3
"Amara - Flash Intro and Banner Builder" = Amara - Flash Intro and Banner Builder
"Amara - Flash Menu Builder" = Amara - Flash Menu Builder
"Amara - Flash News Ticker" = Amara - Flash News Ticker
"Amara - Flash Photo Animation Software" = Amara - Flash Photo Animation Software
"Amara - Flash Slide Show Builder" = Amara - Flash Slide Show Builder
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.3
"Amyuni PDF Converter" = Amyuni PDF Converter
"AOL Uninstaller" = AOL Uninstaller (Choose which Products to Remove)
"AsUninst.exe" = Anvil Studio
"Banner Maker Pro for Flash_is1" = Banner Maker Pro for Flash Version 1
"BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1" = BBC iPlayer Desktop
"BitComet" = BitComet 0.94
"Canon MX700 series User Registration" = Canon MX700 series User Registration
"Canon_IJ_Network_Scan_UTILITY" = Canon IJ Network Scan Utility
"Canon_IJ_Network_UTILITY" = Canon IJ Network Tool
"CANONIJPLM100" = PIXMA Extended Survey Program
"CanonMyPrinter" = Canon My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 PCI V.92 Modem
"CoffeeCup Flash FireStarter" = CoffeeCup Flash FireStarter
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"com.drwicked.writeordie.WriteorDieDesktop.6612D25620E961818EB6367A60EAB552BE4CD874.1" = Write or Die Desktop Edition
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"Digital - A Love Story" = Digital - A Love Story 1.1
"DVDFab Platinum 4_is1" = DVDFab Platinum 4.0.3.2
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"EditPad Lite" = JGsoft EditPad Lite 6.2.2
"Entriq MediaSphere_is1" = Entriq MediaSphere 3.5.2.2
"ESET Online Scanner" = ESET Online Scanner v3
"FavOrg" = FavOrg
"ffdshow" = ffdshow (remove only)
"FlashGet" = FlashGet 1.8.4.1001
"FLVPlayer" = FLV Player 1.3.3
"FREE Hi-Q Recorder_is1" = FREE Hi-Q Recorder 1.92
"Half-Life 2 Riot Act" = Half-Life 2 Riot Act 1.0
"Half-Life: Blue Shift" = Half-Life: Blue Shift
"Half-Life: Opposing Force" = Half-Life: Opposing Force
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{C00949CC-2EA9-4A5E-8062-DFD02F894BAD}" = PCmover
"InterActual Player" = InterActual Player
"Internet Download Manager" = Internet Download Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Micrografx Picture Publisher 8" = Micrografx Picture Publisher 8
"Micrografx Webtricity 2" = Micrografx Webtricity 2
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MINERVA: Metastasis" = MINERVA: Metastasis
"Mozilla Firefox (3.5.9)" = Mozilla Firefox (3.5.9)
"MP Navigator EX 1.0" = Canon MP Navigator EX 1.0
"MP3 to SWF Converter" = MP3 to SWF Converter 2.4 build 867
"MSC" = McAfee SecurityCenter
"Need For Speed III" = Need For Speed III
"NVIDIA Drivers" = NVIDIA Drivers
"OpenVPN-AS Client" = OpenVPN-AS Client 1.3.4
"Peggle Nights" = Peggle Nights
"PunkBusterSvc" = PunkBuster Services
"RealPlayer 12.0" = RealPlayer
"SlideshowZilla" = SlideshowZilla 1.50
"SoundTap" = SoundTap Uninstall
"Steam App 15520" = AaaaaAAaaaAAAaaAAAAaAAAAA!!! - A Reckless Disregard for Gravity
"Steam App 215" = Source SDK Base
"Steam App 24840" = Medal of Honor Airborne
"Steam App 380" = Half-Life 2: Episode One
"Steam App 3840" = Psychonauts Demo
"Steam App 400" = Portal
"Steam App 4000" = Garry's Mod
"Steam App 420" = Half-Life 2: Episode Two
"Steam App 440" = Team Fortress 2
"Steam App 4500" = STALKER: Shadow of Chernobyl
"Steam App 6040" = The Dig
"Steam App 6910" = Deus Ex: Game of the Year Edition
"Steam App 70" = Half-Life
"Steam App 9010" = Return to Castle Wolfenstein
"SwiftMP3_is1" = SwiftMP3 1.6 Trial
"SystemRequirementsLab" = System Requirements Lab
"Total Video Converter 3.21_is1" = Total Video Converter 3.21 090220
"URLSnooper 2_is1" = URL Snooper v2.28.01
"Veoh Web Player Beta" = Veoh Web Player
"ViewpointMediaPlayer" = Viewpoint Media Player
"WebDesigner" = Microsoft Expression Web
"WinPcapInst" = WinPcap 4.1.1
"yWriter5_is1" = yWriter5

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Cities XL" = Cities XL
"FileZilla Client" = FileZilla Client 3.0.1
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer
"Steam App 220" = Half-Life 2
"Steam App 340" = Half-Life 2: Lost Coast
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/9/2008 3:13:10 PM | Computer Name = Kira-PC | Source = Application Error | ID = 1000
Description = Faulting application cuteftppro.exe, version 8.0.7.0, time stamp 0x465ef984,
faulting module cuteftppro.exe, version 8.0.7.0, time stamp 0x465ef984, exception
code 0xc0000005, fault offset 0x000d0f50, process id 0x13758, application start
time 0x01c8b208b55a08be.

Error - 5/9/2008 3:21:16 PM | Computer Name = Kira-PC | Source = EventSystem | ID = 4621
Description =

Error - 5/9/2008 11:33:09 PM | Computer Name = Kira-PC | Source = EventSystem | ID = 4621
Description =

Error - 5/9/2008 11:33:17 PM | Computer Name = Kira-PC | Source = Perflib | ID = 1008
Description =

Error - 5/9/2008 11:33:18 PM | Computer Name = Kira-PC | Source = Perflib | ID = 1010
Description =

Error - 5/9/2008 11:33:20 PM | Computer Name = Kira-PC | Source = Perflib | ID = 1008
Description =

Error - 5/10/2008 4:11:09 PM | Computer Name = Kira-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16643, time stamp
0x47bce1b0, faulting module ntdll.dll, version 6.0.6000.16386, time stamp 0x4549bdc9,
exception code 0xc0000374, fault offset 0x000af1c9, process id 0x17d8, application
start time 0x01c8b253565ceea9.

Error - 5/11/2008 12:41:19 AM | Computer Name = Kira-PC | Source = Perflib | ID = 1008
Description =

Error - 5/11/2008 12:41:20 AM | Computer Name = Kira-PC | Source = Perflib | ID = 1010
Description =

Error - 5/11/2008 12:41:20 AM | Computer Name = Kira-PC | Source = Perflib | ID = 1008
Description =

[ OSession Events ]
Error - 8/30/2007 11:23:31 PM | Computer Name = Kira-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 20, Application Name: Microsoft Expression Web, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 21940
seconds with 4920 seconds of active time. This session ended with a crash.

Error - 8/31/2007 12:18:01 AM | Computer Name = Kira-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 20, Application Name: Microsoft Expression Web, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 3263
seconds with 2400 seconds of active time. This session ended with a crash.

Error - 10/18/2007 4:03:09 PM | Computer Name = Kira-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 20, Application Name: Microsoft Expression Web, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 4809
seconds with 3000 seconds of active time. This session ended with a crash.

Error - 1/23/2009 10:13:06 PM | Computer Name = Kira-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6331.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 13761
seconds with 1620 seconds of active time. This session ended with a crash.

Error - 6/15/2009 5:25:08 PM | Computer Name = Kira-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 94968
seconds with 2640 seconds of active time. This session ended with a crash.

Error - 11/27/2009 3:21:11 AM | Computer Name = Kira-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 118294
seconds with 23220 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 6/12/2010 3:23:51 AM | Computer Name = Kira-PC | Source = Service Control Manager | ID = 7032
Description =

Error - 6/12/2010 9:57:00 AM | Computer Name = Kira-PC | Source = Service Control Manager | ID = 7031
Description =

Error - 6/12/2010 9:57:00 AM | Computer Name = Kira-PC | Source = Service Control Manager | ID = 7034
Description =

Error - 6/12/2010 9:57:22 AM | Computer Name = Kira-PC | Source = Service Control Manager | ID = 7034
Description =

Error - 6/12/2010 9:57:23 AM | Computer Name = Kira-PC | Source = Service Control Manager | ID = 7030
Description =

Error - 6/12/2010 9:59:27 AM | Computer Name = Kira-PC | Source = HTTP | ID = 15016
Description =

Error - 6/12/2010 10:01:02 AM | Computer Name = Kira-PC | Source = Service Control Manager | ID = 7034
Description =

Error - 6/12/2010 10:01:08 AM | Computer Name = Kira-PC | Source = Service Control Manager | ID = 7034
Description =

Error - 6/12/2010 10:01:09 AM | Computer Name = Kira-PC | Source = Service Control Manager | ID = 7030
Description =

Error - 6/12/2010 10:23:51 AM | Computer Name = Kira-PC | Source = Service Control Manager | ID = 7030
Description =


< End of report >


================================================

WHEW! I don't envy you scanning all those logs. Thanks for letting me know what the rootkit was! If you spot anything else, do please let me know. I like to learn about these things rather than just cleaning them up without knowing anything about the threat. It helps fight my ignorance!

OH! I nearly forgot a question. I notice that after the ComboFix scan and turning McAfee off and on, I'm now getting a little popup on my Google homepage in IE7 telling me "You are about to view pages over a secure connection" followed swiftly by "You are now leaving a secure connection..." There's a checkbox on the popup telling me I can turn off those notifications. Is this a result of having reset a security option somewhere? Is it okay if I click the checkbox to remove those notices?

Many, many thanks for your assistance so far, Tom. I'll understand if you won't be able to get to this on a Sunday, of course. Hope the above logs look clean!

Edited to Add: This is interesting. My McAfee just popped up a warning about a Trojan -- in the schrauber.exe file, which is the renamed ComboFix.exe file on my desktop. The log says:

QUOTE
One or more items were detected on your computer.
Detection name: Artemis!8A3346E1C340 (Trojan), Artemis!8A3346E1C340 (Trojan)
File: C:\Users\Kira\Desktop\schrauber.exe
Process: C:\Windows\System32\svchost.exe
Process description: Host Process for Windows Services


This is probably a false positive but I thought I'd better mention it, just in case...!

Edited by choie, 13 June 2010 - 12:52 AM.


#8 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:11:28 AM

Posted 14 June 2010 - 02:41 PM

QUOTE
NOTE: I should mention that this rdmhotels.dbx is an old Outlook Express mailbox archived from an old computer. I can delete it if you recommend it -- I doubt I'll ever figure out how to convert it to Windows Mail!


Yes, would be better to delete it.

QUOTE
This is probably a false positive but I thought I'd better mention it, just in case...!


It is. :)




Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.




Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    CODE
    :OTL
    [2010/06/07 01:21:24 | 000,000,000 | ---D | C] -- C:\Users\Kira\AppData\Local\sytnrfekb
    [2010/05/09 19:15:59 | 000,000,000 | ---D | C] -- C:\Users\Kira\AppData\Local\tueeiqgen
    [2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\ProgramData\huyuweje
  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
================================Follow up scan=================================
  • Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open one Notepad window, OTL.Txt. This is saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.




How is it running now?
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware
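The fix above hands OTL three entries in its own log syntax (timestamp | size | attribute flags | M or C for which timestamp is shown, an optional publisher in parentheses, then the path) and OTL moves them to C:\_OTL\MovedFiles. As an added illustration of how a helper reads those lines before deciding what goes into an :OTL block, here is a small Python parser and triage pass. It is example code written for this page, not OTL's code or anything schrauber posted. The three suspicious lines in the sample are the ones quoted in the fix; the OTL.exe line and the "Microsoft" folder line are constructed as benign contrast. The triage rules (a timestamp later than the scan date, a long all-lowercase folder name directly under AppData\Local, a hidden file in ProgramData with no publisher) are heuristics chosen here as assumptions, not rules OTL itself applies.

```python
import re
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample in OTL's entry layout. The first three lines are the entries
# quoted in the fix above; the last two are made up here as benign contrast.
SAMPLE_LOG = """\
[2010/06/07 01:21:24 | 000,000,000 | ---D | C] -- C:\\Users\\Kira\\AppData\\Local\\sytnrfekb
[2010/05/09 19:15:59 | 000,000,000 | ---D | C] -- C:\\Users\\Kira\\AppData\\Local\\tueeiqgen
[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\\ProgramData\\huyuweje
PRC - [2010/06/08 12:44:03 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\\Users\\Kira\\Desktop\\OTL.exe
[2010/05/20 09:00:00 | 000,000,000 | ---D | C] -- C:\\Users\\Kira\\AppData\\Local\\Microsoft
"""

ENTRY_RE = re.compile(
    r"^(?:[A-Z]+ - )?"                                    # optional section tag such as "PRC - "
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "  # timestamp
    r"(?P<size>[\d,]+) \| "                               # size in bytes, comma-grouped
    r"(?P<attrs>[A-Z-]{4}) \| "                           # attribute flags, e.g. ---D, -H--, R---
    r"(?P<stamp>[MC])\]"                                  # M = modified time shown, C = created time shown
    r"(?: \((?P<company>[^)]*)\))?"                       # optional publisher; "()" means none recorded
    r" -- (?P<path>.+?)\s*$"
)

# Heuristic (assumption): a long, all-lowercase leaf name looks machine-generated.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8,}$")


def parse_otl_entries(text):
    """Parse OTL-style entry lines into dicts; lines in any other shape are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        entries.append({
            "raw": raw.strip(),
            "timestamp": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            "size": int(m["size"].replace(",", "")),
            "is_dir": "D" in m["attrs"],
            "hidden": "H" in m["attrs"],
            "company": m["company"],   # None when no "(...)" block, "" when "()"
            "path": m["path"],
        })
    return entries


def suspicious_reasons(entry, scan_date):
    """Return the reasons (possibly none) an entry deserves a second look."""
    reasons = []
    p = PureWindowsPath(entry["path"])
    parts = [part.lower() for part in p.parts]
    if entry["timestamp"] > scan_date:
        reasons.append("timestamp %s is after the scan date"
                       % entry["timestamp"].strftime("%Y/%m/%d %H:%M:%S"))
    if entry["is_dir"] and parts[-3:-1] == ["appdata", "local"] and RANDOM_NAME_RE.match(p.name):
        reasons.append("random-looking folder name directly under AppData\\Local")
    if entry["hidden"] and not entry["is_dir"] and parts[-2:-1] == ["programdata"] and not entry["company"]:
        reasons.append("hidden file under ProgramData with no publisher")
    return reasons


def triage(log_text, scan_date=datetime(2010, 6, 14)):
    """Map each flagged path to its reasons. The default scan date is the one in the log above."""
    result = {}
    for entry in parse_otl_entries(log_text):
        reasons = suspicious_reasons(entry, scan_date)
        if reasons:
            result[entry["path"]] = reasons
    return result


def build_fix_script(log_text, scan_date=datetime(2010, 6, 14)):
    """Assemble an ':OTL' block, in OTL's own syntax, listing only the flagged entries."""
    lines = [":OTL"]
    for entry in parse_otl_entries(log_text):
        if suspicious_reasons(entry, scan_date):
            lines.append(entry["raw"])
    return "\n".join(lines)


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
    print(build_fix_script(SAMPLE_LOG))
```

Running it flags exactly the three entries schrauber listed and reproduces the :OTL block from the post; the 2099 timestamp on the ProgramData file trips two rules at once. A helper would still review each hit by hand before running a fix, since the name heuristic is deliberately loose.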

#9 choie

choie
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:05:28 AM

Posted 14 June 2010 - 03:08 PM



#10 choie

choie
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:05:28 AM

Posted 14 June 2010 - 03:09 PM

^^ Wow, I have no idea why the above message posted blank. I was able to repost the text below, fortunately!

Hi Tom,

The computer's running very well, knock wood -- nothing suspicious (no slow-downs, bad search results, or pop-ups) since running ComboFix.

The only change is that small security notification I mentioned above:

>>>>>OH! I nearly forgot a question. I notice that after the ComboFix scan and turning McAfee off and on, I'm now getting a little popup on my Google homepage in IE7 telling me "You are about to view pages over a secure connection" followed swiftly by "You are now leaving a secure connection..." There's a checkbox on the popup telling me I can turn off those notifications. Is this a result of having reset a security option somewhere? Is it okay if I click the checkbox to remove those notices?<<<<<<

Can I get rid of these notifications or do you recommend I keep them? They're kind of annoying...

Anyway, I ran the Uninstall Programs wizard and the only one of the files you mentioned that showed up was Viewpoint Media, which I deleted. I also removed that rdmhotels.dbx file as you recommended.

Here are the two OTL logs:

====================================
OTL Fix
====================================

========== OTL ==========
C:\Users\Kira\AppData\Local\sytnrfekb folder moved successfully.
C:\Users\Kira\AppData\Local\tueeiqgen folder moved successfully.
C:\ProgramData\huyuweje moved successfully.

OTL by OldTimer - Version 3.2.5.3 log created on 06142010_155116


====================================
OTL Quick Scan
====================================

OTL logfile created on: 6/14/2010 3:53:45 PM - Run 2
OTL by OldTimer - Version 3.2.5.3 Folder = C:\Users\Kira\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 60.00% Memory free
7.00 Gb Paging File | 5.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 288.04 Gb Total Space | 69.47 Gb Free Space | 24.12% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 5.30 Gb Free Space | 53.00% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KIRA-PC
Current User Name: Kira
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/06/08 12:44:03 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Users\Kira\Desktop\OTL.exe
PRC - [2010/05/07 16:15:38 | 000,095,232 | ---- | M] () -- C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
PRC - [2009/12/27 05:55:54 | 001,016,011 | ---- | M] () -- C:\Program Files\OpenVPNTech\bin\instant-xmlserv.exe
PRC - [2009/12/23 15:18:18 | 002,642,168 | ---- | M] (Veoh Networks) -- C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
PRC - [2009/10/29 07:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/09/06 12:20:20 | 000,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/07/10 00:26:20 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/07/08 14:48:48 | 000,026,640 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSK\msksrver.exe
PRC - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/05/21 10:55:32 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PRC - [2009/02/26 15:24:50 | 000,097,680 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
PRC - [2009/01/07 15:47:02 | 000,440,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
PRC - [2008/10/29 02:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/10/07 16:30:26 | 000,656,896 | ---- | M] (j2 Global Communications, Inc.) -- C:\Program Files\eFax Messenger 4.4\J2GTray.exe
PRC - [2008/10/07 16:25:48 | 000,095,744 | ---- | M] (j2 Global Communications, Inc.) -- C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe
PRC - [2008/08/13 18:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2008/01/19 03:38:38 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2008/01/19 03:33:12 | 000,299,520 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\ieuser.exe
PRC - [2007/10/08 04:54:10 | 006,338,872 | ---- | M] (www.BitComet.com) -- C:\Program Files\BitComet\BitComet.exe
PRC - [2007/06/06 11:10:02 | 000,394,856 | R--- | M] (WinZip Computing, S.L.) -- C:\Program Files\WinZip\WZQKPICK.EXE
PRC - [2007/04/13 11:49:00 | 000,101,528 | ---- | M] () -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe
PRC - [2007/04/03 21:50:00 | 001,603,152 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2007/03/19 06:22:00 | 002,440,088 | ---- | M] (JGsoft - Just Great Software) -- C:\Program Files\JGsoft\EditPadLite\EditPadLite.exe
PRC - [2007/02/08 01:16:24 | 000,303,104 | ---- | M] (SigmaTel, Inc.) -- C:\Windows\sttray.exe
PRC - [2007/02/04 12:02:14 | 000,079,400 | ---- | M] (Nuance Communications, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
PRC - [2006/11/12 03:19:46 | 000,446,976 | ---- | M] (Gteko Ltd.) -- C:\Program Files\DellSupport\DSAgnt.exe
PRC - [2006/11/03 19:02:14 | 000,050,688 | ---- | M] (Avanquest Software ) -- C:\Program Files\Digital Line Detect\DLG.exe
PRC - [2006/10/23 08:50:35 | 000,046,640 | R--- | M] (AOL LLC) -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
PRC - [2005/02/16 16:15:20 | 000,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2003/08/27 12:29:46 | 000,065,536 | ---- | M] (America Online, Inc.) -- C:\Windows\wanmpsvc.exe


========== Modules (SafeList) ==========

MOD - [2010/06/08 12:44:03 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Users\Kira\Desktop\OTL.exe
MOD - [2008/05/27 01:17:26 | 000,032,768 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mssprxy.dll
MOD - [2008/01/19 03:38:03 | 000,242,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\rsaenh.dll
MOD - [2008/01/19 03:36:10 | 000,225,792 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\SLC.dll
MOD - [2008/01/19 03:34:00 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cscapi.dll
MOD - [2008/01/19 03:33:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2008/01/19 03:26:34 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll
MOD - [2007/10/01 22:33:22 | 000,156,968 | ---- | M] (SmartSoft Ltd.) -- C:\Program Files\SmartFTP Client\SmartHook.dll
MOD - [2007/09/19 15:00:26 | 000,041,472 | ---- | M] () -- C:\Program Files\FileZilla Client\fzshellext.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (RoxWatch9)
SRV - [2010/05/08 15:14:41 | 000,390,952 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2009/12/27 05:55:54 | 001,016,011 | ---- | M] () [Auto | Running] -- C:\Program Files\OpenVPNTech\bin\instant-xmlserv.exe -- (OpenVPNTechOVPN_Instantiator)
SRV - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/10/20 14:19:48 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
SRV - [2009/09/16 11:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 10:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 09:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) [Disabled | Stopped] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/10 00:26:20 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/07/08 14:48:48 | 000,026,640 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service)
SRV - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 19:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\program files\common files\mcafee\mna\mcnasvc.exe -- (McNASvc)
SRV - [2009/06/08 14:36:16 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/08/13 18:32:40 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)
SRV - [2008/01/19 03:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/04/13 11:49:00 | 000,101,528 | ---- | M] () [Auto | Running] -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe -- (IJPLMSVC)
SRV - [2007/03/15 08:50:08 | 000,046,648 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Laplink\PCmover\cppwdsvc.exe -- (CpPwdSvc)
SRV - [2006/11/07 14:27:02 | 000,070,656 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2006/10/23 08:50:35 | 000,046,640 | R--- | M] (AOL LLC) [Auto | Running] -- C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe -- (AOL ACS)
SRV - [2003/08/27 12:29:46 | 000,065,536 | ---- | M] (America Online, Inc.) [Auto | Running] -- C:\Windows\wanmpsvc.exe -- (WANMiniportService) WAN Miniport (ATW)


========== Driver Services (SafeList) ==========

DRV - [2009/11/19 12:47:28 | 000,025,984 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tapoas.sys -- (tapoas)
DRV - [2009/10/20 14:19:44 | 000,050,704 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\npf.sys -- (NPF)
DRV - [2009/09/16 10:22:48 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 10:22:48 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 10:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 10:22:48 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 10:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/16 12:32:26 | 000,130,424 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\Mpfp.sys -- (MPFP)
DRV - [2008/12/19 20:08:28 | 000,030,088 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\point32k.sys -- (Point32)
DRV - [2008/09/02 15:29:46 | 000,024,576 | ---- | M] (Exent Technologies Ltd.) [Kernel | Auto | Running] -- C:\Program Files\GameTap\bin\Release\X4HSX32.sys -- (X4HSX32)
DRV - [2008/08/14 07:57:42 | 000,074,720 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\adfs.sys -- (adfs)
DRV - [2008/01/19 01:56:08 | 000,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usb8023.sys -- (USB_RNDIS_XP)
DRV - [2008/01/19 01:53:22 | 000,031,616 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (winusb)
DRV - [2007/08/02 12:31:30 | 000,021,120 | ---- | M] (NCH Swift Sound) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nchssvad.sys -- (NCHSSVAD)
DRV - [2007/06/07 18:02:13 | 000,020,152 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2007/06/07 18:02:13 | 000,019,128 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2007/06/07 18:02:13 | 000,017,592 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2007/05/01 08:26:26 | 000,131,368 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvrd32.sys -- (nvrd32)
DRV - [2007/05/01 08:26:26 | 000,102,696 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor32.sys -- (nvstor32)
DRV - [2007/04/04 08:54:32 | 002,313,216 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2007/03/15 08:50:18 | 000,016,440 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\Laplink\PCmover\PortAcc.sys -- (PortAcc)
DRV - [2007/03/05 04:07:46 | 000,045,568 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2007/02/08 01:16:26 | 000,647,680 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2007/01/11 20:15:16 | 000,032,528 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2007/01/11 20:15:06 | 000,032,272 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2007/01/06 01:59:42 | 000,035,920 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2006/11/02 05:51:45 | 000,900,712 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2006/11/02 05:51:38 | 000,420,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006/11/02 05:51:34 | 000,316,520 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2006/11/02 05:51:32 | 000,297,576 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2006/11/02 05:51:25 | 000,235,112 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2006/11/02 05:51:25 | 000,232,040 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2006/11/02 05:51:00 | 000,147,048 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2006/11/02 05:50:45 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006/11/02 05:50:41 | 000,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006/11/02 05:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 05:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 05:50:35 | 000,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 05:50:24 | 000,088,680 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2006/11/02 05:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 05:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 05:50:16 | 000,071,784 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006/11/02 05:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 05:50:10 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2006/11/02 05:50:10 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006/11/02 05:50:10 | 000,038,504 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006/11/02 05:50:10 | 000,037,480 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2006/11/02 05:50:09 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2006/11/02 05:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 05:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 05:50:05 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006/11/02 05:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 05:50:04 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006/11/02 05:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 05:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 05:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 05:49:53 | 000,028,776 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2006/11/02 04:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 04:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 04:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 04:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 04:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 04:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 03:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 03:30:55 | 000,200,704 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel®
DRV - [2006/11/02 03:30:54 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2006/11/01 16:18:15 | 000,033,588 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - [2006/10/18 14:09:26 | 000,986,624 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2006/10/18 14:08:18 | 000,258,048 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWBS2.sys -- (HSXHWBS2)
DRV - [2006/10/18 14:08:04 | 000,659,968 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2006/10/05 17:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Running] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006/08/17 16:43:52 | 000,007,424 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\Program Files\DellSupport\Drivers\dsunidrv.sys -- (dsunidrv)
DRV - [2006/08/04 20:39:10 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig?hl=en&source=iglk
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1
FF - prefs.js..extensions.enabledItems: 6
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..extensions.enabledItems: 44
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7
FF - prefs.js..extensions.enabledItems: firebug@software.joehewitt.com:1.05
FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.2.1.10
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100211.5
FF - prefs.js..extensions.enabledItems: {3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}:0.8.6.1
FF - prefs.js..extensions.enabledItems: mozilla_cc@internetdownloadmanager.com:6.3
FF - prefs.js..extensions.enabledItems: beta@linkdiagnosis.com:2.2.41
FF - prefs.js..extensions.enabledItems: {8f8fe09b-0bd3-4470-bc1b-8cad42b8203a}:0.16
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.07103010
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.5.1
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..extensions.enabledItems: {46551EC9-40F0-4e47-8E18-8E5CF550CFB8}:1.0.8
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/30 18:53:13 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/14 15:49:26 | 000,000,000 | ---D | M]

[2008/07/16 16:11:13 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Mozilla\Extensions
[2010/06/14 01:58:44 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions
[2010/02/23 00:07:31 | 000,000,000 | ---D | M] (FlashGot) -- C:\Users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2009/09/03 02:36:56 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/02/23 00:08:06 | 000,000,000 | ---D | M] (Html Validator) -- C:\Users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}
[2010/02/23 00:07:45 | 000,000,000 | ---D | M] (Stylish) -- C:\Users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}
[2009/06/07 16:04:21 | 000,000,000 | ---D | M] (IE Tab) -- C:\Users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}
[2010/03/29 16:02:18 | 000,000,000 | ---D | M] (Live HTTP Headers) -- C:\Users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions\{8f8fe09b-0bd3-4470-bc1b-8cad42b8203a}
[2010/02/23 00:07:32 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2009/09/14 11:28:23 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/02/23 00:07:38 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2010/06/10 18:31:48 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions\beta@linkdiagnosis.com
[2008/06/08 11:16:48 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions\firebug@software.joehewitt.com
[2008/08/27 18:07:05 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions\moveplayer@movenetworks.com
[2010/02/23 00:07:31 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions\personas@christopher.beard
[2007/10/03 16:32:32 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Mozilla\Firefox\Profiles\fsawh5d0.default\extensions\videodowloader@videodownloader.net
[2008/07/16 16:08:20 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/06/18 02:43:04 | 000,086,016 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2007/08/15 20:15:12 | 000,069,632 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npitunes.dll
[2004/02/20 16:14:09 | 000,176,177 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: ([2010/06/12 10:23:47 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (IDMIEHlprObj Class) - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll (Tonec Inc.)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (FGCatchUrl) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll (www.flashget.com)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (BitComet Helper) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll (BitComet)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (IeMonitorBho Class) - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll (Megaupload Limited)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (FlashGet GetFlash Class) - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll (www.flashget.com)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech Inc.)
O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE (Logitech Inc.)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [OpwareSE4] C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Windows\sttray.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [BitComet] C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O4 - HKCU..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
O4 - HKCU..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKCU..\Run: [eFax 4.4] C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe (j2 Global Communications, Inc.)
O4 - HKCU..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O4 - HKCU..\Run: [VeohPlugin] C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe (Veoh Networks)
O4 - Startup: C:\Users\Kira\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe ()
O4 - Startup: C:\Users\Kira\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eFax 4.4.lnk = C:\Program Files\eFax Messenger 4.4\J2GTray.exe (j2 Global Communications, Inc.)
O4 - Startup: C:\Users\Kira\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &D&ownload &with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all video with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\JC_ALL.HTM ()
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\JC_LINK.HTM ()
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm ()
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm ()
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm ()
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll (BitComet)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe (FlashGet.com)
O9 - Extra 'Tools' menuitem : FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe (FlashGet.com)
O9 - Extra Button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm ()
O9 - Extra 'Tools' menuitem : Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O15 - HKCU\..Trusted Domains: aspworld.com ([bookbyyou] http in Trusted sites)
O16 - DPF: {38CE661B-0F4A-4120-9CA7-90015C5C3241} https://shopping.discovery.com/MediaManager...DS_1_0_0_12.cab (Reg Error: Key error.)
O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} http://srtest-cdn.systemrequirementslab.co...eqlabdetect.cab (Reg Error: Key error.)
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} http://support.dell.com/systemprofiler/SysProExe.CAB (WMI Class)
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} http://www.systemrequirementslab.com/sysreqlab2.cab (System Requirements Lab Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} https://shopping.discovery.com/MediaManager..._2_2_Silent.cab (MediaControl Class)
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} http://service.futuremark.com/gom/receiver/tc/FMSI.cab (Futuremark SystemInfo)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Kira\Pictures\CrystalCove11_0031.jpg
O24 - Desktop BackupWallPaper: C:\Users\Kira\Pictures\CrystalCove11_0031.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/06/14 15:51:16 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/06/12 13:42:43 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/06/12 10:28:53 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/06/12 10:28:49 | 000,000,000 | ---D | C] -- C:\Users\Kira\AppData\Local\temp
[2010/06/12 09:52:37 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/06/12 09:52:37 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/06/12 09:52:37 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/06/12 09:52:22 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/06/12 09:52:20 | 000,000,000 | ---D | C] -- C:\schrauber
[2010/06/12 09:51:36 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/06/12 09:51:16 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/06/10 20:20:40 | 000,000,000 | ---D | C] -- C:\Users\Kira\Documents\DonationCoder
[2010/06/10 20:20:40 | 000,000,000 | ---D | C] -- C:\Users\Kira\AppData\Roaming\DonationCoder
[2010/06/10 20:19:25 | 000,000,000 | ---D | C] -- C:\Program Files\WinPcap
[2010/06/10 20:19:07 | 000,000,000 | ---D | C] -- C:\Program Files\URLSnooper2
[2010/06/10 20:19:07 | 000,000,000 | ---D | C] -- C:\ProgramData\DonationCoder
[2010/06/08 12:43:59 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Users\Kira\Desktop\OTL.exe
[2010/06/07 15:35:22 | 000,000,000 | ---D | C] -- C:\Users\Kira\AppData\Roaming\Malwarebytes
[2010/06/07 15:35:05 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/06/07 15:35:04 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/06/07 15:35:04 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/06/07 15:35:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/06/07 15:33:54 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Kira\Desktop\mbam-setup-1.46.exe
[2010/05/19 13:34:49 | 000,002,560 | ---- | C] (BitComet) -- C:\Windows\System32\bitcometres.dll
[2010/05/16 18:52:39 | 000,000,000 | ---D | C] -- C:\Users\Kira\AppData\Roaming\OpenVPNTech
[2010/05/16 18:52:38 | 000,000,000 | ---D | C] -- C:\Program Files\OpenVPNTech
[2010/05/07 16:15:43 | 000,000,000 | ---D | C] -- C:\Program Files\BBC iPlayer Desktop
[2010/04/13 21:20:22 | 000,000,000 | ---D | C] -- C:\Users\Kira\Documents\2010_04news
[2010/03/23 05:05:24 | 000,000,000 | ---D | C] -- C:\ProgramData\WindowsSearch
[2007/07/19 15:01:15 | 000,040,960 | ---- | C] ( ) -- C:\Windows\Interop.OR4PhotoComponent.dll
[2007/07/19 15:00:24 | 000,040,960 | ---- | C] ( ) -- C:\Windows\System32\MACTrackBarLib.dll
[2005/09/30 04:07:54 | 000,018,944 | ---- | C] ( ) -- C:\Windows\System32\IMPLODE.DLL
[3 C:\Users\Kira\Documents\*.tmp files -> C:\Users\Kira\Documents\*.tmp -> ]
[28 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[17 C:\Windows\System32\dllcache\*.tmp files -> C:\Windows\System32\dllcache\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/06/14 15:53:36 | 011,534,336 | -HS- | M] () -- C:\Users\Kira\NTUSER.DAT
[2010/06/14 15:43:13 | 000,000,416 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{7FE2BE88-986B-4043-B805-929437EE3464}.job
[2010/06/14 15:20:04 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/06/14 15:20:04 | 000,003,568 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/06/14 07:27:27 | 000,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/06/14 07:27:27 | 000,595,446 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/06/14 07:27:27 | 000,101,144 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/06/14 07:20:14 | 000,065,536 | ---- | M] () -- C:\Windows\System32\Ikeext.etl
[2010/06/14 07:20:04 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/06/14 07:19:57 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/06/14 07:19:31 | 3488,079,872 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/14 07:18:45 | 000,524,288 | -HS- | M] () -- C:\Users\Kira\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2010/06/14 07:18:45 | 000,065,536 | -HS- | M] () -- C:\Users\Kira\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010/06/14 07:18:43 | 006,291,456 | -H-- | M] () -- C:\Users\Kira\AppData\Local\IconCache.db
[2010/06/14 07:18:32 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2010/06/14 07:18:31 | 000,030,585 | ---- | M] () -- C:\Windows\System32\Config.MPF
[2010/06/13 03:34:02 | 002,005,056 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/06/12 10:23:55 | 000,000,236 | ---- | M] () -- C:\Windows\system.ini
[2010/06/12 10:23:47 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/06/11 16:19:22 | 000,005,886 | ---- | M] () -- C:\Users\Kira\Desktop\Attach.zip
[2010/06/11 16:00:55 | 194,633,740 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/06/10 21:32:25 | 001,631,188 | ---- | M] () -- C:\Users\Kira\Desktop\malloy (8).flv
[2010/06/10 21:16:40 | 178,550,645 | ---- | M] () -- C:\Users\Kira\Desktop\malloy.flv
[2010/06/10 20:20:40 | 000,000,046 | ---- | M] () -- C:\Windows\System32\DonationCoder_urlsnooper_InstallInfo.dat
[2010/06/10 20:19:28 | 000,000,073 | ---- | M] () -- C:\Windows\System32\-1
[2010/06/10 20:19:08 | 000,000,779 | ---- | M] () -- C:\Users\Kira\Desktop\URLSnooper 2.lnk
[2010/06/10 20:18:36 | 003,481,600 | ---- | M] () -- C:\Users\Kira\Desktop\URLSnooperSetup.exe
[2010/06/08 12:44:03 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Users\Kira\Desktop\OTL.exe
[2010/06/07 21:28:12 | 000,000,900 | ---- | M] () -- C:\Users\Kira\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BBC iPlayer Desktop.lnk
[2010/06/07 21:09:32 | 000,525,824 | ---- | M] () -- C:\Users\Kira\Desktop\dds.scr
[2010/06/07 21:07:45 | 000,000,000 | ---- | M] () -- C:\Users\Kira\defogger_reenable
[2010/06/07 21:07:14 | 000,050,477 | ---- | M] () -- C:\Users\Kira\Desktop\Defogger.exe
[2010/06/07 20:54:03 | 000,000,258 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2010/06/07 15:35:08 | 000,000,820 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/07 15:34:33 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Kira\Desktop\mbam-setup-1.46.exe
[2010/06/01 01:00:00 | 000,000,368 | ---- | M] () -- C:\Windows\tasks\McQcTask.job
[2010/05/27 03:20:03 | 000,000,788 | ---- | M] () -- C:\Users\Public\Desktop\Steam.lnk
[2010/05/19 14:08:40 | 000,049,847 | ---- | M] () -- C:\Users\Kira\Desktop\SKP.docx
[2010/05/19 13:34:50 | 000,002,560 | ---- | M] (BitComet) -- C:\Windows\System32\bitcometres.dll
[2010/05/16 19:02:16 | 003,291,264 | ---- | M] () -- C:\Users\Kira\Documents\OpenVPN_InstallerDE.exe
[2010/05/16 19:00:40 | 000,005,861 | ---- | M] () -- C:\Users\Kira\Documents\clientDE.ovpn
[2010/05/16 18:55:22 | 000,000,923 | ---- | M] () -- C:\Users\Public\Desktop\OpenVPN-AS.lnk
[2010/05/16 18:43:16 | 000,005,861 | ---- | M] () -- C:\Users\Kira\Documents\client.ovpn
[2010/05/16 18:36:13 | 003,291,264 | ---- | M] () -- C:\Users\Kira\Documents\OpenVPN_InstallerGosport.exe
[2010/05/16 18:09:50 | 003,291,264 | ---- | M] () -- C:\Users\Kira\Documents\OpenVPN_Installer.exe
[2010/05/15 01:00:00 | 000,000,366 | ---- | M] () -- C:\Windows\tasks\McDefragTask.job
[2010/05/07 16:15:43 | 000,000,864 | ---- | M] () -- C:\Users\Public\Desktop\BBC iPlayer Desktop.lnk
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\Windows\PEV.exe
[2010/03/29 11:39:37 | 000,035,328 | ---- | M] () -- C:\Users\Kira\Documents\FilipinoSecretsAmericanDreams.wps
[2010/03/29 00:09:56 | 000,050,176 | ---- | M] () -- C:\Users\Kira\Documents\Filipino Secrets, American Dreams.doc
[2010/03/28 22:56:32 | 000,039,936 | ---- | M] () -- C:\Users\Kira\Documents\Filipino Secrets, American Dreams.wps
[2010/03/26 20:03:50 | 000,005,083 | ---- | M] () -- C:\Users\Kira\Desktop\404.asp
[2010/03/26 19:30:44 | 000,019,177 | ---- | M] () -- C:\Users\Kira\Desktop\bbyhead2-TR.gif
[2010/03/26 19:30:43 | 000,005,091 | ---- | M] () -- C:\Users\Kira\Desktop\homepage_basic.css
[2010/03/26 19:30:43 | 000,000,478 | ---- | M] () -- C:\Users\Kira\Desktop\homepage_general.css
[2010/03/19 15:18:11 | 000,004,224 | ---- | M] () -- C:\Windows\cdplayer.ini
[3 C:\Users\Kira\Documents\*.tmp files -> C:\Users\Kira\Documents\*.tmp -> ]
[28 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[17 C:\Windows\System32\dllcache\*.tmp files -> C:\Windows\System32\dllcache\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/12 09:52:37 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010/06/12 09:52:37 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/06/12 09:52:37 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/06/12 09:52:37 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/06/12 09:52:37 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/06/11 16:19:22 | 000,005,886 | ---- | C] () -- C:\Users\Kira\Desktop\Attach.zip
[2010/06/11 15:56:46 | 3488,079,872 | -HS- | C] () -- C:\hiberfil.sys
[2010/06/10 21:32:22 | 001,631,188 | ---- | C] () -- C:\Users\Kira\Desktop\malloy (8).flv
[2010/06/10 20:23:15 | 178,550,645 | ---- | C] () -- C:\Users\Kira\Desktop\malloy.flv
[2010/06/10 20:20:40 | 000,000,046 | ---- | C] () -- C:\Windows\System32\DonationCoder_urlsnooper_InstallInfo.dat
[2010/06/10 20:19:27 | 000,000,073 | ---- | C] () -- C:\Windows\System32\-1
[2010/06/10 20:19:08 | 000,000,779 | ---- | C] () -- C:\Users\Kira\Desktop\URLSnooper 2.lnk
[2010/06/10 20:16:58 | 003,481,600 | ---- | C] () -- C:\Users\Kira\Desktop\URLSnooperSetup.exe
[2010/06/07 21:09:29 | 000,525,824 | ---- | C] () -- C:\Users\Kira\Desktop\dds.scr
[2010/06/07 21:07:45 | 000,000,000 | ---- | C] () -- C:\Users\Kira\defogger_reenable
[2010/06/07 21:07:31 | 000,050,477 | ---- | C] () -- C:\Users\Kira\Desktop\Defogger.exe
[2010/06/07 15:35:08 | 000,000,820 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/19 14:08:40 | 000,049,847 | ---- | C] () -- C:\Users\Kira\Desktop\SKP.docx
[2010/05/16 19:01:27 | 003,291,264 | ---- | C] () -- C:\Users\Kira\Documents\OpenVPN_InstallerDE.exe
[2010/05/16 19:00:40 | 000,005,861 | ---- | C] () -- C:\Users\Kira\Documents\clientDE.ovpn
[2010/05/16 18:55:22 | 000,000,923 | ---- | C] () -- C:\Users\Public\Desktop\OpenVPN-AS.lnk
[2010/05/16 18:43:16 | 000,005,861 | ---- | C] () -- C:\Users\Kira\Documents\client.ovpn
[2010/05/16 18:35:59 | 003,291,264 | ---- | C] () -- C:\Users\Kira\Documents\OpenVPN_InstallerGosport.exe
[2010/05/16 18:28:14 | 000,065,536 | ---- | C] () -- C:\Windows\System32\Ikeext.etl
[2010/05/16 18:08:55 | 003,291,264 | ---- | C] () -- C:\Users\Kira\Documents\OpenVPN_Installer.exe
[2010/03/29 00:10:34 | 000,035,328 | ---- | C] () -- C:\Users\Kira\Documents\FilipinoSecretsAmericanDreams.wps
[2010/03/28 22:57:16 | 000,050,176 | ---- | C] () -- C:\Users\Kira\Documents\Filipino Secrets, American Dreams.doc
[2010/03/28 22:56:31 | 000,039,936 | ---- | C] () -- C:\Users\Kira\Documents\Filipino Secrets, American Dreams.wps
[2010/03/26 19:47:42 | 000,019,177 | ---- | C] () -- C:\Users\Kira\Desktop\bbyhead2-TR.gif
[2010/03/26 19:47:42 | 000,005,091 | ---- | C] () -- C:\Users\Kira\Desktop\homepage_basic.css
[2010/03/26 19:47:42 | 000,000,478 | ---- | C] () -- C:\Users\Kira\Desktop\homepage_general.css
[2010/03/26 19:47:33 | 000,005,083 | ---- | C] () -- C:\Users\Kira\Desktop\404.asp
[2010/02/27 21:31:18 | 000,000,000 | ---- | C] () -- C:\Windows\iPlayer.INI
[2009/12/26 18:45:56 | 000,139,152 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2009/10/20 14:19:30 | 000,053,299 | ---- | C] () -- C:\Windows\System32\pthreadVC.dll
[2008/06/30 19:41:13 | 000,011,776 | ---- | C] () -- C:\Windows\System32\pmsbfn32.dll
[2008/06/30 19:39:30 | 000,000,412 | ---- | C] () -- C:\Windows\MAXLINK.INI
[2007/09/01 23:05:15 | 000,029,696 | ---- | C] () -- C:\Windows\System32\asutl8.dll
[2007/09/01 22:56:00 | 000,056,832 | ---- | C] () -- C:\Windows\System32\IKxfrnew32.dll
[2007/07/29 23:55:21 | 000,000,010 | ---- | C] () -- C:\Windows\winfile.ini
[2007/07/19 15:01:15 | 000,032,768 | ---- | C] () -- C:\Windows\AxInterop.OR4PhotoComponent.dll
[2007/07/19 15:00:21 | 002,592,768 | ---- | C] () -- C:\Windows\System32\InvestintechConversionDLL.dll
[2007/06/19 09:59:36 | 000,070,400 | ---- | C] () -- C:\Windows\System32\PhysXLoader.dll
[2007/06/07 18:03:42 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2007/04/22 20:15:29 | 003,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2007/04/22 20:01:47 | 000,012,288 | ---- | C] () -- C:\Windows\System32\DivXWMPExtType.dll
[2007/04/20 08:57:30 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2007/04/20 08:57:28 | 000,053,248 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2006/11/13 18:34:36 | 000,065,536 | ---- | C] () -- C:\Windows\System32\YCRWin32.dll
[2006/11/07 15:25:58 | 000,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
[2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/10/09 23:17:56 | 000,217,088 | ---- | C] () -- C:\Windows\System32\libmySQL.dll
[2006/10/09 23:17:56 | 000,102,400 | ---- | C] () -- C:\Windows\System32\TrackerNET.dll
[2006/10/09 22:24:37 | 000,000,460 | ---- | C] () -- C:\Windows\SIERRA.INI
[2006/10/05 17:45:50 | 000,021,840 | ---- | C] () -- C:\Windows\System32\SIntfNT.dll
[2006/10/05 17:45:50 | 000,017,212 | ---- | C] () -- C:\Windows\System32\SIntf32.dll
[2006/10/05 17:45:49 | 000,012,067 | ---- | C] () -- C:\Windows\System32\SIntf16.dll
[2006/09/17 00:36:50 | 000,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2006/09/17 00:36:50 | 000,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
[2006/06/17 15:56:25 | 000,049,152 | ---- | C] () -- C:\Windows\System32\Funckey.dll
[2006/06/17 15:56:25 | 000,003,306 | ---- | C] () -- C:\Windows\aiptbl.ini
[2006/05/06 23:18:57 | 000,000,882 | ---- | C] () -- C:\Windows\DC.ini
[2006/02/22 01:43:43 | 000,000,045 | ---- | C] () -- C:\Windows\System32\RPVersion.ini
[2006/02/17 20:47:17 | 000,000,190 | ---- | C] () -- C:\Windows\QTW.INI
[2006/02/10 01:56:48 | 000,000,044 | ---- | C] () -- C:\Windows\liveup.ini
[2005/12/29 08:10:14 | 000,139,264 | ---- | C] () -- C:\Windows\System32\VSCWR12.dll
[2005/12/12 22:30:51 | 000,000,000 | ---- | C] () -- C:\Windows\System32\UNWISE.INI
[2005/11/23 04:53:32 | 000,000,034 | ---- | C] () -- C:\Windows\Tiny_Run.ini
[2005/11/21 06:12:35 | 000,000,004 | -H-- | C] () -- C:\Windows\uccspecb.sys
[2005/10/28 03:49:54 | 000,014,848 | ---- | C] () -- C:\Windows\System32\BASSMOD.dll
[2005/10/24 21:30:26 | 000,040,448 | ---- | C] () -- C:\Windows\System32\regobj.dll
[2005/09/30 04:09:34 | 000,000,084 | ---- | C] () -- C:\Windows\3dhi.INI
[2005/09/30 04:08:33 | 000,023,552 | ---- | C] () -- C:\Windows\System32\Odbcstf.dll
[2005/09/12 15:29:53 | 000,102,466 | ---- | C] () -- C:\Windows\System32\dzwrapper.dll
[2005/09/12 15:27:21 | 004,182,067 | ---- | C] () -- C:\Windows\System32\dzcore.dll
[2005/08/29 22:47:49 | 000,000,044 | ---- | C] () -- C:\Windows\pp80.INI
[2005/08/27 17:57:07 | 000,373,248 | ---- | C] () -- C:\Windows\EyeCand3.INI
[2005/08/06 14:03:07 | 000,004,224 | ---- | C] () -- C:\Windows\cdplayer.ini
[2005/07/29 10:58:09 | 001,056,768 | ---- | C] () -- C:\Windows\System32\daz-qsa.dll
[2005/07/29 10:58:07 | 003,588,096 | ---- | C] () -- C:\Windows\System32\daz-qt-mt.dll
[2005/06/30 04:59:11 | 000,000,141 | ---- | C] () -- C:\Windows\asym.ini
[2005/06/15 18:37:20 | 000,000,000 | ---- | C] () -- C:\Windows\PROTOCOL.INI
[2005/05/18 15:02:57 | 001,513,984 | ---- | C] () -- C:\Windows\System32\MgxRdr80.dll
[2005/05/18 15:02:57 | 000,210,944 | ---- | C] () -- C:\Windows\System32\MSVCRT10.DLL
[2005/05/18 15:02:01 | 000,338,944 | ---- | C] () -- C:\Windows\System32\LFFPX7.DLL
[2005/05/18 15:02:01 | 000,118,784 | ---- | C] () -- C:\Windows\System32\LFKODAK.DLL
[2005/05/18 15:01:48 | 000,064,000 | ---- | C] () -- C:\Windows\System32\Ppiv30.dll
[2005/05/18 15:01:47 | 000,001,077 | ---- | C] () -- C:\Windows\Mgxclean.sys
[2005/02/10 20:06:57 | 000,000,061 | ---- | C] () -- C:\Windows\smscfg.ini
[2005/02/10 20:00:32 | 000,000,864 | ---- | C] () -- C:\Windows\wininit.ini
[2005/02/10 19:53:41 | 000,000,482 | ---- | C] () -- C:\Windows\ODBC.INI
[2005/02/10 19:52:17 | 000,000,231 | ---- | C] () -- C:\Windows\AC3API.INI
[2005/02/10 19:52:07 | 000,003,278 | ---- | C] () -- C:\Windows\System32\LudaP17.ini
[2005/02/10 19:52:06 | 000,000,029 | ---- | C] () -- C:\Windows\System32\ctzapxx.ini
[2005/02/10 19:52:01 | 000,000,072 | ---- | C] () -- C:\Windows\SBWIN.INI
[2004/08/11 19:25:56 | 000,000,844 | ---- | C] () -- C:\Windows\ORUN32.INI
[2004/01/12 23:53:52 | 000,172,032 | ---- | C] () -- C:\Windows\System32\lame_enc.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\Windows\System32\OUTLPERF.INI
[2002/12/18 16:10:36 | 000,006,048 | ---- | C] () -- C:\Windows\System32\MCC16.DLL
[1996/04/03 15:33:26 | 000,005,248 | ---- | C] () -- C:\Windows\System32\giveio.sys
[1980/01/01 02:00:00 | 000,060,928 | ---- | C] () -- C:\Windows\System32\P17.dll
[1980/01/01 02:00:00 | 000,053,248 | ---- | C] () -- C:\Windows\System32\P17CPI.dll

========== LOP Check ==========

[2008/07/03 20:25:41 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Amazon
[2007/09/02 01:26:11 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Anvil Studio
[2009/08/29 13:07:48 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
[2007/09/15 17:29:14 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Bioshock
[2008/08/05 22:42:03 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Canon
[2009/10/24 00:51:40 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\com.drwicked.writeordie.WriteorDieDesktop.6612D25620E961818EB6367A60EAB552BE4CD874.1
[2010/06/10 18:55:27 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\DMCache
[2010/06/10 20:20:40 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\DonationCoder
[2009/09/03 16:24:38 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\eFax Messenger
[2009/02/26 21:39:59 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\FileZilla
[2007/06/17 16:51:48 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\FlashGet
[2007/06/17 21:29:31 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\GlobalSCAPE
[2009/09/14 11:31:05 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\IDM
[2009/09/03 16:16:25 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\j2 Global
[2007/06/17 17:11:08 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\JGsoft
[2007/06/16 14:45:45 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Laplink
[2009/07/20 19:44:42 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\LucasArts
[2007/06/21 19:15:28 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Megaupload
[2007/08/02 12:31:18 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\NCH Swift Sound
[2010/05/16 18:55:47 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\OpenVPNTech
[2009/08/21 23:23:36 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Opera
[2010/03/07 14:23:40 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\RenPy
[2008/06/30 19:39:15 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\ScanSoft
[2009/09/21 15:36:52 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Serif
[2009/03/17 16:29:24 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Spacejock Software
[2007/06/14 13:43:56 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Spearit
[2007/08/08 02:03:35 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\ToolbarToggle
[2008/01/04 18:52:31 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\uTorrent
[2009/05/17 19:30:33 | 000,000,000 | ---D | M] -- C:\Users\Kira\AppData\Roaming\Vso
[2010/05/15 01:00:00 | 000,000,366 | ---- | M] () -- C:\Windows\Tasks\McDefragTask.job
[2010/06/01 01:00:00 | 000,000,368 | ---- | M] () -- C:\Windows\Tasks\McQcTask.job
[2010/06/14 07:18:34 | 000,032,546 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/06/14 15:43:13 | 000,000,416 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{7FE2BE88-986B-4043-B805-929437EE3464}.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 648 bytes -> C:\Users\Kira\Documents\appt_ w_wasserstein.eml:OECustomProperty
@Alternate Data Stream - 596 bytes -> C:\Users\Kira\Documents\tris.eml:OECustomProperty
@Alternate Data Stream - 542 bytes -> C:\Users\Kira\Documents\Out of office.eml:OECustomProperty
@Alternate Data Stream - 470 bytes -> C:\Users\Kira\Documents\peterpan.eml:OECustomProperty
@Alternate Data Stream - 143 bytes -> C:\Users\Kira\Documents\verizon.eml:OECustomProperty
@Alternate Data Stream - 140 bytes -> C:\ProgramData\TEMP:0C1EFF69
@Alternate Data Stream - 133 bytes -> C:\ProgramData\TEMP:0A8E2C33
< End of report >

=====================================

A quick scan was okay, right? Or should I have run a full scan? I notice that this time there was no "Extras.txt" file generated.

How does it all look? Do we have a clean bill of health yet, I hope? Thanks very much for all your help so far!

-- Kira

Edited by choie, 14 June 2010 - 03:12 PM.


#11 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 15 June 2010 - 03:00 PM

Cleanup time :)

Delete ComboFix and Clean Up
Click Start > Run > type combofix /Uninstall > OK (Note the space between combofix and /Uninstall)
Please advise if this step is missed for any reason as it performs some important actions.

Please run OTL one more time and hit Cleanup. This will remove OTL and all helper tools.

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Hiding Hidden Files
Please set your system to hide all hidden files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Purging System Restore Points
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
One of the most common questions found when cleaning Spyware or other Malware is "how did my machine get infected?". There are a variety of reasons, but the most common ones are that you are not practicing Safe Internet, you are not running the proper security software, and that your computer's security settings are set too low.

Below I have outlined a series of categories that outline how you can increase the security of your computer so that you will not be infected again in the future.


Practice Safe Internet

One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below is a list of simple precautions to take to keep your computer clean and running securely:
  1. If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.

  2. If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.

  3. If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.

  4. If you are browsing the Internet and a popup appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article: Foistware, And how to avoid it.

    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites

  5. Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.

  6. Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.

  7. When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.

  8. Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.

  9. Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing it, and Peer-2-Peer networks are crawling with it. If you want to download a piece of software from a site, and are not sure if it is legitimate, you can use McAfee Siteadvisor to look up info on the site.

  10. DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.
Visit Microsoft's Windows Update Site Frequently

It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Make Internet Explorer 7 more secure
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click once on the Security tab
  3. Click once on the Internet icon so it becomes highlighted.
  4. Click once on the Custom Level button.
    1. Change the Download signed ActiveX controls to Prompt
    2. Change the Download unsigned ActiveX controls to Disable
    3. Change the Initialize and script ActiveX controls not marked as safe to Disable
    4. Change the Installation of desktop items to Prompt
    5. Change the Launching programs and files in an IFRAME to Prompt
    6. Change the Navigate sub-frames across different domains to Prompt
    7. When all these settings have been made, click on the OK button.
    8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
  5. Next press the Apply button and then the OK to exit the Internet Properties page.

Use an AntiVirus Software

It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online and stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources


Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Use a Firewall

I cannot stress enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.

Tutorials on using these programs can be found below:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer


Install SpywareBlaster

SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware


Update all these programs regularly

Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.
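The "Make Internet Explorer 7 more secure" steps above change six values in the Internet zone that IE stores per user in the registry. The following PowerShell script is an added example, not part of schrauber's post or of any BleepingComputer tool: it audits those six settings against the levels recommended above and, with -Apply, sets them, which is handy after a cleanup tool resets IE to its defaults. It assumes the per-user zone key HKCU\...\Internet Settings\Zones\3 (3 = Internet) and the setting IDs and level values (0 = Enable, 1 = Prompt, 3 = Disable) documented in Microsoft KB 182569; the script name and the -Apply switch are my own.

```powershell
# Added example (not from the original post): audit and optionally apply the
# Internet-zone hardening listed in the post, via the same registry values the
# Custom Level dialog writes. Zone 3 is the Internet zone; the numeric setting
# names and the meaning of 0/1/3 are documented in Microsoft KB 182569.
# Run as the user whose IE profile you want to check:
#   .\Check-IEZone.ps1            # report only
#   .\Check-IEZone.ps1 -Apply     # enforce (supports -WhatIf)
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply
)

$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Setting ID -> description and the level recommended in the post.
$recommended = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                           Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                         Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe';  Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                              Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                  Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';               Want = 1 }
}
$levelName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Describe-Level([object]$value) {
    # A value that was never written comes back as $null; IE then uses its
    # built-in default, which is not necessarily the recommended level.
    if ($null -eq $value) { return '(not set)' }
    $n = [int]$value
    if ($levelName.ContainsKey($n)) { return $levelName[$n] }
    return "unknown ($n)"
}

if (-not (Test-Path $zonePath)) {
    Write-Error "Internet zone key not found: $zonePath"
    exit 1
}

$current = Get-ItemProperty -Path $zonePath
$drift = 0
foreach ($id in $recommended.Keys) {
    $want = $recommended[$id].Want
    $have = $current.$id
    if ($null -ne $have -and [int]$have -eq $want) {
        Write-Output ("OK    {0} {1}: {2}" -f $id, $recommended[$id].Name, (Describe-Level $have))
        continue
    }
    $drift++
    Write-Output ("DRIFT {0} {1}: {2} (want {3})" -f $id, $recommended[$id].Name,
                  (Describe-Level $have), $levelName[$want])
    if ($Apply -and $PSCmdlet.ShouldProcess("$zonePath\$id", "set to $want ($($levelName[$want]))")) {
        Set-ItemProperty -Path $zonePath -Name $id -Value $want -Type DWord
    }
}
Write-Output "$drift setting(s) differ from the recommended level."
```

Two caveats when reading the output: IE only picks up changed zone values in newly opened windows, so close IE before re-checking, and if the machine is managed by Group Policy the HKLM copy of the zone settings can override what this script sees and sets under HKCU, in which case the Custom Level dialog will show the policy values, not these.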

#12 choie
  • Topic Starter
  • Members
  • 8 posts

Posted 15 June 2010 - 04:29 PM

Hi again, Tom! Great news to hear my PC seems to be clean.

Something strange though. I started to follow your instructions re: uninstalling ComboFix and ran into trouble. First, just as a reminder, I'm on Vista, and your instructions are for XP. But more importantly, remember that we renamed ComboFix to schrauber.exe? I tried doing "Run" then "schrauber /Uninstall" but that didn't work either. I couldn't even find the schrauber.exe file on my desktop anymore.

Doing a little digging I did find a folder called C:/schrauber, but the only files there are:

CF25647.cfxxe
mbr.cfxxe
mbr.txt

I'm not sure what to do. I don't want to click on anything there without your advice, so I'll await it! Help?

Finally, I asked a couple times before about the security notifications I've been getting for the past couple of days since running ComboFix. Every time I go to a page with any secure elements a window pops up and I have to click "OK," and then when I leave I get warned that I'm no longer secure and I have to click "OK" again. What is causing them and can I safely click "don't show these notifications anymore"?

Thanks very much!

#13 schrauber
    Mr.Mechanic
  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 16 June 2010 - 12:12 PM

Just run the OTL cleanup; this will remove ComboFix also. You can delete c:\schrauber if it is still there after the OTL cleanup and a reboot.

QUOTE
Every time I go to a page with any secure elements a window pops up and I have to click "OK," and then when I leave I get warned that I'm no longer secure and I have to click "OK" again. What is causing them and can I safely click "don't show these notifications anymore"?


IE is set back to default, that's why you get these messages. There should be a little box where you can place a checkmark to stop showing them.
regards,
schrauber


#14 choie
  • Topic Starter
  • Members
  • 8 posts

Posted 16 June 2010 - 02:00 PM

Got it. Thanks a million for your patience and help, Tom. I greatly appreciate all you've done for me!

I just used that little orange button at the bottom of your sig. It's not nearly enough to thank you properly but it's all I can spare at the moment.

Many thanks again to you and BleepingComputer!

#15 schrauber
    Mr.Mechanic
  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 19 June 2010 - 05:24 AM

You're most welcome.


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
regards,
schrauber

