
ckvo.exe - Ordinal Not Found
I'm trying to fix up my cousin's laptop computer.


  • This topic is locked
27 replies to this topic

#1 Magpiefly

Magpiefly

  • Members
  • 43 posts
  • OFFLINE
  • Gender:Female
  • Location:7003
  • Local time:01:07 PM

Posted 28 February 2011 - 02:53 AM

This computer is an HP Mini 110 running Windows XP Home Edition Version 5.1

First off, I can't access safe mode at all on this computer. I press F11 on bootup and select safe mode, then the cycle starts: bootup, select how you would like to start Windows, safe mode, then bootup again. No help there.

This computer I know has several different problems, especially on startup.
An error message appears once the computer is fully up:
Title: ckvo.exe - Ordinal Not Found
Subject: The ordinal 51595 could not be located in the dynamic link library KERNEL32.DLL.
Options: Ok
Then a second error message about Adobe Reader and Acrobat Manager encountering a problem and needing to close. Then a JavaScript alert and a random website in a foreign language.

I thoroughly appreciate any help. :)


My DDS.txt log:



DDS (Ver_10-12-12.02) - NTFSx86
Run by karina at 0:34:41.76 on Mon 02/28/2011
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.417 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Roxio\BackOnTrack\Instant Restore\BOTService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\wdm\STacSV.exe
svchost.exe
C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\HP\HPBTWD.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\syncables\syncables desktop\Syncables.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\syncables\syncables desktop\jre\bin\javaw.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\syncables\syncables desktop\MigoMapi.exe
C:\Program Files\Gamevance\gamevance32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\TEMP\LOCALS~1\Temp\winjuqoat.exe
C:\DOCUME~1\TEMP\LOCALS~1\Temp\winvmhm.exe
C:\Program Files\PC Tools Security\pctsAuxs.exe
C:\Program Files\PC Tools Security\pctsSvc.exe
C:\Program Files\PC Tools Security\pctsGui.exe
C:\Documents and Settings\TEMP\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bing.com/?pc=Z015&form=ZGAPHP
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: H - No File
BHO: Gamevance: {0ed403e8-470a-4a8a-85a4-d7688cfe39a3} - c:\program files\gamevance\gamevancelib32.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: ooVoo Toolbar: {59c6f12b-f004-43e5-9997-08f2123119b6} - c:\program files\oovootoolbar\oovootoolbarX.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Aplicación auxiliar de inicio de sesión: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Mighty Magoo Text: {97e74a14-e5f1-40cc-9b0f-0d11946e5469} - c:\program files\mighty magoo\mmagootl.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Gamevance Text: {beac7dc8-e106-4c6a-931e-5a42e7362883} - c:\program files\gamevance\gvtl.dll
BHO: Dogpile Bundle Toolbar BHO: {bfe4b5cb-63f7-4a51-9266-6167655d5b4f} - c:\program files\dogpile bundle toolbar\Toolbar.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0559.0\msneshellx.dll
BHO: Trillian Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: Mighty Magoo: {eead004e-7e2d-49f8-831c-a01647e85b53} - c:\program files\mighty magoo\mightymagoolib32.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0559.0\msneshellx.dll
TB: Trillian Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Dogpile Bundle Toolbar: {c80bdeb2-8735-44c6-bd55-a1ccd555667a} - c:\program files\dogpile bundle toolbar\Toolbar.dll
TB: ooVoo Toolbar: {59c6f12b-f004-43e5-9997-08f2123119b6} - c:\program files\oovootoolbar\oovootoolbarX.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [Tok-Cirrhatus]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [kamsoft] c:\windows\system32\ckvo.exe
uRun: [Google Update] "c:\documents and settings\temp\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ooVoo.exe] c:\program files\oovoo\oovoo.exe /minimized
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10b.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [HP BTW Detect Program] c:\program files\hp\HPBTWD.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Mobile Broadband] c:\swsetup\hpqwwan\HPMobileBroadband.exe /TrayMode
mRun: [Syncables] c:\program files\syncables\syncables desktop\Syncables.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [XP-D1C3E4E8] c:\windows\system32\XP-D1C3E4E8.EXE
mRun: [Mightymagoo] c:\program files\mighty magoo\mightymagoo32.exe a
mRun: [4StoryPrePatch] c:\program files\gameforge4d\gatesofandaron\PrePatch.exe
mRun: [Gamevance] c:\program files\gamevance\gamevance32.exe a
mRun: [ISTray] "c:\program files\pc tools security\pctsGui.exe" /hideGUI
dRun: [Tok-Cirrhatus]
mExplorerRun: [<NO NAME>] 1 (0x1)
StartupFolder: c:\docume~1\temp\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\temp\startm~1\programs\startup\trillian.lnk - c:\program files\trillian\trillian.exe
StartupFolder: c:\docume~1\temp\startm~1\programs\startup\75cd~1.lnk - c:\windows\system32\XP-D1C3E4E8.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\whites~1.lnk - c:\documents and settings\temp\local settings\temp\WSZugo.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://webmail.advisorcompass.com/whalecom3edc1568260bca2e9ff9b3e77780001b09/whalecom0/dwa7W.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {28ABC5C0-4FCB-11CF-AAX5-81CX1C635612} - c:\recycler\s-1-5-21-1482476501-1644491937-682003330-1013\winse32.exe

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-2-27 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-2-27 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2011-2-27 656320]
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2009-6-14 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2009-6-14 15856]
R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [2008-9-25 103792]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2009-6-14 25584]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\roxio\backontrack\disaster recovery\SaibSVC.exe [2008-12-12 125424]
R2 BOTService;BOTService;c:\program files\roxio\backontrack\instant restore\BOTService.exe [2009-3-19 203248]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-1-4 54752]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2011-2-27 366840]
R2 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2011-2-27 1150936]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-6-14 113664]
R3 asc3360pr;asc3360pr;\??\c:\windows\system32\drivers\entlsg.sys --> c:\windows\system32\drivers\entlsg.sys [?]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-3-2 38912]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-8 205296]
S3 amsint32;amsint32;\??\c:\windows\system32\drivers\entlsg.sys --> c:\windows\system32\drivers\entlsg.sys [?]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 EraserUtilDrv10822;EraserUtilDrv10822;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv10822.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv10822.sys [?]
S3 fsssvc;Servicio de Windows Live Protección infantil;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 778600]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\rts5121.sys --> c:\windows\system32\drivers\RTS5121.sys [?]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]

=============== Created Last 30 ================

2011-02-28 04:51:26 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-02-28 04:51:26 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-02-28 04:51:25 249616 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-02-28 04:51:21 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-02-28 04:51:21 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-02-28 04:50:54 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-02-28 04:49:57 -------- d-----w- c:\program files\common files\PC Tools
2011-02-28 04:49:56 -------- d-----w- c:\program files\PC Tools Security
2011-02-28 04:49:56 -------- d-----w- c:\docume~1\temp\applic~1\PC Tools
2011-02-28 04:49:56 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2011-02-28 02:58:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\kGhHmJd08501
2011-02-27 18:00:41 -------- d-----w- c:\program files\The Weather Channel FW
2011-02-27 18:00:34 -------- d-----w- c:\docume~1\temp\locals~1\applic~1\The Weather Channel
2011-02-27 18:00:23 -------- d-----w- c:\program files\Gamevance
2011-02-24 22:52:19 17920 ----a-w- c:\windows\system32\T62FD155.EXE
2011-02-24 22:52:14 17920 --sh--w- c:\windows\system32\ZH151.EXE
2011-02-08 20:28:07 718336 ----a-w- c:\windows\system32\ntdll.dll
2011-02-08 20:28:07 718336 ------w- c:\windows\system32\dllcache\ntdll.dll
2011-02-08 20:28:05 2192768 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-02-08 20:28:05 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-02-08 20:28:05 2148864 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-02-08 20:28:04 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-02-08 20:28:04 2027008 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-02-08 20:28:03 2069376 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe

==================== Find3M ====================

2011-02-25 03:41:51 737 ----a-w- c:\windows\system32\og.dll
2011-02-25 03:25:06 2404 ----a-w- c:\windows\system32\ul.dll
2011-02-15 20:23:27 17920 ----a-w- c:\windows\system32\S7B11173.EXE
2011-01-26 20:52:53 17920 --sh--w- c:\windows\system32\ZH139.EXE
2011-01-26 01:07:42 17920 ----a-w- c:\windows\system32\W582A6EC.EXE
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-19 20:18:11 17920 --sh--w- c:\windows\system32\ZH39.EXE
2011-01-12 23:48:09 17408 ----a-w- c:\windows\system32\R5A69F16.EXE
2011-01-12 23:48:05 17408 --sh--w- c:\windows\system32\ZH79.EXE
2011-01-11 00:56:02 17920 ----a-w- c:\windows\system32\R114586D.EXE
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-27 16:54:00 17920 --sh--w- c:\windows\system32\ZH99.EXE
2010-12-27 00:17:02 16384 ----a-w- c:\windows\system32\N9B55CF1.EXE
2010-12-27 00:16:59 16384 --sh--w- c:\windows\system32\ZH98.EXE
2010-12-25 21:29:46 15872 ----a-w- c:\windows\system32\ZQ50E6A8F.EXE
2010-12-25 21:29:45 14336 ----a-w- c:\windows\system32\V7C4060.EXE
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:08:45 832512 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:08:45 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 23:08:45 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:08:45 17408 ----a-w- c:\windows\system32\corpol.dll
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:25 389120 ----a-w- c:\windows\system32\html.iec
2010-12-20 03:01:10 14336 --sh--w- c:\windows\system32\TC-Z6P.EXE
2010-12-16 20:40:19 15360 ----a-w- c:\windows\system32\V3030F8.EXE
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-05 23:04:30 15360 --sh--w- c:\windows\system32\TC-Z5P.EXE
2010-12-04 17:26:13 12800 ----a-w- c:\windows\system32\SU77BCD2.EXE
2010-11-30 23:04:35 15872 --sh--w- c:\windows\system32\NU98.EXE
2010-09-02 11:54:48 14848 --sh--w- c:\windows\system32\9UM68.EXE
2010-09-18 18:07:29 14848 --sh--w- c:\windows\system32\9UM78.EXE
2010-10-10 16:20:27 15872 --sh--w- c:\windows\system32\9UU78.EXE
2008-08-17 22:54:48 182272 --sh--r- c:\windows\system32\ckvo.exe
2010-09-02 11:52:19 85504 --sh--r- c:\windows\system32\ckvo0.dll
2010-05-11 17:50:28 23552 --sh--w- c:\windows\system32\GC-BZ6.EXE
2010-06-07 16:48:32 23040 --sh--w- c:\windows\system32\GC-WZ9.EXE
2010-07-05 20:42:00 23040 --sh--w- c:\windows\system32\GUN08.EXE
2010-07-24 19:12:25 20992 --sh--w- c:\windows\system32\GUN58.EXE
2008-04-15 12:00:00 1384479 --sh--r- c:\windows\system32\msvbvm60.dll
2010-10-18 00:10:50 15360 --sh--w- c:\windows\system32\NU78.EXE
2010-09-02 11:54:45 13312 --sh--w- c:\windows\system32\TC-G9.EXE
2010-09-14 01:09:46 12800 --sh--w- c:\windows\system32\TC-GP.EXE
2010-06-07 16:48:36 14336 --sh--w- c:\windows\system32\TC-WL2.EXE
2010-05-11 17:50:31 13824 --sh--w- c:\windows\system32\TC-WZ6.EXE
2010-10-16 18:05:53 13312 --sh--w- c:\windows\system32\TC-Z2P.EXE
2010-10-18 20:35:16 13824 --sh--w- c:\windows\system32\TC-Z3P.EXE
2010-11-17 23:05:00 12800 --sh--w- c:\windows\system32\TC-Z4P.EXE
2010-10-06 20:53:29 13824 --sh--w- c:\windows\system32\TC-ZGP.EXE
2010-07-05 20:41:56 14336 --sh--w- c:\windows\system32\VC-WL8.EXE

============= FINISH: 0:36:42.15 ===============



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:07 PM

Posted 01 March 2011 - 06:25 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Magpiefly

Posted 02 March 2011 - 08:13 AM

Thanks CatByte,

I began running Combofix last night and have let it run through the night, but it's still not completed. Is that a problem or should I keep waiting?

#4 CatByte


Posted 02 March 2011 - 06:11 PM

Open Task Manager (Ctrl+Alt+Del) > look for the processes PEV.exe, SED.exe or cfxxx.exe > end process on those tasks if they are there.

Now delete the copy of ComboFix that you have on your desktop and download a fresh copy, but rename it to iexplore before saving it to your desktop, then run it. If it still hangs > run it in safe mode.

To enter safe mode > reboot > tap F8 repeatedly until a menu appears > arrow up to Safe Mode with Networking > now run ComboFix



#5 Magpiefly


Posted 02 March 2011 - 06:54 PM

When I press Ctrl+Alt+Delete, a window pops up saying: 'Task Manager has been disabled by your administrator'
I'm sorry for the delay :(

#6 CatByte


Posted 02 March 2011 - 07:01 PM

Open a run box (windows key + R) > copy/paste the following command into the run box > OK



reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t Reg_dword /d 0 /f

This should enable your Task Manager.

Re-run this command as often as you need to if the malware disables it again.


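The three policy lines in the DDS log from the first post (uPolicies-explorer: NoFolderOptions, uPolicies-system: DisableTaskMgr, uPolicies-system: DisableRegistryTools) are exactly what the reg add command above undoes, and the same log carries the other signals the helper is reacting to: an autostart (uRun: [kamsoft]) pointing at c:\windows\system32\ckvo.exe, which the Find3M section lists with hidden+system attributes, startup entries under \local settings\temp\ and c:\recycler\, and processes running out of the user's temp folder. The Python script below is an added example, not code from this thread, from DDS or from ComboFix: it reads DDS-style lines (a constructed sample made of lines copied from the first post's log), lists the lockout policies with a matching reg add for each, and flags those autostart, file-attribute and process findings. The mapping of the dPolicies prefix to HKU\.DEFAULT and the list of scratch directories are assumptions.

```python
# Added example for this thread: a triage pass over DDS-style log lines. Not code
# from BleepingComputer, DDS or ComboFix; the line formats are those in the first
# post's log. Flags lockout policies (with the matching `reg add` undo), autostarts
# run from scratch folders or pointing at hidden+system files, and temp-folder processes.
import re

HIVES = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}  # u=user, m=machine; d->HKU\.DEFAULT assumed
POLICY_KEYS = {
    "explorer": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
    "system": "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
}
LOCKOUT_VALUES = {"DisableTaskMgr", "DisableRegistryTools", "NoFolderOptions"}  # 1 = tool removed
SCRATCH_DIRS = ("\\local settings\\temp\\", "\\locals~1\\temp\\", "\\recycler\\", "\\windows\\temp\\")

POLICY_RE = re.compile(r"^([umd])Policies-(explorer|system): (\w+) = (\d+)")
AUTOSTART_RE = re.compile(r"^(?:[umd]Run(?:Once)?: \[[^\]]*\] ?|(?:StartupFolder|mASetup): .*? - )(.+)$")
FIND3M_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} +\S+ ([-a-z]{8}) (.+)$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\\S")
EXE_RE = re.compile(r'^"?(.+?\.(?:exe|dll|scr|com))', re.IGNORECASE)


def exe_path(command):
    """Drop surrounding quotes and trailing arguments from a Run-key command (lowercased)."""
    m = EXE_RE.match(command.strip())
    return (m.group(1) if m else command.strip()).lower()


def lockout_policies(lines):
    """Policy values that disable Task Manager, regedit or Folder Options."""
    found = []
    for m in filter(None, map(POLICY_RE.match, lines)):
        prefix, key, name, value = m.groups()
        if name in LOCKOUT_VALUES and int(value) != 0:
            found.append({"hive": HIVES[prefix], "key": POLICY_KEYS[key], "name": name})
    return found


def remediation_commands(lines):
    """One reg add per lockout, in the shape of the command posted in this thread."""
    return [f'reg add "{p["hive"]}\\{p["key"]}" /v {p["name"]} /t REG_DWORD /d 0 /f'
            for p in lockout_policies(lines)]


def hidden_system_files(lines):
    """Files whose DDS attribute column reads --sh-- (hidden + system), e.g. ckvo.exe."""
    out = set()
    for m in filter(None, map(FIND3M_RE.match, lines)):
        attrs, path = m.groups()
        if attrs[0] != "d" and attrs[2:4] == "sh":
            out.add(path.strip().lower())
    return out


def suspicious_autostarts(lines):
    """Run keys, startup-folder links and mASetup entries worth a second look."""
    hidden, findings = hidden_system_files(lines), []
    for m in filter(None, map(AUTOSTART_RE.match, lines)):
        target, reasons = exe_path(m.group(1)), []
        if any(d in target for d in SCRATCH_DIRS):
            reasons.append("runs from a scratch directory")
        if target in hidden:
            reasons.append("target file is hidden+system")
        if reasons:
            findings.append({"line": m.group(0), "target": target, "reasons": reasons})
    return findings


def scratch_processes(lines):
    """Running Processes entries launched from a scratch directory."""
    return [l for l in lines if PROCESS_RE.match(l) and any(d in l.lower() for d in SCRATCH_DIRS)]


def triage(text):
    lines = text.strip().splitlines()
    return {"lockouts": lockout_policies(lines), "fix_commands": remediation_commands(lines),
            "autostarts": suspicious_autostarts(lines), "processes": scratch_processes(lines),
            "hidden_system": sorted(hidden_system_files(lines))}


# Constructed sample: a subset of the lines from the DDS log in the first post.
SAMPLE_DDS = r"""
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\TEMP\LOCALS~1\Temp\winjuqoat.exe
uRun: [kamsoft] c:\windows\system32\ckvo.exe
uRun: [Google Update] "c:\documents and settings\temp\local settings\application data\google\update\GoogleUpdate.exe" /c
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\whites~1.lnk - c:\documents and settings\temp\local settings\temp\WSZugo.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mASetup: {28ABC5C0-4FCB-11CF-AAX5-81CX1C635612} - c:\recycler\s-1-5-21-1482476501-1644491937-682003330-1013\winse32.exe
2008-08-17 22:54:48 182272 --sh--r- c:\windows\system32\ckvo.exe
2010-09-02 11:52:19 85504 --sh--r- c:\windows\system32\ckvo0.dll
"""

if __name__ == "__main__":
    for section, items in triage(SAMPLE_DDS).items():
        print(section, *items, sep="\n  ")
```

Matching on the specific scratch paths rather than on a bare `\temp\` matters on this particular machine: the user profile is literally named TEMP, so a naive check would also flag the legitimate GoogleUpdate.exe under `c:\documents and settings\temp\local settings\application data\`; the sample keeps that line as a negative case. The generated reg add lines only restore the values, and as CatByte notes the malware can set them again until it is removed, so this is a triage aid for reading the log, not a cleaner.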

#7 Magpiefly


Posted 02 March 2011 - 07:49 PM

It's still not entering Task Manager... did it disable the reg too? :mellow:

#8 CatByte


Posted 02 March 2011 - 08:58 PM

It may very well have.

Click the "x" in the corner of the ComboFix window if it is still open, then try again to delete and download a fresh copy and rename it.



#9 Magpiefly


Posted 02 March 2011 - 10:20 PM

It worked, finally!!

OK, here's the ComboFix log:



ComboFix 11-03-01.03 - karina 03/02/2011 21:51:08.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.668 [GMT -5:00]
Running from: c:\documents and settings\TEMP\Desktop\iexplorer.exe
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\documents and settings\All Users\Start Menu\Programs\Startup\WhiteSmoke Writer 2010+.lnk
c:\documents and settings\Guest\Local Settings\Application Data\Bron.tok-17-10
c:\documents and settings\Guest\Local Settings\Application Data\Bron.tok-17-11
c:\documents and settings\Guest\Local Settings\Application Data\Bron.tok-17-12
c:\documents and settings\Guest\Local Settings\Application Data\Bron.tok-17-15
c:\documents and settings\Guest\Local Settings\Application Data\Bron.tok-17-22
c:\documents and settings\Guest\Local Settings\Application Data\Bron.tok-17-23
c:\documents and settings\Guest\Local Settings\Application Data\Bron.tok-17-24
c:\documents and settings\Guest\Local Settings\Application Data\Bron.tok.A17.em.bin
c:\documents and settings\Guest\Local Settings\Application Data\csrss.exe
c:\documents and settings\Guest\Local Settings\Application Data\inetinfo.exe
c:\documents and settings\Guest\Local Settings\Application Data\Kosong.Bron.Tok.txt
c:\documents and settings\Guest\Local Settings\Application Data\lsass.exe
c:\documents and settings\Guest\Local Settings\Application Data\services.exe
c:\documents and settings\Guest\Local Settings\Application Data\smss.exe
c:\documents and settings\Guest\Local Settings\Application Data\svchost.exe
c:\documents and settings\Guest\Local Settings\Application Data\winlogon.exe
c:\documents and settings\Guest\Start Menu\Programs\Startup\°°°°°°.lnk
c:\documents and settings\Guest\Templates\6612-NendangBro.com
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-1
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-10
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-11
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-12
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-13
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-14
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-15
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-16
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-17
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-18
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-19
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-2
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-20
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-21
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-22
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-23
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-24
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-25
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-26
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-27
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-28
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-29
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-3
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-30
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-31
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-4
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-5
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-6
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-7
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-8
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok-17-9
c:\documents and settings\karina\Local Settings\Application Data\Bron.tok.A17.em.bin
c:\documents and settings\karina\Local Settings\Application Data\Kosong.Bron.Tok.txt
c:\documents and settings\karina\Local Settings\Application Data\smss.exe
c:\documents and settings\karina\Local Settings\Application Data\svchost.exe
c:\documents and settings\karina\Start Menu\Programs\Startup\°°°°°°.lnk
c:\documents and settings\karina\Templates\9252-NendangBro.com
c:\documents and settings\NetworkService\Local Settings\Application Data\Bron.tok-17-1
c:\documents and settings\NetworkService\Local Settings\Application Data\Bron.tok-17-10
c:\documents and settings\NetworkService\Local Settings\Application Data\Bron.tok-17-11
c:\documents and settings\NetworkService\Local Settings\Application Data\Bron.tok-17-12
----- File Replicators -----

c:\system rollback data\Restore\Archive\00000053\00000052\0\Attrib\WINDOWS\$hf_mig$\KB979687\SP3QFE\wordpad.exe
c:\system rollback data\Restore\Archive\00000053\00000052\0\Attrib\WINDOWS\$hf_mig$\KB980182-IE7\SP3QFE\ie4uinit.exe
c:\system rollback data\Restore\Archive\00000053\00000052\0\Attrib\WINDOWS\$hf_mig$\KB980182-IE7\SP3QFE\ieudinit.exe
c:\system rollback data\Restore\Archive\00000053\00000052\0\Attrib\WINDOWS\$hf_mig$\KB980182-IE7\SP3QFE\iexplore.exe
c:\system rollback data\Restore\Archive\00000053\00000052\0\Attrib\WINDOWS\$hf_mig$\KB981852\SP3QFE\ntkrnlmp.exe
c:\system rollback data\Restore\Archive\00000053\00000052\0\Attrib\WINDOWS\$hf_mig$\KB981852\SP3QFE\ntkrnlpa.exe
c:\system rollback data\Restore\Archive\00000053\00000052\0\Attrib\WINDOWS\$hf_mig$\KB981852\SP3QFE\ntkrpamp.exe
c:\system rollback data\Restore\Archive\00000053\00000052\0\Attrib\WINDOWS\$hf_mig$\KB981852\SP3QFE\ntoskrnl.exe
c:\system rollback data\Restore\Archive\00000053\00000052\0\Attrib\WINDOWS\$hf_mig$\KB981997\SP3QFE\moviemk.exe
c:\system rollback data\Restore\Archive\00000053\00000052\0\Attrib\WINDOWS\$hf_mig$\KB982381-IE7\SP3QFE\ie4uinit.exe
c:\system rollback data\Restore\Archive\00000053\00000052\0\Attrib\WINDOWS\$hf_mig$\KB982381-IE7\SP3QFE\ieudinit.exe
c:\system rollback data\Restore\Archive\00000053\00000052\0\Attrib\WINDOWS\$hf_mig$\KB982381-IE7\SP3QFE\iexplore.exe
c:\system rollback data\Restore\Archive\00000053\00000052\0\Attrib\WINDOWS\system32\ckvo.exe
c:\system rollback data\Restore\Archive\00000053\00000052\0\Target\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc197\LOCAL SETTINGS\APPLICATION DATA\br5403on.exe
c:\system rollback data\Restore\Archive\00000053\00000052\0\Target\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc197\LOCAL SETTINGS\APPLICATION DATA\csrss.exe
c:\system rollback data\Restore\Archive\00000053\00000052\0\Target\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc197\LOCAL SETTINGS\APPLICATION DATA\inetinfo.exe
c:\system rollback data\Restore\Archive\00000053\00000052\0\Target\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc197\LOCAL SETTINGS\APPLICATION DATA\lsass.exe
c:\system rollback data\Restore\Archive\00000053\00000052\0\Target\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc197\LOCAL SETTINGS\APPLICATION DATA\services.exe
c:\system rollback data\Restore\Archive\00000053\00000052\0\Target\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc197\LOCAL SETTINGS\APPLICATION DATA\smss.exe
c:\system rollback data\Restore\Archive\00000053\00000052\0\Target\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc197\LOCAL SETTINGS\APPLICATION DATA\svchost.exe
c:\system rollback data\Restore\Archive\00000053\00000052\0\Target\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc197\LOCAL SETTINGS\APPLICATION DATA\winlogon.exe
c:\system rollback data\Restore\Archive\00000053\00000052\0\Target\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc53.exe
c:\system rollback data\Restore\Current\00086\1\Attrib\Program Files\INSTALLSHIELD INSTALLATION INFORMATION\{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}\setup.exe
c:\system rollback data\Restore\Current\00086\1\Attrib\Program Files\MICROSOFT WORKS\lnchtour.exe
c:\system rollback data\Restore\Current\00086\1\Attrib\Program Files\Skype\Phone\Skype.exe
c:\system rollback data\Restore\Current\00086\1\Attrib\Program Files\Skype\PLUGIN MANAGER\skypePM.exe
c:\system rollback data\Restore\Current\00086\1\Attrib\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\winse32.exe
c:\system rollback data\Restore\Current\00086\1\Attrib\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc197\APPLICATION DATA\MICROSOFT\INSTALLER\{082702D5-5DD8-4600-BCE5-48B15174687F}\ARPPRODUCTICON.exe
c:\system rollback data\Restore\Current\00086\1\Attrib\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc197\LOCAL SETTINGS\Temp\000196DC_RAR\XP-D1C3E4E8.EXE
c:\system rollback data\Restore\Current\00086\1\Attrib\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc197\LOCAL SETTINGS\Temp\0001A8BE_RAR\XP-D1C3E4E8.EXE
c:\system rollback data\Restore\Current\00086\1\Target\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc197\LOCAL SETTINGS\APPLICATION DATA\br5403on.exe
c:\system rollback data\Restore\Current\00086\1\Target\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc197\LOCAL SETTINGS\APPLICATION DATA\csrss.exe
c:\system rollback data\Restore\Current\00086\1\Target\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc197\LOCAL SETTINGS\APPLICATION DATA\inetinfo.exe
c:\system rollback data\Restore\Current\00086\1\Target\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc197\LOCAL SETTINGS\APPLICATION DATA\lsass.exe
c:\system rollback data\Restore\Current\00086\1\Target\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc197\LOCAL SETTINGS\APPLICATION DATA\services.exe
c:\system rollback data\Restore\Current\00086\1\Target\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc197\LOCAL SETTINGS\APPLICATION DATA\smss.exe
c:\system rollback data\Restore\Current\00086\1\Target\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc197\LOCAL SETTINGS\APPLICATION DATA\svchost.exe
c:\system rollback data\Restore\Current\00086\1\Target\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc197\LOCAL SETTINGS\APPLICATION DATA\winlogon.exe
c:\system rollback data\Restore\Current\00086\1\Target\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc53.exe
c:\system rollback data\Restore\Current\00086\3\Attrib\Program Files\Google\GOOGLE TOOLBAR\Component\GoogleToolbarManager_4079369A224CB572.exe
c:\system rollback data\Restore\Current\00086\3\Attrib\Program Files\Google\GOOGLE TOOLBAR\Component\GoogleToolbarUser_32_FF19882ADAF9F281.exe
c:\system rollback data\Restore\Current\00086\3\Attrib\Program Files\Google\GOOGLE TOOLBAR\Component\SearchWithGoogleUpdate_2FBCB829D9F367DB.exe
c:\system rollback data\Restore\Current\00086\4\Attrib\WINDOWS\system32\ckvo.exe
c:\system rollback data\Restore\Current\00086\5\Attrib\DOCUMENTS AND SETTINGS\TEMP\Desktop\ComboFix.exe
c:\system rollback data\Restore\Current\00086\5\Attrib\PROGRAM FILES\Google\Update\GOOGLEUPDATE.EXE
c:\system rollback data\Restore\Current\00086\5\Attrib\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\winse32.exe
c:\system rollback data\Restore\Current\00086\5\Attrib\WINDOWS\system32\ckvo.exe
c:\system rollback data\Restore\Current\00086\7\Attrib\PROGRAM FILES\Google\Update\GOOGLEUPDATE.EXE
c:\system rollback data\Restore\Current\00086\7\Attrib\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\winse32.exe
c:\system rollback data\Restore\Current\00086\7\Attrib\WINDOWS\system32\ckvo.exe
c:\system rollback data\Restore\Current\00086\9\Attrib\DOCUMENTS AND SETTINGS\TEMP\Desktop\iexplorer.exe.exe
c:\system rollback data\Restore\Current\00086\9\Attrib\PROGRAM FILES\Google\Update\GOOGLEUPDATE.EXE
c:\system rollback data\Restore\Current\00086\9\Attrib\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\winse32.exe
c:\system rollback data\Restore\Current\00086\9\Attrib\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc149.exe
c:\system rollback data\Restore\Current\00086\9\Attrib\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc197\Application Data\Microsoft\Installer\{082702D5-5DD8-4600-BCE5-48B15174687F}\ARPPRODUCTICON.exe
c:\system rollback data\Restore\Current\00086\9\Attrib\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc197\Local Settings\Application Data\br5403on.exe
c:\system rollback data\Restore\Current\00086\9\Attrib\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc197\Local Settings\Application Data\csrss.exe
c:\system rollback data\Restore\Current\00086\9\Attrib\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc197\Local Settings\Application Data\inetinfo.exe
c:\system rollback data\Restore\Current\00086\9\Attrib\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc197\Local Settings\Application Data\lsass.exe
c:\system rollback data\Restore\Current\00086\9\Attrib\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc197\Local Settings\Application Data\services.exe
c:\system rollback data\Restore\Current\00086\9\Attrib\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc197\Local Settings\Application Data\smss.exe
c:\system rollback data\Restore\Current\00086\9\Attrib\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc197\Local Settings\Application Data\svchost.exe
c:\system rollback data\Restore\Current\00086\9\Attrib\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc197\Local Settings\Application Data\winlogon.exe
c:\system rollback data\Restore\Current\00086\9\Attrib\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc197\Local Settings\Temp\000196DC_Rar\XP-D1C3E4E8.EXE
c:\system rollback data\Restore\Current\00086\9\Attrib\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc197\Local Settings\Temp\0001A8BE_Rar\XP-D1C3E4E8.EXE
c:\system rollback data\Restore\Current\00086\9\Attrib\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc203.exe
c:\system rollback data\Restore\Current\00086\9\Attrib\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc232.exe
c:\system rollback data\Restore\Current\00086\9\Attrib\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc36.6\Project64.exe
c:\system rollback data\Restore\Current\00086\9\Attrib\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc48.exe
c:\system rollback data\Restore\Current\00086\9\Attrib\RECYCLER\S-1-5-21-85108940-1029042187-4087283800-1006\Dc53.exe
c:\system rollback data\Restore\Current\00086\9\Attrib\WINDOWS\regedit.exe
c:\system rollback data\Restore\Current\00086\9\Attrib\WINDOWS\system32\attrib.exe
c:\system rollback data\Restore\Current\00086\9\Attrib\WINDOWS\system32\ckvo.exe
c:\system rollback data\Restore\Current\00086\9\Attrib\WINDOWS\system32\cmd.exe
c:\system rollback data\Restore\Current\00086\9\Attrib\WINDOWS\system32\cscript.exe
c:\system rollback data\Restore\Current\00086\9\Attrib\WINDOWS\system32\ping.exe
c:\system rollback data\Restore\Current\00086\9\Attrib\WINDOWS\system32\route.exe
c:\windows\Media\br3951on.exe
c:\windows\Media\csrss.exe
c:\windows\Media\inetinfo.exe
c:\windows\Media\lsass.exe
c:\windows\Media\services.exe
c:\windows\Media\smss.exe
c:\windows\system32\U-7T82.EXE
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASC3360PR
-------\Service_amsint32
-------\Service_asc3360pr


((((((((((((((((((((((((( Files Created from 2011-02-03 to 2011-03-03 )))))))))))))))))))))))))))))))
.

2011-03-03 00:49 . 2011-03-03 00:49 150 ----a-w- C:\taskmgrenable.reg
2011-02-28 04:51 . 2010-07-16 19:59 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-02-28 04:51 . 2010-07-16 19:59 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-02-28 04:51 . 2010-11-17 15:19 249616 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-02-28 04:51 . 2010-11-25 15:53 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-02-28 04:51 . 2010-11-25 15:43 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-02-28 04:50 . 2010-11-25 15:42 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-02-28 04:49 . 2011-02-28 04:53 -------- d-----w- c:\program files\Common Files\PC Tools
2011-02-28 04:49 . 2011-03-02 02:44 -------- d-----w- c:\program files\PC Tools Security
2011-02-28 04:49 . 2011-02-28 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-02-28 04:49 . 2011-02-28 04:49 -------- d-----w- c:\documents and settings\TEMP\Application Data\PC Tools
2011-02-28 04:49 . 2011-03-02 02:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-02-28 02:58 . 2011-02-28 02:58 -------- d-----w- c:\documents and settings\All Users\Application Data\kGhHmJd08501
2011-02-27 18:00 . 2011-02-27 18:00 -------- d-----w- c:\program files\The Weather Channel FW
2011-02-27 18:00 . 2011-02-27 18:00 -------- d-----w- c:\documents and settings\TEMP\Local Settings\Application Data\The Weather Channel
2011-02-24 22:52 . 2011-02-25 00:32 17920 ----a-w- c:\windows\system32\T62FD155.EXE
2011-02-24 22:52 . 2011-02-24 22:52 17920 --sh--w- c:\windows\system32\ZH151.EXE
2011-02-08 20:28 . 2010-12-09 15:15 718336 ----a-w- c:\windows\system32\ntdll.dll
2011-02-08 20:28 . 2010-12-09 15:15 718336 ------w- c:\windows\system32\dllcache\ntdll.dll
2011-02-08 20:28 . 2010-12-09 13:42 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-02-08 20:28 . 2010-12-09 13:42 2148864 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-02-08 20:28 . 2010-12-09 13:38 2192768 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2011-02-08 20:28 . 2010-12-09 13:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-02-08 20:28 . 2010-12-09 13:07 2027008 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2011-02-08 20:28 . 2010-12-09 13:07 2069376 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-15 20:23 . 2011-01-26 20:52 17920 ----a-w- c:\windows\system32\S7B11173.EXE
2011-01-26 20:52 . 2011-01-26 20:52 17920 --sh--w- c:\windows\system32\ZH139.EXE
2011-01-26 01:07 . 2011-01-19 20:18 17920 ----a-w- c:\windows\system32\W582A6EC.EXE
2011-01-21 14:44 . 2011-01-21 14:44 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-19 20:18 . 2011-01-19 20:18 17920 --sh--w- c:\windows\system32\ZH39.EXE
2011-01-12 23:48 . 2011-01-12 23:48 17408 ----a-w- c:\windows\system32\R5A69F16.EXE
2011-01-12 23:48 . 2011-01-12 23:48 17408 --sh--w- c:\windows\system32\ZH79.EXE
2011-01-11 00:56 . 2010-12-27 17:27 17920 ----a-w- c:\windows\system32\R114586D.EXE
2011-01-08 01:41 . 2011-01-07 20:40 157 ----a-w- c:\documents and settings\TEMP\Local Settings\Application Data\JunkAtx.bin
2011-01-07 14:09 . 2011-01-07 14:09 290048 ----a-w- c:\windows\system32\atmfd.dll
2011-01-06 23:57 . 2011-01-06 22:58 157 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\JunkAtx.bin
2010-12-31 13:10 . 2010-12-31 13:10 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-27 16:54 . 2010-12-27 16:54 17920 --sh--w- c:\windows\system32\ZH99.EXE
2010-12-27 00:17 . 2010-12-27 00:17 16384 ----a-w- c:\windows\system32\N9B55CF1.EXE
2010-12-27 00:16 . 2010-12-27 00:16 16384 --sh--w- c:\windows\system32\ZH98.EXE
2010-12-25 21:29 . 2010-11-30 23:04 15872 ----a-w- c:\windows\system32\ZQ50E6A8F.EXE
2010-12-25 21:29 . 2010-12-20 03:01 14336 ----a-w- c:\windows\system32\V7C4060.EXE
2010-12-22 12:34 . 2010-12-22 12:34 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:08 . 2010-12-20 23:08 832512 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:08 . 2010-12-20 23:08 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 23:08 . 2010-12-20 23:08 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:08 . 2010-12-20 23:08 17408 ----a-w- c:\windows\system32\corpol.dll
2010-12-20 17:26 . 2010-12-20 17:26 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2010-12-20 12:55 389120 ----a-w- c:\windows\system32\html.iec
2010-12-20 03:01 . 2010-12-19 18:29 14336 --sh--w- c:\windows\system32\TC-Z6P.EXE
2010-12-16 20:40 . 2010-12-05 23:04 15360 ----a-w- c:\windows\system32\V3030F8.EXE
2010-12-09 14:30 . 2010-12-09 14:30 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-05 23:04 . 2010-12-05 23:04 15360 --sh--w- c:\windows\system32\TC-Z5P.EXE
2010-12-04 17:26 . 2010-11-17 23:05 12800 ----a-w- c:\windows\system32\SU77BCD2.EXE
2010-09-02 11:54 14848 --sh--w- c:\windows\system32\9UM68.EXE
2010-09-18 18:07 14848 --sh--w- c:\windows\system32\9UM78.EXE
2010-10-10 16:20 15872 --sh--w- c:\windows\system32\9UU78.EXE
2010-05-11 17:50 23552 --sh--w- c:\windows\system32\GC-BZ6.EXE
2010-06-07 16:48 23040 --sh--w- c:\windows\system32\GC-WZ9.EXE
2010-07-05 20:42 23040 --sh--w- c:\windows\system32\GUN08.EXE
2010-07-24 19:12 20992 --sh--w- c:\windows\system32\GUN58.EXE
2008-04-15 12:00 1384479 --sh--r- c:\windows\system32\msvbvm60.dll
2010-10-18 00:10 15360 --sh--w- c:\windows\system32\NU78.EXE
2010-11-30 23:04 15872 --sh--w- c:\windows\system32\NU98.EXE
2010-09-02 11:54 13312 --sh--w- c:\windows\system32\TC-G9.EXE
2010-09-14 01:09 12800 --sh--w- c:\windows\system32\TC-GP.EXE
2010-06-07 16:48 14336 --sh--w- c:\windows\system32\TC-WL2.EXE
2010-05-11 17:50 13824 --sh--w- c:\windows\system32\TC-WZ6.EXE
2010-10-16 18:05 13312 --sh--w- c:\windows\system32\TC-Z2P.EXE
2010-10-18 20:35 13824 --sh--w- c:\windows\system32\TC-Z3P.EXE
2010-11-17 23:05 12800 --sh--w- c:\windows\system32\TC-Z4P.EXE
2010-10-06 20:53 13824 --sh--w- c:\windows\system32\TC-ZGP.EXE
2010-07-05 20:41 14336 --sh--w- c:\windows\system32\VC-WL8.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59c6f12b-f004-43e5-9997-08f2123119b6}]
2010-12-05 18:24 81920 ----a-w- c:\program files\oovootoolbar\oovootoolbarX.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFE4B5CB-63F7-4A51-9266-6167655D5B4F}]
2010-10-23 01:49 1530368 ----a-w- c:\program files\Dogpile Bundle Toolbar\Toolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-05-26 22:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]
"{C80BDEB2-8735-44C6-BD55-A1CCD555667A}"= "c:\program files\Dogpile Bundle Toolbar\Toolbar.dll" [2010-10-23 1530368]
"{59c6f12b-f004-43e5-9997-08f2123119b6}"= "c:\program files\oovootoolbar\oovootoolbarX.dll" [2010-12-05 81920]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CLASSES_ROOT\clsid\{c80bdeb2-8735-44c6-bd55-a1ccd555667a}]
[HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{CCBDEEA9-517A-4862-B0A1-862AE9532228}]
[HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar]

[HKEY_CLASSES_ROOT\clsid\{59c6f12b-f004-43e5-9997-08f2123119b6}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]
"{C80BDEB2-8735-44C6-BD55-A1CCD555667A}"= "c:\program files\Dogpile Bundle Toolbar\Toolbar.dll" [2010-10-23 1530368]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CLASSES_ROOT\clsid\{c80bdeb2-8735-44c6-bd55-a1ccd555667a}]
[HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{CCBDEEA9-517A-4862-B0A1-862AE9532228}]
[HKEY_CLASSES_ROOT\FCTB000060231.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3954000]
"Google Update"="c:\documents and settings\TEMP\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-09-11 214000]
"ooVoo.exe"="c:\program files\ooVoo\oovoo.exe" [2010-11-01 20263608]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2010-04-16 900208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 237568]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 335872]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 233472]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-02-18 815104]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-01-16 1488168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-15 341400]
"HP Mobile Broadband"="c:\swsetup\HPQWWAN\HPMobileBroadband.exe" [2011-02-10 832056]
"Syncables"="c:\program files\syncables\syncables desktop\Syncables.exe" [2009-04-02 247088]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-06 916840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 668976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 220016]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 3004352]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 1011712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 219424]
"XP-D1C3E4E8"="c:\windows\system32\XP-D1C3E4E8.EXE" [2010-01-24 1690592]
"4StoryPrePatch"="c:\program files\Gameforge4D\GatesofAndaron\PrePatch.exe" [2010-10-06 413696]

c:\documents and settings\karina\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 171408]

c:\documents and settings\TEMP\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 171408]
Trillian.lnk - c:\program files\Trillian\trillian.exe [2010-8-23 2138464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\syncables\\syncables desktop\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\SWsetup\\HPQWWAN\\HPMobileBroadband.exe"=
"c:\\WINDOWS\\system32\\XP-D1C3E4E8.EXE"=
"c:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe"=
"c:\\Documents and Settings\\karina\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Program Files\\Microsoft\\Search Enhancement Pack\\Default Manager\\DefMgr.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\Roxio\\BackOnTrack\\Instant Restore\\RstIdle.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"=
"c:\\WINDOWS\\system32\\igfxsrvc.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=
"c:\\Program Files\\Roxio\\BackOnTrack\\Instant Restore\\UINotification.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\Program Files\\Hewlett-Packard\\Shared\\HpqToaster.exe"=
"c:\\Program Files\\IDT\\WDM\\sttray.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\WINDOWS\\system32\\igfxpers.exe"=
"c:\\Program Files\\syncables\\syncables desktop\\MigoMapi.exe"=
"c:\\Documents and Settings\\karina\\Local Settings\\Application Data\\Google\\Update\\1.2.183.23\\GoogleCrashHandler.exe"=
"c:\\WINDOWS\\system32\\MsiExec.exe"=
"c:\\Documents and Settings\\karina\\My Documents\\Downloads\\QuickTimeInstaller.exe"=
"c:\\Program Files\\Windows Live\\Toolbar\\wltuser.exe"=
"c:\\WINDOWS\\system32\\W15EC23D.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTEM.EXE"=
"c:\\WINDOWS\\system32\\QC19C885.EXE"=
"c:\\Program Files\\Windows Media Player\\wmdbexport.exe"=
"c:\\WINDOWS\\system32\\AESTFltr.exe"=
"c:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe"=
"c:\\PROGRA~1\\MICROS~3\\wkgdcach.exe"=
"c:\\Program Files\\MSN\\Toolbar\\3.0.0559.0\\msntask.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Wireless Assistant\\HPWAMain.exe"=
"c:\\Program Files\\syncables\\syncables desktop\\Syncables.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Microsoft Works\\WksWP.exe"=
"c:\\PROGRA~1\\MICROS~3\\WkDStore.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jucheck.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\WINDOWS\\system32\\WISPTIS.EXE"=
"c:\\Documents and Settings\\TEMP\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Documents and Settings\\TEMP\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe"=
"c:\\WINDOWS\\system32\\PV628725.EXE"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\PROGRA~1\\MICROS~3\\wkcalrem.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Google\\Update\\1.2.183.39\\GoogleCrashHandler.exe"=
"c:\\Program Files\\Dogpile Bundle Toolbar\\TroubleShooter.exe"=
"c:\\WINDOWS\\system32\\W582A6EC.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Gameforge4D\\GatesofAndaron\\PrePatch.exe"=
"c:\\WINDOWS\\system32\\igfxtray.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\kGhHmJd08501\\kGhHmJd08501.exe"=
"c:\\Program Files\\ooVoo\\oovoo.exe"=
"c:\\DOCUME~1\\TEMP\\LOCALS~1\\Temp\\winxdyak.exe"=
"c:\\DOCUME~1\\TEMP\\LOCALS~1\\Temp\\winlngn.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2/27/2011 11:51 PM 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2/27/2011 11:51 PM 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2/27/2011 11:51 PM 656320]
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [6/14/2009 7:57 PM 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [6/14/2009 7:57 PM 15856]
R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [9/25/2008 12:09 AM 103792]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [6/14/2009 7:57 PM 25584]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [12/12/2008 12:46 AM 125424]
R2 BOTService;BOTService;c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe [3/19/2009 2:04 PM 203248]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [6/14/2009 7:47 PM 113664]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [3/2/2009 4:03 PM 38912]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/8/2010 2:00 PM 205296]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 EraserUtilDrv10822;EraserUtilDrv10822;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10822.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10822.sys [?]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys --> c:\windows\system32\Drivers\RTS5121.sys [?]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [2/27/2011 11:50 PM 440568]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ASC3360PR
.
Contents of the 'Scheduled Tasks' folder

2011-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2011-03-03 c:\windows\Tasks\BackOnTrack Instant Restore Idle.job
- c:\program files\Roxio\BackOnTrack\Instant Restore\RstIdle.exe [2009-03-19 19:05]

2011-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-08 19:00]

2011-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-08 19:00]

2011-03-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-85108940-1029042187-4087283800-1006Core.job
- c:\documents and settings\TEMP\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-11 05:01]

2011-03-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-85108940-1029042187-4087283800-1006UA.job
- c:\documents and settings\TEMP\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-11 05:01]

2011-03-02 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 22:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z015&form=ZGAPHP
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe
HKLM-Run-HP BTW Detect Program - c:\program files\HP\HPBTWD.exe
HKLM-Run-Mightymagoo - c:\program files\Mighty Magoo\mightymagoo32.exe
HKLM-Run-Gamevance - c:\program files\Gamevance\gamevance32.exe
HKU-Default-Run-Tok-Cirrhatus - (no file)
AddRemove-Gamevance - c:\program files\Gamevance\gvun.exe
AddRemove-MightyMagoo - c:\program files\Mighty Magoo\mmagooun.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-02 22:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(888)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(2340)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\idt\wdm\STacSV.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Roxio\BackOnTrack\Instant Restore\UINotification.exe
c:\docume~1\TEMP\LOCALS~1\Temp\winxdyak.exe
c:\docume~1\TEMP\LOCALS~1\Temp\winlngn.exe
.
**************************************************************************
.
Completion time: 2011-03-02 22:14:27 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-03 03:14

Pre-Run: 113,543,352,320 bytes free
Post-Run: 113,809,838,080 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - CD8A55FBDFDAA37FF7F810384E4F0D4B
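The "Other Running Processes" list in the ComboFix log above is where the live infection shows itself: two executables (winxdyak.exe, winlngn.exe) running out of the user's Local Settings\Temp directory, which no legitimate boot-time service does. The following is an added example, not part of the original thread and not ComboFix's own code, showing the triage check a responder would run over that list: expand the XP 8.3 aliases (docume~1, locals~1; the expansion table assumes default XP folder names), then flag any executable whose path has a Temp segment directly under Local Settings, under the Windows directory, or at the drive root. The sample listing is constructed from entries in the log above plus one made-up c:\windows\temp entry to exercise the system-Temp case. Note that the user profile on this machine is literally named TEMP, so a naive substring match on "temp" would flag every per-user path, including the legitimate per-user GoogleUpdate.exe; that is why the check keys on the parent segment rather than on the name alone.

```python
from __future__ import annotations

# Constructed sample in the format of ComboFix's "Other Running Processes"
# section. The first five entries mirror the log above; the last one is
# made up to show the %SystemRoot%\Temp case.
SAMPLE_PROCESSES = r"""
c:\program files\idt\wdm\STacSV.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\documents and settings\TEMP\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
c:\docume~1\TEMP\LOCALS~1\Temp\winxdyak.exe
c:\docume~1\TEMP\LOCALS~1\Temp\winlngn.exe
c:\windows\temp\svc.exe
"""

# Assumption: default XP 8.3 short names for the standard folders.
SHORT_NAMES = {
    "docume~1": "documents and settings",
    "locals~1": "local settings",
    "progra~1": "program files",
    "applic~1": "application data",
}


def normalize(path: str) -> list[str]:
    """Lower-case the path, split on backslashes and expand 8.3 aliases."""
    parts = path.strip().lower().split("\\")
    return [SHORT_NAMES.get(p, p) for p in parts]


def is_temp_location(parts: list[str]) -> bool:
    """True when the executable lives in a per-user or system Temp directory.

    The temp segment must follow 'local settings', 'windows' or the drive
    root. A profile that merely happens to be named TEMP (as on this machine,
    under 'documents and settings') is not flagged.
    """
    for i in range(len(parts) - 2):  # a file name must follow the temp segment
        parent, child = parts[i], parts[i + 1]
        if child in ("temp", "tmp") and (
            parent in ("local settings", "windows") or parent.endswith(":")
        ):
            return True
    return False


def flag_temp_executables(listing: str) -> list[str]:
    """Return the listing entries, verbatim, that run from a Temp directory."""
    return [
        line.strip()
        for line in listing.splitlines()
        if line.strip() and is_temp_location(normalize(line))
    ]


if __name__ == "__main__":
    for path in flag_temp_executables(SAMPLE_PROCESSES):
        print("running from Temp:", path)
```

The same check applies to the scheduled-task targets and the orphaned Run entries earlier in the log; the per-user GoogleUpdate.exe under Local Settings\Application Data is normal for Google's updater and is correctly left alone.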

#10 CatByte (Malware Response Team)

Posted 04 March 2011 - 08:40 AM

Hi

Sorry I didn't get back to you sooner, I was traveling.

I don't believe it is good news. The "file replicators" section generally means there is an infection such as Ramnit on board, which is only cleanable with a reformat/reinstall, as it is impossible to clean because many, many files could be infected.

Run these scans to be certain:


Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 Magpiefly (Topic Starter)

Posted 04 March 2011 - 10:40 AM

Thanks. Oh, I hope it's not that infected :( I accidentally selected it not to restart, so I rescanned and then restarted. I'm posting both logs.


Here is the first Malwarebytes' Anti-Malware Log:


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5951
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
3/4/2011 10:22:16 AM
mbam-log-2011-03-04 (10-22-16).txt
Scan type: Quick scan
Objects scanned: 171190
Time elapsed: 5 minute(s), 20 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 6
Folders Infected: 3
Files Infected: 26
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\APPID\MightyMagooText.DLL (PUP.MightyMagoo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\GamevanceText.DLL (Adware.GameVance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AppDataLow\gvtl (Adware.GameVance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AppDataLow\mmagootl (PUP.MightyMagoo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MightyMagoo (PUP.MightyMagoo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32 (Virus.Sality) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XP-D1C3E4E8 (Trojan.Agent) -> Value: XP-D1C3E4E8 -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
c:\documents and settings\TEMP\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com (PUP.MightyMagoo) -> Quarantined and deleted successfully.
c:\documents and settings\TEMP\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\chrome (PUP.MightyMagoo) -> Quarantined and deleted successfully.
c:\documents and settings\TEMP\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\components (PUP.MightyMagoo) -> Quarantined and deleted successfully.
Files Infected:
c:\documents and settings\TEMP\my documents\downloads\mightymagoo.exe (PUP.MightyMagoo) -> Quarantined and deleted successfully.
c:\7668-nendangbro.com (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\klmhg.pif (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\GC-BZ6.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\k@riin@'s setting.scr (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\karina's setting.scr (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\N9B55CF1.EXE (Trojan.FlyStudio) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\NU78.EXE (Trojan.FlyStudio) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\R114586D.EXE (Trojan.Dynamer) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SU77BCD2.EXE (Trojan.Dynamer) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\system's setting.scr (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\TC-Z3P.EXE (Trojan.FlyStudio) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\TC-Z4P.EXE (Trojan.Dynamer) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\temp's setting.scr (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\Z77FD328.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\ZH98.EXE (Trojan.FlyStudio) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\ZH99.EXE (Trojan.Dynamer) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\ZX9E0321.EXE (Trojan.FlyStudio) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\zz26738b8.exe (Trojan.FlyStudio) -> Quarantined and deleted successfully.
c:\WINDOWS\Media\svchost.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\xp-d1c3e4e8.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\TEMP\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\chrome.manifest (PUP.MightyMagoo) -> Quarantined and deleted successfully.
c:\documents and settings\TEMP\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\install.rdf (PUP.MightyMagoo) -> Quarantined and deleted successfully.
c:\documents and settings\TEMP\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\chrome\mmtextlinks.jar (PUP.MightyMagoo) -> Quarantined and deleted successfully.
c:\documents and settings\TEMP\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\components\mmagootlf.dll (PUP.MightyMagoo) -> Quarantined and deleted successfully.
c:\documents and settings\TEMP\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\components\mmagootlf.xpt (PUP.MightyMagoo) -> Quarantined and deleted successfully.

Here is the second Malwarebytes' Anti-Malware Log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5951
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
3/4/2011 10:37:13 AM
mbam-log-2011-03-04 (10-37-13).txt
Scan type: Quick scan
Objects scanned: 171332
Time elapsed: 5 minute(s), 22 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\klmhg.pif (Malware.Packer.Gen) -> Quarantined and deleted successfully.
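The two logs above, taken fifteen minutes apart, show the same policy values (DisableTaskMgr, DisableRegistryTools and the three Security Center notification flags) and the same file c:\klmhg.pif being "quarantined and deleted" twice. Items that come back after removal are being re-created by something still running, not left over from the first pass; that recurrence is the signal to read from a pair of scans. As an added example that is not part of the original post and not Malwarebytes' own tooling, here is a parser for the MBAM 1.50 log format shown above, a diff of two scans that lists the re-detected items, and a helper that pulls out the PUM.* policy-tampering values. The function names (parse_mbam, recurring, policy_tampering) are mine, and the two sample logs are constructed excerpts trimmed from the logs above.

```python
from __future__ import annotations

import re

# Constructed excerpts of the two MBAM logs posted above (trimmed).
FIRST_SCAN = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Scan type: Quick scan
Registry Keys Infected: 2
Registry Data Items Infected: 3
Files Infected: 2
Registry Keys Infected:
HKEY_CURRENT_USER\Software\AppDataLow\gvtl (Adware.GameVance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32 (Virus.Sality) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
c:\klmhg.pif (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\Media\svchost.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
"""

SECOND_SCAN = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Scan type: Quick scan
Registry Keys Infected: 0
Registry Data Items Infected: 2
Files Infected: 1
Registry Keys Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
c:\klmhg.pif (Malware.Packer.Gen) -> Quarantined and deleted successfully.
"""

# "Files Infected: 26" is a summary line (has a count); a bare "Files Infected:"
# opens the detail section that follows.
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?$")
# "<item> (<classification>) -> <action>"
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<cls>[^()]+)\) -> ")


def parse_mbam(log: str) -> dict[str, list[tuple[str, str]]]:
    """Map each 'X Infected' detail section to its (item, classification) pairs."""
    sections: dict[str, list[tuple[str, str]]] = {}
    current: str | None = None
    for raw in log.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            if header.group("count") is None:  # detail header, not the summary
                current = header.group("section")
                sections.setdefault(current, [])
            continue
        item = ITEM_RE.match(line)
        if item and current is not None:
            sections[current].append((item.group("item"), item.group("cls")))
    return sections


def recurring(first: str, second: str) -> list[tuple[str, str, str]]:
    """Items removed in the first scan that are detected again in the second.

    Returns (section, item, classification) triples; anything listed here is
    being re-created by a live component, not left over from the first pass.
    """
    before = parse_mbam(first)
    after = parse_mbam(second)
    hits: list[tuple[str, str, str]] = []
    for section, items in after.items():
        seen = set(before.get(section, []))
        hits.extend((section, item, cls) for item, cls in items if (item, cls) in seen)
    return hits


def policy_tampering(log: str) -> list[str]:
    """Registry data items classified PUM.* (policy values such as
    DisableTaskMgr that malware sets to blind the user and Security Center)."""
    data_items = parse_mbam(log).get("Registry Data Items Infected", [])
    return [item for item, cls in data_items if cls.startswith("PUM.")]


if __name__ == "__main__":
    for section, item, cls in recurring(FIRST_SCAN, SECOND_SCAN):
        print(f"re-detected [{cls}] {item}")
```

Run against the full logs above, the diff lists five PUM.* values and c:\klmhg.pif; on a machine where the first scan had actually cleaned things, the second scan's detail sections would all read "(No malicious items detected)" and the diff would be empty.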

#12 Magpiefly (Topic Starter)

Posted 04 March 2011 - 11:07 AM

For some reason the online scan website will not open no matter how many times I refresh, but I can get on in my Mac.

#13 CatByte (Malware Response Team)

Posted 04 March 2011 - 11:33 AM

OK

Go to the Kaspersky website and download and install the trial AV (uninstall it when you are done), then post the resulting log:

http://www.kaspersky.com/kav-trial-register

When the scan is complete, re-run ComboFix; allow it to update if it requests to do so.



#14 Magpiefly (Topic Starter)

Posted 04 March 2011 - 12:28 PM

OK so, I tried to download Kaspersky but the site would not open, so what I did is I opened it in my Mac laptop,

then downloaded the exe file and saved it to a memory stick. Then I installed it on the problem computer and tried to run Kaspersky, but every time it would try to run and then it would stop.

Thanks for all your patience

Should i still re-run ComboFix?


Edit: Now whenever I press Kaspersky it loads but then goes straight to a bluescreen and proceeds to restart. :o

Edited by Magpiefly, 04 March 2011 - 12:55 PM.


#15 CatByte (Malware Response Team)

Posted 04 March 2011 - 01:58 PM

Yes, I'm afraid your machine is still infected. Give ComboFix another run and we'll see where we go from there.
