Can't access my safe mode from any of the ways, my system restore,
chenery, Nov 1 2008, 07:30 PM, Post #1 (New Member, Posts: 8, From: North Carolina, OS: xp)

QUOTE (chenery @ Oct 30 2008, 10:02 PM)
Information removed as it is dangerous


Hello, I hope I did this right, for I am very new to this fixing problem, or just about learning about my computer. Many thanks to all and also to the member that replied to me. I followed all the steps and, I hope, correctly. Practice makes perfect. When I booted back up the last time, Kodak file ESApp.dll could not be loaded? Also: incompatible software running, Kaspersky Antivirus; as a result Standard Shield, P2P Shield, Instant Messaging Shield disabled. Yet I could find no Kaspersky products to remove. Also I had 81 viruses, trojans, spyware etc.! Also when I ran the Malware I had 160+ of them. Everything is quarantined. Well, thanks to everyone, and I am learning.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24:09 PM, on 11/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\keyhook.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\BellSouth Accelerator Technology\propelac.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\WINDOWS\system32\sistray.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\Program Files\Insight Development\Net Knowledge Tools\Common\iSchedule-it.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Digital Lifeline\bin\mpbtn.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\OpenOffice.org1.0\program\soffice.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\SbPFCl.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchFilter.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.v2premier.com"); (C:\Documents and Settings\DEBORAH\Application Data\Mozilla\Profiles\default\szbd82yu.slt\prefs.js)
O1 - Hosts: 61.191.52.111 sdch.sdo.com
O1 - Hosts: 61.191.52.111 ekey.sdo.com
O1 - Hosts: 61.191.52.103 mir2.sdo.com
O1 - Hosts: 61.191.52.111 kf.sdo.com
O1 - Hosts: 61.191.52.103 www.mir2.com.cn
O1 - Hosts: 61.191.52.103 mir2.com.cn
O1 - Hosts: 61.191.52.103 home.mir2.sdo.com
O1 - Hosts: 61.191.52.103 shandacs.allyes.com
O1 - Hosts: 61.191.52.103 home.woool.sdo.com
O1 - Hosts: 61.191.52.103 woool.sdo.com
O1 - Hosts: 61.191.52.111 pwd.sdo.com
O1 - Hosts: 61.191.52.111 www.sdo.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - (no file)
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\BellSouth Accelerator Technology\prpl_IePopupBlocker.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\BellSouth Accelerator Technology\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB002" /M "Stylus C84"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [HelpCenter4.1] C:\Program Files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe /P HelpCenter4.1
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /M "Stylus C84" /EF "HKCU"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [System Mechanic Startup Guard] "C:\Program Files\iolo\System Mechanic 5 Professional\StartupGuard.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [iolo Utility Bar] "C:\Program Files\iolo\System Mechanic 5 Professional\SMUtilityBar.exe"
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKLM\..\Policies\Explorer\Run: [put120] put120.exe
O4 - HKLM\..\Policies\Explorer\Run: [pksetexd.exe] C:\WINDOWS\system32\pksetexd.exe
O4 - HKLM\..\Policies\Explorer\Run: [kvtrwkcc.exe] C:\WINDOWS\system32\kvtrwkcc.exe
O4 - S-1-5-18 Startup: OpenOffice.org 1.0.lnk = C:\Program Files\OpenOffice.org1.0\program\quickstart.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OpenOffice.org 1.0.lnk = C:\Program Files\OpenOffice.org1.0\program\quickstart.exe (User 'Default user')
O4 - .DEFAULT User Startup: OpenOffice.org 1.0.lnk = C:\Program Files\OpenOffice.org1.0\program\quickstart.exe (User 'Default user')
O4 - Startup: OpenOffice.org 1.0.lnk = C:\Program Files\OpenOffice.org1.0\program\quickstart.exe
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: iSchedule-it.lnk = C:\Program Files\Insight Development\Net Knowledge Tools\Common\iSchedule-it.exe
O4 - Global Startup: Digital Lifeline.lnk = C:\Program Files\Digital Lifeline\bin\mpbtn.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Personal Coach.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Defender Pro\Defender Pro Internet Security 6.0\ie_banner_deny.htm
O8 - Extra context menu item: Capture Links - C:\Program Files\Insight Development\Net Knowledge Tools\common\MenuExtCaptureLinks.js
O8 - Extra context menu item: Capture Page - C:\Program Files\Insight Development\Net Knowledge Tools\common\MenuExtCapturePage.js
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\BellSouth Accelerator Technology\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\BellSouth Accelerator Technology\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Insight NetKnowledge Tools - {102910D3-CF07-4BED-ACDC-D165385B9B66} - C:\Program Files\Insight Development\Net Knowledge Tools\common\Insight NetKnowledge Tools.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Deborah\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.taxsimple.org/tsweb/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3444EB45-5F68-4030-95C1-0E8E6EE7A789}: NameServer = 207.40.113.20,192.168.1.2
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: SbPF.Launcher - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFLnch.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software, Inc. - C:\Program Files\Sunbelt Software\Personal Firewall\SbPFSvc.exe

--
End of file - 16029 bytes
Essexboy, Nov 2 2008, 12:12 PM, Post #2 (Global Moderator, Posts: 10,049, From: Darkest Cornwall, OS: Vista Ultimate)

Hi there and welcome. If you are unsure of anything I ask you to do, then stop and let me know.

But first, did you put these Chinese sites in your Hosts file?
QUOTE
O1 - Hosts: 61.191.52.111 sdch.sdo.com
O1 - Hosts: 61.191.52.111 ekey.sdo.com
O1 - Hosts: 61.191.52.103 mir2.sdo.com
O1 - Hosts: 61.191.52.111 kf.sdo.com
O1 - Hosts: 61.191.52.103 www.mir2.com.cn
O1 - Hosts: 61.191.52.103 mir2.com.cn
O1 - Hosts: 61.191.52.103 home.mir2.sdo.com
O1 - Hosts: 61.191.52.103 shandacs.allyes.com
O1 - Hosts: 61.191.52.103 home.woool.sdo.com
O1 - Hosts: 61.191.52.103 woool.sdo.com
O1 - Hosts: 61.191.52.111 pwd.sdo.com
O1 - Hosts: 61.191.52.111 www.sdo.com
The reason I ask is that this looks like a Chinese infection.

Let's start to move these, shall we; first we will clear the easy rubbish.

This is a long fix, so I would recommend that you copy it to a text file for reference, doing one stage at a time. If one stage should fail, then move on to the next.

Please download ATF Cleaner by Atribune.
This program is for XP, Vista and Windows 2000 only
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

NEXT

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

FOLLOWED BY

Please download OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    CODE
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    "put120"=-
    "pksetexd.exe"=-
    "kvtrwkcc.exe"=-

    :Files
    C:\put120.exe /s
    C:\WINDOWS\system32\pksetexd.exe
    C:\WINDOWS\system32\kvtrwkcc.exe

    :Commands
    [purity]
    [emptytemp]

  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

FINALLY FOR NOW

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the Radio button for Rootkit check YES
  • Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
  • Under Additional Scans check the following:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post
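The reply above picks three things out of the HijackThis log by eye: hosts entries that pin names to a non-loopback address, autostarts under Policies\Explorer\Run (a key legitimate installers rarely use, so anything there deserves a look), and BHO entries whose DLL is "(no file)". As an added example, not part of the thread and not code from HijackThis or its author, the Python below applies those same checks to a constructed excerpt in HijackThis's own line format (a few of the thread's lines plus a benign 127.0.0.1 localhost line). The loopback set, the "(no file)" marker and the sample text are assumptions about the log format.

```python
"""Triage a HijackThis 2.0 log for the three indicators picked out in the
reply above: hosts-file redirections, autostarts under
Policies\\Explorer\\Run, and BHO entries whose DLL is missing."""
import re
from collections import defaultdict
from dataclasses import dataclass

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RUN_RE = re.compile(
    r"^O4 - (HKLM|HKCU)\\\.\.\\(Policies\\Explorer\\Run|Run): \[([^\]]*)\] (.*)$")
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}  # assumed benign hosts targets

# Constructed sample in HijackThis's line format: a subset of the thread's log
# plus a benign localhost line. Not the full log posted above.
SAMPLE_LOG = r"""O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 61.191.52.111 www.sdo.com
O1 - Hosts: 61.191.52.103 mir2.sdo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Policies\Explorer\Run: [put120] put120.exe
O4 - HKLM\..\Policies\Explorer\Run: [pksetexd.exe] C:\WINDOWS\system32\pksetexd.exe
"""


@dataclass
class Finding:
    kind: str    # hosts-redirect | orphan-bho | policies-run
    line: str    # the log line that triggered it
    reason: str  # one-line explanation for the reviewer


def triage(log_text):
    """Return one Finding per suspicious line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if ip not in LOOPBACK:
                findings.append(Finding("hosts-redirect", line, f"{host} is pinned to {ip}"))
            continue
        m = BHO_RE.match(line)
        if m:
            _name, clsid, path = m.groups()
            if path == "(no file)":
                findings.append(Finding("orphan-bho", line,
                                        f"{clsid} is registered but its DLL is gone"))
            continue
        m = RUN_RE.match(line)
        if m:
            _hive, key, _name, cmd = m.groups()
            if key.startswith("Policies"):
                # A bare file name has no directory, so Explorer resolves it by PATH search.
                where = "no directory, so it is found by PATH search" if "\\" not in cmd else cmd
                findings.append(Finding("policies-run", line,
                                        f"Policies\\Explorer\\Run autostart ({where})"))
    return findings


def hosts_by_target(findings):
    """Group redirected host names by the IP they were pinned to."""
    grouped = defaultdict(list)
    for f in findings:
        if f.kind == "hosts-redirect":
            ip, host = f.line.split()[3:5]
            grouped[ip].append(host)
    return dict(grouped)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.kind}] {f.reason}")
    print(hosts_by_target(found))
```

Grouping the hosts lines by target address is what makes the "did you add these yourself?" question easy to answer: a dozen unrelated game and login portals all pointed at two addresses in one block is a hijack pattern, not something a user types in by hand.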
chenery, Nov 2 2008, 03:00 PM, Post #3 (New Member, Posts: 8, From: North Carolina, OS: xp)

Hello Sir Essexboy,
Attached File: OTScanIt.Txt (248.55K)


Thank you a million times over. My greatest gratitude.

No, I didn't put these Chinese sites in my Hosts file. This seems to have started a few days ago when my computer shut down on its own; then when it booted back up it had a Chinese home page which replaced my home page, and no matter what I did I couldn't change it, and also no safe mode or system restore etc. I have my system restore back plus my system settings, which before I couldn't control either; don't know about the safe mode. I was given 8 things to perform, then send that HijackThis report in, and now these other logs, except when I ran the OTMoveIt3 by OldTimer it brought up nothing. The only message that keeps coming up when I reboot is my avast virus window with a message saying incompatible software running, Kaspersky Antivirus, which I uninstalled but I can't find it anywhere, and as a result Standard Shield/P2P Shield/Instant Messenger Shield disabled. Well, if I am not doing something right, please correct me. Have a great day.
Chenery

Malwarebytes' Anti-Malware 1.30
Database version: 1357
Windows 5.1.2600 Service Pack 3

11/2/2008 2:20:44 PM
mbam-log-2008-11-02 (14-20-44).txt

Scan type: Quick Scan
Objects scanned: 61463
Time elapsed: 5 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\disk (Trojan.Agent) -> Delete on reboot.

Awaiting your instructions!
Essexboy, Nov 2 2008, 04:05 PM, Post #4 (Global Moderator, Posts: 10,049, From: Darkest Cornwall, OS: Vista Ultimate)

Looks better; still some to get, though.

First, let's get rid of Kaspersky so that avast will work properly.

Go to this page and read the instructions for using the removal tool. Then download the tool from here

A reboot will be required

Now to remove the balance of what I can see

Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

CODE
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\put120 -> put120.exe
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\pksetexd.exe -> %SystemRoot%\system32\pksetexd.exe [C:\WINDOWS\system32\pksetexd.exe]
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\kvtrwkcc.exe -> %SystemRoot%\system32\kvtrwkcc.exe [C:\WINDOWS\system32\kvtrwkcc.exe]
< HOSTS File > (391 bytes and 17 lines) -> C:\WINDOWS\System32\drivers\etc\Hosts
YN -> 61.191.52.111 sdch.sdo.com ->
YN -> 61.191.52.111 ekey.sdo.com ->
YN -> 61.191.52.103 mir2.sdo.com ->
YN -> 61.191.52.111 kf.sdo.com ->
YN -> 61.191.52.103 www.mir2.com.cn ->
YN -> 61.191.52.103 mir2.com.cn ->
YN -> 61.191.52.103 home.mir2.sdo.com ->
YN -> 61.191.52.103 shandacs.allyes.com ->
YN -> 61.191.52.103 home.woool.sdo.com ->
YN -> 61.191.52.103 woool.sdo.com ->
YN -> 61.191.52.111 pwd.sdo.com ->
YN -> 61.191.52.111 www.sdo.com ->
[Files/Folders - Created Within 90 days]
NY -> pksetexd.inf -> %SystemRoot%\System32\pksetexd.inf
NY -> wukak.exe -> %SystemRoot%\wukak.exe
NY -> qhpqj.exe -> %SystemRoot%\qhpqj.exe
NY -> lvohy.exe -> %SystemRoot%\lvohy.exe
NY -> pedhu.exe -> %SystemRoot%\pedhu.exe
NY -> oxfby.exe -> %SystemRoot%\oxfby.exe
NY -> hxuak.exe -> %SystemRoot%\hxuak.exe
[Files/Folders - Modified Within 90 days]
NY -> pksetexd.inf -> %SystemRoot%\System32\pksetexd.inf
NY -> qwimp.ini -> %SystemRoot%\qwimp.ini
NY -> wukak.exe -> %SystemRoot%\wukak.exe
NY -> qhpqj.exe -> %SystemRoot%\qhpqj.exe
NY -> lvohy.exe -> %SystemRoot%\lvohy.exe
NY -> pedhu.exe -> %SystemRoot%\pedhu.exe
NY -> oxfby.exe -> %SystemRoot%\oxfby.exe
NY -> hxuak.exe -> %SystemRoot%\hxuak.exe
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new Hijackthis log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

On completion of this, retry safe mode and let me know if it works, plus any other problems you are experiencing.
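The fix above removes a cluster of five-letter .exe files (wukak.exe, qhpqj.exe, lvohy.exe and so on) that OTScanIt found dropped directly into %SystemRoot% within the last 90 days. The Windows directory itself holds only a handful of stock executables, so a new, unknown binary sitting there rather than under System32 or Program Files is a strong lead. As an added example, not from the thread and not OTScanIt's own code, the Python below parses a constructed report in OTScanIt's section/entry layout and flags any executable directly under %SystemRoot% that is not on a short allowlist of stock XP binaries. The allowlist is an assumption and deliberately incomplete; treat hits as items to check (signature, timestamp, vendor), not verdicts.

```python
"""Flag executables that sit directly in %SystemRoot% in an OTScanIt report,
the pattern behind the wukak.exe/qhpqj.exe/... entries removed above."""
import re

SECTION_RE = re.compile(r"^\[(.+)\]$")
ENTRY_RE = re.compile(r"^(?P<flags>[YN]{2}) -> (?P<name>\S+) -> (?P<path>.+)$")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
# Assumed, deliberately short allowlist of binaries that ship in the root of
# an XP install; anything else there is worth a second look, not a verdict.
STOCK_ROOT_BINARIES = {
    "explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
    "winhelp.exe", "winhlp32.exe", "twunk_16.exe", "twunk_32.exe",
}

# Constructed sample in OTScanIt's layout, mixing the thread's entries with
# benign ones (notepad.exe, mbam.exe, qmgr0.dat). Not the log posted above.
SAMPLE_REPORT = r"""[Files/Folders - Created Within 90 days]
NY -> pksetexd.inf -> %SystemRoot%\System32\pksetexd.inf
NY -> wukak.exe -> %SystemRoot%\wukak.exe
NY -> qhpqj.exe -> %SystemRoot%\qhpqj.exe
NY -> notepad.exe -> %SystemRoot%\notepad.exe
NY -> mbam.exe -> %ProgramFiles%\Malwarebytes' Anti-Malware\mbam.exe
[Files/Folders - Modified Within 90 days]
NY -> lvohy.exe -> %SystemRoot%\lvohy.exe
NY -> wukak.exe -> %SystemRoot%\wukak.exe
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
"""


def parse_report(text):
    """Yield (section, flags, name, path) for every entry line under a [section]."""
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and section is not None:
            yield section, m["flags"], m["name"], m["path"]


def in_windows_root(path):
    """True only for files directly beneath %SystemRoot%, not System32 or deeper."""
    prefix = "%systemroot%\\"
    p = path.lower()
    return p.startswith(prefix) and "\\" not in p[len(prefix):]


def suspicious_root_binaries(text):
    """Map file name -> list of report sections it appeared in."""
    hits = {}
    for section, _flags, name, path in parse_report(text):
        lname = name.lower()
        if not lname.endswith(EXEC_EXT) or not in_windows_root(path):
            continue
        if lname in STOCK_ROOT_BINARIES:
            continue
        hits.setdefault(lname, []).append(section)
    return hits


if __name__ == "__main__":
    for name, sections in sorted(suspicious_root_binaries(SAMPLE_REPORT).items()):
        print(f"{name}: {', '.join(sections)}")
```

A file that shows up in both the "Created" and "Modified" sections was written within the window and has not been touched by an installer since, which is consistent with a dropper rather than a product update; that is why the function keeps the section list per file instead of collapsing it to a set.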
chenery, Nov 3 2008, 02:11 AM, Post #5 (New Member, Posts: 8, From: North Carolina, OS: xp)

Hello again,
I am starting this post again because this is the 2nd time; I was almost done and it disappeared on me. I am so tired; I have been working on this problem for about 10 hours now. I have tried to remove Kaspersky with no luck. I have been all over their web site trying to find an answer, not. I manually went into the registry and deleted it, but after I rebooted it was right back again. I probably did it about 12 times because I wasn't going to be defeated, but they got me; I give up. I guess Kaspersky doesn't want to leave. These are the antivirus software I have had on my computer for the last few years: McAfee, Panda, System Mechanic 5, System Mechanic 6, Defender Pro 10-in-1, Defender Pro 15-in-1 2008. When I booted back up the last time, Kodak file ESApp.dll could not be loaded? Also the avast box came up with this message: incompatible software running, Kaspersky Antivirus; as a result Standard Shield, P2P Shield, Instant Messaging Shield in avast is disabled.
CODE
OTScanIt logfile created on: 11/3/2008 1:45:05 AM
OTScanIt by OldTimer - Version 1.0.19.0     Folder = C:\Documents and Settings\Deborah\Desktop\OTScanIt
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

447.48 Mb Total Physical Memory | 124.08 Mb Available Physical Memory | 27.73% Memory free
1.03 Gb Paging File | 0.52 Gb Available in Paging File | 49.93% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 142.34 Gb Total Space | 105.34 Gb Free Space | 74.01% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JCPDAM
Current User Name: Deborah
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On

[Processes - Non-Microsoft Only]
aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 8, 1227, 0 | Size = 16056 bytes | Modified Date = 7/19/2008 10:25:06 AM | Attr =    ]
ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 8, 1227, 0 | Size = 147640 bytes | Modified Date = 7/19/2008 10:38:28 AM | Attr =    ]
aolsp scheduler.exe -> %SystemDrive%\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe ->  [Ver = 1, 5, 0, 0 | Size = 83544 bytes | Modified Date = 4/11/2005 10:36:56 AM | Attr =    ]
ashdisp.exe -> %SystemDrive%\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 8, 1227, 0 | Size = 78008 bytes | Modified Date = 7/19/2008 10:38:34 AM | Attr =    ]
e_s4i2d1.exe -> %SystemRoot%\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE -> SEIKO EPSON CORPORATION [Ver = 3.00 | Size = 99840 bytes | Modified Date = 5/27/2003 3:00:00 AM | Attr =    ]
propelac.exe -> %ProgramFiles%\BellSouth Accelerator Technology\propelac.exe -> Propel Software Corporation [Ver = 5.1.1 | Size = 918331 bytes | Modified Date = 6/27/2006 5:08:00 PM | Attr =    ]
mnyexpr.exe -> %ProgramFiles%\Microsoft Money\System\mnyexpr.exe -> Microsoft Corp. [Ver = 12.00.0613 | Size = 200704 bytes | Modified Date = 6/18/2003 12:00:00 PM | Attr =    ]
pcletray.exe -> %ProgramFiles%\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe -> Pinnacle Systems [Ver = 1.0.0.36 | Size = 770048 bytes | Modified Date = 9/2/2004 10:37:44 AM | Attr =    ]
crypserv.exe -> %SystemRoot%\system32\crypserv.exe -> Kenonic Controls Ltd. [Ver = 5.4.0 | Size = 52224 bytes | Modified Date = 6/29/2000 1:45:10 AM | Attr =    ]
mccicmservice.exe -> %CommonProgramFiles%\Motive\McciCMService.exe -> Motive Communications, Inc. [Ver = 6,1,0,218 | Size = 303104 bytes | Modified Date = 1/28/2008 4:56:42 PM | Attr =    ]
ischedule-it.exe -> %ProgramFiles%\Insight Development\Net Knowledge Tools\Common\iSchedule-it.exe -> Insight Development Corporation [Ver = 2, 1, 0, 0 | Size = 221184 bytes | Modified Date = 4/25/2002 10:40:04 AM | Attr =    ]
mpbtn.exe -> %ProgramFiles%\Digital Lifeline\bin\mpbtn.exe -> Motive Communications, Inc. [Ver = 4.03.01.1.20010830_170344 | Size = 176128 bytes | Modified Date = 8/30/2001 5:17:06 PM | Attr =    ]
sbpflnch.exe -> %ProgramFiles%\Sunbelt Software\Personal Firewall\SbPFLnch.exe -> Sunbelt Software, Inc. [Ver = 4.6.1845.0 | Size = 95528 bytes | Modified Date = 7/30/2008 10:36:54 AM | Attr =    ]
minimavis.exe -> %ProgramFiles%\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe -> TLC Education Properties LLC [Ver = 1, 0, 0, 1 | Size = 2392064 bytes | Modified Date = 8/30/2002 12:02:58 PM | Attr =    ]
wincinemamgr.exe -> %ProgramFiles%\InterVideo\Common\Bin\WinCinemaMgr.exe -> InterVideo Inc. [Ver = 1.7.1 | Size = 114688 bytes | Modified Date = 12/12/2003 8:02:12 PM | Attr =    ]
slserv.exe -> %SystemRoot%\system32\slserv.exe ->   [Ver = 2.80.00(24Apr2000) | Size = 45056 bytes | Modified Date = 8/10/2003 8:28:42 PM | Attr =    ]
sbpfsvc.exe -> %ProgramFiles%\Sunbelt Software\Personal Firewall\SbPFSvc.exe -> Sunbelt Software, Inc. [Ver = 4.6.1845.0 | Size = 1361192 bytes | Modified Date = 7/30/2008 10:36:56 AM | Attr =    ]
sbpfcl.exe -> %ProgramFiles%\Sunbelt Software\Personal Firewall\SbPFCl.exe -> Sunbelt Software, Inc. [Ver = 4.6.1845.0 | Size = 1705256 bytes | Modified Date = 7/30/2008 10:36:54 AM | Attr =    ]
ashmaisv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 8, 1227, 0 | Size = 250040 bytes | Modified Date = 7/19/2008 10:38:04 AM | Attr =    ]
ashwebsv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 8, 1229, 0 | Size = 348344 bytes | Modified Date = 7/23/2008 10:25:46 AM | Attr =    ]
firefox.exe -> %ProgramFiles%\Mozilla Firefox\firefox.exe -> Mozilla Corporation [Ver = 1.9.0.3 | Size = 307712 bytes | Modified Date = 10/8/2008 1:15:38 AM | Attr =    ]

[Win32 Services - Non-Microsoft Only]
(AOLService) AOL Spyware Protection Service [Win32_Own | Auto | Stopped] -> %SystemDrive%\PROGRA~1\COMMON~1\AOL\AOLSPY~1\aolserv.exe ->  [Ver =  | Size = 184373 bytes | Modified Date = 6/29/2004 9:29:30 AM | Attr =    ]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 8, 1227, 0 | Size = 16056 bytes | Modified Date = 7/19/2008 10:25:06 AM | Attr =    ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 8, 1227, 0 | Size = 147640 bytes | Modified Date = 7/19/2008 10:38:28 AM | Attr =    ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 8, 1227, 0 | Size = 250040 bytes | Modified Date = 7/19/2008 10:38:04 AM | Attr =    ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 8, 1229, 0 | Size = 348344 bytes | Modified Date = 7/23/2008 10:25:46 AM | Attr =    ]
(Crypkey License) Crypkey License [Win32_Own | Auto | Running] -> %SystemRoot%\system32\crypserv.exe -> Kenonic Controls Ltd. [Ver = 5.4.0 | Size = 52224 bytes | Modified Date = 6/29/2000 1:45:10 AM | Attr =    ]
(McciCMService) McciCMService [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Motive\McciCMService.exe -> Motive Communications, Inc. [Ver = 6,1,0,218 | Size = 303104 bytes | Modified Date = 1/28/2008 4:56:42 PM | Attr =    ]
(SbPF.Launcher) SbPF.Launcher [Win32_Own | Auto | Running] -> %ProgramFiles%\Sunbelt Software\Personal Firewall\SbPFLnch.exe -> Sunbelt Software, Inc. [Ver = 4.6.1845.0 | Size = 95528 bytes | Modified Date = 7/30/2008 10:36:54 AM | Attr =    ]
(SLService) SmartLinkService [Win32_Own | Auto | Running] -> %SystemRoot%\system32\slserv.exe ->   [Ver = 2.80.00(24Apr2000) | Size = 45056 bytes | Modified Date = 8/10/2003 8:28:42 PM | Attr =    ]
(SPF4) Sunbelt Personal Firewall 4 [Win32_Own | Auto | Running] -> %ProgramFiles%\Sunbelt Software\Personal Firewall\SbPFSvc.exe -> Sunbelt Software, Inc. [Ver = 4.6.1845.0 | Size = 1361192 bytes | Modified Date = 7/30/2008 10:36:56 AM | Attr =    ]

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Adobe Reader Speed Launcher -> %ProgramFiles%\Adobe\Reader 8.0\Reader\Reader_sl.exe ["C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"] -> Adobe Systems Incorporated [Ver = 8.0.0.0 | Size = 39792 bytes | Modified Date = 1/11/2008 10:16:38 PM | Attr =    ]
AOL Spyware Protection -> %SystemDrive%\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe ["C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"] ->  [Ver = 1, 5, 0, 0 | Size = 83544 bytes | Modified Date = 4/11/2005 10:36:56 AM | Attr =    ]
AOLDialer -> %CommonProgramFiles%\AOL\ACS\AOLDial.exe [C:\Program Files\Common Files\AOL\ACS\AOLDial.exe] -> America Online, Inc [Ver = 2.0.20.1.US.1         | Size = 496752 bytes | Modified Date = 4/7/2004 12:07:34 PM | Attr =    ]
avast! -> %SystemDrive%\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe] -> ALWIL Software [Ver = 4, 8, 1227, 0 | Size = 78008 bytes | Modified Date = 7/19/2008 10:38:34 AM | Attr =    ]
EPSON Stylus C84 Series -> %SystemRoot%\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE [C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB002" /M "Stylus C84"] -> SEIKO EPSON CORPORATION [Ver = 3.00 | Size = 99840 bytes | Modified Date = 5/27/2003 3:00:00 AM | Attr =    ]
HelpCenter4.1 -> %ProgramFiles%\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe [C:\Program Files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe /P HelpCenter4.1] -> SupportSoft, Inc. [Ver = 6,9,2018,0 | Size = 198184 bytes | Modified Date = 4/12/2007 8:59:48 PM | Attr =    ]
Lexmark X6100 Series -> %ProgramFiles%\Lexmark X6100 Series\lxbfbmgr.exe ["C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"] -> Lexmark International, Inc. [Ver = 0.1.25.0 | Size = 57344 bytes | Modified Date = 4/20/2003 10:38:12 PM | Attr =    ]
Microsoft Works Update Detection -> %CommonProgramFiles%\Microsoft Shared\Works Shared\WkUFind.exe [C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe] -> Microsoft® Corporation [Ver = 9.00.0607.0 | Size = 50688 bytes | Modified Date = 6/7/2003 3:32:32 AM | Attr =    ]
PCTVOICE -> %SystemRoot%\system32\pctspk.exe [pctspk.exe] ->  [Ver = 1, 0, 0, 1 | Size = 167936 bytes | Modified Date = 7/9/2002 7:49:18 PM | Attr =    ]
PinnacleDriverCheck -> %SystemRoot%\system32\PSDrvCheck.exe [C:\WINDOWS\system32\PSDrvCheck.exe] ->  [Ver = 1.0.0.63 | Size = 406016 bytes | Modified Date = 11/10/2003 4:06:08 PM | Attr =    ]
Propel Accelerator -> %ProgramFiles%\BellSouth Accelerator Technology\trayctl.exe ["C:\Program Files\BellSouth Accelerator Technology\trayctl.exe" /STARTUPLAUNCH] -> Propel Software Corporation [Ver = 5.1.1.1007 | Size = 28672 bytes | Modified Date = 6/27/2006 5:12:44 PM | Attr =    ]
Pure Networks Port Magic -> %SystemDrive%\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe ["C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run] -> Pure Networks, Inc. [Ver = 1.2.1393.0 | Size = 99480 bytes | Modified Date = 5/27/2004 11:47:38 AM | Attr =    ]
QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe ["C:\Program Files\QuickTime\qttask.exe" -atboottime] -> Apple Computer, Inc. [Ver = 6.5 | Size = 98304 bytes | Modified Date = 7/2/2004 11:57:32 AM | Attr =    ]
SiS Windows KeyHook -> %SystemRoot%\System32\keyhook.exe [C:\WINDOWS\System32\keyhook.exe] -> Silicon Integrated Systems Corporation [Ver = 0.0.0.3590 | Size = 249856 bytes | Modified Date = 5/12/2004 4:22:52 PM | Attr =    ]
SoundMan -> %SystemRoot%\SOUNDMAN.EXE [SOUNDMAN.EXE] -> Realtek Semiconductor Corp. [Ver = 5.1.11 | Size = 57344 bytes | Modified Date = 10/8/2003 2:41:10 AM | Attr =    ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.6.0_07\bin\jusched.exe ["C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"] -> Sun Microsystems, Inc. [Ver = 6.0.70.6 | Size = 144784 bytes | Modified Date = 6/10/2008 4:27:04 AM | Attr =    ]
TkBellExe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe ["C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot] -> RealNetworks, Inc. [Ver = 0.1.1.45 | Size = 185896 bytes | Modified Date = 8/28/2008 10:48:06 PM | Attr =    ]
UserFaultCheck ->  [%systemroot%\system32\dumprep 0 -u] -> File not found
< RunOnceEx [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx ->
->  [] -> File not found
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
EasyLinkAdvisor -> %ProgramFiles%\Linksys EasyLink Advisor\LinksysAgent.exe ["C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup] -> Linksys, a Division of Cisco Systems, Inc. [Ver = 3, 0, 0, 197 | Size = 454784 bytes | Modified Date = 3/15/2007 6:16:42 PM | Attr =    ]
EPSON Stylus C84 Series -> %SystemRoot%\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE [C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /M "Stylus C84" /EF "HKCU"] -> SEIKO EPSON CORPORATION [Ver = 3.00 | Size = 99840 bytes | Modified Date = 5/27/2003 3:00:00 AM | Attr =    ]
InstantTray -> %ProgramFiles%\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe [C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe] -> Pinnacle Systems [Ver = 1.0.0.36 | Size = 770048 bytes | Modified Date = 9/2/2004 10:37:44 AM | Attr =    ]
MoneyAgent -> %ProgramFiles%\Microsoft Money\System\mnyexpr.exe ["C:\Program Files\Microsoft Money\System\mnyexpr.exe"] -> Microsoft Corp. [Ver = 12.00.0613 | Size = 200704 bytes | Modified Date = 6/18/2003 12:00:00 PM | Attr =    ]
swg -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe] -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 6/20/2007 8:22:38 PM | Attr =    ]
Uniblue RegistryBooster 2 -> %ProgramFiles%\Uniblue\RegistryBooster 2\RegistryBooster.exe [C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S] -> File not found
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersProfile%\Start Menu\Programs\Startup\Utility Tray.lnk -> %SystemRoot%\system32\sistray.exe -> Silicon Integrated Systems Corporation [Ver = 0.0.0.3590 | Size = 335872 bytes | Modified Date = 5/12/2004 4:23:42 PM | Attr =    ]
%AllUsersProfile%\Start Menu\Programs\Startup\iSchedule-it.lnk -> %ProgramFiles%\Insight Development\Net Knowledge Tools\Common\iSchedule-it.exe -> Insight Development Corporation [Ver = 2, 1, 0, 0 | Size = 221184 bytes | Modified Date = 4/25/2002 10:40:04 AM | Attr =    ]
%AllUsersProfile%\Start Menu\Programs\Startup\Digital Lifeline.lnk -> %ProgramFiles%\Digital Lifeline\bin\mpbtn.exe -> Motive Communications, Inc. [Ver = 4.03.01.1.20010830_170344 | Size = 176128 bytes | Modified Date = 8/30/2001 5:17:06 PM | Attr =    ]
%AllUsersProfile%\Start Menu\Programs\Startup\Quicken Startup.lnk -> %ProgramFiles%\Quicken\QWDLLS.EXE -> Intuit [Ver = 001.000.000.000 | Size = 36864 bytes | Modified Date = 11/19/2002 8:04:10 PM | Attr =    ]
%AllUsersProfile%\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk -> %ProgramFiles%\Quicken\bagent.exe -> Intuit Inc. [Ver = 008.000.000.000 | Size = 53248 bytes | Modified Date = 11/19/2002 8:04:06 PM | Attr =    ]
%AllUsersProfile%\Start Menu\Programs\Startup\Personal Coach.lnk -> %ProgramFiles%\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe -> TLC Education Properties LLC [Ver = 1, 0, 0, 1 | Size = 2392064 bytes | Modified Date = 8/30/2002 12:02:58 PM | Attr =    ]
%AllUsersProfile%\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk -> %ProgramFiles%\InterVideo\Common\Bin\WinCinemaMgr.exe -> InterVideo Inc. [Ver = 1.7.1 | Size = 114688 bytes | Modified Date = 12/12/2003 8:02:12 PM | Attr =    ]
%AllUsersProfile%\Start Menu\Programs\Startup\Billminder.lnk -> %ProgramFiles%\Quicken\billmind.exe -> Intuit [Ver = 008.000.000.000 | Size = 36864 bytes | Modified Date = 11/19/2002 8:03:48 PM | Attr =    ]
< Deborah Startup Folder > -> C:\Documents and Settings\Deborah\Start Menu\Programs\Startup ->
%UserProfile%\Start Menu\Programs\Startup\OpenOffice.org 1.0.lnk -> %ProgramFiles%\OpenOffice.org1.0\program\quickstart.exe ->  [Ver =  | Size = 61440 bytes | Modified Date = 4/29/2002 6:00:00 AM | Attr =    ]
%UserProfile%\Start Menu\Programs\Startup\IMVU.lnk -> %ProgramFiles%\IMVU\IMVUClient.exe -> File not found
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell ->
Explorer.exe -> %SystemRoot%\Explorer.exe -> Microsoft Corporation [Ver = 6.00.2900.5512 (xpsp.080413-2105) | Size = 1033728 bytes | Modified Date = 4/13/2008 8:12:20 PM | Attr =    ]
*MultiFile Done* -> ->
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit ->
C:\WINDOWS\system32\userinit.exe -> %SystemRoot%\system32\userinit.exe -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 26112 bytes | Modified Date = 4/13/2008 8:12:38 PM | Attr =    ]
*MultiFile Done* -> ->
*UIHost* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost ->
logonui.exe -> %SystemRoot%\system32\logonui.exe -> Microsoft Corporation [Ver = 6.00.2900.5512 (xpsp.080413-2105) | Size = 514560 bytes | Modified Date = 4/13/2008 8:12:24 PM | Attr =    ]
*MultiFile Done* -> ->
*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet ->
rundll32 shell32 -> %SystemRoot%\System32\shell32.dll -> Microsoft Corporation [Ver = 6.00.2900.5512 (xpsp.080413-2105) | Size = 8461312 bytes | Modified Date = 4/13/2008 8:12:06 PM | Attr =    ]
Control_RunDLL "sysdm.cpl" -> %SystemRoot%\system32\sysdm.cpl -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2105) | Size = 300544 bytes | Modified Date = 4/13/2008 8:12:42 PM | Attr =    ]
*MultiFile Done* -> ->
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\put120 -> put120.exe ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\pksetexd.exe -> %SystemRoot%\system32\pksetexd.exe [C:\WINDOWS\system32\pksetexd.exe] -> File not found
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\kvtrwkcc.exe -> %SystemRoot%\system32\kvtrwkcc.exe [C:\WINDOWS\system32\kvtrwkcc.exe] -> File not found
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\legalnoticecaption ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\legalnoticetext ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\undockwithoutlogon -> 1 ->
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
< CDROM Autorun Setting > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\ -> ->
*DependOnGroup* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DependOnGroup ->
SCSI miniport ->  -> File not found
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Group -> SCSI CDROM Class ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Start -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Tag -> 2 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Type -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DisplayName -> CD-ROM Driver ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ImagePath -> %SystemRoot%\System32\DRIVERS\cdrom.sys [System32\DRIVERS\cdrom.sys] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2108) | Size = 62976 bytes | Modified Date = 4/13/2008 2:40:46 PM | Attr =    ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun -> 1 ->
*AutoRunAlwaysDisable* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRunAlwaysDisable ->
NEC     MBR-7    ->  -> File not found
NEC     MBR-7.4  ->  -> File not found
PIONEER CHANGR DRM-1804X ->  -> File not found
PIONEER CD-ROM DRM-6324X ->  -> File not found
PIONEER CD-ROM DRM-624X  ->  -> File not found
TORiSAN CD-ROM CDR_C36 ->  -> File not found
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\ -> ->
< Drives with AutoRun files > ->  ->
AUTOEXEC.BAT [] -> %SystemDrive%\AUTOEXEC.BAT [ FAT32 ] ->  [Ver =  | Size = 0 bytes | Modified Date = 6/18/2004 8:05:56 AM | Attr =    ]
< HOSTS File > (391 bytes and 17 lines) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
61.191.52.111 sdch.sdo.com
61.191.52.111 ekey.sdo.com
61.191.52.103 mir2.sdo.com
61.191.52.111 kf.sdo.com
61.191.52.103 www.mir2.com.cn
61.191.52.103 mir2.com.cn
61.191.52.103 home.mir2.sdo.com
61.191.52.103 shandacs.allyes.com
61.191.52.103 home.woool.sdo.com
61.191.52.103 woool.sdo.com
61.191.52.111 pwd.sdo.com
61.191.52.111 www.sdo.com
127.0.0.1     ie3.proxy.aol.com
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm ->
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKEY_LOCAL_MACHINE\: Search\\Default_Search_URL -> http://www.google.com/ie ->
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://www.google.com/ie ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINDOWS\system32\blank.htm ->
HKEY_CURRENT_USER\: Main\\Search Bar -> http://www.google.com/ie ->
HKEY_CURRENT_USER\: Main\\Search Page -> http://www.google.com ->
HKEY_CURRENT_USER\: Main\\Start Page -> http://my.att.net/ ->
HKEY_CURRENT_USER\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKEY_CURRENT_USER\: Search\\SearchAssistant -> http://www.google.com/ie ->
HKEY_CURRENT_USER\: SearchURL\\ -> http://www.google.com/search?q=%s[Reg Error: Value provider does not exist or could not be read.] ->
HKEY_CURRENT_USER\: ProxyEnable -> 0 ->
HKEY_CURRENT_USER\: ProxyOverride -> <local> ->
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. ->
1 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Inter