Ave.exe problem [Solved]


This topic is locked

#1
pchu1234 (Member, 22 posts)

Hi, I was on the net, and somehow the Trojan file ave.exe was loading on my computer. My firewall stopped it in time, but now my Malwarebytes' Anti-Malware won't run. Can someone please assist?

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:54:33 PM, on 4/24/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\QvodPlayer\QvodTerminal.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.c...earch.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://simonwin.home...0/eng/index.cgi
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.rd.yahoo.c...earch.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.c...earch.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.c...earch.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BhoLock Class - {244AE512-A46A-4BEF-AAB7-1D9FFD31C2F5} - C:\Program Files\Common Files\System\NetAgent.dll
O2 - BHO: BhoLock Class - {244AE512-A46A-4BEF-AAB7-1D9FFD3AB5F4} - C:\Program Files\Common Files\System\NetAgent.dll
O2 - BHO: BhoLock Class - {244AE512-A46A-4BEF-AAB7-1D9FFD3AC2F4} - C:\Program Files\Common Files\System\NetAgent.dll
O2 - BHO: BhoLock Class - {244AE512-A46A-4BEF-AAB7-1D9FFD3AC2F5} - C:\Program Files\Common Files\System\NetAgent.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [QvodPlayer] C:\Program Files\QvodPlayer\QvodTerminal.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Peter\Start Menu\Programs\UltimateBet\UltimateBet.lnk
O9 - Extra 'Tools' menuitem: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Peter\Start Menu\Programs\UltimateBet\UltimateBet.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {721700FE-7F0E-49C5-BDED-CA92B7CB1245} (Camera Stream Client Control Object) - http://simonwin.home.../camclictrl.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1ca32fca897c2ad) (gupdate1ca32fca897c2ad) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 12154 bytes
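A worked example added here for readers triaging logs like the one above; it is not part of pchu1234's post, nor code from HijackThis or OTL. The Python script below parses the O2 (BHO), O4 (Run key) and O16 (DPF) line shapes used by both tools and sorts them into review buckets: one DLL registered under several CLSIDs, a BHO whose DLL shows an empty "()" company field in OTL's listing, Run keys whose target is missing, is a bare filename found through the PATH search, or sits directly in C:\WINDOWS rather than system32 or Program Files, and any ActiveX control fetched from a DPF URL. Those rules, the bucket names and the helper names are choices made for this example, not rules from either tool, and a hit means only that an entry deserves a manual look: the C:\WINDOWS rule also catches the VX6000 LifeCam entry, which OTL attributes to Microsoft. The sample input is a constructed subset of lines copied from the HijackThis log above plus two lines in OTL's format from the log pchu1234 posts later in the thread; the DPF URL is truncated on the forum page and is kept that way.

```python
"""Triage helper for HijackThis / OTL log lines (added example, not from either tool)."""
import re
from collections import defaultdict
from typing import Optional

# Constructed sample: a subset of lines copied from the logs posted in this thread.
# The last two lines use OTL's shape (name in parentheses, "(Vendor)" or "()" after
# the path, "File not found" for a dangling Run key); the rest are HijackThis lines.
# The DPF URL is truncated on the forum page and is left that way here.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BhoLock Class - {244AE512-A46A-4BEF-AAB7-1D9FFD31C2F5} - C:\Program Files\Common Files\System\NetAgent.dll
O2 - BHO: BhoLock Class - {244AE512-A46A-4BEF-AAB7-1D9FFD3AB5F4} - C:\Program Files\Common Files\System\NetAgent.dll
O2 - BHO: BhoLock Class - {244AE512-A46A-4BEF-AAB7-1D9FFD3AC2F4} - C:\Program Files\Common Files\System\NetAgent.dll
O2 - BHO: BhoLock Class - {244AE512-A46A-4BEF-AAB7-1D9FFD3AC2F5} - C:\Program Files\Common Files\System\NetAgent.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [VX6000] C:\WINDOWS\vVX6000.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {721700FE-7F0E-49C5-BDED-CA92B7CB1245} (Camera Stream Client Control Object) - http://simonwin.home.../camclictrl.cab
O2 - BHO: (BhoLock Class) - {244AE512-A46A-4BEF-AAB7-1D9FFD31C2F5} - C:\Program Files\Common Files\System\NetAgent.dll ()
O4 - HKCU..\Run: [fsm] File not found
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>" + CLSID + r") - (?P<rest>.+)$")
# HijackThis writes "HKLM\..\Run:", OTL writes "HKLM..\Run:"; the optional backslash covers both.
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\?\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>" + CLSID + r") \((?P<name>[^)]*)\) - (?P<url>\S+)$")


def split_vendor(field: str):
    """OTL appends ' (Vendor)' to a path, HijackThis does not. Returns (path, vendor or None)."""
    m = re.match(r"^(.*?) \(([^()]*)\)$", field)
    return (m.group(1), m.group(2)) if m else (field, None)


def exe_of(cmd: str) -> Optional[str]:
    """Executable part of a Run-key command line; None for OTL's 'File not found'."""
    cmd = cmd.strip()
    if cmd.lower() == "file not found":
        return None
    if cmd.startswith('"'):                  # quoted path: arguments follow the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted path with spaces is ambiguous (Windows tries each space-delimited prefix);
    # this heuristic takes everything up to the first ".exe".
    m = re.match(r"^(.+?\.exe)(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage(text: str) -> dict:
    """Sort log lines into review buckets. A bucket hit means 'look by hand', nothing more."""
    found = defaultdict(list)
    clsids_by_dll = defaultdict(set)          # lowercased DLL path -> CLSIDs registered to it
    for raw in text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            path, vendor = split_vendor(m["rest"])
            clsids_by_dll[path.lower()].add(m["clsid"].upper())
            if vendor == "":                  # OTL prints "()" when the DLL carries no company name
                found["bho_without_publisher"].append(path)
        elif m := O4_RE.match(line):
            exe = exe_of(split_vendor(m["cmd"])[0])
            if exe is None:
                found["run_key_target_missing"].append(m["name"])
            elif "\\" not in exe:             # bare filename: resolved through the PATH search
                found["run_key_bare_filename"].append(m["name"])
            elif exe.lower().rsplit("\\", 1)[0] == r"c:\windows":
                found["run_key_in_windows_root"].append(m["name"])
        elif m := O16_RE.match(line):
            found["activex_download"].append(m["url"])
    for dll, ids in clsids_by_dll.items():
        if len(ids) > 1:                      # one DLL registered under several CLSIDs
            found["bho_dll_with_many_clsids"].append((dll, len(ids)))
    return dict(found)


if __name__ == "__main__":
    for bucket, items in sorted(triage(SAMPLE_LOG).items()):
        print(bucket)
        for item in items:
            print("   ", item)
```

Run it as a script to print the buckets for the sample, or call triage() on a whole log pasted from Notepad with Word Wrap off (as hammerman asks below), since a wrapped line matches none of the patterns and is silently skipped.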

#2
hammerman (Member, 4,183 posts)

Hello pchu1234 and welcome to GeeksToGo :)
I'm hammerman and I'm going to help you fix your problem.

Before we begin, here are some guidelines which will help us both in fixing your problem.
  • Malware removal is not instantaneous and will take a number of steps to complete. Please continue to carry out the steps requested until I let you know that your computer appears clean.
  • Please do not attach logs or post them in Quote/Code boxes unless requested.
  • I suggest you print or save any instructions I give you for easy reference. We may be using Safe mode and you will not always be able to access this thread. You can copy and paste these instructions into Notepad and then save the text file to your Desktop. If you need any help with this or further clarification, please let me know.
  • When posting logs, please ensure Word Wrap is turned off in Notepad. Open Notepad, select Format on the menu bar and make sure that Word Wrap is unchecked.
  • Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
  • If in doubt about anything, please ask.
Please follow these steps.

-- Step 1 --
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Custom Scan box paste this in

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
-- Step 2 --

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your post.

#3
pchu1234 (Topic Starter, Member, 22 posts)

Hi, here is my OTL.txt log

OTL logfile created on: 4/25/2010 12:20:58 PM - Run 1
OTL by OldTimer - Version 3.2.2.0 Folder = C:\Documents and Settings\Peter\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

959.00 Mb Total Physical Memory | 286.00 Mb Available Physical Memory | 30.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 74.00% Paging File free
Paging file location(s): c:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 22.85 Gb Free Space | 15.33% Space Free | Partition Type: NTFS
Drive D: | 5.99 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
E: Drive not present or media not loaded
Drive F: | 981.05 Mb Total Space | 903.21 Mb Free Space | 92.07% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PETER-6063E7B63
Current User Name: Peter
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Peter\Desktop\OTL.com (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Windows OneCare Live\winss.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe (Microsoft Corporation)
PRC - C:\Program Files\QvodPlayer\QvodTerminal.exe (Shenzhen QVOD Technology Co.,Ltd)
PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
PRC - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe (Microsoft Corporation)
PRC - C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe (Pure Networks, Inc.)
PRC - C:\Program Files\Pure Networks\Network Magic\nmapp.exe (Pure Networks, Inc.)
PRC - C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
PRC - C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe (Nero AG)
PRC - C:\Program Files\Microsoft LifeCam\MSCamSvc.exe (Microsoft Corporation)
PRC - C:\Program Files\Analog Devices\SoundMAX\SMax4.exe (Analog Devices, Inc.)
PRC - C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
PRC - C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe (Cyberlink Corp.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Peter\Desktop\OTL.com (OldTimer Tools)
MOD - c:\Program Files\Real\realplayer\browserrecord\chrome\hook\rpchromebrowserrecordhelper.dll (RealPlayer)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GdiPlus.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\msvcp71.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\msvcr71.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (winss) -- C:\Program Files\Microsoft Windows OneCare Live\winss.exe (Microsoft Corporation)
SRV - (OcHealthMon) -- C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe (Microsoft Corporation)
SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
SRV - (OneCareMP) -- C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe (Microsoft Corporation)
SRV - (msfwsvc) -- C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe (Microsoft Corporation)
SRV - (WLSetupSvc) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation)
SRV - (usnjsvc) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe (Microsoft Corporation)
SRV - (nmservice) -- C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe (Pure Networks, Inc.)
SRV - (nmraapache) -- C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe (Pure Networks, Inc.)
SRV - (MSCamSvc) -- C:\Program Files\Microsoft LifeCam\MSCamSvc.exe (Microsoft Corporation)
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\HPZipm12.exe (HP)


========== Driver Services (SafeList) ==========

DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASENUM) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (gmer) -- C:\WINDOWS\system32\drivers\gmer.sys (GMER)
DRV - (MpFilter) -- C:\WINDOWS\system32\drivers\MpFilter.sys (Microsoft Corporation)
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (MSFWHLPR) -- C:\WINDOWS\system32\drivers\msfwhlpr.sys (Microsoft Corporation)
DRV - (MSFWDrv) -- C:\WINDOWS\system32\drivers\msfwdrv.sys (Microsoft Corporation)
DRV - (purendis) -- C:\WINDOWS\system32\drivers\purendis.sys (Pure Networks, Inc.)
DRV - (pnarp) -- C:\WINDOWS\system32\drivers\pnarp.sys (Pure Networks, Inc.)
DRV - (VX6000) -- C:\WINDOWS\system32\drivers\VX6000Xp.sys (Microsoft Corporation)
DRV - (w810mdm) -- C:\WINDOWS\system32\drivers\w810mdm.sys (MCCI)
DRV - (w810mdfl) -- C:\WINDOWS\system32\drivers\w810mdfl.sys (MCCI)
DRV - (w810bus) Sony Ericsson W810 Driver driver (WDM) -- C:\WINDOWS\system32\drivers\w810bus.sys (MCCI)
DRV - (m5288) -- C:\WINDOWS\system32\DRIVERS\m5288.sys (ULi Electronics Inc.)
DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtenicxp.sys (Realtek Semiconductor Corporation )
DRV - (ADIHdAudAddService) -- C:\WINDOWS\system32\drivers\ADIHdAud.sys (Analog Devices, Inc.)
DRV - (SenFiltService) -- C:\WINDOWS\system32\drivers\senfilt.sys (Sensaura)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (HdAudAddService) -- C:\WINDOWS\system32\drivers\Hdaudio.sys (Windows ® Server 2003 DDK provider)
DRV - (MTsensor) -- C:\WINDOWS\system32\drivers\ASACPI.sys ()
DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (Asushwio) -- C:\WINDOWS\system32\drivers\ASUSHWIO.SYS ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.rd.yahoo.c...earch.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.c...earch.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.c...earch.yahoo.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Live Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.live.c...ferrer:source?}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://simonwin.home...0/eng/index.cgi
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.startup.homepage: "http://wwwyahoo.com/...newspaper.html"
FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.2.1.18
FF - prefs.js..extensions.enabledItems: {b749fc7c-e949-447f-926c-3f4eed6accfe}:0.6.6
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/03 12:54:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/03 12:54:55 | 000,000,000 | ---D | M]

[2008/06/22 17:27:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\Mozilla\Extensions
[2010/04/23 20:44:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\Mozilla\Firefox\Profiles\1zdpvjv8.default\extensions
[2010/03/28 12:49:52 | 000,000,000 | ---D | M] (FlashGot) -- C:\Documents and Settings\Peter\Application Data\Mozilla\Firefox\Profiles\1zdpvjv8.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2009/09/02 23:08:57 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Peter\Application Data\Mozilla\Firefox\Profiles\1zdpvjv8.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/10/28 18:43:16 | 000,000,000 | ---D | M] (Modify Headers) -- C:\Documents and Settings\Peter\Application Data\Mozilla\Firefox\Profiles\1zdpvjv8.default\extensions\{b749fc7c-e949-447f-926c-3f4eed6accfe}
[2010/03/14 18:15:10 | 000,000,000 | ---D | M] (Java Console) -- C:\Documents and Settings\Peter\Application Data\Mozilla\Firefox\Profiles\1zdpvjv8.default\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
[2010/04/23 20:44:23 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/10/22 19:11:34 | 000,001,210 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\search.xml

O1 HOSTS File: ([2009/10/22 19:11:17 | 000,000,734 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll (TechSmith Corporation)
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (BhoLock Class) - {244AE512-A46A-4BEF-AAB7-1D9FFD31C2F5} - C:\Program Files\Common Files\System\NetAgent.dll ()
O2 - BHO: (BhoLock Class) - {244AE512-A46A-4BEF-AAB7-1D9FFD3AB5F4} - C:\Program Files\Common Files\System\NetAgent.dll ()
O2 - BHO: (BhoLock Class) - {244AE512-A46A-4BEF-AAB7-1D9FFD3AC2F4} - C:\Program Files\Common Files\System\NetAgent.dll ()
O2 - BHO: (BhoLock Class) - {244AE512-A46A-4BEF-AAB7-1D9FFD3AC2F5} - C:\Program Files\Common Files\System\NetAgent.dll ()
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\Program Files\Real\realplayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (SnagIt) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll (TechSmith Corporation)
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\HdAShCut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [LifeCam] C:\Program Files\Microsoft LifeCam\LifeExp.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [nmapp] C:\Program Files\Pure Networks\Network Magic\nmapp.exe (Pure Networks, Inc.)
O4 - HKLM..\Run: [OneCareUI] C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe (Microsoft Corporation)
O4 - HKLM..\Run: [RemoteControl] C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
O4 - HKLM..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [VX6000] C:\WINDOWS\vVX6000.exe (Microsoft Corporation)
O4 - HKCU..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (Adobe Systems Incorporated)
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKCU..\Run: [fsm] File not found
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [QvodPlayer] C:\Program Files\QvodPlayer\QvodTerminal.exe (Shenzhen QVOD Technology Co.,Ltd)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &D&ownload &with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all video with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all with BitComet - C:\Program Files\BitComet\BitComet.exe (www.BitComet.com)
O8 - Extra context menu item: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll (Sun Microsystems, Inc.)
O9 - Extra Button: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Peter\Start Menu\Programs\UltimateBet\UltimateBet.lnk ()
O9 - Extra 'Tools' menuitem : UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Peter\Start Menu\Programs\UltimateBet\UltimateBet.lnk ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (Intertrust Technologies, Inc.)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.micr...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {721700FE-7F0E-49C5-BDED-CA92B7CB1245} http://simonwin.home.../camclictrl.cab (Camera Stream Client Control Object)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp3.dll (Pure Networks, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (C:\Documents and Settings\Peter\Application Data\QVOD\QvodTerminal.exe) - C:\Documents and Settings\Peter\Application Data\QVOD\QvodTerminal.exe (Shenzhen QVOD)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\WgaLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\WRNotifier: DllName - WRLogonNTF.dll - C:\WINDOWS\System32\WRLogonNtf.dll (Webroot Software, Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/04/06 04:11:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2007/04/28 21:44:36 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 0

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: OneCareMP - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe (Microsoft Corporation)
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: OneCareMP - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe (Microsoft Corporation)
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: UploadMgr - Service
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - Reg Error: Value error.
ActiveX: {AA218328-0EA8-4D70-8972-E987A9190FF4} - Reg Error: Value error.
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - Reg Error: Value error.
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: VIDC.FFDS - C:\WINDOWS\System32\ff_vfw.dll ()
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)

========== Files/Folders - Created Within 30 Days ==========

[2010/04/24 18:42:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\down
[2010/04/24 02:00:08 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/24 02:00:05 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/24 01:40:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/04/23 22:50:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/04/23 22:50:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Peter\Application Data\SUPERAntiSpyware.com
[2010/04/23 22:50:29 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/04/23 22:22:16 | 000,562,176 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Peter\Desktop\OTL.com
[2010/04/23 12:02:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Peter\Local Settings\Application Data\PCHealth
[2010/04/03 12:59:09 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/04/03 12:58:43 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/04/03 12:58:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/04/03 12:47:03 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/03/27 19:07:58 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Windows Live
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[14 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/25 08:43:46 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/25 08:43:42 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/24 23:18:46 | 005,505,024 | -H-- | M] () -- C:\Documents and Settings\Peter\NTUSER.DAT
[2010/04/24 23:18:24 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Peter\ntuser.ini
[2010/04/24 18:53:51 | 000,001,984 | ---- | M] () -- C:\Documents and Settings\Peter\Desktop\HiJackThis.lnk
[2010/04/24 18:43:57 | 000,002,810 | -HS- | M] () -- C:\Documents and Settings\Peter\Local Settings\Application Data\f1pKdvbneJkm
[2010/04/24 18:43:57 | 000,002,810 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\f1pKdvbneJkm
[2010/04/24 18:42:51 | 000,221,696 | -HS- | M] () -- C:\Documents and Settings\Peter\Local Settings\Application Data\ave.exe
[2010/04/24 02:16:41 | 000,000,358 | ---- | M] () -- C:\Documents and Settings\Peter\Desktop\fix.reg
[2010/04/24 02:15:58 | 000,000,358 | ---- | M] () -- C:\fix.reg
[2010/04/24 02:00:12 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/24 01:53:39 | 000,000,619 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/24 01:53:39 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/24 01:53:39 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/04/23 22:58:52 | 002,690,502 | -H-- | M] () -- C:\Documents and Settings\Peter\Local Settings\Application Data\IconCache.db
[2010/04/23 22:50:34 | 000,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/04/23 22:38:21 | 000,015,560 | -HS- | M] () -- C:\Documents and Settings\Peter\Local Settings\Application Data\0D2HvP
[2010/04/23 22:38:21 | 000,015,560 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\0D2HvP
[2010/04/23 22:33:27 | 000,000,319 | ---- | M] () -- C:\Documents and Settings\Peter\Desktop\trojan_fakerean_exe_fix.reg
[2010/04/23 22:22:20 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Peter\Desktop\OTL.com
[2010/04/23 20:30:58 | 000,013,824 | ---- | M] () -- C:\2010.xls
[2010/04/22 21:45:16 | 000,032,768 | ---- | M] () -- C:\Documents and Settings\Peter\My Documents\NBA draft 2001.doc
[2010/04/22 19:45:20 | 001,212,108 | ---- | M] () -- C:\ThirteenHours.pdf
[2010/04/22 19:45:12 | 000,000,028 | ---- | M] () -- C:\pdfinfo.ini
[2010/04/22 19:45:02 | 000,000,036 | ---- | M] () -- C:\WINDOWS\verypdf.ini
[2010/04/22 19:44:52 | 000,224,256 | ---- | M] () -- C:\Documents and Settings\Peter\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/22 19:44:25 | 001,210,753 | ---- | M] () -- C:\esecThirteenHours.pdf
[2010/04/21 21:24:47 | 001,208,203 | ---- | M] () -- C:\pleasureset.pdf
[2010/04/21 21:22:54 | 001,203,713 | ---- | M] () -- C:\thepleasureset_pdf.pdf
[2010/04/21 20:30:26 | 000,029,696 | ---- | M] () -- C:\Documents and Settings\Peter\My Documents\Chris Bosh.doc
[2010/04/21 20:26:03 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/04/20 20:20:37 | 000,152,872 | ---- | M] () -- C:\Documents and Settings\Peter\My Documents\Peter%20Chu%20-%20Tax%20Return%202009.pdf
[2010/04/20 20:19:05 | 000,001,019 | ---- | M] () -- C:\Peter Chu - Netfile Federal 2009.tax
[2010/04/20 19:52:27 | 000,002,321 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\UFile 2008.lnk
[2010/04/20 19:43:05 | 000,011,758 | ---- | M] () -- C:\Documents and Settings\Peter\My Documents\Peter Chu tax 2009.u09
[2010/04/18 17:18:37 | 000,001,384 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Buy DivX for Windows.lnk
[2010/04/14 23:12:46 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/13 21:37:53 | 000,052,736 | ---- | M] () -- C:\Documents and Settings\Peter\My Documents\2000 NBA draft.doc
[2010/04/04 08:47:09 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/03 13:00:11 | 000,001,804 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/28 21:33:22 | 000,010,685 | -HS- | M] () -- C:\Folder.jpg
[2010/03/28 21:33:22 | 000,010,685 | -HS- | M] () -- C:\AlbumArt_{C6468BCD-3C0F-4A8B-A3A4-CD07FC3B74E9}_Large.jpg
[2010/03/28 21:33:19 | 000,002,797 | -HS- | M] () -- C:\AlbumArtSmall.jpg
[2010/03/28 21:33:19 | 000,002,797 | -HS- | M] () -- C:\AlbumArt_{C6468BCD-3C0F-4A8B-A3A4-CD07FC3B74E9}_Small.jpg
[2010/03/27 18:46:33 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2010/03/27 18:46:33 | 000,000,232 | -H-- | M] () -- C:\sqmdata12.sqm
[2010/03/27 18:46:31 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
[2010/03/27 18:46:31 | 000,000,232 | -H-- | M] () -- C:\sqmdata11.sqm
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[14 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\WINDOWS\System32\debarire
[2010/04/24 18:42:51 | 000,221,696 | -HS- | C] () -- C:\Documents and Settings\Peter\Local Settings\Application Data\ave.exe
[2010/04/24 18:42:51 | 000,002,810 | -HS- | C] () -- C:\Documents and Settings\Peter\Local Settings\Application Data\f1pKdvbneJkm
[2010/04/24 18:42:51 | 000,002,810 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\f1pKdvbneJkm
[2010/04/24 02:16:41 | 000,000,358 | ---- | C] () -- C:\Documents and Settings\Peter\Desktop\fix.reg
[2010/04/24 02:15:58 | 000,000,358 | ---- | C] () -- C:\fix.reg
[2010/04/24 02:00:12 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/23 22:50:34 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/04/23 22:33:27 | 000,000,319 | ---- | C] () -- C:\Documents and Settings\Peter\Desktop\trojan_fakerean_exe_fix.reg
[2010/04/23 22:08:17 | 000,015,560 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\0D2HvP
[2010/04/23 22:08:16 | 000,015,560 | -HS- | C] () -- C:\Documents and Settings\Peter\Local Settings\Application Data\0D2HvP
[2010/04/22 21:45:15 | 000,032,768 | ---- | C] () -- C:\Documents and Settings\Peter\My Documents\NBA draft 2001.doc
[2010/04/21 21:24:47 | 001,208,203 | ---- | C] () -- C:\pleasureset.pdf
[2010/04/21 21:23:16 | 001,203,713 | ---- | C] () -- C:\thepleasureset_pdf.pdf
[2010/04/21 20:30:25 | 000,029,696 | ---- | C] () -- C:\Documents and Settings\Peter\My Documents\Chris Bosh.doc
[2010/04/20 20:20:37 | 000,152,872 | ---- | C] () -- C:\Documents and Settings\Peter\My Documents\Peter%20Chu%20-%20Tax%20Return%202009.pdf
[2010/04/20 20:19:04 | 000,001,019 | ---- | C] () -- C:\Peter Chu - Netfile Federal 2009.tax
[2010/04/18 17:18:36 | 000,001,384 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Buy DivX for Windows.lnk
[2010/04/13 21:30:17 | 000,052,736 | ---- | C] () -- C:\Documents and Settings\Peter\My Documents\2000 NBA draft.doc
[2010/04/03 13:00:11 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/03/28 21:33:24 | 000,010,685 | -HS- | C] () -- C:\AlbumArt_{C6468BCD-3C0F-4A8B-A3A4-CD07FC3B74E9}_Large.jpg
[2010/03/28 21:33:24 | 000,002,797 | -HS- | C] () -- C:\AlbumArt_{C6468BCD-3C0F-4A8B-A3A4-CD07FC3B74E9}_Small.jpg
[2010/03/28 00:49:50 | 006,634,973 | ---- | C] () -- C:\13.Gloomy Sunday.mp3
[2010/01/13 04:21:41 | 000,000,002 | ---- | C] () -- C:\WINDOWS\gbzj.ini
[2009/11/11 21:26:00 | 000,021,504 | ---- | C] () -- C:\WINDOWS\jestertb.dll
[2009/09/19 16:11:07 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\AVERM.dll
[2009/09/19 16:11:06 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\AVEQT.dll
[2009/01/18 02:26:18 | 000,000,036 | ---- | C] () -- C:\WINDOWS\verypdf.ini
[2009/01/11 14:22:09 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/01/11 14:22:08 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/01/06 23:20:05 | 000,000,372 | ---- | C] () -- C:\WINDOWS\crackpdf.INI
[2009/01/04 12:52:04 | 000,000,250 | ---- | C] () -- C:\WINDOWS\gmer.ini
[2009/01/04 12:52:02 | 000,884,736 | ---- | C] () -- C:\WINDOWS\gmer.dll
[2009/01/01 19:48:36 | 001,294,028 | -HS- | C] () -- C:\WINDOWS\System32\afuvarul.ini
[2009/01/01 15:05:48 | 000,684,032 | ---- | C] () -- C:\WINDOWS\libeay32.dll
[2009/01/01 15:05:48 | 000,155,648 | ---- | C] () -- C:\WINDOWS\ssleay32.dll
[2009/01/01 12:55:51 | 001,294,028 | -HS- | C] () -- C:\WINDOWS\System32\uhadetul.ini
[2008/06/02 20:10:57 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2008/06/02 19:55:20 | 000,000,075 | ---- | C] () -- C:\WINDOWS\winDecrypt.INI
[2008/04/28 12:13:33 | 000,000,310 | ---- | C] () -- C:\WINDOWS\primopdf.ini
[2008/02/27 22:40:31 | 000,015,497 | ---- | C] () -- C:\WINDOWS\VX6KStd.ini
[2007/10/02 18:12:32 | 000,004,794 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/09/23 22:01:27 | 000,034,308 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2007/07/07 15:28:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\UltimateBuddy.INI
[2007/05/15 20:04:32 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/05/15 17:29:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iplayer.INI
[2007/05/15 17:17:46 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/05/14 17:05:41 | 000,000,576 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
[2007/05/14 17:05:26 | 000,001,235 | ---- | C] () -- C:\WINDOWS\hpbvnstp.ini
[2007/04/06 04:17:40 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2007/04/06 04:17:29 | 000,016,804 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2007/04/06 04:17:25 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2004/03/03 05:06:00 | 000,221,184 | ---- | C] () -- C:\WINDOWS\System32\HP3AIOZ6.dll
[2002/05/03 15:40:32 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL

========== Custom Scans ==========


< %ALLUSERSPROFILE%\Application Data\*. >
[2009/10/22 21:01:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\865da
[2008/05/25 21:01:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2009/06/19 21:11:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple
[2008/07/03 18:57:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2007/05/08 20:10:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CyberLink
[2009/06/17 22:50:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google
[2009/01/02 20:41:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/03/27 19:07:57 | 000,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2007/05/07 15:41:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nero
[2008/02/27 19:02:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pure Networks
[2010/03/13 00:39:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Real
[2010/04/23 22:50:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2008/07/10 21:03:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TechSmith
[2007/05/07 18:02:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2008/02/27 22:41:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WLInstaller
[2009/06/28 19:48:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo!
[2010/04/01 09:03:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
[2010/04/03 13:00:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/11/11 19:58:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/06/07 00:39:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

< %ALLUSERSPROFILE%\Application Data\*.exe /s >
[2009/02/04 13:56:14 | 000,075,112 | ---- | M] (GEAR Software, Inc.) -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\DifXInstall32.exe
[2010/04/03 12:42:36 | 000,073,000 | ---- | M] (Apple Inc.) -- C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
[2008/05/12 21:14:34 | 002,923,248 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Application Data\Microsoft\OC\Channels\ch2\HTML\item_templ\common\MSHotFix\WindowsXP-KB914882-x86.exe
[2008/08/25 16:44:29 | 014,579,000 | ---- | M] (Pure Networks, Inc.) -- C:\Documents and Settings\All Users\Application Data\Pure Networks\Network Magic\1033\Update\nmsetup.exe
[2009/05/26 21:22:10 | 000,607,472 | ---- | M] (Yahoo! Inc.) -- C:\Documents and Settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe

< %APPDATA%\*. >
[2007/06/09 15:55:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\Adobe
[2007/06/09 15:56:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\AdobeAUM
[2009/05/14 00:13:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\AdobeUM
[2007/06/09 16:37:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\Ahead
[2009/11/11 20:29:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\Apple Computer
[2007/05/08 20:11:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\CyberLink
[2008/06/02 15:12:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\DivX
[2009/09/27 00:51:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\DVD Profiler
[2009/06/17 23:00:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\Google
[2007/04/06 04:28:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\Help
[2007/04/06 04:15:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\Identities
[2008/01/06 02:58:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\InterTrust
[2009/01/01 19:39:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\Lavasoft
[2007/07/08 21:21:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\Leadertech
[2007/04/06 04:36:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\Macromedia
[2009/01/02 20:41:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\Malwarebytes
[2009/10/08 18:57:37 | 000,000,000 | --SD | M] -- C:\Documents and Settings\Peter\Application Data\Microsoft
[2008/06/22 17:27:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\Mozilla
[2010/03/22 20:23:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\My Games
[2008/01/30 19:35:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\PDM
[2010/01/09 21:19:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\QVOD
[2009/09/11 12:30:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\Real
[2007/06/10 01:25:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\Sun
[2010/04/23 22:50:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\SUPERAntiSpyware.com
[2007/10/08 13:39:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\vlc
[2007/10/17 20:35:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\WinRAR
[2009/06/28 19:48:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Peter\Application Data\Yahoo!

< %APPDATA%\*.exe /s >
[2008/08/28 19:02:20 | 001,526,544 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\Peter\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
[2009/10/27 20:40:03 | 000,319,488 | ---- | M] (Octoshape ApS) -- C:\Documents and Settings\Peter\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
[2008/01/30 19:35:11 | 000,010,134 | R--- | M] () -- C:\Documents and Settings\Peter\Application Data\Microsoft\Installer\{1BC21146-767D-427D-BC91-2AB88B5ECE73}\_60D7210DF2C446FE508978.exe
[2008/01/30 19:35:11 | 000,094,198 | R--- | M] () -- C:\Documents and Settings\Peter\Application Data\Microsoft\Installer\{1BC21146-767D-427D-BC91-2AB88B5ECE73}\_6FEFF9B68218417F98F549.exe
[2008/01/30 19:35:11 | 000,094,198 | R--- | M] () -- C:\Documents and Settings\Peter\Application Data\Microsoft\Installer\{1BC21146-767D-427D-BC91-2AB88B5ECE73}\_777CA5B7FDE70C41562F61.exe
[2008/01/30 19:35:11 | 000,094,198 | R--- | M] () -- C:\Documents and Settings\Peter\Application Data\Microsoft\Installer\{1BC21146-767D-427D-BC91-2AB88B5ECE73}\_C0D1C7E134CE8DB8FB3CA9.exe
[2008/04/23 18:48:03 | 000,010,134 | R--- | M] () -- C:\Documents and Settings\Peter\Application Data\Microsoft\Installer\{451BB54C-8B23-4455-8BDC-14FC7D43E056}\ARPPRODUCTICON.exe
[2010/04/24 18:53:53 | 000,388,096 | R--- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Peter\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
[2009/12/08 21:28:21 | 000,177,024 | ---- | M] () -- C:\Documents and Settings\Peter\Application Data\Mozilla\Firefox\Profiles\1zdpvjv8.default\FlashGot.exe
[2010/01/08 02:41:54 | 000,229,376 | ---- | M] (Shenzhen QVOD) -- C:\Documents and Settings\Peter\Application Data\QVOD\QvodTerminal.exe
[2009/06/03 18:22:12 | 000,390,664 | ---- | M] (RealNetworks, Inc.) -- C:\Documents and Settings\Peter\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
[2010/04/19 21:41:14 | 000,439,816 | ---- | M] (RealNetworks, Inc.) -- C:\Documents and Settings\Peter\Application Data\Real\Update\setup3.10\setup.exe
[2008/09/14 22:05:23 | 000,312,864 | ---- | M] (RealNetworks, Inc.) -- C:\Documents and Settings\Peter\Application Data\Real\Update\temp\~Upg0\setup.exe

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/01/25 12:27:39 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/01/25 12:27:39 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 02:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/01/25 12:27:39 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/01/25 12:27:39 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 08:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 08:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 08:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[4 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2007/04/28 14:31:22 | 000,270,336 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2007/04/28 18:14:51 | 000,262,144 | ---- | M] () -- C:\WINDOWS\system32\config\security.sav
[2007/04/28 14:31:22 | 009,699,328 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2007/04/28 14:31:22 | 003,932,160 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
[2010/02/24 09:11:07 | 000,455,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mrxsmb.sys
[2010/02/11 08:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\tcpip6.sys

========== Files - Unicode (All) ==========
[2010/04/19 18:50:10 | 009,698,508 | ---- | M] ()(C:\9.????.mp3) -- C:\9.難唸的經.mp3
[2010/03/31 22:21:47 | 009,389,891 | ---- | M] ()(C:\7.?????.mp3) -- C:\7.至少還有你.mp3
[2010/03/28 00:50:03 | 009,698,508 | ---- | C] ()(C:\9.????.mp3) -- C:\9.難唸的經.mp3
[2010/03/28 00:50:01 | 008,176,240 | ---- | C] ()(C:\8.????.mp3) -- C:\8.花天走地.mp3
[2010/03/28 00:50:00 | 009,389,891 | ---- | C] ()(C:\7.?????.mp3) -- C:\7.至少還有你.mp3
[2010/03/28 00:50:00 | 005,307,092 | ---- | C] ()(C:\6.????.mp3) -- C:\6.與你無關.mp3
[2010/03/28 00:49:58 | 010,306,552 | ---- | C] ()(C:\5.??.mp3) -- C:\5.原諒.mp3
[2010/03/28 00:49:58 | 007,172,314 | ---- | C] ()(C:\4.??.mp3) -- C:\4.心動.mp3
[2010/03/28 00:49:57 | 007,629,242 | ---- | C] ()(C:\3.??? (?????).mp3) -- C:\3.你快樂 (所以我快樂).mp3
[2010/03/28 00:49:55 | 010,499,352 | ---- | C] ()(C:\2.????.mp3) -- C:\2.聖誕快樂.mp3
[2010/03/28 00:49:54 | 007,503,971 | ---- | C] ()(C:\1.??????.mp3) -- C:\1.越快樂越墮落.mp3
[2010/03/28 00:49:54 | 000,001,466 | ---- | C] ()(C:\Various Artists - ???? 2.m3u) -- C:\Various Artists - 林夕字傳 2.m3u
[2010/03/28 00:49:53 | 009,965,188 | ---- | C] ()(C:\16.????? (Live).mp3) -- C:\16.下一站天國 (Live).mp3
[2010/03/28 00:49:52 | 008,594,128 | ---- | C] ()(C:\15.?? (Live).mp3) -- C:\15.約定 (Live).mp3
[2010/03/28 00:49:51 | 010,282,352 | ---- | C] ()(C:\14.????? (Live).mp3) -- C:\14.再見二丁目 (Live).mp3
[2010/03/28 00:49:48 | 009,852,352 | ---- | C] ()(C:\12.????.mp3) -- C:\12.戲迷情人.mp3
[2010/03/28 00:49:46 | 009,579,575 | ---- | C] ()(C:\11.????.mp3) -- C:\11.戲假情真.mp3
[2010/03/28 00:49:45 | 009,391,543 | ---- | C] ()(C:\10.?? . ??.mp3) -- C:\10.神話 . 情話.mp3
[2010/03/14 16:19:14 | 000,000,000 | ---D | M](C:\?? - ?????? 2 ??? CD 2) -- C:\合輯 - 被遺忘的時光 2 老情歌 CD 2
[2010/03/14 16:19:06 | 000,000,000 | ---D | C](C:\?? - ?????? 2 ??? CD 2) -- C:\合輯 - 被遺忘的時光 2 老情歌 CD 2
[2010/03/14 14:09:07 | 000,000,000 | ---D | M](C:\??? - 903 id Club ???????? Live) -- C:\張敬軒 - 903 id Club 張敬軒拉闊變奏廳 Live
[2010/03/14 14:06:55 | 000,000,000 | ---D | C](C:\??? - 903 id Club ???????? Live) -- C:\張敬軒 - 903 id Club 張敬軒拉闊變奏廳 Live
[2010/02/13 00:45:26 | 000,000,000 | ---D | M](C:\?32????????????) -- C:\第32屆十大中文金曲頒獎音樂會
[2010/02/04 20:17:59 | 000,000,000 | ---D | C](C:\?32????????????) -- C:\第32屆十大中文金曲頒獎音樂會
[2010/01/24 03:30:54 | 000,100,352 | ---- | M] ()(C:\Documents and Settings\Peter\My Documents\???.doc) -- C:\Documents and Settings\Peter\My Documents\神無月.doc
[2010/01/24 03:28:46 | 000,100,352 | ---- | C] ()(C:\Documents and Settings\Peter\My Documents\???.doc) -- C:\Documents and Settings\Peter\My Documents\神無月.doc
[2010/01/24 02:53:06 | 000,195,584 | ---- | M] ()(C:\Documents and Settings\Peter\My Documents\??.doc) -- C:\Documents and Settings\Peter\My Documents\曖昧.doc
[2010/01/24 02:53:05 | 000,195,584 | ---- | C] ()(C:\Documents and Settings\Peter\My Documents\??.doc) -- C:\Documents and Settings\Peter\My Documents\曖昧.doc
[2010/01/20 23:48:39 | 000,000,000 | ---D | M](C:\??? - A Time For Us) -- C:\容祖兒 - A Time For Us
[2010/01/20 23:48:26 | 000,000,000 | ---D | C](C:\??? - A Time For Us) -- C:\容祖兒 - A Time For Us
[2009/11/06 23:06:25 | 009,965,188 | ---- | M] ()(C:\16.????? (Live).mp3) -- C:\16.下一站天國 (Live).mp3
[2009/11/06 23:06:25 | 000,001,466 | ---- | M] ()(C:\Various Artists - ???? 2.m3u) -- C:\Various Artists - 林夕字傳 2.m3u
[2009/11/06 23:06:12 | 008,594,128 | ---- | M] ()(C:\15.?? (Live).mp3) -- C:\15.約定 (Live).mp3
[2009/11/06 23:06:01 | 010,282,352 | ---- | M] ()(C:\14.????? (Live).mp3) -- C:\14.再見二丁目 (Live).mp3
[2009/11/06 23:05:36 | 009,852,352 | ---- | M] ()(C:\12.????.mp3) -- C:\12.戲迷情人.mp3
[2009/11/06 23:05:22 | 009,579,575 | ---- | M] ()(C:\11.????.mp3) -- C:\11.戲假情真.mp3
[2009/11/06 23:05:09 | 009,391,543 | ---- | M] ()(C:\10.?? . ??.mp3) -- C:\10.神話 . 情話.mp3
[2009/11/06 23:04:40 | 008,176,240 | ---- | M] ()(C:\8.????.mp3) -- C:\8.花天走地.mp3
[2009/11/06 23:04:09 | 005,307,092 | ---- | M] ()(C:\6.????.mp3) -- C:\6.與你無關.mp3
[2009/11/06 23:03:58 | 010,306,552 | ---- | M] ()(C:\5.??.mp3) -- C:\5.原諒.mp3
[2009/11/06 23:03:37 | 007,172,314 | ---- | M] ()(C:\4.??.mp3) -- C:\4.心動.mp3
[2009/11/06 23:03:22 | 007,629,242 | ---- | M] ()(C:\3.??? (?????).mp3) -- C:\3.你快樂 (所以我快樂).mp3
[2009/11/06 23:03:03 | 010,499,352 | ---- | M] ()(C:\2.????.mp3) -- C:\2.聖誕快樂.mp3
[2009/11/06 23:02:38 | 007,503,971 | ---- | M] ()(C:\1.??????.mp3) -- C:\1.越快樂越墮落.mp3
[2009/08/04 19:22:37 | 000,000,000 | ---D | M](C:\???) -- C:\周秀娜
[2009/08/04 19:20:09 | 000,000,000 | ---D | C](C:\???) -- C:\周秀娜
[2009/02/02 21:43:26 | 000,000,000 | ---D | M](C:\??? - ???48?? CD2) -- C:\陳奕迅 - 陳奕迅48首選 CD2
[2009/02/02 21:43:19 | 000,000,000 | ---D | C](C:\??? - ???48?? CD2) -- C:\陳奕迅 - 陳奕迅48首選 CD2
[2009/02/02 21:43:04 | 000,000,000 | ---D | M](C:\??? - ???48?? CD1) -- C:\陳奕迅 - 陳奕迅48首選 CD1
[2009/02/02 21:42:59 | 000,000,000 | ---D | C](C:\??? - ???48?? CD1) -- C:\陳奕迅 - 陳奕迅48首選 CD1
[2009/02/02 21:42:44 | 000,000,000 | ---D | M](C:\??? - Faithfully CD3) -- C:\梅艷芳 - Faithfully CD3
[2009/02/02 21:42:37 | 000,000,000 | ---D | C](C:\??? - Faithfully CD3) -- C:\梅艷芳 - Faithfully CD3
[2009/02/02 21:41:53 | 000,000,000 | ---D | M](C:\??? - Faithfully CD1) -- C:\梅艷芳 - Faithfully CD1
[2009/02/02 21:41:47 | 000,000,000 | ---D | C](C:\??? - Faithfully CD1) -- C:\梅艷芳 - Faithfully CD1
[2009/01/17 01:20:11 | 000,092,672 | ---- | M] ()(C:\Documents and Settings\Peter\My Documents\??1.doc) -- C:\Documents and Settings\Peter\My Documents\晚上1.doc
[2009/01/12 00:34:02 | 000,000,000 | ---D | M](C:\??? - ???2008 CD2) -- C:\關淑怡 - 演唱會2008 CD2
[2009/01/12 00:33:55 | 000,000,000 | ---D | C](C:\??? - ???2008 CD2) -- C:\關淑怡 - 演唱會2008 CD2
[2009/01/12 00:33:45 | 000,000,000 | ---D | M](C:\??? - ???2008 CD1) -- C:\關淑怡 - 演唱會2008 CD1
[2009/01/12 00:33:39 | 000,000,000 | ---D | C](C:\??? - ???2008 CD1) -- C:\關淑怡 - 演唱會2008 CD1
[2009/01/01 23:17:43 | 000,000,000 | ---D | M](C:\??? - ???????????07 ??? CD3) -- C:\張學友 - 學友光年世界巡迴演唱會07 香港站 CD3
[2009/01/01 23:17:37 | 000,000,000 | ---D | C](C:\??? - ???????????07 ??? CD3) -- C:\張學友 - 學友光年世界巡迴演唱會07 香港站 CD3
[2009/01/01 23:17:18 | 000,000,000 | ---D | M](C:\??? - ???????????07 ??? CD2) -- C:\張學友 - 學友光年世界巡迴演唱會07 香港站 CD2
[2009/01/01 23:17:11 | 000,000,000 | ---D | C](C:\??? - ???????????07 ??? CD2) -- C:\張學友 - 學友光年世界巡迴演唱會07 香港站 CD2
[2009/01/01 19:35:15 | 000,000,000 | ---D | M](C:\??? - ???????????07 ??? CD1) -- C:\張學友 - 學友光年世界巡迴演唱會07 香港站 CD1
[2009/01/01 19:35:06 | 000,000,000 | ---D | C](C:\??? - ???????????07 ??? CD1) -- C:\張學友 - 學友光年世界巡迴演唱會07 香港站 CD1
[2008/12/07 22:17:20 | 000,092,672 | ---- | C] ()(C:\Documents and Settings\Peter\My Documents\??1.doc) -- C:\Documents and Settings\Peter\My Documents\晚上1.doc
[2008/12/07 18:04:17 | 000,000,162 | -H-- | M] ()(C:\Documents and Settings\Peter\My Documents\~$??.doc) -- C:\Documents and Settings\Peter\My Documents\~$晚上.doc
[2008/12/07 18:04:17 | 000,000,162 | -H-- | C] ()(C:\Documents and Settings\Peter\My Documents\~$??.doc) -- C:\Documents and Settings\Peter\My Documents\~$晚上.doc
[2008/11/08 16:45:52 | 000,057,344 | ---- | M] ()(C:\Documents and Settings\Peter\My Documents\??.doc) -- C:\Documents and Settings\Peter\My Documents\晚上.doc
[2008/10/24 23:59:05 | 000,119,808 | ---- | M] ()(C:\?????????.doc) -- C:\綿綿細雨不斷飄落著.doc
[2008/10/21 21:34:18 | 000,000,000 | ---D | M](C:\???«Solidays ??+??») -- C:\陳奕迅《Solidays 新曲+精選》
[2008/10/21 21:34:17 | 000,000,000 | ---D | C](C:\???«Solidays ??+??») -- C:\陳奕迅《Solidays 新曲+精選》
[2008/10/21 21:19:32 | 006,140,587 | ---- | C] ()(C:\??? - ????.mp3) -- C:\陳奕迅 - 富士山下.mp3
[2008/10/21 21:15:49 | 006,140,587 | ---- | M] ()(C:\??? - ????.mp3) -- C:\陳奕迅 - 富士山下.mp3
[2008/10/10 23:29:44 | 000,000,000 | ---D | M](C:\081007 CD 3 BY YOU & ME 2000????) -- C:\081007 CD 3 BY YOU & ME 2000資訊論壇
[2008/10/10 23:29:36 | 000,000,000 | ---D | C](C:\081007 CD 3 BY YOU & ME 2000????) -- C:\081007 CD 3 BY YOU & ME 2000資訊論壇
[2008/10/10 23:27:06 | 000,000,000 | ---D | M](C:\081007 CD 2 BY YOU & ME 2000????) -- C:\081007 CD 2 BY YOU & ME 2000資訊論壇
[2008/10/10 23:27:01 | 000,000,000 | ---D | C](C:\081007 CD 2 BY YOU & ME 2000????) -- C:\081007 CD 2 BY YOU & ME 2000資訊論壇
[2008/10/10 23:24:32 | 000,000,000 | ---D | M](C:\081007 CD 1 BY YOU & ME 2000????) -- C:\081007 CD 1 BY YOU & ME 2000資訊論壇
[2008/10/10 23:24:25 | 000,000,000 | ---D | C](C:\081007 CD 1 BY YOU & ME 2000????) -- C:\081007 CD 1 BY YOU & ME 2000資訊論壇
[2008/09/20 19:04:09 | 000,000,000 | ---D | M](C:\??? - ??????? 07/08 CD3) -- C:\郭富城 - 舞林正傳演唱會 07/08 CD3
[2008/09/20 19:04:07 | 000,000,000 | ---D | C](C:\??? - ??????? 07/08 CD3) -- C:\郭富城 - 舞林正傳演唱會 07/08 CD3
[2008/09/20 17:07:08 | 000,000,000 | ---D | M](C:\??? - ??????? 07/08 CD2) -- C:\郭富城 - 舞林正傳演唱會 07/08 CD2
[2008/09/20 17:07:00 | 000,000,000 | ---D | C](C:\??? - ??????? 07/08 CD2) -- C:\郭富城 - 舞林正傳演唱會 07/08 CD2
[2008/09/20 16:56:29 | 000,000,000 | ---D | M](C:\??? - ??????? 07/08 CD1) -- C:\郭富城 - 舞林正傳演唱會 07/08 CD1
[2008/09/20 16:56:24 | 000,000,000 | ---D | C](C:\??? - ??????? 07/08 CD1) -- C:\郭富城 - 舞林正傳演唱會 07/08 CD1
[2008/09/07 13:24:24 | 000,000,000 | ---D | M](C:\??? - The Best Moment ?? Disc 2 - ??) -- C:\陳奕迅 - The Best Moment 精選 Disc 2 - 廣東
[2008/09/07 13:24:15 | 000,000,000 | ---D | C](C:\??? - The Best Moment ?? Disc 2 - ??) -- C:\陳奕迅 - The Best Moment 精選 Disc 2 - 廣東
[2008/09/07 13:17:33 | 000,000,000 | ---D | M](C:\??? - The Best Moment ?? Disc 1 - ??) -- C:\陳奕迅 - The Best Moment 精選 Disc 1 - 廣東
[2008/09/07 13:17:27 | 000,000,000 | ---D | C](C:\??? - The Best Moment ?? Disc 1 - ??) -- C:\陳奕迅 - The Best Moment 精選 Disc 1 - 廣東
[2008/07/29 19:16:19 | 000,057,344 | ---- | C] ()(C:\Documents and Settings\Peter\My Documents\??.doc) -- C:\Documents and Settings\Peter\My Documents\晚上.doc
[2008/05/19 21:21:28 | 000,109,056 | ---- | M] ()(C:\J????.doc) -- C:\J沒告訴妳.doc
[2008/05/19 21:21:27 | 000,109,056 | ---- | C] ()(C:\J????.doc) -- C:\J沒告訴妳.doc
[2008/04/15 22:29:25 | 009,945,064 | ---- | M] ()(C:\???.avi) -- C:\哺兒樂.avi
[2008/04/15 22:29:22 | 009,945,064 | ---- | C] ()(C:\???.avi) -- C:\哺兒樂.avi
[2008/02/14 21:00:20 | 000,170,496 | ---- | M] ()(C:\????.doc) -- C:\心若倦了.doc
[2008/01/05 23:26:44 | 000,170,496 | ---- | C] ()(C:\????.doc) -- C:\心若倦了.doc
[2007/06/10 01:40:17 | 000,107,520 | ---- | M] ()(C:\??????????.doc) -- C:\開始喜歡在電梯裡調情.doc
[2007/06/10 01:40:17 | 000,107,520 | ---- | C] ()(C:\??????????.doc) -- C:\開始喜歡在電梯裡調情.doc
[2007/06/10 00:39:36 | 000,119,808 | ---- | C] ()(C:\?????????.doc) -- C:\綿綿細雨不斷飄落著.doc
< End of report >

My Extra.txt

OTL Extras logfile created on: 4/25/2010 12:20:58 PM - Run 1
OTL by OldTimer - Version 3.2.2.0 Folder = C:\Documents and Settings\Peter\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

959.00 Mb Total Physical Memory | 412.00 Mb Available Physical Memory | 43.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): c:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 23.10 Gb Free Space | 15.50% Space Free | Partition Type: NTFS
Drive D: | 5.99 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
E: Drive not present or media not loaded
Drive F: | 981.05 Mb Total Space | 903.21 Mb Free Space | 92.07% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PETER-6063E7B63
Current User Name: Peter
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.exe [@ = secfile] -- C:\Documents and Settings\Peter\Local Settings\Application Data\ave.exe ()

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"UpdatesDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"22009:TCP" = 22009:TCP:*:Enabled:BitComet 22009 TCP
"22009:UDP" = 22009:UDP:*:Enabled:BitComet 22009 UDP
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"67:UDP" = 67:UDP:*:Enabled:DHCP Discovery Service
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\drivers\svchost.exe" = %windir%\system32\drivers\svchost.exe:*:Enabled:svchost -- File not found
"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- File not found
"C:\Program Files\BitComet\BitComet.exe" = C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client -- (www.BitComet.com)
"C:\Program Files\Graboid\tools\nntp\archiver.exe" = C:\Program Files\Graboid\tools\nntp\archiver.exe:*:Enabled:nzb downloader and post processor -- File not found
"C:\Program Files\Graboid\tools\nntp\player.exe" = C:\Program Files\Graboid\tools\nntp\player.exe:*:Enabled:nzb downloader and post processor -- File not found
"C:\Program Files\Graboid\tools\media\vlc\vlc.exe" = C:\Program Files\Graboid\tools\media\vlc\vlc.exe:*:Enabled:VLC media player -- File not found
"C:\Program Files\Microsoft LifeCam\LifeCam.exe" = C:\Program Files\Microsoft LifeCam\LifeCam.exe:*:Enabled:LifeCam.exe -- (Microsoft Corporation)
"C:\Program Files\Microsoft LifeCam\LifeExp.exe" = C:\Program Files\Microsoft LifeCam\LifeExp.exe:*:Enabled:LifeExp.exe -- (Microsoft Corporation)
"C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" = C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe:*:Enabled:winssnotify -- (Microsoft Corporation)
"C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe" = C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe:*:Enabled:NMIndexStoreSvr -- (Nero AG)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Explorer -- (Microsoft Corporation)
"%windir%\system32\drivers\svchost.exe" = %windir%\system32\drivers\svchost.exe:*:Enabled:svchost -- File not found
"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation)
"C:\Documents and Settings\Peter\Local Settings\Temp\xemrnscowa.tmp" = C:\Documents and Settings\Peter\Local Settings\Temp\xemrnscowa.tmp:*:Enabled:Windows System Defender -- File not found
"C:\Program Files\QvodPlayer\QvodTerminal.exe" = C:\Program Files\QvodPlayer\QvodTerminal.exe:*:Enabled:QVOD -- (Shenzhen QVOD Technology Co.,Ltd)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe" = C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe:LocalSubNet:Enabled:Pure Networks Network Magic Service -- (Pure Networks, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{17E2F183-BAC4-4D01-BD7A-59F781E17EFA}" = REALTEK PCIE NIC Driver
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1BC21146-767D-427D-BC91-2AB88B5ECE73}" = eReader
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = Multimedia Launcher
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{257EC58E-03FD-472B-A9B6-93F23A3C4CB0}" = Scan
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2A5C6AD0-F7B3-40A1-B140-23B085B1B8CE}" = UFile 2008
"{2C464EC1-2B0C-4490-9CAC-D4562DD8377A}" = Soap 3.0 Toolkit
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{341201D4-4F61-4ADB-987E-9CCE4D83A58D}" = Windows Live Toolbar Extension (Windows Live Toolbar)
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3851147E-5A91-4469-BA4D-13FFFCC8A920}" = Microsoft Windows OneCare Live v2.5.2900.20 Idcrl Install
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{451BB54C-8B23-4455-8BDC-14FC7D43E056}" = MSXML4SP2
"{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}" = Adobe® Photoshop® Album Starter Edition 3.0
"{4DEE75B1-B201-4DA3-A50F-007CDB00DA23}" = Microsoft LifeCam
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger
"{51F96AEC-D902-4434-A0DC-B9692A21AE7C}" = MobileMe Control Panel
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{5660022E-F3F2-4126-8CC5-9726C47150EB}" = Microsoft Windows Live OneCare Resources v2.5.2900.30
"{59991D18-A988-45AB-B1BF-5ADE6E64CD3F}" = SnagIt 9
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6513E869-647F-40FD-A55D-CFC92579B9BA}" = PX Engine
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76BC2442-0002-47FA-9617-43BAD82BEF4C}" = Bonjour
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7745B7A9-F323-4BB9-9811-01BF57A028DA}" = Map Button (Windows Live Toolbar)
"{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}" = Windows Live Favorites for Windows Live Toolbar
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{85CFDC2D-710E-49D5-B799-F3743CA506BA}" = Microsoft Protection Service
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8B21B9EF-6DBF-4F63-8CC7-9F6A56D1EE8E}" = GTOneCare
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{996A2FAA-7514-4628-9D12-A8FC34A0016E}" = iTunes
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}" = Highlight Viewer (Windows Live Toolbar)
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{A8589680-35C1-4732-ACCA-09B78921ECE3}" = Sid Meier's Civilization 4
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAB93551-3FFE-42B2-8315-96252BBC1033}" = Nero 7 Essentials
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{AC76BA86-7AD7-2447-0000-800000000003}" = Chinese Simplified Fonts Support For Adobe Reader 8
"{AC76BA86-7AD7-2448-0000-800000000003}" = Chinese Traditional Fonts Support For Adobe Reader 8
"{AC76BA86-7AD7-5760-0000-800000000003}" = Japanese Fonts Support For Adobe Reader 8
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B5C3B892-0849-476C-9F46-B12F84819D57}" = Apple Mobile Device Support
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
"{B97CF5C3-0487-11D8-A36E-0050BAE317E1}" = DVD Solution
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C9967B5A-6E08-4E79-BFBD-BBB07DB0CA04}" = UFile Updater 2008
"{C9D96682-5A4D-45FA-BA3E-DDCB2B0CB868}" = Safari
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D07A8E7E-D324-4945-BA8C-E532AD008FF3}" = Microsoft Windows OneCare Live v2.5.2900.30
"{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}" = Full Tilt Poker
"{D5773BFA-5967-4A1C-AD0F-FFFD0D13FC36}" = Network Magic
"{D5A145FC-D00C-4F1A-9119-EB4D9D659750}" = Windows Live Toolbar
"{DD23CAA4-8872-4B95-B263-EA46FD82CF19}" = LaserAIO
"{E26B83D1-C0BB-41BC-8F44-31D5354DD6AF}" = Microsoft Windows OneCare Live AntiSpyware and AntiVirus
"{F084395C-40FB-4DB3-981C-B51E74E1E83D}" = Smart Menus (Windows Live Toolbar)
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{FDC53DC6-137A-4541-BFA2-A9BAE4A7FE99}" = ULi Sata Driver
"63EE44B183E6F9261BBEDC6E0DD479A3ED939932" = Windows Driver Package - Pure Networks, Inc. Network Magic Device Discovery Driver (03/23/2007 4.1.7082.0)
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"All ATI Software" = ATI - Software Uninstall Utility
"Allok 3GP PSP MP4 iPod Video Converter_is1" = Allok 3GP PSP MP4 iPod Video Converter 6.2.0603
"ATI Display Driver" = ATI Display Driver
"BEFD16F14D4EBCB5CDB94F8C748ECA76860D7D88" = Windows Driver Package - Pure Networks, Inc. Network Magic Wireless Driver (03/23/2007 4.1.7082.0)
"BitComet" = BitComet 0.88
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"ffdshow_is1" = ffdshow [rev 2527] [2008-12-19]
"Foxit Reader" = Foxit Reader
"Google Chrome" = Google Chrome
"HijackThis" = HijackThis 2.0.2
"Hijackthis_is1" = Hijackthis 1.99.1
"hp LaserJet-all-in-one" = hp LaserJet-all-in-one
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InvelosDVDProfiler_is1" = DVD Profiler Version 3.5.1
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PDF Password Remover v2.5_is1" = PDF Password Remover v2.5
"PrimoPDF4.0.2.5" = PrimoPDF
"QvodPlayer" = QvodPlayer v3.5
"RealPlayer 12.0" = RealPlayer
"UltimateBet" = UltimateBet
"Windows Live Toolbar" = Windows Live Toolbar
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WinSS" = Windows Live OneCare
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Customizations" = Yahoo! Extras
"Yahoo! Internet Mail" = Yahoo! Internet Mail
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/22/2010 7:57:11 PM | Computer Name = PETER-6063E7B63 | Source = Application Hang | ID = 1002
Description = Hanging application rundll32.exe, version 5.1.2600.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/26/2010 7:44:00 AM | Computer Name = PETER-6063E7B63 | Source = Application Hang | ID = 1002
Description = Hanging application YahooMessenger.exe, version 9.0.0.2162, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/27/2010 1:28:07 PM | Computer Name = PETER-6063E7B63 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16981, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/27/2010 1:28:07 PM | Computer Name = PETER-6063E7B63 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16981, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 4/1/2010 7:48:20 AM | Computer Name = PETER-6063E7B63 | Source = Application Hang | ID = 1002
Description = Hanging application YahooMessenger.exe, version 9.0.0.2162, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 4/3/2010 9:21:47 PM | Computer Name = PETER-6063E7B63 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.17023, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 4/8/2010 6:51:27 AM | Computer Name = PETER-6063E7B63 | Source = Application Error | ID = 1000
Description = Faulting application ati2evxx.exe, version 6.14.10.4117, faulting
module unknown, version 0.0.0.0, fault address 0x00000000.

Error - 4/16/2010 4:36:56 AM | Computer Name = PETER-6063E7B63 | Source = Application Hang | ID = 1002
Description = Hanging application YahooMessenger.exe, version 9.0.0.2162, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 4/19/2010 10:08:14 PM | Computer Name = PETER-6063E7B63 | Source = Application Error | ID = 1000
Description = Faulting application qvodterminal.exe, version 3.5.0.62, faulting
module unknown, version 0.0.0.0, fault address 0x00000000.

Error - 4/21/2010 5:41:03 PM | Computer Name = PETER-6063E7B63 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.17023, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ MSFWSVC Events ]
Error - 10/11/2009 12:51:10 PM | Computer Name = PETER-6063E7B63 | Source = MSFWSVC | ID = 1080
Description = OneCare Firewall failed while executing the following method: BuildAdaptersMap.
Error Code: 0x80070002, Error Message: The system cannot find the file specified.
.

[ System Events ]
Error - 4/21/2010 3:55:01 PM | Computer Name = PETER-6063E7B63 | Source = MSFWDrv | ID = 262153
Description = The device, , did not respond within the timeout period.

Error - 4/21/2010 3:55:02 PM | Computer Name = PETER-6063E7B63 | Source = MSFWDrv | ID = 262153
Description = The device, , did not respond within the timeout period.

Error - 4/21/2010 3:55:02 PM | Computer Name = PETER-6063E7B63 | Source = MSFWDrv | ID = 262153
Description = The device, , did not respond within the timeout period.

Error - 4/21/2010 3:55:02 PM | Computer Name = PETER-6063E7B63 | Source = MSFWDrv | ID = 262153
Description = The device, , did not respond within the timeout period.

Error - 4/21/2010 3:55:02 PM | Computer Name = PETER-6063E7B63 | Source = MSFWDrv | ID = 262153
Description = The device, , did not respond within the timeout period.

Error - 4/21/2010 3:55:03 PM | Computer Name = PETER-6063E7B63 | Source = MSFWDrv | ID = 262153
Description = The device, , did not respond within the timeout period.

Error - 4/21/2010 3:55:06 PM | Computer Name = PETER-6063E7B63 | Source = MSFWDrv | ID = 262153
Description = The device, , did not respond within the timeout period.

Error - 4/21/2010 3:55:16 PM | Computer Name = PETER-6063E7B63 | Source = MSFWDrv | ID = 262153
Description = The device, , did not respond within the timeout period.

Error - 4/22/2010 6:31:16 PM | Computer Name = PETER-6063E7B63 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Windows Live OneCare
service to connect.

Error - 4/23/2010 7:07:27 AM | Computer Name = PETER-6063E7B63 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Windows Live OneCare
service to connect.

[ Windows OneCare Events ]
Error - 1/1/2009 3:11:39 PM | Computer Name = PETER-6063E7B63 | Source = WinSS | ID = 8001
Description = Successfully detected a local printer failed to share it PrinterName
= SnagIt 9 MachineName = PETER-6063E7B63 ShareName = DriverName = SnagIt 9 Printer
Driver
FileName = UNIDRV.DLL Driver Version = 3 Driver File Creation date = 0 Driver Port
= FILE Eligibility For Sharing = 1 Shared By OneCare = 0 Pre-OneCare Status = 1 Local
Printer = 0 Sharing Status = 1 Error Type = 5 Error Code = 0x0 EventID = 1 TelemetryAutoGuid
= {4D8B7168-2F40-4F38-964F-3647D89A013D}

Error - 1/1/2009 3:11:39 PM | Computer Name = PETER-6063E7B63 | Source = WinSS | ID = 8001
Description = Successfully detected a local printer failed to share it PrinterName
= PrimoPDF MachineName = PETER-6063E7B63 ShareName = DriverName = PrimoPDF Driver
FileName = pscript5.dll Driver Version = 3 Driver File Creation date = 0 Driver Port
= PrimoPort: Eligibility For Sharing = 1 Shared By OneCare = 0 Pre-OneCare Status
= 1 Local Printer = 0 Sharing Status = 1 Error Type = 5 Error Code = 0x0 EventID = 1 TelemetryAutoGuid
= {4D8B7168-2F40-4F38-964F-3647D89A013D}

Error - 7/26/2009 7:14:13 AM | Computer Name = PETER-6063E7B63 | Source = WinSS | ID = 7001
Description = Failed executing wireless security check process. Error Code = 0xc0000142.

Error - 8/21/2009 12:20:13 AM | Computer Name = PETER-6063E7B63 | Source = WinSS | ID = 8001
Description = Successfully detected a local printer failed to share it PrinterName
= Microsoft XPS Document Writer MachineName = PETER-6063E7B63 ShareName = DriverName
= Microsoft XPS Document Writer Driver FileName = mxdwdrv.dll Driver Version = 3 Driver
File Creation date = 0 Driver Port = XPSPort: Eligibility For Sharing = 1 Shared By
OneCare = 0 Pre-OneCare Status = 1 Local Printer = 0 Sharing Status = 1 Error Type
= 5 Error Code = 0x0 EventID = 1 TelemetryAutoGuid = {4D8B7168-2F40-4F38-964F-3647D89A013D}


< End of report >

#4 pchu1234 (Topic Starter, Member, 22 posts)
I have problems with GMER.exe. It shut down my system a couple of times, both times saying something about a Remote Procedure Call and a system shutdown in process. I tried to get this to work for more than half a day and can't.

#5 hammerman (Member 4k, 4,183 posts)
Hi,

Can you try running GMER from Safe Mode?

To enter Safe Mode, restart your computer and keep tapping the F8 key until a menu appears.
Use your up arrow key to highlight Safe Mode, then hit Enter.

#6 pchu1234 (Topic Starter, Member, 22 posts)
Here it is:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-28 03:15:42
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Peter\LOCALS~1\Temp\fxliqkow.sys


---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\winlogon.exe[204] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\WINDOWS\system32\winlogon.exe[204] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\WINDOWS\system32\winlogon.exe[204] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\WINDOWS\system32\winlogon.exe[204] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\WINDOWS\system32\winlogon.exe[204] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\WINDOWS\system32\winlogon.exe[204] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\WINDOWS\system32\winlogon.exe[204] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\WINDOWS\system32\winlogon.exe[204] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\WINDOWS\system32\services.exe[256] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\WINDOWS\system32\services.exe[256] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\WINDOWS\system32\services.exe[256] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\WINDOWS\system32\services.exe[256] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\WINDOWS\system32\services.exe[256] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\WINDOWS\system32\services.exe[256] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\WINDOWS\system32\services.exe[256] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\WINDOWS\system32\services.exe[256] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\WINDOWS\system32\lsass.exe[268] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\WINDOWS\system32\lsass.exe[268] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\WINDOWS\system32\lsass.exe[268] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\WINDOWS\system32\lsass.exe[268] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\WINDOWS\system32\lsass.exe[268] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\WINDOWS\system32\lsass.exe[268] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\WINDOWS\system32\lsass.exe[268] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\WINDOWS\system32\lsass.exe[268] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\WINDOWS\system32\svchost.exe[436] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\WINDOWS\system32\svchost.exe[436] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\WINDOWS\system32\svchost.exe[436] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\WINDOWS\system32\svchost.exe[436] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\WINDOWS\system32\svchost.exe[436] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\WINDOWS\system32\svchost.exe[436] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\WINDOWS\system32\svchost.exe[436] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\WINDOWS\system32\svchost.exe[436] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe[556] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe[556] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe[556] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe[556] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe[556] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe[556] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe[556] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe[556] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\WINDOWS\system32\svchost.exe[616] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\WINDOWS\system32\svchost.exe[616] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\WINDOWS\system32\svchost.exe[616] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\WINDOWS\system32\svchost.exe[616] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\WINDOWS\system32\svchost.exe[616] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\WINDOWS\system32\svchost.exe[616] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\WINDOWS\system32\svchost.exe[616] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\WINDOWS\system32\svchost.exe[616] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\WINDOWS\Explorer.EXE[924] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\WINDOWS\Explorer.EXE[924] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\WINDOWS\Explorer.EXE[924] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\WINDOWS\Explorer.EXE[924] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\WINDOWS\Explorer.EXE[924] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\WINDOWS\Explorer.EXE[924] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\WINDOWS\Explorer.EXE[924] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\WINDOWS\Explorer.EXE[924] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C
.text C:\Program Files\WinRAR\WinRAR.exe[1500] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\Program Files\WinRAR\WinRAR.exe[1500] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\Program Files\WinRAR\WinRAR.exe[1500] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003E78
.text C:\Program Files\WinRAR\WinRAR.exe[1500] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\Program Files\WinRAR\WinRAR.exe[1500] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\Program Files\WinRAR\WinRAR.exe[1500] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\Program Files\WinRAR\WinRAR.exe[1500] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\Program Files\WinRAR\WinRAR.exe[1500] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A9C

---- EOF - GMER 1.0.15 ----

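A note on reading the GMER log above, with an added example that is not part of this thread or of GMER itself. Every line in the "User code sections" block is an inline hook: the first 5 bytes of the named export (NtOpenKey, CreateProcessW, connect, send, recv and so on) have been overwritten with a JMP to the address shown, and in every process the targets fall in the 0x1000xxxx range. 0x10000000 is the linker's default image base for a DLL, so these hooks most likely come from one DLL loaded at its preferred base in each process. The log prints the target address only and does not name the owning module, so by itself it does not say whether the hooks belong to a security product (personal firewalls commonly hook exactly these Winsock and process-creation APIs) or to the infection; that has to be settled by checking what is mapped at that base. The script below parses lines of that format (the sample input is copied from the posted log), groups the hooks by function and target, checks whether all targets share one image base, and encodes and decodes the 5-byte E9 JMP so the numbers can be cross-checked against a memory dump. The regex and the 64 KiB grouping are my assumptions about the output format, not GMER's documentation.

```python
import re
import struct
from collections import defaultdict

# Constructed sample: lines copied from the GMER "User code sections" output posted above.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\winlogon.exe[204] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\WINDOWS\system32\winlogon.exe[204] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003C3C
.text C:\WINDOWS\system32\winlogon.exe[204] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AF0
.text C:\WINDOWS\system32\lsass.exe[268] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003DF4
.text C:\WINDOWS\system32\lsass.exe[268] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003264
.text C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe[556] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
.text C:\WINDOWS\Explorer.EXE[924] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000278C
"""

# Assumed line format: ".text <process>[<pid>] <module>!<function> <addr> <n> Bytes JMP <target>"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<mod>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<n>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-F]{8})$"
)


def parse_hooks(text):
    """Turn GMER user-mode hook lines into dicts; module names are case-folded
    because GMER prints WS2_32.dll and ws2_32.dll for the same module."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            d = m.groupdict()
            hooks.append({
                "proc": d["proc"], "pid": int(d["pid"]),
                "mod": d["mod"].lower(), "func": d["func"],
                "addr": int(d["addr"], 16), "len": int(d["n"]),
                "target": int(d["target"], 16),
            })
    return hooks


def jmp_rel32(addr, target):
    """Encode the 5-byte x86 JMP (E9 rel32) a hook writes at addr to reach target.
    rel32 is relative to the end of the 5-byte instruction, i.e. addr + 5."""
    rel = (target - (addr + 5)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", rel)


def decode_jmp_target(addr, code):
    """Inverse: given the 5 bytes found at addr in a dump, recover the absolute target."""
    if len(code) != 5 or code[0] != 0xE9:
        raise ValueError("not a rel32 JMP")
    rel = struct.unpack("<i", code[1:])[0]
    return (addr + 5 + rel) & 0xFFFFFFFF


def common_image_base(hooks, granularity=0x10000):
    """If every JMP target lands in one 64 KiB-aligned window, return that base
    (one injected image, most likely); otherwise None."""
    bases = {h["target"] & ~(granularity - 1) for h in hooks}
    return bases.pop() if len(bases) == 1 else None


def hooks_by_function(hooks):
    """{module!function: {target: [pid, ...]}}. A function hooked to the same
    target in every process points at one DLL loaded system-wide at one base."""
    out = defaultdict(lambda: defaultdict(set))
    for h in hooks:
        out[f'{h["mod"]}!{h["func"]}'][h["target"]].add(h["pid"])
    return {k: {t: sorted(p) for t, p in v.items()} for k, v in out.items()}


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    base = common_image_base(hooks)
    print(f"{len(hooks)} hooks; common image base: {base:#010x}" if base else "targets spread over several images")
    for name, targets in hooks_by_function(hooks).items():
        for target, pids in targets.items():
            print(f"{name:28s} -> {target:#010x} in pids {pids}")
    patch = jmp_rel32(0x7C90D5CE, 0x10003DF4)
    print("bytes written at ntdll!NtOpenKey:", patch.hex(" "))
```

The same rel32 arithmetic works in reverse on a process dump: read 5 bytes at the export's address, and if they start with E9, decode_jmp_target tells you where control goes before the real function runs.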
#7 hammerman (Member 4k, 4,183 posts)
Hi,

Do you recognise all the files in the log above like these?

C:\9.難唸的經.mp3
C:\7.至少還有你.mp3
C:\9.難唸的經.mp3
C:\8.花天走地.mp3
C:\7.至少還有你.mp3
C:\6.與你無關.mp3
C:\5.原諒.mp3
C:\4.心動.mp3 .....


Please follow these steps.

-- Step 1 --

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O2 - BHO: (BhoLock Class) - {244AE512-A46A-4BEF-AAB7-1D9FFD31C2F5} - C:\Program Files\Common Files\System\NetAgent.dll ()
    O2 - BHO: (BhoLock Class) - {244AE512-A46A-4BEF-AAB7-1D9FFD3AB5F4} - C:\Program Files\Common Files\System\NetAgent.dll ()
    O2 - BHO: (BhoLock Class) - {244AE512-A46A-4BEF-AAB7-1D9FFD3AC2F4} - C:\Program Files\Common Files\System\NetAgent.dll ()
    O2 - BHO: (BhoLock Class) - {244AE512-A46A-4BEF-AAB7-1D9FFD3AC2F5} - C:\Program Files\Common Files\System\NetAgent.dll ()
    [2010/04/24 18:43:57 | 000,002,810 | -HS- | M] () -- C:\Documents and Settings\Peter\Local Settings\Application Data\f1pKdvbneJkm
    [2010/04/24 18:43:57 | 000,002,810 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\f1pKdvbneJkm
    [2010/04/24 18:42:51 | 000,221,696 | -HS- | M] () -- C:\Documents and Settings\Peter\Local Settings\Application Data\ave.exe
    [2010/04/23 22:38:21 | 000,015,560 | -HS- | M] () -- C:\Documents and Settings\Peter\Local Settings\Application Data\0D2HvP
    [2010/04/23 22:38:21 | 000,015,560 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\0D2HvP
    [2009/01/01 19:48:36 | 001,294,028 | -HS- | C] () -- C:\WINDOWS\System32\afuvarul.ini
    [2009/01/01 12:55:51 | 001,294,028 | -HS- | C] () -- C:\WINDOWS\System32\uhadetul.ini
    
    :Services
    
    :Reg
    [-HKEY_CURRENT_USER\SOFTWARE\Classes\secfile]
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • This fix will produce a report. Please add this to your reply.
-- Step 2 --

Run Malwarebytes' Anti-Malware.
  • Select the Update tab and then click Check for Updates. If an update is found, it will download and install the latest version.
  • Select the Scanner tab, select "Perform Quick Scan", then click Scan
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note).
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#8 pchu1234 (Topic Starter, Member, 22 posts)
I do recognize those MP3 files; should I delete them?

Here is the OTL log.

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{244AE512-A46A-4BEF-AAB7-1D9FFD31C2F5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{244AE512-A46A-4BEF-AAB7-1D9FFD31C2F5}\ deleted successfully.
C:\Program Files\Common Files\System\NetAgent.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{244AE512-A46A-4BEF-AAB7-1D9FFD3AB5F4}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{244AE512-A46A-4BEF-AAB7-1D9FFD3AB5F4}\ deleted successfully.
File C:\Program Files\Common Files\System\NetAgent.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{244AE512-A46A-4BEF-AAB7-1D9FFD3AC2F4}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{244AE512-A46A-4BEF-AAB7-1D9FFD3AC2F4}\ deleted successfully.
File C:\Program Files\Common Files\System\NetAgent.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{244AE512-A46A-4BEF-AAB7-1D9FFD3AC2F5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{244AE512-A46A-4BEF-AAB7-1D9FFD3AC2F5}\ deleted successfully.
File C:\Program Files\Common Files\System\NetAgent.dll not found.
C:\Documents and Settings\Peter\Local Settings\Application Data\f1pKdvbneJkm moved successfully.
C:\Documents and Settings\All Users\Application Data\f1pKdvbneJkm moved successfully.
C:\Documents and Settings\Peter\Local Settings\Application Data\ave.exe moved successfully.
C:\Documents and Settings\Peter\Local Settings\Application Data\0D2HvP moved successfully.
C:\Documents and Settings\All Users\Application Data\0D2HvP moved successfully.
C:\WINDOWS\system32\afuvarul.ini moved successfully.
C:\WINDOWS\system32\uhadetul.ini moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\secfile\ not found.
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 200270 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Peter
->Temp folder emptied: 30444154 bytes
->Temporary Internet Files folder emptied: 21109389 bytes
->Java cache emptied: 8300941 bytes
->FireFox cache emptied: 45418981 bytes
->Google Chrome cache emptied: 16544463 bytes
->Apple Safari cache emptied: 22048739 bytes
->Flash cache emptied: 3459800 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 7972050 bytes
%systemroot%\System32 .tmp files removed: 2775569 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 13314891 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 23942476 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 20074 bytes

Total Files Cleaned = 187.00 mb


[EMPTYFLASH]

User: All Users

User: Default User

User: LocalService

User: NetworkService

User: Peter
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.2.0 log created on 04282010_182508

Files\Folders moved on Reboot...
C:\Documents and Settings\Peter\Local Settings\Temp\Google Toolbar\GoogleToolbarWelcome.log moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temp\~DF83F7.tmp moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\QP4BCDZ4\check[1].cab moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\QP4BCDZ4\favicon[4].ico moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\QP4BCDZ4\im[1].htm moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\QP4BCDZ4\maps[1].htm moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\QP4BCDZ4\phone[1].htm moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\LPFPFOJC\default[1].htm moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\LPFPFOJC\default[2].htm moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\LPFPFOJC\email[1].htm moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\LPFPFOJC\filters[1].bin moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\LPFPFOJC\Generic[1].htm moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\LPFPFOJC\InboxLight[1].htm moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\LPFPFOJC\start[1].cab moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\LPFPFOJC\url[1].htm moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\AGWZE0AH\BuddyList[1].htm moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\AGWZE0AH\iframe[1].htm moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\AGWZE0AH\map[1].bmp moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\AGWZE0AH\parameters[1].bin moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\AGWZE0AH\phone[1].bmp moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\AGWZE0AH\stocks[1].bmp moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\AGWZE0AH\stocks[1].htm moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\AGWZE0AH\ToastFull[1].htm moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\70H02GO6\01[1].htm moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\70H02GO6\Ave-exe-problem-t275149[1].htm moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\70H02GO6\default[1].bmp moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\70H02GO6\email[1].bmp moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\70H02GO6\favicon[4].ico moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\70H02GO6\ToastMini[1].htm moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\70H02GO6\url[1].bmp moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.
C:\WINDOWS\temp\Perflib_Perfdata_db8.dat moved successfully.

Registry entries deleted on Reboot...

I still can't run Malwarebytes. Please advise.

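A quick reconciliation of the fix script from post #7 against the log in post #8, as an added example rather than anything from the thread or from OTL. OTL reports one line per item it processed: "moved successfully" for files it quarantined into C:\_OTL, "deleted successfully" for registry keys, and "not found" for items already gone. The four BHO lines all point at the same NetAgent.dll, so one "moved successfully" followed by three "not found" for that file is the expected outcome, not a failure; and the log writes system32 in lower case while the script has System32, so paths must be compared case-insensitively. The script below parses the :OTL and :Reg sections, maps each planned file, key and BHO CLSID to the first outcome the log reports for it, and lists anything the log never mentioned. The sample script and log are excerpts of the posted ones (the log line for the All Users copy of 0D2HvP is left out on purpose so the unreported case shows up); the section and line formats it understands are my assumptions from the posted text, not OTL's documented grammar.

```python
import re

# Constructed sample: excerpts of the OTL fix script (post #7) and fix log (post #8).
# The log line for the All Users copy of 0D2HvP is deliberately omitted.
FIX_SCRIPT = r"""
:OTL
O2 - BHO: (BhoLock Class) - {244AE512-A46A-4BEF-AAB7-1D9FFD31C2F5} - C:\Program Files\Common Files\System\NetAgent.dll ()
O2 - BHO: (BhoLock Class) - {244AE512-A46A-4BEF-AAB7-1D9FFD3AB5F4} - C:\Program Files\Common Files\System\NetAgent.dll ()
[2010/04/24 18:42:51 | 000,221,696 | -HS- | M] () -- C:\Documents and Settings\Peter\Local Settings\Application Data\ave.exe
[2010/04/23 22:38:21 | 000,015,560 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\0D2HvP
[2009/01/01 19:48:36 | 001,294,028 | -HS- | C] () -- C:\WINDOWS\System32\afuvarul.ini

:Reg
[-HKEY_CURRENT_USER\SOFTWARE\Classes\secfile]

:Commands
[emptytemp]
[Reboot]
"""

FIX_LOG = r"""
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{244AE512-A46A-4BEF-AAB7-1D9FFD31C2F5}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{244AE512-A46A-4BEF-AAB7-1D9FFD31C2F5}\ deleted successfully.
C:\Program Files\Common Files\System\NetAgent.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{244AE512-A46A-4BEF-AAB7-1D9FFD3AB5F4}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{244AE512-A46A-4BEF-AAB7-1D9FFD3AB5F4}\ deleted successfully.
File C:\Program Files\Common Files\System\NetAgent.dll not found.
C:\Documents and Settings\Peter\Local Settings\Application Data\ave.exe moved successfully.
C:\WINDOWS\system32\afuvarul.ini moved successfully.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\secfile\ not found.
"""

# Assumed script line shapes (from the posted fix, not OTL's documentation).
BHO_RE = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-F-]+\}) - (.+?) \(\)$")
FILE_RE = re.compile(r"^\[.*?\] \(\) -- (.+)$")
REGDEL_RE = re.compile(r"^\[-(HKEY_[^\]]+)\]$")
# Assumed log line shapes.
LOG_KEY_RE = re.compile(r"^Registry key (.+?)\\? (deleted successfully|not found)\.$")
LOG_MOVED_RE = re.compile(r"^(.+?) moved successfully\.$")
LOG_NOTFOUND_RE = re.compile(r"^File (.+?) not found\.$")
# Where OTL removes a BHO from (as shown in the posted log).
BHO_KEY = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\"
CLSID_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\"


def plan(script):
    """Items the fix script will act on: file paths, registry keys to delete, BHO CLSIDs."""
    planned = {"files": [], "keys": [], "clsids": []}
    section = None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):           # ":OTL", ":Reg", ":Commands", ...
            section = line[1:].lower()
            continue
        if section == "otl":
            m = BHO_RE.match(line)
            if m:
                planned["clsids"].append(m.group(1))
                planned["files"].append(m.group(2))
                continue
            m = FILE_RE.match(line)
            if m:
                planned["files"].append(m.group(1))
        elif section == "reg":
            m = REGDEL_RE.match(line)
            if m:
                planned["keys"].append(m.group(1))
    return planned


def outcomes(log):
    """Map each path or key the log mentions to its FIRST reported outcome.
    Windows paths and key names are case-insensitive, hence casefold()."""
    seen = {}
    for raw in log.splitlines():
        line = raw.strip()
        m = LOG_KEY_RE.match(line)
        if m:
            status = "deleted" if m.group(2) == "deleted successfully" else "not found"
            seen.setdefault(m.group(1).casefold(), status)
            continue
        m = LOG_MOVED_RE.match(line)
        if m:
            seen.setdefault(m.group(1).casefold(), "moved")
            continue
        m = LOG_NOTFOUND_RE.match(line)
        if m:
            seen.setdefault(m.group(1).casefold(), "not found")
    return seen


def reconcile(script, log):
    """Planned item -> 'moved' | 'deleted' | 'not found' | 'unreported'."""
    planned, seen = plan(script), outcomes(log)
    report = {}
    for path in planned["files"]:
        report[path] = seen.get(path.casefold(), "unreported")
    for key in planned["keys"]:
        report[key] = seen.get(key.casefold(), "unreported")
    for clsid in planned["clsids"]:
        states = {seen.get((k + clsid).casefold(), "unreported") for k in (BHO_KEY, CLSID_KEY)}
        report[clsid] = "deleted" if states == {"deleted"} else ", ".join(sorted(states))
    return report


def leftovers(report):
    """Planned items the log never reported on; these need a second look."""
    return sorted(k for k, v in report.items() if v == "unreported")


if __name__ == "__main__":
    result = reconcile(FIX_SCRIPT, FIX_LOG)
    for item, status in result.items():
        print(f"{status:11s} {item}")
    print("unreported:", leftovers(result))
```

Only the first outcome per item is kept, which is what you want here: the repeated "not found" lines for NetAgent.dll are OTL re-visiting a file it already quarantined, and an item that shows up as unreported is the one to query before moving on to the next tool.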
#9 hammerman (Member 4k, 4,183 posts)
Hi,

No need to delete them if you recognise them.

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#10 pchu1234 (Topic Starter, Member, 22 posts)
Here it is. Please let me know if I need to do anything else. I thought I had disabled OneCare by ending the process for one of its files, but that didn't happen. Luckily it didn't cause any harm.

ComboFix 10-04-28.03 - Peter 04/28/2010 19:32:25.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.491 [GMT -4:00]
Running from: c:\documents and settings\Peter\Desktop\ComboFix.exe
AV: Windows Live OneCare *On-access scanning enabled* (Outdated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\desktop.ini
c:\documents and settings\Peter\Recent\ANTIGEN.exe
c:\documents and settings\Peter\Recent\cb.drv
c:\documents and settings\Peter\Recent\CLSV.dll
c:\documents and settings\Peter\Recent\CLSV.sys
c:\documents and settings\Peter\Recent\delfile.dll
c:\documents and settings\Peter\Recent\eb.dll
c:\documents and settings\Peter\Recent\eb.sys
c:\documents and settings\Peter\Recent\eb.tmp
c:\documents and settings\Peter\Recent\energy.dll
c:\documents and settings\Peter\Recent\exec.dll
c:\documents and settings\Peter\Recent\grid.drv
c:\documents and settings\Peter\Recent\hymt.drv
c:\documents and settings\Peter\Recent\pal.dll
c:\documents and settings\Peter\Recent\PE.sys
c:\documents and settings\Peter\Recent\runddlkey.sys
c:\documents and settings\Peter\Recent\tempdoc.dll
c:\documents and settings\Peter\Recent\tempdoc.drv
c:\documents and settings\Peter\Recent\tjd.exe
c:\program files\Mozilla Firefox\searchplugins\search.xml
C:\smp.bat
c:\windows\jestertb.dll
c:\windows\system32\drivers\down

.
((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-28 )))))))))))))))))))))))))))))))
.

2010-04-28 22:25 . 2010-04-28 22:25 -------- d-----w- C:\_OTL
2010-04-24 22:53 . 2010-04-24 22:53 388096 ----a-r- c:\documents and settings\Peter\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-04-24 06:15 . 2010-04-24 06:15 358 ----a-w- C:\fix.reg
2010-04-24 06:00 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-24 06:00 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 02:51 . 2010-04-24 02:51 52224 ----a-w- c:\documents and settings\Peter\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-24 02:50 . 2010-04-24 02:50 117760 ----a-w- c:\documents and settings\Peter\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-24 02:50 . 2010-04-24 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-24 02:50 . 2010-04-24 02:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-24 02:50 . 2010-04-24 02:50 -------- d-----w- c:\documents and settings\Peter\Application Data\SUPERAntiSpyware.com
2010-04-23 16:02 . 2010-04-23 16:02 -------- d-----w- c:\documents and settings\Peter\Local Settings\Application Data\PCHealth
2010-04-07 01:40 . 2010-04-20 01:41 439816 ----a-w- c:\documents and settings\Peter\Application Data\Real\Update\setup3.10\setup.exe
2010-04-05 03:11 . 2010-04-05 03:11 288256 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\OneCare Protection\LocalCopy\{77410C9D-0BE6-5F2F-08EB-F7F4D28A8456}-exeHelper.com
2010-04-03 16:59 . 2010-04-03 16:59 -------- d-----w- c:\program files\iPod
2010-04-03 16:58 . 2010-04-03 17:00 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-03 16:58 . 2010-04-03 17:00 -------- d-----w- c:\program files\iTunes
2010-04-03 16:47 . 2010-04-03 16:47 -------- d-----w- c:\program files\Bonjour
2010-04-03 16:42 . 2010-04-03 16:42 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-28 07:31 . 2008-05-13 01:02 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2010-04-28 01:00 . 2007-04-08 19:20 -------- d-----w- c:\program files\Full Tilt Poker
2010-04-27 19:13 . 2010-01-10 01:18 -------- d-----w- c:\program files\QvodPlayer
2010-04-24 06:08 . 2009-01-03 00:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-24 02:50 . 2008-07-11 01:02 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-03 16:59 . 2008-07-03 22:53 -------- d-----w- c:\program files\Common Files\Apple
2010-04-03 16:54 . 2010-02-04 01:40 -------- d-----w- c:\program files\QuickTime
2010-04-01 13:03 . 2007-04-08 07:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-03-27 23:07 . 2010-03-27 23:07 -------- d-----w- c:\program files\Common Files\Windows Live
2010-03-23 00:31 . 2007-04-06 08:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-23 00:23 . 2007-07-28 02:55 -------- d-----w- c:\documents and settings\Peter\Application Data\My Games
2010-03-22 23:59 . 2008-04-23 22:47 -------- d-----w- c:\program files\UFile 2007
2010-03-22 23:58 . 2009-11-01 02:36 -------- d-----w- c:\program files\Rogers
2010-03-22 23:57 . 2008-04-30 01:44 -------- d-----w- c:\program files\Badongo
2010-03-18 23:47 . 2010-03-18 23:46 -------- d-----w- c:\program files\UFile 2009
2010-03-11 12:38 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-04 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2004-08-04 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 15:46 . 2010-02-12 15:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 15:46 . 2010-02-12 15:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-12 04:33 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-07 05:15 . 2010-02-07 05:15 27164 ---ha-w- c:\windows\system32\mlfcache.dat
2008-01-07 22:57 . 2007-08-12 23:59 19456 ----a-w- c:\program files\2007movies.xls
2004-10-01 20:00 . 2007-05-08 01:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-18 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-29 344064]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 61952]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2007-03-14 321088]
"VX6000"="c:\windows\vVX6000.exe" [2006-06-29 994096]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2010-02-05 65256]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-11 198160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-06-29 269104]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 03:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2009-10-21 00:22 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2006-12-24 01:05 143360 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 22:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QvodPlayer]
2009-12-31 10:15 557056 ----a-w- c:\program files\QvodPlayer\QvodTerminal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-11-03 01:24 32768 ----a-w- c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-06-18 02:51 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Windows OneCare Live\\winssnotify.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Lib\\NMIndexStoreSvr.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\QvodPlayer\\QvodTerminal.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"22009:TCP"= 22009:TCP:BitComet 22009 TCP
"22009:UDP"= 22009:UDP:BitComet 22009 UDP
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 m5288;m5288;c:\windows\system32\drivers\m5288.sys [4/6/2007 4:19 AM 210304]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [2/5/2010 5:19 PM 26120]
R3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2/27/2008 10:40 PM 2383152]
S2 gupdate1ca32fca897c2ad;Google Update Service (gupdate1ca32fca897c2ad);c:\program files\Google\Update\GoogleUpdate.exe [9/11/2009 12:26 PM 133104]
S3 Asushwio;Asushwio;c:\windows\system32\drivers\ASUSHWIO.SYS [4/6/2007 4:17 AM 5824]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S3 utexmtm2;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\utexmtm2.sys --> c:\windows\system32\Drivers\utexmtm2.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-04-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://simonwin.homeip.net:8000/eng/index.cgi
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
mStart Page = hxxp://ca.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://ca.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://ca.search.yahoo.com
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Peter\Start Menu\Programs\UltimateBet\UltimateBet.lnk
DPF: {721700FE-7F0E-49C5-BDED-CA92B7CB1245} - hxxp://simonwin.homeip.net:8000/camclictrl.cab
FF - ProfilePath - c:\documents and settings\Peter\Application Data\Mozilla\Firefox\Profiles\1zdpvjv8.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://wwwyahoo.com/|http://www.89890.com/list/comic_1_1.htm|http://www.mpfinance.com/htm/Finance/main.htm|http://www.singtao.com/yesterday/fin/d_index.html|http://news.g4team.com/p_newspaper.html
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
Notify-WgaLogon - (no file)
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Peter\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\windows\system32\wininet.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\WRLogonNTF.dll

- - - - - - - > 'lsass.exe'(708)
c:\windows\system32\wininet.dll
.
Completion time: 2010-04-28 19:46:56
ComboFix-quarantined-files.txt 2010-04-28 23:46

Pre-Run: 24,900,509,696 bytes free
Post-Run: 24,868,458,496 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 0E27EA733844ADC694CCD8483A35DC19
#11
hammerman

    Member 4k

  • Member
  • 4,183 posts
Hi,

Please follow these steps.

-- Step 1 --

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

-- Step 2 --

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into SafeMode.

    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight SafeMode then hit enter.

  • Double click the setup file to run it.
  • Accept the agreement and click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit ok at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Autoscan.
  • Under Autoscan make sure these are checked.

  • Hidden startup Objects
  • System memory
  • Disk boot sectors.
  • My Computer.
  • Also any other drives (removable) that you may have.


After that click on Recommended to the right of Security level. Select Settings... and then click on the tab that says Additional; then, under Rootkit scan, turn on Deep scan and choose OK.

  • Then click on Start Scan at the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all
  • If it says it cannot be Neutralized then choose the Delete option when prompted.
  • After that is done click on the Reports button at the bottom and save it to file, naming it Kas.
  • Save it somewhere convenient like your desktop and post only the detected virus/malware in the report. It will be at the very top under Detected; post those results in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.


#12
pchu1234

    Member

  • Topic Starter
  • Member
  • 22 posts
Can you please give me a new link to Kaspersky? It got an HTTP 501/HTTP 505 Version Not Supported page when I clicked on it.

Also, can you tell me how long this scan usually takes?

Thanks

Edited by pchu1234, 29 April 2010 - 05:12 PM.

#13
pchu1234

    Member

  • Topic Starter
  • Member
  • 22 posts
OK, the link is good now. However, I probably can't scan until the weekend; I will let you know. Thanks
#14
hammerman

    Member 4k

  • Member
  • 4,183 posts

However, I probably can't scan until the weekend, I will let you know


OK. Thanks for letting me know.
#15
pchu1234

    Member

  • Topic Starter
  • Member
  • 22 posts
Ok, here it is:

Autoscan: completed 9 minutes ago (events: 30, objects: 364079, time: 02:09:27)
5/1/2010 10:56:51 AM Task started
5/1/2010 11:13:36 AM Detected: Trojan-PSW.Win32.Kates.eo C:\Documents and Settings\Peter\Local Settings\temp\yndv.bak
5/1/2010 11:15:13 AM Deleted: Trojan-PSW.Win32.Kates.eo C:\Documents and Settings\Peter\Local Settings\temp\yndv.bak
5/1/2010 11:18:22 AM Detected: Trojan.Win32.VB.kan C:\Downloads\PDF Password Remover v.3.0 -crack PDF's.rar/PDF Password Remover v.3.0 -crack PDF's/Portable PDF Password Remover 3.0.exe
5/1/2010 11:28:25 AM Detected: Trojan.Win32.BHO.afql C:\System Volume Information\_restore{760E7128-8640-4B43-9414-0B07DB1F2153}\RP200\A0070564.dll
5/1/2010 11:28:59 AM Detected: Trojan.Win32.BHO.afql C:\System Volume Information\_restore{760E7128-8640-4B43-9414-0B07DB1F2153}\RP208\A0070876.dll
5/1/2010 11:29:02 AM Detected: Trojan.Win32.BHO.afti C:\System Volume Information\_restore{760E7128-8640-4B43-9414-0B07DB1F2153}\RP208\A0070903.dll
5/1/2010 11:30:38 AM Deleted: Trojan.Win32.VB.kan C:\Downloads\PDF Password Remover v.3.0 -crack PDF's.rar
5/1/2010 11:30:38 AM Deleted: Trojan.Win32.BHO.afql C:\System Volume Information\_restore{760E7128-8640-4B43-9414-0B07DB1F2153}\RP208\A0070876.dll
5/1/2010 11:30:39 AM Deleted: Trojan.Win32.BHO.afti C:\System Volume Information\_restore{760E7128-8640-4B43-9414-0B07DB1F2153}\RP208\A0070903.dll
5/1/2010 11:30:39 AM Deleted: Trojan.Win32.BHO.afql C:\System Volume Information\_restore{760E7128-8640-4B43-9414-0B07DB1F2153}\RP200\A0070564.dll
5/1/2010 11:31:00 AM Detected: Trojan.Win32.BHO.afti C:\System Volume Information\_restore{760E7128-8640-4B43-9414-0B07DB1F2153}\RP208\A0071225.dll
5/1/2010 11:31:45 AM Detected: Trojan.Win32.BHO.afti C:\System Volume Information\_restore{760E7128-8640-4B43-9414-0B07DB1F2153}\RP209\A0071871.dll
5/1/2010 11:36:55 AM Detected: Packed.Win32.Katusha.j C:\System Volume Information\_restore{760E7128-8640-4B43-9414-0B07DB1F2153}\RP224\A0079008.exe
5/1/2010 11:38:14 AM Deleted: Trojan.Win32.BHO.afti C:\System Volume Information\_restore{760E7128-8640-4B43-9414-0B07DB1F2153}\RP208\A0071225.dll
5/1/2010 11:38:16 AM Deleted: Trojan.Win32.BHO.afti C:\System Volume Information\_restore{760E7128-8640-4B43-9414-0B07DB1F2153}\RP209\A0071871.dll
5/1/2010 11:38:16 AM Deleted: Packed.Win32.Katusha.j C:\System Volume Information\_restore{760E7128-8640-4B43-9414-0B07DB1F2153}\RP224\A0079008.exe
5/1/2010 11:38:33 AM Detected: Packed.Win32.Katusha.j C:\System Volume Information\_restore{760E7128-8640-4B43-9414-0B07DB1F2153}\RP225\A0081346.exe
5/1/2010 11:38:38 AM Detected: Packed.Win32.Katusha.j C:\System Volume Information\_restore{760E7128-8640-4B43-9414-0B07DB1F2153}\RP226\A0082365.exe
5/1/2010 11:46:24 AM Deleted: Packed.Win32.Katusha.j C:\System Volume Information\_restore{760E7128-8640-4B43-9414-0B07DB1F2153}\RP225\A0081346.exe
5/1/2010 11:46:25 AM Deleted: Packed.Win32.Katusha.j C:\System Volume Information\_restore{760E7128-8640-4B43-9414-0B07DB1F2153}\RP226\A0082365.exe
5/1/2010 11:48:51 AM Detected: Packed.Win32.Katusha.j C:\_OTL\MovedFiles\04282010_182508\C_Documents and Settings\Peter\Local Settings\Application Data\ave.exe
5/1/2010 11:57:28 AM Deleted: Packed.Win32.Katusha.j C:\_OTL\MovedFiles\04282010_182508\C_Documents and Settings\Peter\Local Settings\Application Data\ave.exe
5/1/2010 11:58:22 AM Detected: Trojan-PSW.Win32.Kates.eo C:\Documents and Settings\Peter\Local Settings\temp\yndv.bak
5/1/2010 12:32:19 PM Task stopped
5/1/2010 12:39:52 PM Task started
5/1/2010 12:42:35 PM Task stopped
5/1/2010 12:45:49 PM Task started
5/1/2010 1:09:25 PM Detected: HEUR:Trojan-Downloader.Win32.Generic C:\Documents and Settings\Peter\Desktop\Maria Chan\My Documents\My download\telus2006enwp.exe/data0001/data0000.cab/GetFlash.exe
5/1/2010 2:55:16 PM Task completed
Disinfect active threats: completed 2 hours ago (events: 7, objects: 1400, time: 00:05:00)
5/1/2010 12:32:19 PM Task started
5/1/2010 12:32:21 PM Detected: Trojan-PSW.Win32.Kates.eo C:\Documents and Settings\Peter\Local Settings\temp\yndv.bak
5/1/2010 12:32:26 PM Deleted: Trojan-PSW.Win32.Kates.eo C:\Documents and Settings\Peter\Local Settings\temp\yndv.bak
5/1/2010 12:33:20 PM Detected: Trojan-PSW.Win32.Kates.eo C:\Documents and Settings\Peter\Local Settings\temp\yndv.bak
5/1/2010 12:34:26 PM Deleted: Trojan-PSW.Win32.Kates.eo C:\Documents and Settings\Peter\Local Settings\temp\yndv.bak
5/1/2010 12:34:26 PM Deleted: Trojan-PSW.Win32.Kates.eo C:\Documents and Settings\Peter\Local Settings\temp\yndv.bak
5/1/2010 12:37:19 PM Task completed
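The AVP Tool report above is a flat list of timestamped events, and hammerman asks for just the detected items. As an added example (not from this thread or from Kaspersky), here is a small Python parser that groups the Detected/Deleted events by file and flags anything not cleanly removed, including a file that is detected again after it was deleted, as yndv.bak is above; the sample lines are copied from the posted log, and the function names are this example's own.

```python
"""Summarise a Kaspersky AVP Tool report of the kind posted in this thread.

For each file the tool touched we keep the sequence of Detected/Deleted
events and classify the file as removed, never removed, or removed and
then detected again (something is dropping the file back).
"""
import re
from collections import OrderedDict
from datetime import datetime

# One report line: timestamp, event, and (for Detected/Deleted) the
# detection name followed by the file path, which may contain spaces.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<action>Detected|Deleted|Task started|Task stopped|Task completed)"
    r"(?:: (?P<name>\S+) (?P<path>.+))?$"
)


def parse_event(line):
    """Return a dict for one report line, or None if the line does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p"),
        "action": m.group("action"),
        "name": m.group("name"),   # None for Task started/stopped/completed
        "path": m.group("path"),
    }


def summarize(lines):
    """Group Detected/Deleted events by path and classify each file."""
    files = OrderedDict()
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["path"] is None:
            continue  # task markers and lines that are not events
        entry = files.setdefault(ev["path"], {"name": ev["name"], "events": []})
        entry["events"].append(ev["action"])
    for entry in files.values():
        actions = entry["events"]
        if "Deleted" not in actions:
            entry["status"] = "not removed"
        elif actions[-1] == "Deleted":
            entry["status"] = "removed"
        else:
            entry["status"] = "recreated"  # detected again after a deletion
    return files


def unresolved(lines):
    """Paths a helper would ask about: anything not cleanly removed."""
    return [p for p, e in summarize(lines).items() if e["status"] != "removed"]


# Sample input: a subset of the Autoscan section posted above.
SAMPLE_REPORT = [
    r"5/1/2010 10:56:51 AM Task started",
    r"5/1/2010 11:13:36 AM Detected: Trojan-PSW.Win32.Kates.eo C:\Documents and Settings\Peter\Local Settings\temp\yndv.bak",
    r"5/1/2010 11:15:13 AM Deleted: Trojan-PSW.Win32.Kates.eo C:\Documents and Settings\Peter\Local Settings\temp\yndv.bak",
    r"5/1/2010 11:48:51 AM Detected: Packed.Win32.Katusha.j C:\_OTL\MovedFiles\04282010_182508\C_Documents and Settings\Peter\Local Settings\Application Data\ave.exe",
    r"5/1/2010 11:57:28 AM Deleted: Packed.Win32.Katusha.j C:\_OTL\MovedFiles\04282010_182508\C_Documents and Settings\Peter\Local Settings\Application Data\ave.exe",
    r"5/1/2010 11:58:22 AM Detected: Trojan-PSW.Win32.Kates.eo C:\Documents and Settings\Peter\Local Settings\temp\yndv.bak",
    r"5/1/2010 12:32:19 PM Task stopped",
    r"5/1/2010 1:09:25 PM Detected: HEUR:Trojan-Downloader.Win32.Generic C:\Documents and Settings\Peter\Desktop\Maria Chan\My Documents\My download\telus2006enwp.exe/data0001/data0000.cab/GetFlash.exe",
    r"5/1/2010 2:55:16 PM Task completed",
]

if __name__ == "__main__":
    for path, entry in summarize(SAMPLE_REPORT).items():
        print(f"{entry['status']:12} {entry['name']}  {path}")
```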