13 replies to this topic

[omigod]

Hi, there. My computer recently got infected with this virus/trojan. I have Kaspersky Anti-Virus 7.0.0125 installed and updated, but the virus somehow managed to get past the anti-virus. This virus redirects a lot of the links on my browser and periodically generates pop-up browser windows to random sites.
When the computer was first infected, I had run a full scan using Malwarebytes and managed to removed two Trojan viruses (first mbam log), but unforunately the problem still exists. Now Malwarebytes is not picking up anything (2nd mbam log). For some odd reason, the Kaspersky Anti-Virus does give me warnings about a trojan virus regularly. The warning is as follows:
"Malicious HTTP object <http://212.117.183.13/Fbhe8fehw82.exe>: detected Trojan program 'Trojan.Win32.Buzus.ckxp'"
I guess it is telling me that the Trojan is trying to run external program on my computer, but is detected by my anti-virus.
So I wonder if anyone can help me remove this Trojan virus.
Thanks in advance


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:13 AM, on 11/3/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kingsoft\PowerWord 2005\XDICT.EXE
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPStart] "C:\Program Files\Synaptics\SynTP\SynTPStart.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "%ProgramFiles%\Windows Defender\MSASCui.exe" -hide
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Powerword 2005.lnk = C:\Program Files\Kingsoft\PowerWord 2005\XDICT.EXE
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.alipay.com
O15 - Trusted Zone: http://*.alisoft.com
O15 - Trusted Zone: http://*.taobao.com
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Virtual PDF Printer (Service1) - Unknown owner - C:\Program Files\Virtual PDF Printer\VirtualPrinting.exe

--
End of file - 6276 bytes



First MBAM log:
Malwarebytes' Anti-Malware 1.41
Database version: 3077
Windows 6.0.6000

11/1/2009 12:15:34 PM
mbam-log-2009-11-01 (12-15-34).txt

Scan type: Full Scan (C:\|)
Objects scanned: 190122
Time elapsed: 2 hour(s), 13 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\future.mynshandler (Spyware.AdaEbook) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e8cfc029-8420-4eae-adef-915bdc77e1dc} (Spyware.AdaEbook) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\Temp\cch~3698e6248c.htp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\Temp\eqhb.tmp (Trojan.Buzus) -> Quarantined and deleted successfully.


2nd MBAM log (the most recent one):
Malwarebytes' Anti-Malware 1.41
Database version: 3090
Windows 6.0.6000

11/2/2009 10:10:01 PM
mbam-log-2009-11-02 (22-10-01).txt

Scan type: Full Scan (C:\|)
Objects scanned: 190047
Time elapsed: 43 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[chamber]

Hi,

• Download OTL to your desktop.
  
• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  
• When the window appears, underneath Output at the top change it to Minimal Output.
  
• Check the boxes beside LOP Check and Purity Check.
  
• Under the Custom Scan box paste this in
  
  netsvcs
  msconfig
  safebootminimal
  safebootnetwork
  activex
  drivers32
  %SYSTEMDRIVE%\*.exe
  HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions
  %SYSTEMDRIVE%\eventlog.dll /s /md5
  %SYSTEMDRIVE%\scecli.dll /s /md5
  %SYSTEMDRIVE%\netlogon.dll /s /md5
  %SYSTEMDRIVE%\cngaudit.dll /s /md5
  %SYSTEMDRIVE%\sceclt.dll /s /md5
  %SYSTEMDRIVE%\ntelogon.dll /s /md5
  %SYSTEMDRIVE%\logevent.dll /s /md5
  %SYSTEMDRIVE%\iaStor.sys /s /md5
  %SYSTEMDRIVE%\nvstor.sys /s /md5
  %SYSTEMDRIVE%\atapi.sys /s /md5
  %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
  %SYSTEMDRIVE%\viasraid.sys /s /md5
  %SYSTEMDRIVE%\AGP440.sys /s /md5
  %SYSTEMDRIVE%\vaxscsi.sys /s /md5
  
  
  
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

Download NoMD5 to your root drive ( usually C:\ )

• NB : It is important you put the tool in your root directory, C:\
  
• Click Start > Run > Paste the following in %SYSTEMDRIVE%\NoMD5Sys -full > Click ok
  
• A window will pop up and perform a scan, let it run uninterrupted. It should only take a few minutes.
  
• A log will pop up, it will also be saved in the same location as NoMD5, which should be in your C:\ drive. Post the contents of the log in your reply

Post back with the 3 requested logs please.

[omigod]

OTL logfile created on: 11/3/2009 5:31:24 PM - Run 1
OTL by OldTimer - Version 3.1.3.3 Folder = C:\Users\TZ Fang\Downloads
Windows Vista Business Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18828)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.51 Gb Available Physical Memory | 75.70% Memory free
4.00 Gb Paging File | 3.93 Gb Available in Paging File | 98.24% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 111.79 Gb Total Space | 1.07 Gb Free Space | 0.96% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TZFANG-PC
Current User Name: TZ Fang
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\TZ Fang\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe (Stardock)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
PRC - C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
PRC - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
PRC - C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
PRC - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe (Kaspersky Lab)
PRC - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe (Kaspersky Lab)
PRC - C:\Program Files\Kingsoft\PowerWord 2005\XDICT.EXE (Kingsoft Co, Ltd.)


========== Modules (SafeList) ==========

MOD - C:\Users\TZ Fang\Downloads\OTL.exe (OldTimer Tools)
MOD - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\scrchpg.dll (Kaspersky Lab)
MOD - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\r3hook.dll (Kaspersky Lab)
MOD - C:\Program Files\Stardock\ObjectDock\DockShellHook.dll ()
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6000.16386_none_5d07289e07e1d100\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (iPod Service) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (WinHttpAutoProxySvc) -- winhttp.dll (Microsoft Corporation)
SRV - (NetTcpPortSharing) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (idsvc) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (FontCache3.0.0.0) -- C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (Bonjour Service) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (odserv) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (Microsoft Office Groove Audit Service) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (Microsoft Corporation)
SRV - (AVP) -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe (Kaspersky Lab)
SRV - (WMPNetworkSvc) -- C:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
SRV - (ose) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (Service1) -- C:\Program Files\Virtual PDF Printer\VirtualPrinting.exe ()


========== Driver Services (SafeList) ==========

DRV - (taphss) -- C:\Windows\System32\drivers\taphss.sys (AnchorFree Inc)
DRV - (BCM43XX) -- C:\Windows\System32\drivers\BCMWL6.SYS (Broadcom Corporation)
DRV - (BCM43XV) -- C:\Windows\System32\drivers\BCMWL6.SYS (Broadcom Corporation)
DRV - (kl1) -- C:\Windows\System32\drivers\kl1.sys (Kaspersky Lab)
DRV - (KLIF) -- C:\Windows\System32\drivers\klif.sys (Kaspersky Lab)
DRV - (SCDEmu) -- C:\Windows\System32\drivers\scdemu.sys (PowerISO Computing, Inc.)
DRV - (GEARAspiWDM) -- C:\Windows\System32\drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (nvsmu) -- C:\Windows\System32\drivers\nvsmu.sys (NVIDIA Corporation)
DRV - (nvstor32) -- C:\Windows\system32\DRIVERS\nvstor32.sys ()
DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvmfdx32.sys (NVIDIA Corporation)
DRV - (Alidevice) -- C:\Windows\System32\drivers\alidevice.sys (alipay.com)
DRV - (CnxtHdAudService) -- C:\Windows\System32\drivers\CHDRT32.sys (Conexant Systems Inc.)
DRV - (SynTP) -- C:\Windows\System32\drivers\SynTP.sys (Synaptics, Inc.)
DRV - (KLIM6) -- C:\Windows\System32\drivers\klim6.sys (Kaspersky Lab)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (rismxdp) -- C:\Windows\System32\drivers\rixdptsk.sys (REDC)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (SiSRaid2) -- C:\Windows\system32\drivers\sisraid2.sys (Silicon Integrated Systems Corp.)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Logic Corporation)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (Brserid) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (HSF_DPV) -- C:\Windows\System32\drivers\VSTDPV3.SYS (Conexant Systems, Inc.)
DRV - (HSFHWAZL) -- C:\Windows\System32\drivers\VSTAZL3.SYS (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\Windows\System32\drivers\VSTCNXT3.SYS (Conexant Systems, Inc.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (E1G60) -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
DRV - (secdrv) -- C:\Windows\System32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (HBtnKey) -- C:\Windows\System32\drivers\CPQBttn.sys (Hewlett-Packard Development Company, L.P.)
DRV - (rimsptsk) -- C:\Windows\System32\drivers\rimsptsk.sys (REDC)
DRV - (rimmptsk) -- C:\Windows\System32\drivers\rimmptsk.sys (REDC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Wikipedia (en)"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.6.4
FF - prefs.js..extensions.enabledItems: {463F6CA5-EE3C-4be1-B7E6-7FEE11953374}:3.5.9
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}:6.0.15
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.4

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/13 02:04:48 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.4\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/10/27 23:47:45 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.4\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/10/27 23:47:45 | 00,000,000 | ---D | M]

[2009/09/12 04:43:02 | 00,000,000 | ---D | M] -- C:\Users\TZ Fang\AppData\Roaming\Mozilla\Extensions
[2009/09/11 16:23:58 | 00,000,000 | ---D | M] -- C:\Users\TZ Fang\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/09/12 04:43:02 | 00,000,000 | ---D | M] -- C:\Users\TZ Fang\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org
[2009/11/02 12:45:30 | 00,000,000 | ---D | M] -- C:\Users\TZ Fang\AppData\Roaming\Mozilla\Firefox\Profiles\0ad6e590.default\extensions
[2009/09/13 11:43:48 | 00,000,000 | ---D | M] -- C:\Users\TZ Fang\AppData\Roaming\Mozilla\Firefox\Profiles\0ad6e590.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/09/11 17:15:27 | 00,000,000 | ---D | M] -- C:\Users\TZ Fang\AppData\Roaming\Mozilla\Firefox\Profiles\0ad6e590.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}
[2009/10/09 15:27:23 | 00,000,000 | ---D | M] -- C:\Users\TZ Fang\AppData\Roaming\Mozilla\Firefox\Profiles\0ad6e590.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2009/10/29 20:12:53 | 00,002,639 | ---- | M] () -- C:\Users\TZ Fang\AppData\Roaming\Mozilla\Firefox\Profiles\0ad6e590.default\searchplugins\alexa-traffic-details.xml
[2009/11/01 09:23:40 | 00,001,148 | ---- | M] () -- C:\Users\TZ Fang\AppData\Roaming\Mozilla\Firefox\Profiles\0ad6e590.default\searchplugins\dictionarycom.xml
[2009/11/01 15:31:51 | 00,003,007 | ---- | M] () -- C:\Users\TZ Fang\AppData\Roaming\Mozilla\Firefox\Profiles\0ad6e590.default\searchplugins\imdb.xml
[2009/10/27 21:15:47 | 00,002,061 | ---- | M] () -- C:\Users\TZ Fang\AppData\Roaming\Mozilla\Firefox\Profiles\0ad6e590.default\searchplugins\investopedia.xml
[2009/11/01 09:23:40 | 00,000,891 | ---- | M] () -- C:\Users\TZ Fang\AppData\Roaming\Mozilla\Firefox\Profiles\0ad6e590.default\searchplugins\merriam-webster-dictionary.xml
[2009/11/01 09:23:40 | 00,005,810 | ---- | M] () -- C:\Users\TZ Fang\AppData\Roaming\Mozilla\Firefox\Profiles\0ad6e590.default\searchplugins\the-free-dictionary.xml
[2009/11/01 09:23:40 | 00,002,339 | ---- | M] () -- C:\Users\TZ Fang\AppData\Roaming\Mozilla\Firefox\Profiles\0ad6e590.default\searchplugins\urban-dictionary.xml
[2009/11/02 12:45:30 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/10/27 23:47:45 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/09/11 19:43:19 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
[2009/09/11 23:48:33 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
[2009/10/27 23:47:22 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2009/10/27 23:47:22 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2007/04/10 16:21:08 | 00,163,256 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
[2008/12/15 14:05:50 | 00,234,496 | ---- | M] (Alipay.com co.,ltd) -- C:\Program Files\Mozilla Firefox\plugins\npaliedit.dll
[2009/07/25 07:23:01 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
[2009/10/27 23:47:24 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2006/10/26 22:12:16 | 00,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
[2009/02/27 12:13:42 | 00,103,792 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
[2009/09/11 17:09:29 | 00,144,960 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll
[2009/09/11 17:42:24 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2009/09/11 17:42:24 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2009/09/11 17:42:25 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2009/09/11 17:42:25 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2009/09/11 17:42:25 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2009/09/11 17:42:25 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
[2009/09/11 17:42:25 | 00,159,744 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
[2009/09/11 17:10:25 | 00,008,192 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll
[2009/09/11 17:09:15 | 00,094,208 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll
[2009/08/24 13:45:46 | 00,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2009/08/24 13:45:46 | 00,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2009/08/24 13:45:46 | 00,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2009/08/24 13:45:46 | 00,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2009/08/24 13:45:46 | 00,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2009/08/24 13:45:46 | 00,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2009/08/24 13:45:46 | 00,000,792 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: (761 bytes) - C:\Windows\System32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe (Kaspersky Lab)
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [Windows Defender] File not found
O4 - Startup: C:\Users\TZ Fang\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Powerword 2005.lnk = C:\Program Files\Kingsoft\PowerWord 2005\XDICT.EXE (Kingsoft Co, Ltd.)
O4 - Startup: C:\Users\TZ Fang\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe (Stardock)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll (Kaspersky Lab)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: alipay.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: alipay.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: alisoft.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: alisoft.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: taobao.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: taobao.com ([]https in Trusted sites)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/C/B.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.71.255.198
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ic32pp {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\Windows\wc98pp.dll ()
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\r3hook.dll (Kaspersky Lab)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\klogon: DllName - C:\Windows\system32\klogon.dll - C:\Windows\System32\klogon.dll (Kaspersky Lab)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (credssp.dll) - credssp.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\Windows\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2006/11/02 06:18:47 | 00,000,000 | ---D | M]
NetSvcs: Irmon - C:\Windows\System32\irmon.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

MsConfig - State: "startup" - 0

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - Service
SafeBootMin: NTDS - File not found
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: sacsvr - Service
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: HelpSvc - Service
SafeBootNet: Messenger - Service
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: NTDS - File not found
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: rdsessmgr - Service
SafeBootNet: sacsvr - Service
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {50DD5230-BA8A-11D1-BF5D-0000F805F530} - Smart card readers
SafeBootNet: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootNet: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootNet: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootNet: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} -
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\System32\Microsoft
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} -
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - C:\Windows\System32\Microsoft
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

Drivers32: aux - wdmaud.drv (Microsoft Corporation)
Drivers32: midi - wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - midimap.dll (Microsoft Corporation)
Drivers32: mixer - wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.imaadpcm - imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.msadpcm - msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - msg711.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - msgsm32.acm (Microsoft Corporation)
Drivers32: msacm.siren - sirenacm.dll (Microsoft Corporation)
Drivers32: MSVideo8 - VfWWDM32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - iccvid.dll (Radius Inc.)
Drivers32: vidc.i420 - iyuv_32.dll (Microsoft Corporation)
Drivers32: VIDC.IYUV - iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.mrle - msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - msvidc32.dll (Microsoft Corporation)
Drivers32: VIDC.UYVY - msyuv.dll (Microsoft Corporation)
Drivers32: VIDC.WMV3 - WMV9VCM.dll (Microsoft Corporation)
Drivers32: VIDC.YUY2 - msyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YVU9 - tsbyuv.dll (Microsoft Corporation)
Drivers32: VIDC.YVYU - msyuv.dll (Microsoft Corporation)
Drivers32: wave - wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - msacm32.drv (Microsoft Corporation)

========== Files/Folders - Created Within 30 Days ==========

[2009/11/03 00:54:10 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/11/03 00:23:16 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/11/02 22:34:52 | 00,093,360 | ---- | C] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys
[2009/11/02 22:30:16 | 00,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2009/11/02 22:30:16 | 00,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2009/11/02 22:30:16 | 00,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2009/11/01 16:59:36 | 00,000,000 | ---D | C] -- C:\Program Files\a-squared Anti-Malware
[2009/10/31 22:41:22 | 00,000,000 | ---D | C] -- C:\Program Files\MSSOAP
[2009/10/31 22:41:22 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\MSSoap
[2009/10/31 22:00:31 | 00,573,440 | ---- | C] (NCT Company Ltd.) -- C:\Windows\System32\NCTAudioInformation2.dll
[2009/10/31 22:00:31 | 00,491,520 | ---- | C] (NCT Company) -- C:\Windows\System32\NCTAudioFile.dll
[2009/10/31 22:00:31 | 00,344,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msvcr70.dll
[2009/10/31 22:00:31 | 00,286,720 | ---- | C] (NCT Company Ltd.) -- C:\Windows\System32\NCTWMAFile2.dll
[2009/10/31 22:00:31 | 00,168,448 | ---- | C] (NCT Company) -- C:\Windows\System32\NCTAudioPlayer.dll
[2009/10/31 22:00:31 | 00,143,872 | ---- | C] (NCT Company) -- C:\Windows\System32\NCTWMAFile.dll
[2009/10/31 22:00:29 | 00,000,000 | ---D | C] -- C:\Program Files\4U Computing
[2009/10/31 12:06:32 | 00,000,000 | ---D | C] -- C:\Program Files\iPod
[2009/10/31 12:06:19 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2009/10/31 11:37:52 | 00,000,000 | ---D | C] -- C:\Users\TZ Fang\Incomplete
[2009/10/29 17:46:46 | 00,000,000 | ---D | C] -- C:\PPSDownload
[2009/10/28 09:54:59 | 10,622,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmp.dll
[2009/10/28 09:54:52 | 00,311,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\unregmp2.exe
[2009/10/28 09:54:50 | 00,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\spwmp.dll
[2009/10/28 09:54:48 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msdxm.ocx
[2009/10/28 09:54:48 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxmasf.dll
[2009/10/28 09:54:44 | 08,147,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmploc.DLL
[2009/10/27 21:35:50 | 00,000,000 | -HSD | C] -- C:\Windows\ftpcache
[2009/10/27 21:31:00 | 00,000,000 | ---D | C] -- C:\Users\TZ Fang\AppData\Local\Axialis
[2009/10/19 23:41:03 | 00,000,000 | ---D | C] -- C:\ProgramData\Windows Genuine Advantage
[2009/10/19 23:41:03 | 00,000,000 | ---D | C] -- C:\ProgramData\Windows Genuine Advantage
[2009/10/16 01:20:39 | 00,000,000 | ---D | C] -- C:\Users\TZ Fang\AppData\Roaming\Delayed Shutdown
[2009/10/14 06:54:05 | 00,000,000 | ---D | C] -- C:\Users\TZ Fang\Office Genuine Advantage
[2009/10/13 18:49:14 | 00,000,000 | ---D | C] -- C:\Program Files\LimeWire
[2009/10/13 15:51:29 | 00,216,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msv1_0.dll
[2009/10/13 15:51:19 | 03,502,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2009/10/13 15:51:19 | 03,467,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2009/10/13 15:51:04 | 05,940,224 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.dll
[2009/10/13 15:51:03 | 11,069,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieframe.dll
[2009/10/13 15:51:02 | 01,985,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iertutil.dll
[2009/10/13 15:51:01 | 01,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2009/10/13 15:51:01 | 01,208,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\urlmon.dll
[2009/10/13 15:51:01 | 00,916,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wininet.dll
[2009/10/13 15:51:01 | 00,594,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2009/10/13 15:51:01 | 00,387,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2009/10/13 15:51:01 | 00,206,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\occache.dll
[2009/10/13 15:51:01 | 00,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2009/10/13 15:51:00 | 01,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2009/10/13 15:51:00 | 00,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2009/10/13 15:51:00 | 00,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2009/10/13 15:51:00 | 00,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2009/10/13 15:51:00 | 00,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2009/10/13 15:51:00 | 00,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2009/10/13 15:51:00 | 00,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2009/10/13 15:51:00 | 00,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2009/10/13 15:51:00 | 00,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2009/10/13 15:51:00 | 00,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2009/10/13 15:50:57 | 00,060,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msasn1.dll
[2009/10/13 15:50:51 | 00,130,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\srv2.sys
[2009/10/13 15:50:46 | 00,604,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WMSPDMOD.DLL
[2009/10/12 20:56:11 | 00,000,000 | ---D | C] -- C:\Users\TZ Fang\AppData\Roaming\SEGA
[2009/10/09 21:04:10 | 00,000,000 | ---D | C] -- C:\Users\TZ Fang\dwhelper
[2009/10/06 19:24:17 | 00,000,000 | ---D | C] -- C:\Program Files\PowerISO
[2009/10/06 18:33:01 | 00,000,000 | ---D | C] -- C:\ProgramData\Office Genuine Advantage
[2009/10/06 18:33:01 | 00,000,000 | ---D | C] -- C:\ProgramData\Office Genuine Advantage

========== Files - Modified Within 30 Days ==========

[2018/07/10 17:19:36 | 00,292,484 | ---- | M] (Styopkin Software) -- C:\Users\TZ Fang\Desktop\Delayed Shutdown.exe
[2009/11/03 17:33:33 | 20,916,256 | -HS- | M] () -- C:\Windows\System32\drivers\fidbox.dat
[2009/11/03 17:31:34 | 02,883,584 | -HS- | M] () -- C:\Users\TZ Fang\NTUSER.DAT
[2009/11/03 17:27:31 | 00,013,119 | ---- | M] () -- C:\Users\TZ Fang\AppData\Roaming\nvModes.dat
[2009/11/03 17:27:31 | 00,013,119 | ---- | M] () -- C:\Users\TZ Fang\AppData\Roaming\nvModes.001
[2009/11/03 17:27:17 | 00,004,064 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/11/03 17:27:17 | 00,004,064 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/11/03 16:45:00 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/11/03 16:30:55 | 00,720,952 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/11/03 16:30:55 | 00,621,552 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/11/03 16:30:55 | 00,104,868 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/11/03 16:25:31 | 00,000,422 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{4B95F238-DF64-4932-8907-EEE7DFBCD9EE}.job
[2009/11/03 16:24:02 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/11/03 01:35:10 | 00,286,256 | -HS- | M] () -- C:\Windows\System32\drivers\fidbox.idx
[2009/11/03 01:34:39 | 01,339,603 | -H-- | M] () -- C:\Users\TZ Fang\AppData\Local\IconCache.db
[2009/11/03 00:23:16 | 00,001,874 | ---- | M] () -- C:\Users\TZ Fang\Desktop\HijackThis.lnk
[2009/11/02 22:34:43 | 00,093,360 | ---- | M] (Sunbelt Software) -- C:\Windows\System32\drivers\SBREDrv.sys
[2009/11/02 17:16:01 | 00,473,389 | ---- | M] () -- C:\Users\TZ Fang\Desktop\WilliamsonEtAl2008.pdf
[2009/11/02 17:15:16 | 01,654,122 | ---- | M] () -- C:\Users\TZ Fang\Desktop\ForrestEtAl2000.pdf
[2009/11/01 20:45:13 | 00,000,042 | ---- | M] () -- C:\Windows\PCDNSetting.ini
[2009/11/01 20:45:10 | 00,002,073 | ---- | M] () -- C:\Windows\psnetwork.ini
[2009/11/01 20:45:09 | 00,001,813 | ---- | M] () -- C:\Windows\powerplayer.ini
[2009/11/01 20:11:58 | 00,000,083 | ---- | M] () -- C:\Windows\powerlist.ini
[2009/11/01 20:10:56 | 00,000,060 | ---- | M] () -- C:\Windows\MediaList.ini
[2009/11/01 12:11:09 | 00,000,761 | ---- | M] () -- C:\Windows\System32\drivers\etc\HOSTS
[2009/10/31 22:49:34 | 00,000,331 | ---- | M] () -- C:\Windows\win.ini
[2009/10/31 22:40:07 | 00,000,164 | ---- | M] () -- C:\Windows\install.dat
[2009/10/30 09:39:47 | 00,634,519 | ---- | M] () -- C:\Users\TZ Fang\Desktop\4 - A Crohn’s disease–associated NOD2 mutation suppresses transcription of human IL10 by inhibiting activity of the nuclear ribonucleoprotein hnRNP-A1 Nature Immunology.pdf
[2009/10/30 09:38:46 | 00,578,040 | ---- | M] () -- C:\Users\TZ Fang\Desktop\3 - Identification of prostate cancer mRNA markers by averaged differential expression and their detection in biopsies, blood and urine.pdf
[2009/10/30 09:37:01 | 00,602,928 | ---- | M] () -- C:\Users\TZ Fang\Desktop\1 - Rhesus Macaque Genome Sequencing Consortium (2007) Evolutionary and biomedical insights from the rhesus macaque genome.pdf
[2009/10/30 09:35:33 | 00,565,480 | ---- | M] () -- C:\Users\TZ Fang\Desktop\2 - G protein-coupled receptor P2Y5 and its ligand LPA are involved in maintenance of human hair growth.pdf
[2009/10/30 09:19:30 | 00,013,196 | ---- | M] () -- C:\Users\TZ Fang\Desktop\Research Article 2.docx
[2009/10/29 00:30:04 | 00,000,013 | ---- | M] () -- C:\Windows\msgtn.ini
[2009/10/28 17:29:20 | 06,050,863 | ---- | M] () -- C:\Windows\Explodin.scr
[2009/10/28 17:29:20 | 00,230,818 | ---- | M] () -- C:\Windows\uninstall Explodin.exe
[2009/10/28 09:40:12 | 00,373,592 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/10/27 20:14:58 | 00,037,376 | ---- | M] () -- C:\Users\TZ Fang\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/10/23 18:08:22 | 00,000,113 | ---- | M] () -- C:\Windows\PPSMediaList.ini
[2009/10/21 11:46:58 | 00,496,566 | ---- | M] () -- C:\Users\TZ Fang\Desktop\EC361_L7w.pdf
[2009/10/21 10:28:23 | 00,522,683 | ---- | M] () -- C:\Users\TZ Fang\Desktop\Final exam schedule.pdf
[2009/10/15 08:26:10 | 03,875,467 | ---- | M] () -- C:\Users\TZ Fang\Desktop\Zerbe_Ch5.pdf
[2009/10/14 12:33:47 | 00,108,059 | ---- | M] () -- C:\Windows\System32\drivers\klin.dat
[2009/10/14 12:33:47 | 00,095,259 | ---- | M] () -- C:\Windows\System32\drivers\klick.dat
[2009/10/08 21:02:28 | 00,013,323 | ---- | M] () -- C:\Users\TZ Fang\Desktop\convo with cindy.rtf

========== Files Created - No Company Name ==========

[2009/11/03 00:23:16 | 00,001,874 | ---- | C] () -- C:\Users\TZ Fang\Desktop\HijackThis.lnk
[2009/11/02 17:16:01 | 00,473,389 | ---- | C] () -- C:\Users\TZ Fang\Desktop\WilliamsonEtAl2008.pdf
[2009/11/02 17:15:16 | 01,654,122 | ---- | C] () -- C:\Users\TZ Fang\Desktop\ForrestEtAl2000.pdf
[2009/10/31 22:40:02 | 00,000,164 | ---- | C] () -- C:\Windows\install.dat
[2009/10/31 22:00:31 | 00,120,832 | ---- | C] () -- C:\Windows\System32\lame_enc.dll
[2009/10/30 09:39:47 | 00,634,519 | ---- | C] () -- C:\Users\TZ Fang\Desktop\4 - A Crohn’s disease–associated NOD2 mutation suppresses transcription of human IL10 by inhibiting activity of the nuclear ribonucleoprotein hnRNP-A1 Nature Immunology.pdf
[2009/10/30 09:38:46 | 00,578,040 | ---- | C] () -- C:\Users\TZ Fang\Desktop\3 - Identification of prostate cancer mRNA markers by averaged differential expression and their detection in biopsies, blood and urine.pdf
[2009/10/30 09:37:01 | 00,602,928 | ---- | C] () -- C:\Users\TZ Fang\Desktop\1 - Rhesus Macaque Genome Sequencing Consortium (2007) Evolutionary and biomedical insights from the rhesus macaque genome.pdf
[2009/10/30 09:35:33 | 00,565,480 | ---- | C] () -- C:\Users\TZ Fang\Desktop\2 - G protein-coupled receptor P2Y5 and its ligand LPA are involved in maintenance of human hair growth.pdf
[2009/10/30 09:19:29 | 00,013,196 | ---- | C] () -- C:\Users\TZ Fang\Desktop\Research Article 2.docx
[2009/10/28 17:29:20 | 06,050,863 | ---- | C] () -- C:\Windows\Explodin.scr
[2009/10/28 17:29:20 | 00,230,818 | ---- | C] () -- C:\Windows\uninstall Explodin.exe
[2009/10/27 21:32:12 | 02,545,692 | ---- | C] () -- C:\Windows\System32\Soccer.scr
[2009/10/23 18:09:44 | 00,000,060 | ---- | C] () -- C:\Windows\MediaList.ini
[2009/10/21 11:46:58 | 00,496,566 | ---- | C] () -- C:\Users\TZ Fang\Desktop\EC361_L7w.pdf
[2009/10/21 10:28:23 | 00,522,683 | ---- | C] () -- C:\Users\TZ Fang\Desktop\Final exam schedule.pdf
[2009/10/15 08:26:10 | 03,875,467 | ---- | C] () -- C:\Users\TZ Fang\Desktop\Zerbe_Ch5.pdf
[2009/10/08 21:02:28 | 00,013,323 | ---- | C] () -- C:\Users\TZ Fang\Desktop\convo with cindy.rtf
[2009/09/30 20:51:13 | 00,051,712 | ---- | C] () -- C:\Windows\wc98pp.dll
[2009/09/13 01:14:58 | 00,000,042 | ---- | C] () -- C:\Windows\PCDNSetting.ini
[2009/09/13 01:13:22 | 00,000,013 | ---- | C] () -- C:\Windows\msgtn.ini
[2009/09/12 21:15:20 | 00,000,067 | ---- | C] () -- C:\Windows\XDICT.INI
[2009/09/12 12:47:36 | 00,000,031 | ---- | C] () -- C:\Windows\System32\Days5.ini
[2009/09/12 01:55:30 | 00,037,376 | ---- | C] () -- C:\Users\TZ Fang\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/12 01:41:11 | 00,000,083 | ---- | C] () -- C:\Windows\powerlist.ini
[2009/09/12 01:41:10 | 00,000,113 | ---- | C] () -- C:\Windows\PPSMediaList.ini
[2009/09/12 01:40:42 | 00,002,073 | ---- | C] () -- C:\Windows\psnetwork.ini
[2009/09/12 01:40:42 | 00,001,813 | ---- | C] () -- C:\Windows\powerplayer.ini
[2009/09/11 22:34:00 | 00,013,119 | ---- | C] () -- C:\Users\TZ Fang\AppData\Roaming\nvModes.001
[2009/09/11 22:33:57 | 00,013,119 | ---- | C] () -- C:\Users\TZ Fang\AppData\Roaming\nvModes.dat
[2009/09/11 18:46:41 | 01,339,603 | -H-- | C] () -- C:\Users\TZ Fang\AppData\Local\IconCache.db
[2009/09/11 17:44:29 | 00,000,002 | ---- | C] () -- C:\Windows\System32\msvcrt16.dll
[2009/09/11 17:44:29 | 00,000,000 | ---- | C] () -- C:\Windows\System32\msvcrt17.dll
[2009/09/11 17:42:58 | 00,010,240 | ---- | C] () -- C:\Windows\System32\virport.dll
[2009/09/11 16:00:59 | 00,101,432 | ---- | C] () -- C:\Users\TZ Fang\AppData\Local\GDIPFONTCACHEV1.DAT
[2009/09/11 16:00:35 | 00,000,680 | ---- | C] () -- C:\Users\TZ Fang\AppData\Local\d3d9caps.dat
[2009/08/03 14:07:42 | 00,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.DLL
[2008/08/18 20:58:00 | 00,145,952 | ---- | C] () -- C:\Windows\System32\drivers\nvstor32.sys
[2006/11/02 07:50:56 | 00,000,174 | -HS- | C] () -- C:\Program Files\desktop.ini
[2006/11/02 07:37:40 | 00,030,808 | ---- | C] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont
[2006/11/02 07:37:40 | 00,029,779 | ---- | C] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
[2006/11/02 07:37:40 | 00,026,489 | ---- | C] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
[2006/11/02 07:37:40 | 00,026,040 | ---- | C] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
[2006/11/02 05:23:31 | 00,000,331 | ---- | C] () -- C:\Windows\win.ini
[2006/11/02 05:23:31 | 00,000,219 | ---- | C] () -- C:\Windows\system.ini
[2006/11/02 02:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/03/09 11:58:00 | 01,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2005/05/06 21:06:00 | 00,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll

========== LOP Check ==========

[2009/10/16 01:20:39 | 00,000,000 | ---D | M] -- C:\Users\TZ Fang\AppData\Roaming\Delayed Shutdown
[2009/09/14 20:23:29 | 00,000,000 | ---D | M] -- C:\Users\TZ Fang\AppData\Roaming\Easy Macro Recorder
[2009/09/19 21:54:31 | 00,000,000 | ---D | M] -- C:\Users\TZ Fang\AppData\Roaming\Hot Keyboard
[2009/09/19 21:53:59 | 00,000,000 | ---D | M] -- C:\Users\TZ Fang\AppData\Roaming\Hot Keyboard Pro Backup
[2009/09/12 21:15:19 | 00,000,000 | ---D | M] -- C:\Users\TZ Fang\AppData\Roaming\Kingsoft
[2009/10/31 11:43:55 | 00,000,000 | ---D | M] -- C:\Users\TZ Fang\AppData\Roaming\LimeWire
[2009/10/23 18:10:17 | 00,000,000 | ---D | M] -- C:\Users\TZ Fang\AppData\Roaming\PPStream
[2009/10/12 20:56:11 | 00,000,000 | ---D | M] -- C:\Users\TZ Fang\AppData\Roaming\SEGA
[2009/11/03 16:24:02 | 00,000,006 | -H-- | M] () -- C:\Windows\Tasks\SA.DAT
[2009/11/03 01:34:49 | 00,032,600 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2009/11/03 16:25:31 | 00,000,422 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{4B95F238-DF64-4932-8907-EEE7DFBCD9EE}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions >
"{20a82645-c095-46ed-80e3-08825760534b}" = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ -- [2009/09/13 02:04:48 | 00,000,000 | ---D | M]

< %SYSTEMDRIVE%\eventlog.dll /s /md5 >

< %SYSTEMDRIVE%\scecli.dll /s /md5 >
[2006/11/02 04:46:12 | 00,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\System32\scecli.dll
[2006/11/02 04:46:12 | 00,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll

< %SYSTEMDRIVE%\netlogon.dll /s /md5 >
[2006/11/02 04:46:11 | 00,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\System32\netlogon.dll
[2006/11/02 04:46:11 | 00,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783\netlogon.dll

< %SYSTEMDRIVE%\cngaudit.dll /s /md5 >
[2006/11/02 04:46:03 | 00,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 04:46:03 | 00,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< %SYSTEMDRIVE%\sceclt.dll /s /md5 >

< %SYSTEMDRIVE%\ntelogon.dll /s /md5 >

< %SYSTEMDRIVE%\logevent.dll /s /md5 >

< %SYSTEMDRIVE%\iaStor.sys /s /md5 >

< %SYSTEMDRIVE%\nvstor.sys /s /md5 >
[2006/11/02 04:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\drivers\nvstor.sys
[2006/11/02 04:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys

< %SYSTEMDRIVE%\atapi.sys /s /md5 >
[2009/09/12 03:20:30 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\System32\drivers\atapi.sys
[2009/09/12 03:20:30 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys
[2006/11/02 04:49:36 | 00,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
[2009/09/12 03:20:30 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys
[2009/09/12 03:20:29 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=E03E8C99D15D0381E02743C36AFC7C6F -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys

< %SYSTEMDRIVE%\IdeChnDr.sys /s /md5 >

< %SYSTEMDRIVE%\viasraid.sys /s /md5 >

< %SYSTEMDRIVE%\AGP440.sys /s /md5 >
[2006/11/02 04:49:52 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\drivers\AGP440.sys
[2006/11/02 04:49:52 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< %SYSTEMDRIVE%\vaxscsi.sys /s /md5 >
< End of report >



OTL Extras logfile created on: 11/3/2009 5:31:24 PM - Run 1
OTL by OldTimer - Version 3.1.3.3 Folder = C:\Users\TZ Fang\Downloads
Windows Vista Business Edition (Version = 6.0.6000) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18828)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.51 Gb Available Physical Memory | 75.70% Memory free
4.00 Gb Paging File | 3.93 Gb Available in Paging File | 98.24% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 111.79 Gb Total Space | 1.07 Gb Free Space | 0.96% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TZFANG-PC
Current User Name: TZ Fang
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SystemRoot%\hh.exe" %1
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "%SystemRoot%\hh.exe" %1 File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1
"" =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Users\TZ Fang\Downloads\ppstreamsetup.exe" = C:\Users\TZ Fang\Downloads\ppstreamsetup.exe:*:Enabled:PPStream Installer -- File not found
"C:\Program Files\PPStream\PPStream.exe" = C:\Program Files\PPStream\PPStream.exe:*:Enabled:PPS???? -- (PPStream Inc.)
"C:\Program Files\PPStream\PPSAP.exe" = C:\Program Files\PPStream\PPSAP.exe:*:Enabled:PPS ????? -- (PPStream Inc)


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{26020B7A-E7E5-439E-AD21-1ED156C28383}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |
"{87707762-C7B8-40E3-ACC0-31596348584D}" = lport=2869 | protocol=6 | dir=in | app=system |
"{DADD1D77-ED26-42FE-ACAA-BD6CF5F004CA}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{088CAACC-066B-4B98-8195-BD66170E872A}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{19A68BFC-7B81-45DA-9941-F4A12D984254}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{4F804483-CFA0-4E80-B1BD-14713B323F30}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{6511E408-1279-4C56-95C8-75CB7603876F}" = protocol=58 | dir=in | app=system |
"{6945BB4F-762A-453C-B71C-265A2B9D752A}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{6D79B22C-6377-4F3D-82FE-7E2F1FD8BC42}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{8E0DBE1D-8A31-4E02-A74B-6A9924333542}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{C63B552B-457B-4740-83BF-0CFEEFDB8368}" = protocol=58 | dir=out | app=system |
"{EE178757-FD2E-4B41-8AC7-4DD0EBDD9AAD}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{F1627DB0-C5A9-4A0F-868B-AADE42F7EEF6}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{F1B99D57-9834-4170-B594-DB83FD519A1A}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"TCP Query User{42AA369C-3B71-43F2-A5B1-252F3DB6B8F6}C:\program files\kingsoft\powerword 2005\xdict.exe" = protocol=6 | dir=in | app=c:\program files\kingsoft\powerword 2005\xdict.exe |
"TCP Query User{5793E747-F7CB-4836-AC24-9A4036597913}C:\program files\ppstream\ppstream.exe" = protocol=6 | dir=in | app=c:\program files\ppstream\ppstream.exe |
"TCP Query User{A46A360C-6642-4B42-B5C0-9F0F5B95D0FB}C:\program files\limewire\limewire.exe" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"UDP Query User{7B956C65-49E6-456C-96A4-69D514B98595}C:\program files\kingsoft\powerword 2005\xdict.exe" = protocol=17 | dir=in | app=c:\program files\kingsoft\powerword 2005\xdict.exe |
"UDP Query User{B1B1B526-E66C-46F1-86FC-D94E2CFA6D7F}C:\program files\limewire\limewire.exe" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"UDP Query User{E3245E39-F552-48A7-BFDC-9268E757FB3E}C:\program files\ppstream\ppstream.exe" = protocol=17 | dir=in | app=c:\program files\ppstream\ppstream.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 15
"{32343DB6-9A52-40C9-87E4-5E7C79791C87}" = MSXML 4.0 SP2 and SOAP Toolkit 3.0
"{394BE3D9-7F57-4638-A8D1-1D88671913B7}" = Microsoft AppLocale
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}" = Kaspersky Anti-Virus 7.0
"{5071F84A-FF33-4D2D-BD96-FCF45A201FF4}" = Powerword 2005
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{AC76BA86-7AD7-2447-0000-900000000003}" = Chinese Simplified Fonts Support For Adobe Reader 9
"{AC76BA86-7AD7-2448-0000-900000000003}" = Chinese Traditional Fonts Support For Adobe Reader 9
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B607C354-CD79-4D22-86D1-92DC94153F42}" = Apple Application Support
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}" = iTunes
"{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb" = Microsoft Windows Application Compatibility Database
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"4U WMA MP3 Converter_is1" = 4U WMA MP3 Converter 6.2.8
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter
"CCleaner" = CCleaner
"CNXT_AUDIO_HDA" = Conexant HD Audio
"Easy Video Joiner_is1" = Easy Video Joiner 5.21
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Exploding Cube" = Exploding Cube
"FinePrint" = FinePrint
"FoxyTunesForFirefox" = FoxyTunes for Firefox
"HijackThis" = HijackThis 2.0.2
"InstallWIX_{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}" = Kaspersky Anti-Virus 7.0
"LimeWire" = LimeWire PRO 5.3.6
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.4)" = Mozilla Firefox (3.5.4)
"NVIDIA Drivers" = NVIDIA Drivers
"ObjectDock Plus" = ObjectDock Plus
"PowerISO" = PowerISO
"PPStream" = PPStream V2.6.86.8972 Final
"RealPlayer 6.0" = RealPlayer
"Revo Uninstaller" = Revo Uninstaller 1.83
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TagRunner_is1" = TagRunner 2.0.1.2
"Virtual PDF Printer_is1" = Virtual PDF Printer 1.01
"VLC media player" = VLC media player 1.0.3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"支付宝插件_is1" = 支付宝插件 1.2.0.2

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/29/2009 12:42:54 PM | Computer Name = TZFang-PC | Source = Application Error | ID = 1000
Description = Faulting application sidebar.exe, version 6.0.6000.16615, time stamp
0x4764fba1, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception
code 0xc0000005, fault offset 0x01b74181, process id 0x8dc, application start time
0x01ca58b6b1dd993d.

Error - 10/29/2009 12:43:59 PM | Computer Name = TZFang-PC | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.1.3576, time stamp 0x4ad8b0e7,
faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code
0xc0000005, fault offset 0x05f4f1bc, process id 0x9e4, application start time 0x01ca58b6f4547dbd.

Error - 10/29/2009 12:44:00 PM | Computer Name = TZFang-PC | Source = Application Error | ID = 1000
Description = Faulting application Dwm.exe, version 6.0.6000.16386, time stamp 0x4549aed1,
faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code
0xc0000005, fault offset 0x0469ef5c, process id 0x764, application start time 0x01ca58b6af3bf41d.

Error - 10/29/2009 12:44:40 PM | Computer Name = TZFang-PC | Source = Application Error | ID = 1000
Description = Faulting application cleanmgr.exe, version 6.0.6000.16386, time stamp
0x4549b0a8, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception
code 0xc0000005, fault offset 0x0196f09c, process id 0xa50, application start time
0x01ca58b70f9ca70d.

Error - 10/29/2009 2:42:39 PM | Computer Name = TZFang-PC | Source = Application Error | ID = 1000
Description = Faulting application sidebar.exe, version 6.0.6000.16615, time stamp
0x4764fba1, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception
code 0xc0000005, fault offset 0x03074145, process id 0x8d4, application start time
0x01ca58c774fdaa64.

Error - 10/29/2009 5:00:55 PM | Computer Name = TZFang-PC | Source = Application Hang | ID = 1002
Description = The program Explorer.EXE version 6.0.6000.16771 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: 784 Start Time: 01ca58c7724698e4 Termination Time: 62

Error - 11/1/2009 1:08:48 PM | Computer Name = TZFang-PC | Source = VSS | ID = 8194
Description =

Error - 11/1/2009 1:09:15 PM | Computer Name = TZFang-PC | Source = System Restore | ID = 8193
Description =

Error - 11/2/2009 9:15:42 PM | Computer Name = TZFang-PC | Source = System Restore | ID = 8193
Description =

Error - 11/2/2009 11:33:04 PM | Computer Name = TZFang-PC | Source = Lavasoft Ad-Aware Service | ID = 0
Description =

[ System Events ]
Error - 10/27/2009 8:54:34 AM | Computer Name = TZFang-PC | Source = ACPI | ID = 327686
Description = IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot
3, function 0. Please contact your system vendor for technical assistance.

Error - 10/27/2009 8:56:35 AM | Computer Name = TZFang-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 10/27/2009 3:49:16 PM | Computer Name = TZFang-PC | Source = ACPI | ID = 327686
Description = IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot
2, function 0. Please contact your system vendor for technical assistance.

Error - 10/27/2009 3:49:16 PM | Computer Name = TZFang-PC | Source = ACPI | ID = 327686
Description = IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot
3, function 0. Please contact your system vendor for technical assistance.

Error - 10/27/2009 3:51:14 PM | Computer Name = TZFang-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 10/27/2009 5:08:44 PM | Computer Name = TZFang-PC | Source = ACPI | ID = 327686
Description = IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot
2, function 0. Please contact your system vendor for technical assistance.

Error - 10/27/2009 5:08:44 PM | Computer Name = TZFang-PC | Source = ACPI | ID = 327686
Description = IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot
3, function 0. Please contact your system vendor for technical assistance.

Error - 10/27/2009 5:10:43 PM | Computer Name = TZFang-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 10/27/2009 7:43:06 PM | Computer Name = TZFang-PC | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.0.14 for the Network Card with network
address 001A73418D2C has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 10/28/2009 10:41:25 AM | Computer Name = TZFang-PC | Source = Service Control Manager | ID = 7000
Description =


< End of report >


NoMD5Sys by jpshortstuff (29.10.09.1)
Log created at 18:02 on 03/11/2009 (TZ Fang)

C:\pagefile.sys
----------------------------------------

-=E.O.F=-



I think I correctly followed your instructions.
These are the logs I got.

[chamber]

Hi,

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link HERE
  
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

[omigod]

ComboFix 09-11-03.03 - TZ Fang 11/04/2009 11:14.1.2 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6000.0.1252.1.1033.18.2430.1422 [GMT -5:00]
Running from: c:\users\TZ Fang\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Kaspersky Anti-Virus *disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-918056312-2952985149-2686913973-500
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\msvcrt16.dll
c:\windows\system32\msvcrt17.dll
c:\windows\system32\NCTAudioInformation2.dll
c:\windows\system32\sdra64.exe
c:\progra~1\KASPER~1\KASPER~1.0\r3hook.dll . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 )))))))))))))))))))))))))))))))
.

2009-11-03 22:29 . 2009-11-03 22:29 30527 ----a-w- C:\NoMD5Sys.exe
2009-11-03 05:23 . 2009-11-03 05:23 -------- d-----w- c:\program files\Trend Micro
2009-11-03 03:34 . 2009-11-03 03:34 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-03 03:30 . 2009-11-03 05:54 -------- d-----w- c:\programdata\Lavasoft
2009-11-03 03:30 . 2009-11-03 03:30 -------- d-----w- c:\program files\Lavasoft
2009-11-01 21:59 . 2009-11-03 04:46 -------- d-----w- c:\program files\a-squared Anti-Malware
2009-11-01 03:41 . 2009-11-01 03:41 -------- d-----w- c:\program files\MSSOAP
2009-11-01 03:40 . 2009-11-01 03:40 164 ----a-w- c:\windows\install.dat
2009-11-01 03:00 . 2003-03-25 19:08 286720 ----a-w- c:\windows\system32\NCTWMAFile2.dll
2009-11-01 03:00 . 2002-12-03 07:11 143872 ----a-w- c:\windows\system32\NCTWMAFile.dll
2009-11-01 03:00 . 2002-12-03 07:07 168448 ----a-w- c:\windows\system32\NCTAudioPlayer.dll
2009-11-01 03:00 . 2002-12-03 07:02 491520 ----a-w- c:\windows\system32\NCTAudioFile.dll
2009-11-01 03:00 . 2002-03-19 11:18 120832 ----a-w- c:\windows\system32\lame_enc.dll
2009-11-01 03:00 . 2002-01-05 11:37 344064 ----a-w- c:\windows\system32\msvcr70.dll
2009-11-01 03:00 . 2009-11-01 03:00 -------- d-----w- c:\program files\4U Computing
2009-10-31 17:06 . 2009-10-31 17:06 -------- d-----w- c:\program files\iPod
2009-10-31 17:06 . 2009-10-31 17:08 -------- d-----w- c:\program files\iTunes
2009-10-31 16:37 . 2009-10-31 16:37 -------- d-----w- c:\users\TZ Fang\Incomplete
2009-10-29 22:46 . 2009-10-29 22:46 -------- d-----w- C:\PPSDownload
2009-10-28 22:29 . 2009-10-28 22:29 6050863 ----a-w- c:\windows\Explodin.scr
2009-10-28 22:29 . 2009-10-28 22:29 230818 ----a-w- c:\windows\uninstall Explodin.exe
2009-10-28 14:54 . 2009-09-10 15:29 311296 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 14:54 . 2009-09-10 17:39 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-10-28 14:54 . 2009-09-10 17:40 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-10-28 14:54 . 2009-09-10 15:29 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-28 02:35 . 2009-10-28 02:35 -------- d-sh--w- c:\windows\ftpcache
2009-10-28 02:32 . 2009-08-13 20:13 2545692 ----a-w- c:\windows\system32\Soccer.scr
2009-10-28 02:31 . 2009-10-28 02:31 -------- d-----w- c:\users\TZ Fang\AppData\Local\Axialis
2009-10-16 06:20 . 2009-10-16 06:20 -------- d-----w- c:\users\TZ Fang\AppData\Roaming\Delayed Shutdown
2009-10-14 11:54 . 2009-10-14 11:54 -------- d-----w- c:\users\TZ Fang\Office Genuine Advantage
2009-10-13 23:49 . 2009-10-31 16:35 -------- d-----w- c:\program files\LimeWire
2009-10-13 20:50 . 2009-09-04 12:38 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-13 20:50 . 2009-09-14 09:50 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-13 20:50 . 2009-04-02 11:50 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-13 01:56 . 2009-10-13 01:56 -------- d-----w- c:\users\TZ Fang\AppData\Roaming\SEGA
2009-10-10 02:04 . 2009-10-10 02:04 -------- d-----w- c:\users\TZ Fang\dwhelper
2009-10-07 00:24 . 2009-10-07 00:24 -------- d-----w- c:\program files\PowerISO
2009-10-06 23:33 . 2009-10-06 23:33 -------- d-----w- c:\programdata\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 16:29 . 2009-09-11 21:14 21100832 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-04 16:27 . 2009-09-11 21:14 288800 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-04 15:51 . 2009-09-12 03:33 13119 ----a-w- c:\users\TZ Fang\AppData\Roaming\nvModes.dat
2009-11-04 15:51 . 2009-09-11 21:14 -------- d-----w- c:\programdata\Kaspersky Lab
2009-11-04 03:23 . 2009-09-29 18:55 -------- d-----w- c:\users\TZ Fang\AppData\Roaming\vlc
2009-11-02 01:11 . 2009-09-12 06:40 -------- d-----w- c:\program files\PPStream
2009-11-01 17:23 . 2009-09-11 21:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-31 17:06 . 2009-09-11 22:35 -------- d-----w- c:\program files\Common Files\Apple
2009-10-31 17:06 . 2009-09-11 22:41 -------- d-----w- c:\programdata\Apple Computer
2009-10-31 16:43 . 2009-09-12 09:38 -------- d-----w- c:\users\TZ Fang\AppData\Roaming\LimeWire
2009-10-27 13:24 . 2009-09-11 21:49 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-23 23:10 . 2009-09-12 06:40 -------- d-----w- c:\users\TZ Fang\AppData\Roaming\PPStream
2009-10-17 21:37 . 2009-09-12 04:16 -------- d-----w- c:\programdata\Microsoft Help
2009-10-17 02:46 . 2009-09-14 21:48 -------- d-----w- c:\users\TZ Fang\AppData\Roaming\dvdcss
2009-10-14 17:33 . 2009-09-11 21:15 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-10-14 17:33 . 2009-09-11 21:15 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-10-13 21:46 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-10-01 14:29 . 2009-10-02 22:22 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-01 01:51 . 2009-10-01 01:51 51712 ----a-w- c:\windows\wc98pp.dll
2009-09-27 02:38 . 2009-09-12 00:29 -------- d-----w- c:\program files\MP3Gain
2009-09-25 05:00 . 2009-09-25 05:00 -------- d-----w- c:\program files\opera
2009-09-20 02:54 . 2009-09-20 02:54 -------- d-----w- c:\users\TZ Fang\AppData\Roaming\Hot Keyboard
2009-09-20 02:53 . 2009-09-20 02:53 -------- d-----w- c:\users\TZ Fang\AppData\Roaming\Hot Keyboard Pro Backup
2009-09-15 20:04 . 2009-09-15 20:04 32768 ----a-w- c:\windows\system32\drivers\taphss.sys
2009-09-15 01:23 . 2009-09-14 15:56 -------- d-----w- c:\users\TZ Fang\AppData\Roaming\Easy Macro Recorder
2009-09-14 04:15 . 2009-09-14 04:15 -------- d-----w- c:\program files\Easy Video Joiner
2009-09-13 14:22 . 2009-09-11 21:00 101432 ----a-w- c:\users\TZ Fang\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-13 07:02 . 2009-09-13 07:02 -------- d-----w- c:\program files\MSXML 4.0
2009-09-13 02:15 . 2009-09-13 02:15 -------- d-----w- c:\users\TZ Fang\AppData\Roaming\Kingsoft
2009-09-13 01:51 . 2009-09-13 01:50 -------- d-----w- c:\program files\Common Files\kingsoft
2009-09-13 01:50 . 2009-09-13 01:50 -------- d-----w- c:\program files\Kingsoft
2009-09-12 18:53 . 2009-09-12 18:53 -------- d-----w- c:\programdata\NVIDIA
2009-09-12 09:58 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-09-12 09:58 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-09-12 09:57 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-09-12 09:46 . 2009-09-12 09:46 2048 ----a-w- c:\windows\system32\tzres.dll
2009-09-12 09:42 . 2009-09-12 09:42 61440 ----a-w- c:\windows\system32\winipsec.dll
2009-09-12 09:42 . 2009-09-12 09:42 28672 ----a-w- c:\windows\system32\FwRemoteSvr.dll
2009-09-12 09:42 . 2009-09-12 09:42 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL
2009-09-12 09:42 . 2009-09-12 09:42 272896 ----a-w- c:\windows\system32\polstore.dll
2009-09-12 09:36 . 2009-09-12 09:36 241152 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-09-12 09:36 . 2009-09-12 09:36 95232 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-09-12 09:36 . 2009-09-12 09:36 160768 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-09-12 09:34 . 2009-09-12 09:34 39424 ----a-w- c:\windows\system32\ACCTRES.dll
2009-09-12 09:34 . 2009-09-12 09:34 87040 ----a-w- c:\windows\system32\msoert2.dll
2009-09-12 09:34 . 2009-09-12 09:34 205824 ----a-w- c:\windows\system32\msoeacct.dll
2009-09-12 09:32 . 2009-09-12 09:32 -------- d-----w- c:\program files\VideoLAN
2009-09-12 09:27 . 2009-09-12 09:27 704000 ----a-w- c:\windows\system32\PhotoScreensaver.scr
2009-09-12 09:27 . 2009-09-12 09:27 356352 ----a-w- c:\windows\system32\wbem\wbemcomn.dll
2009-09-12 09:27 . 2009-09-12 09:27 24064 ----a-w- c:\windows\system32\wtsapi32.dll
2009-09-12 09:27 . 2009-09-12 09:27 20920 ----a-w- c:\windows\system32\drivers\compbatt.sys
2009-09-12 09:27 . 2009-09-12 09:27 11264 ----a-w- c:\windows\system32\drivers\wmiacpi.sys
2009-09-12 09:27 . 2009-09-12 09:27 258232 ----a-w- c:\windows\system32\drivers\acpi.sys
2009-09-12 09:27 . 2009-09-12 09:27 14208 ----a-w- c:\windows\system32\drivers\CmBatt.sys
2009-09-12 09:27 . 2009-09-12 09:27 28344 ----a-w- c:\windows\system32\drivers\battc.sys
2009-09-12 09:27 . 2009-09-12 09:27 542720 ----a-w- c:\windows\system32\sysmain.dll
2009-09-12 09:24 . 2009-09-12 09:24 194560 ----a-w- c:\windows\system32\WebClnt.dll
2009-09-12 09:24 . 2009-09-12 09:24 110080 ----a-w- c:\windows\system32\drivers\mrxdav.sys
2009-09-12 09:22 . 2009-09-12 09:22 123904 ----a-w- c:\windows\system32\L2SecHC.dll
2009-09-12 09:22 . 2009-09-12 09:22 67584 ----a-w- c:\windows\system32\wlanhlp.dll
2009-09-12 09:22 . 2009-09-12 09:22 47104 ----a-w- c:\windows\system32\wlanapi.dll
2009-09-12 09:22 . 2009-09-12 09:22 290816 ----a-w- c:\windows\system32\wlanmsm.dll
2009-09-12 09:22 . 2009-09-12 09:22 502272 ----a-w- c:\windows\system32\wlansvc.dll
2009-09-12 09:22 . 2009-09-12 09:22 297984 ----a-w- c:\windows\system32\wlansec.dll
2009-09-12 09:22 . 2009-09-11 22:46 -------- d-----w- c:\users\TZ Fang\AppData\Roaming\Apple Computer
2009-09-12 09:20 . 2009-09-12 09:20 2028032 ----a-w- c:\windows\system32\win32k.sys
2009-09-12 09:17 . 2009-09-12 09:17 156160 ----a-w- c:\windows\system32\t2embed.dll
2009-09-12 09:17 . 2009-09-12 09:17 34304 ----a-w- c:\windows\system32\atmlib.dll
2009-09-12 09:17 . 2009-09-12 09:17 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-09-12 09:17 . 2009-09-12 09:17 24064 ----a-w- c:\windows\system32\lpk.dll
2009-09-12 09:17 . 2009-09-12 09:17 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-09-12 09:17 . 2009-09-12 09:17 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-09-12 09:14 . 2009-09-12 09:14 49664 ----a-w- c:\windows\system32\csrsrv.dll
2009-09-12 09:14 . 2009-09-12 09:14 376320 ----a-w- c:\windows\system32\winsrv.dll
2009-09-12 09:11 . 2009-09-12 09:11 2855424 ----a-w- c:\windows\system32\mf.dll
2009-09-12 09:11 . 2009-09-12 09:11 98816 ----a-w- c:\windows\system32\mfps.dll
2009-09-12 09:11 . 2009-09-12 09:11 52736 ----a-w- c:\windows\system32\rrinstaller.exe
2009-09-12 09:11 . 2009-09-12 09:11 2048 ----a-w- c:\windows\system32\mferror.dll
2009-09-12 09:11 . 2009-09-12 09:11 24576 ----a-w- c:\windows\system32\mfpmp.exe
2009-09-12 09:02 . 2009-09-12 09:02 376832 ----a-w- c:\windows\system32\winhttp.dll
2009-09-12 08:59 . 2009-09-12 08:59 71680 ----a-w- c:\windows\system32\atl.dll
2009-09-12 08:54 . 2009-09-12 08:54 297472 ----a-w- c:\windows\system32\gdi32.dll
2009-09-12 08:52 . 2009-09-12 08:52 1060920 ----a-w- c:\windows\system32\drivers\ntfs.sys
2009-09-12 08:52 . 2009-09-12 08:52 41984 ----a-w- c:\windows\system32\drivers\monitor.sys
2009-09-12 08:45 . 2009-09-12 08:45 211456 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-09-12 08:43 . 2009-09-12 08:43 500736 ----a-w- c:\windows\system32\msdtcprx.dll
2009-09-12 08:43 . 2009-09-12 08:43 30208 ----a-w- c:\windows\system32\xolehlp.dll
2009-09-12 08:40 . 2009-09-12 08:40 156160 ----a-w- c:\windows\system32\wkssvc.dll
2009-09-12 08:37 . 2009-09-12 08:37 36352 ----a-w- c:\windows\system32\tsgqec.dll
2009-09-12 08:37 . 2009-09-12 08:37 116736 ----a-w- c:\windows\system32\aaclient.dll
2009-09-12 08:37 . 2009-09-12 08:37 1871872 ----a-w- c:\windows\system32\mstscax.dll
2009-09-12 08:35 . 2009-09-12 08:35 303616 ----a-w- c:\windows\system32\wmpeffects.dll
2009-09-12 08:34 . 2009-09-12 08:34 1194496 ----a-w- c:\windows\system32\msxml3.dll
2009-09-12 08:34 . 2009-09-12 08:34 2048 ----a-w- c:\windows\system32\msxml3r.dll
2009-09-12 08:32 . 2009-09-12 08:32 414208 ----a-w- c:\windows\system32\msscp.dll
2009-09-12 08:31 . 2009-09-12 08:31 356864 ----a-w- c:\windows\system32\MediaMetadataHandler.dll
2009-09-12 08:29 . 2009-09-12 08:29 392192 ----a-w- c:\windows\system32\FirewallAPI.dll
2009-09-12 08:29 . 2009-09-12 08:29 86016 ----a-w- c:\windows\system32\icfupgd.dll
2009-09-12 08:29 . 2009-09-12 08:29 63488 ----a-w- c:\windows\system32\drivers\mpsdrv.sys
2009-09-12 08:29 . 2009-09-12 08:29 396800 ----a-w- c:\windows\system32\MPSSVC.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-01-14 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-01-14 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-01-14 81920]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-11 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2009-09-12 1006264]
"Virtual PDF Printer"="c:\program files\Virtual PDF Printer\VirtualPDFPrinter.exe" [2003-09-29 688128]

c:\users\TZ Fang\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Powerword 2005.lnk - c:\program files\Kingsoft\PowerWord 2005\XDICT.EXE [2004-6-10 426496]
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2009-9-12 3581680]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\System32\drivers\klim6.sys [4/4/2007 4:59 PM 20760]
R3 Alidevice;Alidevice;c:\windows\System32\drivers\alidevice.sys [9/25/2009 12:00 AM 6656]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2009-11-04 c:\windows\Tasks\User_Feed_Synchronization-{4B95F238-DF64-4932-8907-EEE7DFBCD9EE}.job
- c:\windows\system32\msfeedssync.exe [2009-10-13 03:41]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: alipay.com
Trusted Zone: alisoft.com
Trusted Zone: taobao.com
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
FF - ProfilePath - c:\users\TZ Fang\AppData\Roaming\Mozilla\Firefox\Profiles\0ad6e590.default\
FF - component: c:\users\TZ Fang\AppData\Roaming\Mozilla\Firefox\Profiles\0ad6e590.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npaliedit.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-04 11:29
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x8572750C]<<
kernel: MBR read successfully
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3904)
c:\program files\Stardock\ObjectDock\DockShellHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\rundll32.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-11-04 11:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-04 16:41

Pre-Run: 2,084,405,248 bytes free
Post-Run: 1,802,149,888 bytes free

[chamber]

Hi,

Please uninstall LimeWire.

1) OTM

Please download OTM

• Save it to your desktop.
  
• Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  :Processes
  
  :Services
  
  :Reg
  
  :Files
  c:\program files\LimeWire
  c:\users\TZ Fang\AppData\Roaming\LimeWire
  
  :Commands
  [purity]
  [emptytemp]
  [Reboot]

  
  
• Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  
  
• Click the red Moveit! button.
  
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  
• Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

2) Malwarebytes

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.

In your reply I would like to see copied and pasted,

1) OTM log
2) Malwarebytes log

[omigod]

1) OTM log

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File/Folder c:\program files\LimeWire not found.
c:\users\TZ Fang\AppData\Roaming\LimeWire moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: TZ Fang
->Temp folder emptied: 1472909 bytes
->Temporary Internet Files folder emptied: 3338456 bytes
->Java cache emptied: 27205039 bytes
->FireFox cache emptied: 63890121 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 19418 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 91.48 mb


OTM by OldTimer - Version 3.0.0.6 log created on 11042009_123007

Files moved on Reboot...

Registry entries deleted on Reboot...



2) Malwarebytes' Log

Malwarebytes' Anti-Malware 1.41
Database version: 3099
Windows 6.0.6000

11/4/2009 12:47:17 PM
mbam-log-2009-11-04 (12-47-17).txt

Scan type: Quick Scan
Objects scanned: 93574
Time elapsed: 9 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\47599539 (Rogue.WindowsSmartSecurity) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\ProgramData\47599539 (Rogue.Multiple) -> Delete on reboot.

Files Infected:
C:\ProgramData\47599539\47599539.exe (Rogue.Multiple) -> Delete on reboot.

[chamber]

Hi,

1) JavaRa

Please download JavaRa to your desktop and unzip it to its own folder

• Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  
• Accept any prompts.
  
• Open JavaRa.exe again and select Search For Updates.
  
• Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

2) Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

• Close any open programs
  
• Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.

• Once the update is complete, click on Settings.
  
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  
  
  • Spyware, adware, dialers, and other riskware
    
  • Archives
    
  • E-mail databases
• Click on My Computer under the green Scan bar to the left to start the scan.
  
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  
• Click View report... at the bottom.
  
• Click the Save report... button.
  
  
  
  
  
• Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply

In your reply I would like to see copied and pasted,

1) Kaspersky log

[omigod]

Ok, shortly after my last post, my Kaspersky Anti-virus notified me of a threat and suggested me that I should neutralize it. I followed instruction and proceeded to neutralize the threat. The next thing I know, my computer crashed and was not able to load Windows. Luckily for me, I was able to restore my system using the Windows installation disk and no personal file was lost during the crash. So to avoid crash from happening again, I uninstalled KAV. Also, I did a quick scan using Malwarebytes just to make sure everything is fine. Nothing was detected. I also went online did a scan using the Kapsersky Online scanner as you asked.

Kaspersky Online Scanner Log

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, November 4, 2009
Operating system: Microsoft Windows Vista Business Edition, 32-bit (build 6000)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, November 04, 2009 18:56:43
Records in database: 3132573
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 86312
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 02:33:55


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Windows\System32\_sdra64_.exe.zip Infected: Trojan.Win32.Buzus.ckxp 1

Selected area has been scanned.



I also noticed that I am no longer getting redirected on my browser. Does that mean at this point the virus has been removed?

[chamber]

It looks like it.

Download Security Check by screen317 from here or here.

• Save it to your Desktop.
  
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Please download DDS and save it to your desktop.

• Disable any script blocking protection
  
• Double click dds.scr to run the tool.
  
• When done, DDS.txt will open.
  
• Click Yes at the next prompt for Optional Scan.
  
• Save both reports to your desktop.

---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Please attach the second file; Attach.txt. To attach a file, do the following:

• Under the reply panel is the Attachments Panel
  
• Browse for the attachment file you want to upload, then click the green Upload button
  
• Once it has uploaded, click the Manage Current Attachments drop down box
  
• Click on to insert the attachment into your post

[omigod]

Results of screen317's Security Check version 0.99.0
Windows Vista (UAC is disabled!)
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
WMIC entry does not exist for antivirus; attempting automatic update.
``````````````````````````````
Anti-malware/Other Utilities Check:
CCleaner
Java™ 6 Update 17
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 9.2
Chinese Simplified Fonts Support For Adobe Reader 9
Chinese Traditional Fonts Support For Adobe Reader 9
``````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MSASCui.exe
``````````````````````````````
DNS Vulnerability Check:

`````````End of Log```````````



DDS (Ver_09-10-26.01) - NTFSx86
Run by TZ Fang at 1:24:47.10 on Fri 11/06/2009
Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Business 6.0.6000.0.1252.1.1033.18.2430.1627 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kingsoft\PowerWord 2005\XDICT.EXE
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Users\TZ Fang\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\tzfang~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\powerw~1.lnk - c:\program files\kingsoft\powerword 2005\XDICT.EXE
StartupFolder: c:\users\tzfang~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: alipay.com
Trusted Zone: alisoft.com
Trusted Zone: taobao.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/C/B/F/CBF23A2C-3E55-4664-BC5C-762780D79BA0/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\tzfang~1\appdata\roaming\mozilla\firefox\profiles\0ad6e590.default\
FF - prefs.js: browser.search.selectedEngine - IMDb
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - component: c:\users\tz fang\appdata\roaming\mozilla\firefox\profiles\0ad6e590.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npaliedit.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R3 Alidevice;Alidevice;c:\windows\system32\drivers\alidevice.sys [2009-9-25 6656]
S3 taphss;Anchorfree HSS Adapter;c:\windows\system32\drivers\taphss.sys [2009-9-15 32768]

=============== Created Last 30 ================

2009-11-06 04:22:23 0 d-----w- c:\program files\iPod
2009-11-06 04:22:04 0 d-----w- c:\program files\iTunes
2009-11-04 19:18:09 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-04 18:46:45 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2009-11-03 05:23:16 0 d-----w- c:\program files\Trend Micro
2009-11-03 03:30:16 0 d-----w- c:\programdata\Lavasoft
2009-11-01 17:11:09 0 ---ha-w- C:\ProgramData.LOG2
2009-11-01 17:11:09 0 ---ha-w- C:\ProgramData.LOG1
2009-11-01 03:00:29 0 d-----w- c:\program files\4U Computing
2009-10-31 17:06:19 0 d-----w- c:\program files\iTunes(50)
2009-10-31 16:37:52 0 d-----w- c:\users\tz fang\Incomplete
2009-10-29 22:46:46 0 d-----w- C:\PPSDownload
2009-10-28 22:29:20 6050863 ----a-w- c:\windows\Explodin.scr
2009-10-28 22:29:20 230818 ----a-w- c:\windows\uninstall Explodin.exe
2009-10-28 14:54:52 311296 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 14:54:50 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-10-28 14:54:48 4096 ----a-w- c:\windows\system32\msdxm.ocx
2009-10-28 14:54:48 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-10-28 14:54:44 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-28 02:35:50 0 d-sh--w- c:\windows\ftpcache
2009-10-28 02:32:12 2545692 ----a-w- c:\windows\system32\Soccer.scr
2009-10-23 23:09:44 60 ----a-w- c:\windows\MediaList.ini
2009-10-20 04:41:03 0 d-----w- c:\programdata\Windows Genuine Advantage
2009-10-16 06:20:39 0 d-----w- c:\users\tzfang~1\appdata\roaming\Delayed Shutdown
2009-10-14 11:54:05 0 d-----w- c:\users\tz fang\Office Genuine Advantage
2009-10-13 20:50:57 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-13 20:50:51 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-13 20:50:46 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-13 01:56:11 0 d-----w- c:\users\tzfang~1\appdata\roaming\SEGA
2009-10-10 02:04:10 0 d-----w- c:\users\tz fang\dwhelper

==================== Find3M ====================

2009-11-06 06:22:41 13119 ----a-w- c:\users\tzfang~1\appdata\roaming\nvModes.dat
2009-11-06 06:13:57 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-11-06 06:13:57 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-06 06:13:57 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-04 18:56:44 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-01 14:29:14 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-01 01:51:13 51712 ----a-w- c:\windows\wc98pp.dll
2009-09-15 20:04:58 32768 ----a-w- c:\windows\system32\drivers\taphss.sys
2009-09-12 17:48:43 174 --sha-w- c:\program files\desktop.ini
2009-09-12 09:57:41 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-09-12 09:46:01 2048 ----a-w- c:\windows\system32\tzres.dll
2009-09-12 09:42:09 61440 ----a-w- c:\windows\system32\winipsec.dll
2009-09-12 09:42:09 28672 ----a-w- c:\windows\system32\FwRemoteSvr.dll
2009-09-12 09:42:08 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL
2009-09-12 09:42:08 272896 ----a-w- c:\windows\system32\polstore.dll
2009-09-12 09:36:56 241152 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-09-12 09:36:55 95232 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-09-12 09:36:54 160768 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-09-12 09:34:37 39424 ----a-w- c:\windows\system32\ACCTRES.dll
2009-09-12 09:34:36 87040 ----a-w- c:\windows\system32\msoert2.dll
2009-09-12 09:34:36 205824 ----a-w- c:\windows\system32\msoeacct.dll
2009-09-12 09:27:34 704000 ----a-w- c:\windows\system32\PhotoScreensaver.scr
2009-09-12 09:27:33 356352 ----a-w- c:\windows\system32\wbem\wbemcomn.dll
2009-09-12 09:27:30 24064 ----a-w- c:\windows\system32\wtsapi32.dll
2009-09-12 09:27:28 20920 ----a-w- c:\windows\system32\drivers\compbatt.sys
2009-09-12 09:27:28 11264 ----a-w- c:\windows\system32\drivers\wmiacpi.sys
2009-09-12 09:27:27 258232 ----a-w- c:\windows\system32\drivers\acpi.sys
2009-09-12 09:27:25 14208 ----a-w- c:\windows\system32\drivers\CmBatt.sys
2009-09-12 09:27:24 28344 ----a-w- c:\windows\system32\drivers\battc.sys
2009-09-12 09:27:18 542720 ----a-w- c:\windows\system32\sysmain.dll
2009-09-12 09:24:33 194560 ----a-w- c:\windows\system32\WebClnt.dll
2009-09-12 09:24:33 110080 ----a-w- c:\windows\system32\drivers\mrxdav.sys
2009-09-12 09:22:51 123904 ----a-w- c:\windows\system32\L2SecHC.dll
2009-09-12 09:22:49 67584 ----a-w- c:\windows\system32\wlanhlp.dll
2009-09-12 09:22:49 47104 ----a-w- c:\windows\system32\wlanapi.dll
2009-09-12 09:22:49 290816 ----a-w- c:\windows\system32\wlanmsm.dll
2009-09-12 09:22:48 502272 ----a-w- c:\windows\system32\wlansvc.dll
2009-09-12 09:22:48 297984 ----a-w- c:\windows\system32\wlansec.dll
2009-09-12 09:20:21 2028032 ----a-w- c:\windows\system32\win32k.sys
2009-09-12 09:17:15 156160 ----a-w- c:\windows\system32\t2embed.dll
2009-09-12 09:17:14 34304 ----a-w- c:\windows\system32\atmlib.dll
2009-09-12 09:17:14 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-09-12 09:17:13 24064 ----a-w- c:\windows\system32\lpk.dll
2009-09-12 09:17:13 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-09-12 09:17:12 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-09-12 09:14:01 49664 ----a-w- c:\windows\system32\csrsrv.dll
2009-09-12 09:14:00 376320 ----a-w- c:\windows\system32\winsrv.dll
2009-09-12 09:11:35 2855424 ----a-w- c:\windows\system32\mf.dll
2009-09-12 09:11:34 98816 ----a-w- c:\windows\system32\mfps.dll
2009-09-12 09:11:33 52736 ----a-w- c:\windows\system32\rrinstaller.exe
2009-09-12 09:11:33 2048 ----a-w- c:\windows\system32\mferror.dll
2009-09-12 09:11:32 24576 ----a-w- c:\windows\system32\mfpmp.exe
2009-09-12 09:02:40 376832 ----a-w- c:\windows\system32\winhttp.dll
2009-09-12 08:59:37 71680 ----a-w- c:\windows\system32\atl.dll
2009-09-12 08:54:52 297472 ----a-w- c:\windows\system32\gdi32.dll
2009-09-12 08:52:48 1060920 ----a-w- c:\windows\system32\drivers\ntfs.sys
2009-09-12 08:52:47 41984 ----a-w- c:\windows\system32\drivers\monitor.sys
2009-09-12 08:45:10 211456 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-09-12 08:43:10 500736 ----a-w- c:\windows\system32\msdtcprx.dll
2009-09-12 08:43:10 30208 ----a-w- c:\windows\system32\xolehlp.dll
2009-09-12 08:40:22 156160 ----a-w- c:\windows\system32\wkssvc.dll
2009-09-12 08:37:40 36352 ----a-w- c:\windows\system32\tsgqec.dll
2009-09-12 08:37:40 116736 ----a-w- c:\windows\system32\aaclient.dll
2009-09-12 08:37:39 1871872 ----a-w- c:\windows\system32\mstscax.dll
2009-09-12 08:35:53 303616 ----a-w- c:\windows\system32\wmpeffects.dll
2009-09-12 08:34:07 1194496 ----a-w- c:\windows\system32\msxml3.dll
2009-09-12 08:34:06 2048 ----a-w- c:\windows\system32\msxml3r.dll
2009-09-12 08:32:39 414208 ----a-w- c:\windows\system32\msscp.dll
2009-09-12 08:31:00 356864 ----a-w- c:\windows\system32\MediaMetadataHandler.dll
2009-09-12 08:29:17 392192 ----a-w- c:\windows\system32\FirewallAPI.dll
2009-09-12 08:29:16 86016 ----a-w- c:\windows\system32\icfupgd.dll
2009-09-12 08:29:16 63488 ----a-w- c:\windows\system32\drivers\mpsdrv.sys
2009-09-12 08:29:16 396800 ----a-w- c:\windows\system32\MPSSVC.dll
2009-09-12 08:29:16 16896 ----a-w- c:\windows\system32\wfapigp.dll
2009-09-12 08:29:15 61952 ----a-w- c:\windows\system32\cmifw.dll
2009-09-12 08:29:15 23040 ----a-w- c:\windows\system32\drivers\tunnel.sys
2009-09-12 08:29:15 178688 ----a-w- c:\windows\system32\iphlpsvc.dll
2009-09-12 08:29:15 15360 ----a-w- c:\windows\system32\drivers\TUNMP.SYS
2009-09-12 08:23:15 696832 ----a-w- c:\windows\system32\localspl.dll
2009-09-12 08:21:56 65024 ----a-w- c:\windows\system32\avicap32.dll
2009-09-12 08:21:55 88576 ----a-w- c:\windows\system32\avifil32.dll
2009-09-12 08:21:55 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-09-12 08:21:55 31232 ----a-w- c:\windows\system32\msvidc32.dll
2009-09-12 08:21:55 12800 ----a-w- c:\windows\system32\msrle32.dll
2009-09-12 08:21:55 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-09-12 08:20:30 45112 ----a-w- c:\windows\system32\drivers\pciidex.sys
2009-09-12 08:20:30 21560 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-09-12 08:20:29 15928 ----a-w- c:\windows\system32\drivers\pciide.sys
2009-09-12 08:20:29 109624 ----a-w- c:\windows\system32\drivers\ataport.sys
2009-09-12 08:20:28 211000 ----a-w- c:\windows\system32\drivers\volsnap.sys
2009-09-12 08:20:27 154624 ----a-w- c:\windows\system32\drivers\nwifi.sys
2009-09-12 08:19:35 104448 ----a-w- c:\windows\system32\DWWIN.EXE
2009-09-12 08:18:28 2923520 ----a-w- c:\windows\explorer.exe
2009-09-12 08:15:56 494592 ----a-w- c:\windows\system32\kerberos.dll
2009-09-12 08:15:56 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-09-12 08:15:55 7680 ----a-w- c:\windows\system32\lsass.exe
2009-09-12 08:15:55 72704 ----a-w- c:\windows\system32\secur32.dll
2009-09-12 08:15:55 408136 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-09-12 08:15:55 1233920 ----a-w- c:\windows\system32\lsasrv.dll
2009-09-12 08:15:54 272384 ----a-w- c:\windows\system32\schannel.dll

============= FINISH: 1:25:39.77 ===============


 Attach.txt   4.31K   40 downloads

[chamber]

Hi,

1) No anti virus

I don't see an anitivirus program installed.

Today's internet is simply suicide without an up to date antivirus, you pleave yourself wide open to any attacks and infections.

Not much point in you and I cleaning up the system if you don't protect yourself after.

However -- if you don't understand or cannot install an antivirus -- please let me know.

Please download ONE of the following antivirus programs and install it.

• Avast!
  
• Avira
  
• AVG Free

Once installed, Update it, run full system scan with it and allow it to fix up what it finds.

Reboot if it fixed anything.


I would also update your system as you are behind a service pack and re enable UAC.

[omigod]

yeah, I re-installed my anti-virus program. Now everything is running nice and smooth.
Thanks a lot for your help. I really appreciate it.

[chamber]

Good to know,

Congratulations your logs appear clean!! :thumbsup:

Clean up

Follow these steps to uninstall Combofix and tools used in the removal of malware

Uninstall ComboFix

Remove Combofix now that we're done with it.

• Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  
• Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  
  
• Please follow the prompts to uninstall Combofix.
  
• You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix and anything assoicated with it.

• Download OTC to your desktop and run it
  
• Click Yes to beginning the Cleanup process and remove these components, including this application.
  
• You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it, there are other free alternatives, FIREFOX and OPERA, both are free to use and are more secure than IE.

If you are using firefox you can stay more secure by adding NoScript and WOT (Web Of Trust)

NoScript stops Java scripts from starting on a web page unless you give permission for them, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

• Make your Internet Explorer more secure - This can be done by following these simple instructions:
  
• From within Internet Explorer click on the Tools menu and then click on Options.
  
• Click once on the Security tab
  
• Click once on the Internet icon so it becomes highlighted.
  
• Click once on the Custom Level button.
  
• Change the Download signed ActiveX controls to Prompt
  
• Change the Download unsigned ActiveX controls to Disable
  
• Change the Initialize and script ActiveX controls not marked as safe to Disable
  
• Change the Installation of desktop items to Prompt
  
• Change the Launching programs and files in an IFRAME to Prompt
  
• Change the Navigate sub-frames across different domains to Prompt
  
• When all these settings have been made, click on the OK button
  
• If it prompts you as to whether or not you want to save the settings, press the Yes button.
  
• Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

You should have a good anti spyware program - We recommend MalwareBytes Anti-Malware and SUPERAntiSpyware

MVPS Hosts file The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer

Winpatrol Download and install the free version of Winpatrol. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

Spring Cleaning

TFC - Temp File Cleaner by OldTimer - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders

Auslogics Disc Defrag or JKDefrag - Two good disc defragmenters for you to choose from.