TechSpot

Hard drive clusters are partly damaged

By dancingchunli
Nov 29, 2011
  1. I believe my computer may be infected with a virus.

    Here's a message that has been popping up on my screen:

    "Hard drive clusters are partly damaged"

    Please help.....
     
  2. dancingchunli

    dancingchunli TS Rookie Topic Starter Posts: 22

    MBAM log

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8271

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    11/29/2011 9:30:47 PM
    mbam-log-2011-11-29 (21-30-47).txt

    Scan type: Quick scan
    Objects scanned: 176254
    Time elapsed: 9 minute(s), 8 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 2
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 5

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\BLOCK_READER (Trojan.LdPinch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kmCiLdhHPnMcPi.exe (Trojan.FakeAlert) -> Value: kmCiLdhHPnMcPi.exe -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\block_reader\DisplayName (Trojan.LdPinch) -> Value: DisplayName -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\programdata\kmcildhhpnmcpi.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\programdata\hsprahzoqqduyt.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\Users\CHINA\downloads\codec-c (1).exe (Affiliate.Downloader) -> Quarantined and deleted successfully.
    c:\Users\CHINA\downloads\codec-c (62).exe (Affiliate.Downloader) -> Quarantined and deleted successfully.
    c:\Users\CHINA\downloads\installer_adobe_acrobat_7_0_professional_7_0_english.exe (PUP.SmsPay.PGen) -> Quarantined and deleted successfully.
     
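The log above records the whole rogue-AV chain in one place: an HKLM Run value that starts a randomly named executable in C:\ProgramData, a second FakeAlert binary in the same folder, an LdPinch service, and two Explorer settings (Start_ShowMyComputer, Start_ShowSearch) set to 0, which hides "Computer" and "Search" from the Start menu. Below is an added example, not code from this thread or from Malwarebytes, that parses this log format and pulls that chain out. The per-section line patterns are inferred from the lines shown (an assumption about the 1.51 format), and MBAM_LOG is a constructed copy of the posted detection lines.

```python
"""Parser for the Malwarebytes 1.51 log format shown in the post above.
Added example for this thread; not Malwarebytes' code.  The line patterns
are inferred from the posted lines (an assumption about the format), and
MBAM_LOG is a constructed copy of that log's per-section detection lines."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MBAM_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\BLOCK_READER (Trojan.LdPinch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kmCiLdhHPnMcPi.exe (Trojan.FakeAlert) -> Value: kmCiLdhHPnMcPi.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\block_reader\DisplayName (Trojan.LdPinch) -> Value: DisplayName -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\programdata\kmcildhhpnmcpi.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\programdata\hsprahzoqqduyt.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\CHINA\downloads\codec-c (1).exe (Affiliate.Downloader) -> Quarantined and deleted successfully.
c:\Users\CHINA\downloads\codec-c (62).exe (Affiliate.Downloader) -> Quarantined and deleted successfully.
c:\Users\CHINA\downloads\installer_adobe_acrobat_7_0_professional_7_0_english.exe (PUP.SmsPay.PGen) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<section>.+?) Infected:$")
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
VALUE_RE = re.compile(r"^Value: (?P<name>.+?) -> ")
SETTING_RE = re.compile(r"^Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")


@dataclass
class Detection:
    section: str                 # "Registry Values", "Files", ...
    path: str                    # registry path or file path
    family: str                  # MBAM detection name, e.g. Trojan.FakeAlert
    value: Optional[str] = None  # value name for "Registry Values" entries
    bad: Optional[str] = None    # "Registry Data Items": value MBAM found ...
    good: Optional[str] = None   # ... and the value it restored


def parse_mbam_log(text: str) -> List[Detection]:
    """One record per detection line; '(No malicious items detected)' and the
    summary counts at the top of the log do not match and are skipped."""
    out: List[Detection] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (s := SECTION_RE.match(line)):
            section = s.group("section")
            continue
        m = ENTRY_RE.match(line)
        if not (m and section):
            continue
        d = Detection(section, m.group("path"), m.group("family"))
        rest = m.group("rest")
        if (v := VALUE_RE.match(rest)):
            d.value = v.group("name")
        if (b := SETTING_RE.match(rest)):
            d.bad, d.good = b.group("bad"), b.group("good")
        out.append(d)
    return out


def family_counts(dets: List[Detection]) -> Counter:
    return Counter(d.family for d in dets)


def persistence_chain(dets: List[Detection]) -> Tuple[Dict[str, Optional[str]], List[str]]:
    """Map each ...\CurrentVersion\Run value (an autostart) to the quarantined
    file with the same basename, and list quarantined .exe files that no Run
    value in this log pointed at (droppers, downloads, or persistence the
    quick scan did not see)."""
    files = {d.path.rsplit("\\", 1)[-1].lower(): d.path
             for d in dets if d.section == "Files"}
    autostarts: Dict[str, Optional[str]] = {}
    for d in dets:
        if d.section == "Registry Values" and d.value \
                and "\\currentversion\\run\\" in d.path.lower():
            autostarts[d.value] = files.get(d.value.lower())
    linked = {p for p in autostarts.values() if p}
    unlinked = [p for p in files.values()
                if p not in linked and p.lower().endswith(".exe")]
    return autostarts, unlinked


def restored_shell_settings(dets: List[Detection]) -> Dict[str, Tuple[str, str]]:
    """Explorer settings MBAM found changed: {name: (found value, restored value)}."""
    return {d.path.rsplit("\\", 1)[-1]: (d.bad, d.good)
            for d in dets if d.section == "Registry Data Items" and d.bad is not None}


if __name__ == "__main__":
    dets = parse_mbam_log(MBAM_LOG)
    print(family_counts(dets))
    autostarts, unlinked = persistence_chain(dets)
    for name, target in autostarts.items():
        print(f"Run value {name} -> {target or 'no matching file in log'}")
    print("quarantined .exe with no autostart seen:", unlinked)
    print(restored_shell_settings(dets))
```

Run as-is it prints the family counts, the Run value linked to c:\programdata\kmcildhhpnmcpi.exe, and the quarantined executables that no Run value in the log pointed at. The second ProgramData binary landing in that last list is exactly the kind of gap (a dropper, or an autostart the quick scan did not cover) that justifies the full scan requested later in the thread.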
  3. dancingchunli

    dancingchunli TS Rookie Topic Starter Posts: 22

    gmer log

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-11-29 22:11:36
    Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK2035GSS rev.DK022A
    Running: rwr6icjr.exe; Driver: C:\Users\CHINA\AppData\Local\Temp\ugloqpog.sys


    ---- System - GMER 1.0.15 ----

    SSDT 8DE53346 ZwCreateSection
    SSDT 8DE5334B ZwSetContextThread
    SSDT 8DE532E7 ZwTerminateProcess

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A57579 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A7BF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    .text ntkrnlpa.exe!RtlSidHashLookup + 340 82A83840 4 Bytes [46, 33, E5, 8D]
    .text ntkrnlpa.exe!RtlSidHashLookup + 6E0 82A83BE0 4 Bytes [4B, 33, E5, 8D]
    .text ntkrnlpa.exe!RtlSidHashLookup + 7B8 82A83CB8 4 Bytes [E7, 32, E5, 8D] {OUT 0x32, EAX; IN EAX, 0x8d}

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe[2916] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [754B5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe[2916] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [754B5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe[2916] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [754B5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe[2916] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [754B5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe[2916] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [754B5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3052] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6134745C] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3052] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6134738E] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3052] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [613473CE] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3052] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [61346CD9] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3052] @ C:\Windows\system32\USER32.dll [GDI32.dll!GetStockObject] [61346178] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3052] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6134745C] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3052] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExA] [6134740E] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3052] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [61346CD9] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3052] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [613473CE] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3052] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [613473CE] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3052] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6134738E] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3052] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6134745C] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3052] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [61346CD9] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3052] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6134740E] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3052] @ C:\Windows\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [61346178] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3052] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [613460B3] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3052] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [613468F0] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3052] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [613468F0] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3052] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [6134617E] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3052] @ C:\Windows\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61345FE2] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3052] @ C:\Windows\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61346020] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3052] @ C:\Windows\system32\SHELL32.dll [USER32.dll!AnimateWindow] [61346213] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3052] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSysColor] [613460B3] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3052] @ C:\Windows\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [613468F0] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3052] @ C:\Windows\system32\SHELL32.dll [GDI32.dll!GetStockObject] [61346178] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3052] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6134738E] C:\Program Files\Yahoo!\Messenger\yui.dll
    IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[3052] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [613473CE] C:\Program Files\Yahoo!\Messenger\yui.dll

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.)

    Device \Driver\ACPI_HAL \Device\00000051 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
     
  4. dancingchunli

    dancingchunli TS Rookie Topic Starter Posts: 22

    dds error

    During the scanning of dds, my computer hangs up in the middle of the process.
    I need to shut down my computer using the automatic power shut off since everything is not working.

    What shall I do? Please help me...
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry for delay- I picked up the thread and was called away before I got anything in.

    This infection is classified as a rogue program because it uses false security alerts and fake scan results to try and trick you into thinking that your computer is infected so that you will then purchase it. It scans then goes on to display a variety of fake security alerts and warnings that are designed to make you think your computer has a serious security problem.
    ==============================================
    Please do the following to help you run other programs: Read all of the directions before you start. Print them out to help you follow the list.

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, using your up/down arrows to reach it and then press ENTER.

    This infection may change your Windows settings to use a proxy server that will not allow you to browse any pages on the Internet with Internet Explorer or update security software, so we will first need to fix this. Launch Internet Explorer:
    • Access Internet Options through Tools> Connections tab
    • Click on the Lan Settings at the bottom
    • Proxy Server section> uncheck the box labeled 'Use a proxy server for your LAN'.
    • Then click on OK> and OK again to close Internet Options.
    ===============================
    This malware frequently comes with the TDSS rootkit, so do the following:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    ====================================
    If TDSSKiller requires you to reboot, please allow it to do so. After you reboot, reboot back into Safe Mode with Networking again
    ====================================
    Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 3 different versions. If one of them won't run then download and try to run the other one. (Vista and Win7 users need to right click Rkill and choose Run as Administrator)

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • If the tool does not run from any of the links provided, please let me know.
    Do not reboot until instructed, as it will start the malware again.
    ==================================
    You will run another scan with Mbam, after it updates, but this time, on the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.

    When the scan has finished, you will see a message box.
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
    ========================================
    Now try to run the DDS scan. It should work.
    =======================================
    TDSSKiller
    RKill
    New Malwarebytes
    2 logs from DDS
     
  6. dancingchunli

    dancingchunli TS Rookie Topic Starter Posts: 22

    sorry for the delay

    Sorry for the delay as I was experiencing technical difficulties on my internet connection at home...

    Thank you so much for your reply..I'll keep you posted..
     
  7. dancingchunli

    dancingchunli TS Rookie Topic Starter Posts: 22

    rkill log

    When I downloaded and ran TDSSKiller, there were no infections found.

    This was the log that appeared when I ran Rkill:

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 12/03/2011 at 22:38:52.
    Operating System: Windows 7 Professional


    Processes terminated by Rkill or while it was running:



    Rkill completed on 12/03/2011 at 22:38:55.


    Shall I proceed with DDS?
     
  8. dancingchunli

    dancingchunli TS Rookie Topic Starter Posts: 22

    dds error

    When I ran DDS again, the same problem occurred. It would get stuck in the middle of the process and my whole computer hangs.

    What shall I do?
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    No problem> my ISP gives me a fit sometimes too!

    Please go ahead with DDS- hopefully you haven't rebooted since you ran RKill.
    -------------------------------
    This is one of the files quarantined by Mbam:
    c:\Users\CHINA\downloads\installer_adobe_acrobat_7_0_professional_7_0_english.exe (PUP.SmsPay.PGen)

    Where did you get this installer? Malware authors frequently use installers for popular software, making the download site appear to be related to the product. If a user downloads the infected installer, they will have the malware written in it. One of the reasons that we insist on members using the links we give for the scans or updates is because we know they are legitimate and safe.

    Another infected file found by Mbam was this Registry entry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\block_reader\DisplayName (Trojan.LdPinch)
    Infostealer.Ldpinch is a Trojan horse that attempts to steal information from the compromised computer and send it to the remote attacker. This is also known as PWSteal.Ldpinch. The payload (aka 'Damage'): attempts to steal confidential information from the compromised computer and send the gathered information to a remote attacker.

    You also got 'codecs' using Affiliate.Downloader. This is more malware that may allow remote attackers to take control of compromised user systems.
    ====================================
    The bottom line is that your system may already be compromised. Although we may be able to remove some entries, that is not going to guarantee that your passwords and/or private information hasn't already been passed on to the attacker.
    =====================================
    If you still cannot run DDS, run HijackThis. This isn't "either run DDS or HJT." This is: try to run DDS. If it still won't run, then run HJT:

    First, set up a Directory for HijackThis as follows:
    Right click Taskbar> Explore> My Computer> Local Drive (C)> File> New> Folder> Name folder HijackThis
    Exit Explorer
    You now have a folder C:\HijackThis
    -----------------------------------------
    Download HijackThis and save to your desktop.
    • Click on the HJT icon> 'Extract all files'> Extraction Wizard> Click on Browse to right of dialogue box that says 'Select a folder'
    • Extract it to the directory on your hard drive you created C:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will be saved and then the log will open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.
    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
    ===============================================
    You can also go ahead with Combofix: I don't know what AV you have and if it's AVG, you will have to uninstall it temporarily. If the AV is AVG, run the App Remover. If it's not, skip the App Remover.
    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A selection screen will appear:
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    Temporary AV: Use one:
    Avira-AntiVir-Personal-Free-Antivirus
    Avast Free Version
    =============================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes to continue scanning for malware.
    • If Combofix asks you to update the program, allow it.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and will open in a text window. Please paste the contents of C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ================================
    Download CKScanner and save to your desktop.
    • Double-click CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
    =====================================
    Logs in next reply please. Advise of any new problems.
    Summary:
    1. Run DDS if able.
    2. If DDS won't run, run HijackThis.
    3. Rescan with Malwarebytes using the Full Scan option
    4. Uninstall AVG if using it.
    5. Run Combofix.
    6. Run the CK Scan
     
  10. dancingchunli

    dancingchunli TS Rookie Topic Starter Posts: 22

    hijackthis log

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 2:59:33 AM, on 12/4/2011
    Platform: Windows 7 (WinNT 6.00.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\TeamViewer\Version6\TeamViewer.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files\CrossriderWebApps\Crossrider.exe
    C:\Program Files\STOPzilla!\STOPzilla.exe
    C:\Program Files\Hotspot Shield\bin\openvpntray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10o_ActiveX.exe
    C:\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.hotspotshield.com/g/?c=h
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - (no file)
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
    O2 - BHO: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
    O2 - BHO: facemoods Helper - {64182481-4F71-486b-A045-B233BD0DA8FC} - C:\Program Files\facemoods.com\facemoods\1.4.17.11\bh\facemoods.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GR469A~1.DLL
    O2 - BHO: CrossRider - {A876E312-7D08-401a-B7A6-FAFC5DC2F292} - C:\Program Files\CrossriderWebApps\Crossrider.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\HssIE\HssIE.dll
    O3 - Toolbar: PandoraTV Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (file missing)
    O3 - Toolbar: facemoods Toolbar - {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - C:\Program Files\facemoods.com\facemoods\1.4.17.11\facemoodsTlbr.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [facemoods] "C:\Program Files\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe" /md I
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [Google Update] "C:\Users\CHINA\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [CrossRiderPlugin] C:\Program Files\CrossriderWebApps\Crossrider.exe
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" /MINIMIZED
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GRA32A~1.DLL
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Hotspot Shield Service (hshld) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
    O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
    O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
    O23 - Service: Hotspot Shield Monitoring Service (HssWd) - Unknown owner - C:\Program Files\Hotspot Shield\bin\hsswd.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
    O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
    O23 - Service: VAIO Content Metadata XML Interface (VcmXmlIfHelper) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe

    --
    End of file - 10160 bytes
     
  11. dancingchunli

    dancingchunli TS Rookie Topic Starter Posts: 22

    MBAM log

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8307

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    12/4/2011 7:43:19 PM
    mbam-log-2011-12-04 (19-43-19).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 262760
    Time elapsed: 1 hour(s), 12 minute(s), 43 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Users\CHINA\AppData\Local\Google\Chrome\user data\Default\Cache\f_000293 (PUP.SmsPay.PGen) -> Quarantined and deleted successfully.
    c:\Users\CHINA\AppData\Local\Google\Chrome\user data\Default\Cache\f_000898 (Affiliate.Downloader) -> Quarantined and deleted successfully.
     
  12. dancingchunli

    dancingchunli TS Rookie Topic Starter Posts: 22

    Combofix error

    Since my DDS won't run, HijackThis was running properly and I posted the log.
    Then I rescanned with Malwarebytes using the full scan and posted the log.
    Since I am using the AVIRA ANTIVIR PERSONAL FREE ANTIVIRUS, there is no need to uninstall it, and I proceeded to Combofix.

    Downloading Combofix was not a problem, but as it started to scan, my computer hung again during the scanning step below.

    "Scanning for infected files..This typically doesn't take more than 10 minutes.
    However, scan times for badly infected machines may easily double."


    Was there something I missed? Am I on the right steps following your procedures?
     
  13. dancingchunli

    dancingchunli TS Rookie Topic Starter Posts: 22

    Hello Bobbye!! Are you still there??..I need your help..

    Thank you in advance..
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'm here. Please run the following:

    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer:
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ====================================
    • Download OTL from either of the links below and save it to your desktop.
      Link 1
      Link 2
    • Double click the OTL icon to run it.
    • Set Output at the top to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Copy the entries in the Codebox below, then paste them in the Custom Scan box.
      Code:
      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      explorer.exe
      winlogon.exe
      userinit.exe
      /md5stop
      %systemroot%\*. /mp /s
      CREATERESTOREPOINT
      
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
      Make sure all other windows are closed and let it run uninterrupted.
    • When the scan completes, it will open two Notepad windows, OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them all in.

    Please post the logs in your next reply.
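As an added example (not part of this thread, and not code from HijackThis, OTL or ESET), a small Python triage script that encodes a few of the checks a helper makes by eye when reading log lines like the ones posted in this thread: weakened UAC policies, orphaned CLSID registrations, services with no recorded publisher, a non-default IE start page, removable-drive AutoRun commands and Winlogon Shell/UserInit values. The allow-list of start-page hosts and the severity labels are assumptions, and the sample lines are copied from the logs above.

```python
"""Triage helper for HijackThis/OTL-style log lines.

Added example: not part of this thread and not code from the HijackThis or
OTL tools. It encodes a few of the checks a helper makes by eye when reading
the logs posted above. Every hit is an item to verify, not a proven infection.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Sample input, copied from the HijackThis/OTL logs posted in this thread.
SAMPLE_LINES = [
    r'IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT1561552',
    r'IE - HKCU\..\URLSearchHook: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - No CLSID value found',
    r'O2 - BHO: (no name) - {64182481-4F71-486b-A045-B233BD0DA8FC} - No CLSID value found.',
    r'O4 - HKCU..\Run: [CrossRiderPlugin] C:\Program Files\CrossriderWebApps\Crossrider.exe (Crossrider)',
    r'O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0',
    r'O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0',
    r'O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present',
    r'O23 - Service: Hotspot Shield Service (hshld) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe',
    r'O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe',
    r'O33 - MountPoints2\{f3197f3d-8621-11e0-ae3d-e0d8d184ce50}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a',
    r'O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)',
]

# Assumed allow-list of start-page hosts a helper would treat as defaults.
EXPECTED_START_PAGE_HOSTS = {"www.msn.com", "www.google.com", "go.microsoft.com"}

# (pattern, severity, what the hit means). Every matching rule is reported.
RULES = [
    (re.compile(r"^O6 - .*ConsentPromptBehaviorAdmin = 0$"), "high",
     "UAC prompt for administrators disabled: elevation happens silently"),
    (re.compile(r"^O6 - .*PromptOnSecureDesktop = 0$"), "medium",
     "UAC prompts no longer shown on the secure desktop"),
    (re.compile(r"^O[67] - .*Internet Explorer\\(restrictions|control panel) present$"),
     "medium", "Internet Explorer policy restrictions set; confirm they are intended"),
    (re.compile(r"No CLSID value found"), "low",
     "orphaned hook/BHO/toolbar registration left behind by removed software"),
    (re.compile(r"^O23 - Service: .* - Unknown owner - "), "medium",
     "service binary has no recorded publisher; verify its signature and path"),
    (re.compile(r"^O33 - MountPoints2\\.*\\AutoRun\\command"), "medium",
     "AutoRun command registered for a removable drive"),
    (re.compile(r"^O4 - .*\\Run: "), "info",
     "autostart entry; confirm the program is known and wanted"),
]
START_PAGE = re.compile(r"^IE - .*\\Main,Start Page = (\S+)$")
WINLOGON = re.compile(r"^O20 - HKLM Winlogon: (Shell|UserInit) - ")
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


def triage_line(line):
    """Return [(severity, reason), ...] for one log line; [] if nothing stands out."""
    findings = [(sev, reason) for pat, sev, reason in RULES if pat.search(line)]
    m = START_PAGE.match(line)
    if m:
        host = urlparse(m.group(1)).hostname or ""
        if host not in EXPECTED_START_PAGE_HOSTS:
            findings.append(("medium", f"IE start page set to {host}, not a known default"))
    m = WINLOGON.match(line)
    if m and "(Microsoft Corporation)" not in line:
        # Shell/UserInit must resolve to the Microsoft binaries; anything else is a red flag.
        findings.append(("high", f"Winlogon {m.group(1)} does not point at a Microsoft binary"))
    return findings


def triage_log(text):
    """Triage every non-empty line; returns [(severity, reason, line)] ordered by severity."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        for severity, reason in (triage_line(line) if line else []):
            results.append((severity, reason, line))
    results.sort(key=lambda r: SEVERITY_ORDER[r[0]])  # stable: log order kept within a level
    return results


def count_by_severity(results):
    """Map severity -> number of findings, e.g. {'high': 1, 'medium': 5, ...}."""
    return dict(Counter(severity for severity, _, _ in results))


if __name__ == "__main__":
    for severity, reason, line in triage_log("\n".join(SAMPLE_LINES)):
        print(f"[{severity:6}] {reason}\n         {line}")
```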
     
  15. dancingchunli

    dancingchunli TS Rookie Topic Starter Posts: 22

    ..Thank you for your response..I really really appreciate it...I'll keep you posted...
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, post when you can.
     
  17. dancingchunli

    dancingchunli TS Rookie Topic Starter Posts: 22

    I wanna THANK YOU for everything. I really, really appreciate your generous time and kind assistance..

    This is the ESET log...

    C:\Program Files\GridinSoft Trojan Killer\trojankiller.exe a variant of Win32/1AntiVirus application
    C:\Program Files\Loaris\Trojan Remover 1.2\ltr12.exe a variant of Win32/1AntiVirus application
    C:\Users\CHINA\Downloads\Unlocker1.9.1.exe a variant of Win32/Toolbar.Babylon application
     
  18. dancingchunli

    dancingchunli TS Rookie Topic Starter Posts: 22

    OTL.txt log

    OTL logfile created on: 12/10/2011 9:54:55 PM - Run 1
    OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\CHINA\Downloads
    Professional (Version = 6.1.7600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.7600.16385)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.99 Gb Total Physical Memory | 0.94 Gb Available Physical Memory | 47.19% Memory free
    3.98 Gb Paging File | 2.70 Gb Available in Paging File | 67.71% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 178.83 Gb Total Space | 75.67 Gb Free Space | 42.31% Space Free | Partition Type: NTFS
    Drive D: | 4.06 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

    Computer Name: CHINA-PC | User Name: CHINA | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - C:\Users\CHINA\Downloads\OTL.exe (OldTimer Tools)
    PRC - C:\Windows\System32\Macromed\Flash\FlashUtil11e_ActiveX.exe (Adobe Systems, Inc.)
    PRC - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
    PRC - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ytbb.exe (Yahoo! Inc.)
    PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
    PRC - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
    PRC - C:\Program Files\CrossriderWebApps\Crossrider.exe (Crossrider)
    PRC - C:\Program Files\Avira\AntiVir Desktop\avshadow.exe (Avira GmbH)
    PRC - C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
    PRC - C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe (TeamViewer GmbH)
    PRC - C:\Program Files\TeamViewer\Version6\TeamViewer.exe (TeamViewer GmbH)
    PRC - C:\Program Files\TeamViewer\Version6\tv_w32.exe (TeamViewer GmbH)
    PRC - C:\Program Files\Common Files\Java\Java Update\jucheck.exe (Sun Microsystems, Inc.)
    PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
    PRC - C:\Windows\explorer.exe (Microsoft Corporation)
    PRC - C:\Windows\System32\conhost.exe (Microsoft Corporation)
    PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
    PRC - C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe (Adobe Systems Inc.)


    ========== Modules (No Company Name) ==========

    MOD - C:\Program Files\Yahoo!\Messenger\yui.dll ()
    MOD - C:\Program Files\Yahoo!\Messenger\pcre.dll ()
    MOD - C:\Users\CHINA\AppData\Local\Google\Chrome\Application\15.0.874.121\ppgooglenaclpluginchrome.dll ()
    MOD - C:\Users\CHINA\AppData\Local\Google\Chrome\Application\15.0.874.121\pdf.dll ()
    MOD - C:\Users\CHINA\AppData\Local\Google\Chrome\Application\15.0.874.121\avutil-51.dll ()
    MOD - C:\Users\CHINA\AppData\Local\Google\Chrome\Application\15.0.874.121\avformat-53.dll ()
    MOD - C:\Users\CHINA\AppData\Local\Google\Chrome\Application\15.0.874.121\avcodec-53.dll ()
    MOD - C:\Program Files\CrossriderWebApps\Crossrider.dll ()
    MOD - C:\Program Files\DivX\DivX Plus Web Player\libxml2.dll ()
    MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()


    ========== Win32 Services (SafeList) ==========

    SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
    SRV - (AntiVirService) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe (Avira GmbH)
    SRV - (AntiVirSchedulerService) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe (Avira GmbH)
    SRV - (TeamViewer6) -- C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe (TeamViewer GmbH)
    SRV - (StorSvc) -- C:\Windows\System32\StorSvc.dll (Microsoft Corporation)
    SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
    SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation)
    SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
    SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
    SRV - (VcmXmlIfHelper) -- C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe (Sony Corporation)


    ========== Driver Services (SafeList) ==========

    DRV - (MBAMProtector) -- C:\Windows\System32\drivers\mbam.sys (Malwarebytes Corporation)
    DRV - (avipbb) -- C:\Windows\System32\drivers\avipbb.sys (Avira GmbH)
    DRV - (avgntflt) -- C:\Windows\System32\drivers\avgntflt.sys (Avira GmbH)
    DRV - (taphss) -- C:\Windows\System32\drivers\taphss.sys (AnchorFree Inc)
    DRV - (ssmdrv) -- C:\Windows\System32\drivers\ssmdrv.sys (Avira GmbH)
    DRV - (vmbus) -- C:\Windows\system32\DRIVERS\vmbus.sys (Microsoft Corporation)
    DRV - (storflt) -- C:\Windows\system32\DRIVERS\vmstorfl.sys (Microsoft Corporation)
    DRV - (storvsc) -- C:\Windows\system32\DRIVERS\storvsc.sys (Microsoft Corporation)
    DRV - (WinUsb) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)
    DRV - (s3cap) -- C:\Windows\system32\DRIVERS\vms3cap.sys (Microsoft Corporation)
    DRV - (VMBusHID) -- C:\Windows\system32\DRIVERS\VMBusHID.sys (Microsoft Corporation)
    DRV - (netw5v32) Intel(R) -- C:\Windows\System32\drivers\netw5v32.sys (Intel Corporation)
    DRV - (RTL8187) -- C:\Windows\System32\drivers\RTL8187.sys (Realtek Semiconductor Corporation )
    DRV - (R5U870FLx86) -- C:\Windows\System32\drivers\R5U870FLx86.sys (Ricoh)
    DRV - (R5U870FUx86) -- C:\Windows\System32\drivers\R5U870FUx86.sys (Ricoh)
    DRV - (ti21sony) -- C:\Windows\System32\drivers\ti21sony.sys (Texas Instruments)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT1561552
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 06 D7 D7 40 C4 FA CB 01 [binary data]
    IE - HKCU\..\URLSearchHook: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - No CLSID value found
    IE - HKCU\..\URLSearchHook: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - No CLSID value found
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    ========== FireFox ==========

    FF - prefs.js..browser.search.selectedEngine: "Creative Commons"
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: toolbar@ask.com:3.9.1.14019
    FF - prefs.js..extensions.enabledItems: {23fcfd51-4958-4f00-80a3-ae97e717ed8b}:2.1.1.94
    FF - prefs.js..extensions.enabledItems: {6904342A-8307-11DF-A508-4AE2DFD72085}:2.1.1.94
    FF - prefs.js..extensions.enabledItems: ffxtlbr@Facemoods.com:1.4.1
    FF - prefs.js..extensions.enabledItems: crossriderapp435@crossrider.com:0.72.17
    FF - prefs.js..network.proxy.no_proxies_on: "*.local"
    FF - prefs.js..browser.search.defaultenginename: "Google"


    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
    FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
    FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.450: C:\Program Files\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.448: C:\Program Files\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\CHINA\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\CHINA\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\html5video [2011/06/15 19:55:34 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa [2011/06/15 19:55:34 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\crossriderapp435@crossrider.com: C:\ProgramData\CodecCheck\firefox [2011/11/16 00:07:30 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/28 22:46:23 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/11/16 23:57:30 | 000,000,000 | ---D | M]

    [2011/01/26 18:27:38 | 000,000,000 | ---D | M] (No name found) -- C:\Users\CHINA\AppData\Roaming\Mozilla\Extensions
    [2011/12/07 19:56:12 | 000,000,000 | ---D | M] (No name found) -- C:\Users\CHINA\AppData\Roaming\Mozilla\Firefox\Profiles\cwp3daqv.default\extensions
    [2011/12/07 19:56:13 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\CHINA\AppData\Roaming\Mozilla\Firefox\Profiles\cwp3daqv.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    [2011/12/05 20:08:55 | 000,000,000 | ---D | M] (Hotspot Shield Community Toolbar) -- C:\Users\CHINA\AppData\Roaming\Mozilla\Firefox\Profiles\cwp3daqv.default\extensions\{c95a4e8e-816d-4655-8c79-d736da1adb6d}
    [2011/12/05 20:08:56 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Users\CHINA\AppData\Roaming\Mozilla\Firefox\Profiles\cwp3daqv.default\extensions\engine@conduit.com
    [2011/12/07 21:43:45 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2011/01/25 20:36:24 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    [2011/01/25 20:35:55 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    [2011/06/15 19:55:34 | 000,000,000 | ---D | M] (DivX Plus Web Player HTML5 <video>) -- C:\PROGRAM FILES\DIVX\DIVX PLUS WEB PLAYER\FIREFOX\HTML5VIDEO
    [2011/06/15 19:55:34 | 000,000,000 | ---D | M] (DivX HiQ) -- C:\PROGRAM FILES\DIVX\DIVX PLUS WEB PLAYER\FIREFOX\WPA
    [2011/11/16 00:07:30 | 000,000,000 | ---D | M] ("Premiumplay Codec-C") -- C:\PROGRAMDATA\CODECCHECK\FIREFOX
    File not found (No name found) -- C:\USERS\CHINA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\CWP3DAQV.DEFAULT\EXTENSIONS\FFXTLBR@FACEMOODS.COM
    File not found (No name found) -- C:\USERS\CHINA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\CWP3DAQV.DEFAULT\EXTENSIONS\TOOLBAR@ASK.COM
    [2011/01/25 20:35:46 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

    ========== Chrome ==========

    CHR - default_search_provider: Google (Enabled)
    CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
    CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
    CHR - plugin: Shockwave Flash (Enabled) = C:\Users\CHINA\AppData\Local\Google\Chrome\Application\15.0.874.121\gcswf32.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
    CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
    CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
    CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
    CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
    CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
    CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
    CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
    CHR - plugin: Java Deployment Toolkit 6.0.200.2 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    CHR - plugin: Java(TM) Platform SE 6 U20 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
    CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
    CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll
    CHR - plugin: DivX Web Player (Enabled) = C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
    CHR - plugin: RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = C:\Program Files\Real Alternative\browser\plugins\nppl3260.dll
    CHR - plugin: RealPlayer Version Plugin (Enabled) = C:\Program Files\Real Alternative\browser\plugins\nprpjplug.dll
    CHR - plugin: Microsoft\u00AE Windows Media Player Firefox Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
    CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
    CHR - plugin: Native Client (Enabled) = C:\Users\CHINA\AppData\Local\Google\Chrome\Application\15.0.874.121\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\CHINA\AppData\Local\Google\Chrome\Application\15.0.874.121\pdf.dll
    CHR - plugin: DivX VOD Helper Plug-in (Enabled) = C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll
    CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
    CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
    CHR - plugin: Google Update (Enabled) = C:\Users\CHINA\AppData\Local\Google\Update\1.3.21.65\npGoogleUpdate3.dll
    CHR - plugin: Default Plug-in (Enabled) = default_plugin
    CHR - Extension: DivX HiQ = C:\Users\CHINA\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnjbmmemklcjgepojigaapkoodmkgbae\2.1.1.94_0\
    CHR - Extension: Premiumplay Codec-C = C:\Users\CHINA\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpnbdefcbnoefmmcpelplabbkfmfhlho\1.13.21_0\
    CHR - Extension: DivX Plus Web Player HTML5 \u003Cvideo\u003E = C:\Users\CHINA\AppData\Local\Google\Chrome\User Data\Default\Extensions\nneajnkjbffgblleaoojgaacokifdkhm\2.1.1.94_0\

    O1 HOSTS File: ([2011/11/29 20:36:32 | 000,000,860 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
    O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
    O2 - BHO: (DivX HiQ) - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
    O2 - BHO: (no name) - {64182481-4F71-486b-A045-B233BD0DA8FC} - No CLSID value found.
    O2 - BHO: (CrossRider) - {A876E312-7D08-401a-B7A6-FAFC5DC2F292} - C:\Program Files\CrossriderWebApps\Crossrider.dll ()
    O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O2 - BHO: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
    O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3 - HKLM\..\Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
    O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [] File not found
    O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
    O4 - HKCU..\Run: [CrossRiderPlugin] C:\Program Files\CrossriderWebApps\Crossrider.exe (Crossrider)
    O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
    O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 213.42.20.20 195.229.241.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5C40D96B-3B8B-445A-970E-0BE2B8879BC0}: DhcpNameServer = 213.42.20.20 195.229.241.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C9C28D55-C72D-48EF-89B9-CB120C0777D3}: DhcpNameServer = 192.168.254.254
    O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) -C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/06/11 01:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O33 - MountPoints2\{7fd9d173-2f85-11e0-9e54-001a8040a472}\Shell - "" = AutoRun
    O33 - MountPoints2\{7fd9d173-2f85-11e0-9e54-001a8040a472}\Shell\AutoRun\command - "" = "E:\WD SmartWare.exe" autoplay=true
    O33 - MountPoints2\{f3197f3d-8621-11e0-ae3d-e0d8d184ce50}\Shell - "" = AutoRun
    O33 - MountPoints2\{f3197f3d-8621-11e0-ae3d-e0d8d184ce50}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

    NetSvcs: FastUserSwitchingCompatibility - File not found
    NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
    NetSvcs: Nla - File not found
    NetSvcs: Ntmssvc - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: SRService - File not found
    NetSvcs: WmdmPmSp - File not found
    NetSvcs: LogonHours - File not found
    NetSvcs: PCAudit - File not found
    NetSvcs: helpsvc - File not found
    NetSvcs: uploadmgr - File not found

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/12/10 19:08:56 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
    [2011/12/07 23:05:06 | 000,000,000 | ---D | C] -- C:\Users\CHINA\Desktop\Sophie Kinsella (as Madeleine Wickham) - The Tennis Party (html)
    [2011/12/07 21:35:05 | 000,000,000 | ---D | C] -- C:\Users\CHINA\AppData\Roaming\GetRightToGo
    [2011/12/07 21:35:05 | 000,000,000 | ---D | C] -- C:\Users\CHINA\Documents\Downloads
    [2011/12/07 19:55:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Yahoo! Companion
    [2011/12/07 19:55:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Yahoo! Messenger
    [2011/12/07 19:23:00 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2011/12/07 19:23:00 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2011/12/07 19:23:00 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2011/12/07 19:22:50 | 000,000,000 | --SD | C] -- C:\ComboFix
    [2011/12/05 20:08:22 | 000,000,000 | ---D | C] -- C:\Hotspot Shield
    [2011/12/04 21:00:38 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/12/04 21:00:24 | 000,000,000 | --SD | C] -- C:\32788R22FWJFW
    [2011/12/04 21:00:20 | 004,331,784 | R--- | C] (Swearware) -- C:\Users\CHINA\Desktop\ComboFix.exe
    [2011/12/04 03:09:38 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
    [2011/12/04 02:55:48 | 000,000,000 | ---D | C] -- C:\Hijack This
    [2011/12/03 23:51:31 | 001,566,512 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\CHINA\Desktop\TDSSKiller.exe
    [2011/12/03 23:25:05 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\CHINA\Desktop\dds.scr
    [2011/11/29 21:16:42 | 000,000,000 | ---D | C] -- C:\Users\CHINA\AppData\Roaming\Malwarebytes
    [2011/11/29 21:16:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/11/29 21:16:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2011/11/29 21:16:25 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2011/11/29 21:16:24 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/11/29 21:10:12 | 009,852,544 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\CHINA\Desktop\mbam-setup-1.51.2.1300.exe
    [2011/11/29 18:34:15 | 000,000,000 | ---D | C] -- C:\Program Files\Loaris
    [2011/11/27 22:18:49 | 000,000,000 | ---D | C] -- C:\Windows\Sun
    [2011/11/27 20:48:47 | 000,000,000 | ---D | C] -- C:\Program Files\GridinSoft Trojan Killer
    [2011/11/27 19:59:08 | 000,000,000 | ---D | C] -- C:\Users\CHINA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix
    [2011/11/26 23:44:43 | 000,000,000 | ---D | C] -- C:\microsoft
    [2011/11/26 19:30:24 | 000,000,000 | ---D | C] -- C:\temp
    [2011/11/21 19:10:45 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
    [2011/11/20 19:00:01 | 000,000,000 | ---D | C] -- C:\Windows\System32\appmgmt
    [2011/11/16 23:59:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Adobe Systems
    [2011/11/16 23:59:02 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe Systems Shared
    [2011/11/16 23:56:14 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\Adobe PDF
    [2011/11/16 23:28:27 | 000,000,000 | ---D | C] -- C:\Users\CHINA\Calibre Library
    [2011/11/16 23:28:22 | 000,000,000 | ---D | C] -- C:\Users\CHINA\AppData\Roaming\calibre
    [2011/11/16 23:27:49 | 000,000,000 | ---D | C] -- C:\Program Files\Calibre2
    [2011/11/16 23:26:02 | 000,000,000 | ---D | C] -- C:\Program Files\ABC Amber LIT Converter
    [2011/11/16 00:07:44 | 000,000,000 | ---D | C] -- C:\Program Files\CrossriderWebApps
    [2011/11/16 00:07:24 | 000,000,000 | ---D | C] -- C:\ProgramData\CodecCheck
    [2011/11/16 00:07:21 | 000,000,000 | ---D | C] -- C:\codec-info
    [2011/11/16 00:06:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Premium
    [2011/11/16 00:06:45 | 000,000,000 | ---D | C] -- C:\ProgramData\InstallMate
    [2011/11/15 22:00:22 | 000,000,000 | ---D | C] -- C:\Program Files\Unlocker
    [1 C:\Windows\System32\drivers\*.tmp files -> C:\Windows\System32\drivers\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2011/12/10 21:31:14 | 000,000,908 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2886469913-3916006163-435472159-1000UA.job
    [2011/12/10 18:53:46 | 000,020,512 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2011/12/10 18:53:46 | 000,020,512 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2011/12/10 18:45:58 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2011/12/10 18:45:53 | 1603,084,288 | -HS- | M] () -- C:\hiberfil.sys
    [2011/12/08 00:31:36 | 000,042,093 | ---- | M] () -- C:\Users\CHINA\Desktop\wedding.jpg
    [2011/12/07 23:59:00 | 000,207,285 | ---- | M] () -- C:\Users\CHINA\Desktop\mini.jpg
    [2011/12/07 22:56:16 | 000,045,341 | ---- | M] () -- C:\Users\CHINA\Desktop\tennis.jpg
    [2011/12/07 22:45:06 | 000,408,936 | ---- | M] () -- C:\Users\CHINA\Desktop\Sophie Kinsella (as Madeleine Wickham) - The Tennis Party (html) (1).rar
    [2011/12/07 19:55:27 | 000,001,131 | ---- | M] () -- C:\Users\CHINA\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk
    [2011/12/07 19:55:27 | 000,001,107 | ---- | M] () -- C:\Users\Public\Desktop\Yahoo! Messenger.lnk
    [2011/12/07 19:22:21 | 004,331,784 | R--- | M] (Swearware) -- C:\Users\CHINA\Desktop\ComboFix.exe
    [2011/12/07 18:31:02 | 000,000,856 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2886469913-3916006163-435472159-1000Core.job
    [2011/12/05 22:11:28 | 000,615,360 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2011/12/05 22:11:28 | 000,103,702 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2011/12/05 18:42:06 | 000,346,570 | ---- | M] () -- C:\Users\CHINA\Desktop\unhide_files.exe
    [2011/12/04 02:56:43 | 000,305,771 | ---- | M] () -- C:\Users\CHINA\Desktop\HijackThis.zip
    [2011/12/03 23:58:40 | 001,008,114 | ---- | M] () -- C:\Users\CHINA\Desktop\rkill.scr
    [2011/12/03 23:25:19 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\CHINA\Desktop\dds.scr
    [2011/12/03 22:32:19 | 001,547,774 | ---- | M] () -- C:\Users\CHINA\Desktop\tdsskiller.zip
    [2011/11/29 21:43:31 | 000,302,592 | ---- | M] () -- C:\Users\CHINA\Desktop\rwr6icjr.exe
    [2011/11/29 21:16:32 | 000,001,091 | ---- | M] () -- C:\Users\CHINA\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
    [2011/11/29 21:16:32 | 000,001,067 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/11/29 21:15:34 | 009,852,544 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\CHINA\Desktop\mbam-setup-1.51.2.1300.exe
    [2011/11/27 19:59:14 | 000,000,320 | ---- | M] () -- C:\ProgramData\~HSPrahzOqQdUyT
    [2011/11/27 19:59:14 | 000,000,224 | ---- | M] () -- C:\ProgramData\~HSPrahzOqQdUyTr
    [2011/11/27 19:59:08 | 000,000,673 | ---- | M] () -- C:\Users\CHINA\Application Data\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk
    [2011/11/27 19:59:08 | 000,000,649 | ---- | M] () -- C:\Users\CHINA\Desktop\System Fix.lnk
    [2011/11/27 19:57:59 | 000,000,336 | ---- | M] () -- C:\ProgramData\HSPrahzOqQdUyT
    [2011/11/24 12:33:42 | 001,566,512 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\CHINA\Desktop\TDSSKiller.exe
    [2011/11/22 22:17:48 | 000,000,000 | ---- | M] () -- C:\Windows\System32\cd.dat
    [2011/11/19 18:32:05 | 000,002,359 | ---- | M] () -- C:\Users\CHINA\Desktop\Google Chrome.lnk
    [2011/11/18 22:01:04 | 000,412,464 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
    [2011/11/17 00:33:55 | 000,064,570 | ---- | M] () -- C:\Users\CHINA\Documents\rememberme.jpg
    [2011/11/17 00:33:02 | 000,033,686 | ---- | M] () -- C:\Users\CHINA\Documents\Twenties Girl.jpg
    [2011/11/17 00:16:20 | 000,007,464 | ---- | M] () -- C:\Users\CHINA\Documents\beauty's release.jpg
    [2011/11/17 00:14:21 | 000,043,959 | ---- | M] () -- C:\Users\CHINA\Documents\confessions-of-a-shopaholic-book-review-sophie-kinsella-the-idea-girl-says.jpg
    [2011/11/17 00:06:18 | 000,092,906 | ---- | M] () -- C:\Users\CHINA\Documents\secret.jpg
    [2011/11/17 00:01:31 | 000,527,403 | ---- | M] () -- C:\Users\CHINA\Documents\Sophie Kinsella - Shopaholic Abroad 0552999407.pdf
    [2011/11/17 00:00:58 | 000,492,083 | ---- | M] () -- C:\Users\CHINA\Documents\Sophie Kinsella - Secret Dreamworld of a Shopaholic 0552998877.pdf
    [2011/11/16 23:59:03 | 000,032,402 | ---- | M] () -- C:\Users\CHINA\Documents\abroad.jpg
    [2011/11/16 23:55:42 | 000,010,139 | ---- | M] () -- C:\Users\CHINA\Documents\secret world.jpg
    [2011/11/16 23:41:59 | 000,037,438 | ---- | M] () -- C:\Users\CHINA\Documents\shopaholic_and_baby.jpg
    [2011/11/16 23:40:10 | 000,037,483 | ---- | M] () -- C:\Users\CHINA\Documents\shopaholic_sister.jpg
    [2011/11/16 23:39:34 | 000,055,599 | ---- | M] () -- C:\Users\CHINA\Documents\shopaholic takes manhattan.jpg
    [2011/11/16 23:37:51 | 000,062,863 | ---- | M] () -- C:\Users\CHINA\Documents\ties the knot.jpg
    [2011/11/16 23:33:06 | 000,155,949 | ---- | M] () -- C:\Users\CHINA\Documents\Undomestic-Goddess.jpg
    [2011/11/16 23:26:05 | 000,001,018 | ---- | M] () -- C:\Users\CHINA\Desktop\ABC Amber LIT Converter.lnk
    [2011/11/16 23:08:03 | 000,020,655 | ---- | M] () -- C:\Users\CHINA\Documents\shopaholic ties the knot.jpg
    [2011/11/16 19:10:23 | 000,003,584 | ---- | M] () -- C:\Users\CHINA\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/11/12 22:43:00 | 000,000,436 | ---- | M] () -- C:\Windows\tasks\Norton Security Scan for CHINA.job
    [1 C:\Windows\System32\drivers\*.tmp files -> C:\Windows\System32\drivers\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2011/12/08 00:31:43 | 000,042,093 | ---- | C] () -- C:\Users\CHINA\Desktop\wedding.jpg
    [2011/12/07 23:59:05 | 000,207,285 | ---- | C] () -- C:\Users\CHINA\Desktop\mini.jpg
    [2011/12/07 22:56:21 | 000,045,341 | ---- | C] () -- C:\Users\CHINA\Desktop\tennis.jpg
    [2011/12/07 22:45:01 | 000,408,936 | ---- | C] () -- C:\Users\CHINA\Desktop\Sophie Kinsella (as Madeleine Wickham) - The Tennis Party (html) (1).rar
    [2011/12/07 19:55:27 | 000,001,131 | ---- | C] () -- C:\Users\CHINA\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk
    [2011/12/07 19:55:27 | 000,001,107 | ---- | C] () -- C:\Users\Public\Desktop\Yahoo! Messenger.lnk
    [2011/12/07 19:23:00 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2011/12/05 18:42:02 | 000,346,570 | ---- | C] () -- C:\Users\CHINA\Desktop\unhide_files.exe
    [2011/12/04 21:02:48 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2011/12/04 21:02:48 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2011/12/04 21:02:48 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2011/12/04 21:02:48 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2011/12/04 02:56:42 | 000,305,771 | ---- | C] () -- C:\Users\CHINA\Desktop\HijackThis.zip
    [2011/12/03 23:58:30 | 001,008,114 | ---- | C] () -- C:\Users\CHINA\Desktop\rkill.scr
    [2011/12/03 22:32:20 | 001,547,774 | ---- | C] () -- C:\Users\CHINA\Desktop\tdsskiller.zip
    [2011/11/29 21:43:29 | 000,302,592 | ---- | C] () -- C:\Users\CHINA\Desktop\rwr6icjr.exe
    [2011/11/29 21:16:32 | 000,001,091 | ---- | C] () -- C:\Users\CHINA\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
    [2011/11/29 21:16:32 | 000,001,067 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/11/27 19:59:14 | 000,000,224 | ---- | C] () -- C:\ProgramData\~HSPrahzOqQdUyTr
    [2011/11/27 19:59:13 | 000,000,320 | ---- | C] () -- C:\ProgramData\~HSPrahzOqQdUyT
    [2011/11/27 19:59:08 | 000,000,673 | ---- | C] () -- C:\Users\CHINA\Application Data\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk
    [2011/11/27 19:59:08 | 000,000,649 | ---- | C] () -- C:\Users\CHINA\Desktop\System Fix.lnk
    [2011/11/27 19:57:59 | 000,000,336 | ---- | C] () -- C:\ProgramData\HSPrahzOqQdUyT
    [2011/11/22 22:17:48 | 000,000,000 | ---- | C] () -- C:\Windows\System32\cd.dat
    [2011/11/17 00:33:57 | 000,064,570 | ---- | C] () -- C:\Users\CHINA\Documents\rememberme.jpg
    [2011/11/17 00:33:05 | 000,033,686 | ---- | C] () -- C:\Users\CHINA\Documents\Twenties Girl.jpg
    [2011/11/17 00:16:23 | 000,007,464 | ---- | C] () -- C:\Users\CHINA\Documents\beauty's release.jpg
    [2011/11/17 00:14:24 | 000,043,959 | ---- | C] () -- C:\Users\CHINA\Documents\confessions-of-a-shopaholic-book-review-sophie-kinsella-the-idea-girl-says.jpg
    [2011/11/17 00:06:24 | 000,092,906 | ---- | C] () -- C:\Users\CHINA\Documents\secret.jpg
    [2011/11/17 00:01:31 | 000,527,403 | ---- | C] () -- C:\Users\CHINA\Documents\Sophie Kinsella - Shopaholic Abroad 0552999407.pdf
    [2011/11/17 00:00:58 | 000,492,083 | ---- | C] () -- C:\Users\CHINA\Documents\Sophie Kinsella - Secret Dreamworld of a Shopaholic 0552998877.pdf
    [2011/11/16 23:59:08 | 000,032,402 | ---- | C] () -- C:\Users\CHINA\Documents\abroad.jpg
    [2011/11/16 23:55:54 | 000,010,139 | ---- | C] () -- C:\Users\CHINA\Documents\secret world.jpg
    [2011/11/16 23:42:02 | 000,037,438 | ---- | C] () -- C:\Users\CHINA\Documents\shopaholic_and_baby.jpg
    [2011/11/16 23:40:13 | 000,037,483 | ---- | C] () -- C:\Users\CHINA\Documents\shopaholic_sister.jpg
    [2011/11/16 23:39:37 | 000,055,599 | ---- | C] () -- C:\Users\CHINA\Documents\shopaholic takes manhattan.jpg
    [2011/11/16 23:38:01 | 000,062,863 | ---- | C] () -- C:\Users\CHINA\Documents\ties the knot.jpg
    [2011/11/16 23:33:12 | 000,155,949 | ---- | C] () -- C:\Users\CHINA\Documents\Undomestic-Goddess.jpg
    [2011/11/16 23:26:05 | 000,001,018 | ---- | C] () -- C:\Users\CHINA\Desktop\ABC Amber LIT Converter.lnk
    [2011/11/16 23:08:22 | 000,020,655 | ---- | C] () -- C:\Users\CHINA\Documents\shopaholic ties the knot.jpg
    [2011/02/11 21:09:16 | 000,000,056 | ---- | C] () -- C:\Windows\System32\ezsidmv.dat
    [2011/02/10 22:54:22 | 000,003,584 | ---- | C] () -- C:\Users\CHINA\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/01/26 18:27:31 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
    [2011/01/25 20:17:02 | 000,165,376 | ---- | C] () -- C:\Windows\System32\unrar.dll
    [2011/01/25 20:17:02 | 000,000,038 | ---- | C] () -- C:\Windows\avisplitter.ini
    [2011/01/25 20:17:01 | 000,790,528 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
    [2011/01/25 20:17:01 | 000,134,144 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
    [2011/01/25 20:17:01 | 000,108,032 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
    [2011/01/25 20:09:23 | 000,000,268 | ---- | C] () -- C:\Windows\_delis32.ini
    [2009/07/14 08:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
    [2009/07/14 08:33:53 | 000,412,464 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
    [2009/07/14 06:05:48 | 000,615,360 | ---- | C] () -- C:\Windows\System32\perfh009.dat
    [2009/07/14 06:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
    [2009/07/14 06:05:48 | 000,103,702 | ---- | C] () -- C:\Windows\System32\perfc009.dat
    [2009/07/14 06:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
    [2009/07/14 06:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
    [2009/07/14 06:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
    [2009/07/14 04:19:49 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
    [2009/07/14 03:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
    [2009/07/14 03:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
    [2009/07/14 03:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
    [2009/07/14 02:09:19 | 001,498,564 | ---- | C] () -- C:\Windows\System32\igkrng400.bin
    [2009/06/11 01:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

    ========== LOP Check ==========

    [2011/12/08 00:50:18 | 000,000,000 | ---D | M] -- C:\Users\CHINA\AppData\Roaming\calibre
    [2011/12/07 21:44:51 | 000,000,000 | ---D | M] -- C:\Users\CHINA\AppData\Roaming\GetRightToGo
    [2011/09/27 19:44:00 | 000,000,000 | ---D | M] -- C:\Users\CHINA\AppData\Roaming\Gygan
    [2011/06/15 20:09:29 | 000,000,000 | ---D | M] -- C:\Users\CHINA\AppData\Roaming\LimeWireTurbo
    [2011/04/22 16:51:59 | 000,000,000 | ---D | M] -- C:\Users\CHINA\AppData\Roaming\TeamViewer
    [2011/05/29 19:09:58 | 000,032,568 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.exe >


    < MD5 for: EXPLORER.EXE >
    [2009/07/14 05:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=15BC38A7492BEFE831966ADB477CF76F -- C:\Windows\explorer.exe
    [2009/07/14 05:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=15BC38A7492BEFE831966ADB477CF76F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe

    < MD5 for: USERINIT.EXE >
    [2009/07/14 05:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\System32\userinit.exe
    [2009/07/14 05:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe

    < MD5 for: WINLOGON.EXE >
    [2009/07/14 05:14:45 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=8EC6A4AB12B8F3759E21F8E3A388F2CF -- C:\Windows\System32\winlogon.exe
    [2009/07/14 05:14:45 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=8EC6A4AB12B8F3759E21F8E3A388F2CF -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_6f99573a36451166\winlogon.exe

    < %systemroot%\*. /mp /s >

    < End of report >
     
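The log above puts two `System Fix` shortcuts and three short, random-looking files under `C:\ProgramData` (`HSPrahzOqQdUyT`, `~HSPrahzOqQdUyT`, `~HSPrahzOqQdUyTr`) within about a minute of each other on 2011/11/27, which is how a rogue's footprint usually shows up in an OTL listing: not as one file, but as a burst of writes around the visible artifact. The following is an added example for this thread (not code from OTL or from the poster) that parses OTL-style file entries and pulls out everything written within a chosen window of a named artifact. The sample input is constructed from lines copied out of the OTL.txt above; the `looks_random_programdata` heuristic is an assumption of this example, not an OTL rule, and only produces candidates for a human to review.

```python
"""Timeline correlation over OTL file entries.

Added example for this thread, not code from OTL or from the poster. The
sample below is constructed from lines of the OTL.txt posted above; the
'random name' heuristic is an assumption of this example, not an OTL rule."""
import re
from datetime import datetime, timedelta

# One OTL file/folder entry looks like:
#   [YYYY/MM/DD HH:MM:SS | size | attrs | C-or-M] (company) -- path
# Directory entries carry no "(company)" part, so that group is optional.
ENTRY_RE = re.compile(
    r"^\s*\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+?)\s*$"
)

# Constructed sample: lines copied from the posted OTL.txt, plus the section
# headers and the "*.tmp" summary line that a parser has to skip.
SAMPLE_OTL = r"""
========== Files Created - No Company Name ==========

[2011/12/08 00:31:43 | 000,042,093 | ---- | C] () -- C:\Users\CHINA\Desktop\wedding.jpg
[2011/12/07 19:23:00 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/11/27 19:59:14 | 000,000,224 | ---- | C] () -- C:\ProgramData\~HSPrahzOqQdUyTr
[2011/11/27 19:59:13 | 000,000,320 | ---- | C] () -- C:\ProgramData\~HSPrahzOqQdUyT
[2011/11/27 19:59:08 | 000,000,673 | ---- | C] () -- C:\Users\CHINA\Application Data\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk
[2011/11/27 19:59:08 | 000,000,649 | ---- | C] () -- C:\Users\CHINA\Desktop\System Fix.lnk
[2011/11/27 19:57:59 | 000,000,336 | ---- | C] () -- C:\ProgramData\HSPrahzOqQdUyT
[2011/11/22 22:17:48 | 000,000,000 | ---- | C] () -- C:\Windows\System32\cd.dat
[1 C:\Windows\System32\drivers\*.tmp files -> C:\Windows\System32\drivers\*.tmp -> ]

========== Files/Folders - Created Within 30 Days ==========

[2011/11/27 19:59:08 | 000,000,000 | ---D | C] -- C:\Users\CHINA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix
[2011/11/16 00:07:24 | 000,000,000 | ---D | C] -- C:\ProgramData\CodecCheck
[2011/12/03 23:51:31 | 001,566,512 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\CHINA\Desktop\TDSSKiller.exe
"""


def parse_otl_entries(text):
    """Turn OTL file/folder lines into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # section headers, blanks, "[1 ... *.tmp files -> ...]" summaries
        entries.append({
            "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            "size": int(m["size"].replace(",", "")),
            "attrs": m["attrs"],            # e.g. "----", "---D" (directory), "-HS-"
            "kind": m["kind"],              # C = created, M = modified
            "company": (m["company"] or "").strip(),
            "path": m["path"],
        })
    return entries


def files_near(entries, needle, window_seconds=120):
    """Paths written within window_seconds of any entry whose path contains
    `needle` (case-insensitive); the needle entries themselves are excluded."""
    needle = needle.lower()
    anchors = [e["ts"] for e in entries if needle in e["path"].lower()]
    window = timedelta(seconds=window_seconds)
    hits = set()
    for e in entries:
        if needle in e["path"].lower():
            continue
        if any(abs(e["ts"] - a) <= window for a in anchors):
            hits.add(e["path"])
    return sorted(hits)


def looks_random_programdata(entry):
    """Heuristic (an assumption of this example): a plain file directly under
    C:\\ProgramData, no extension, 10+ letters of mixed case, optional '~'.
    Directories (attrs containing 'D') are skipped so installer folders such
    as C:\\ProgramData\\CodecCheck are not flagged."""
    if "D" in entry["attrs"]:
        return False
    m = re.match(r"^C:\\ProgramData\\~?([A-Za-z]{10,})$", entry["path"])
    if not m:
        return False
    name = m.group(1)
    return any(c.islower() for c in name) and any(c.isupper() for c in name)


ENTRIES = parse_otl_entries(SAMPLE_OTL)

if __name__ == "__main__":
    for path in files_near(ENTRIES, "System Fix"):
        print("written within 2 min of the System Fix shortcut:", path)
    for e in ENTRIES:
        if looks_random_programdata(e):
            print("random-looking ProgramData file:", e["path"])
```

Run against the full OTL.txt instead of the sample, the same two functions give the complete set of files created around the 19:59 burst, which is the list to check against the MBAM quarantine and the OTL fix that follows. Widen `window_seconds` if the installer ran for longer than two minutes; narrow it if unrelated user activity (the Sophie Kinsella downloads, for instance) starts to leak in.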
  19. dancingchunli

    dancingchunli TS Rookie Topic Starter Posts: 22

    Extras.txt

    OTL Extras logfile created on: 12/10/2011 9:54:55 PM - Run 1
    OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\CHINA\Downloads
    Professional (Version = 6.1.7600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.7600.16385)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.99 Gb Total Physical Memory | 0.94 Gb Available Physical Memory | 47.19% Memory free
    3.98 Gb Paging File | 2.70 Gb Available in Paging File | 67.71% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 178.83 Gb Total Space | 75.67 Gb Free Space | 42.31% Space Free | Partition Type: NTFS
    Drive D: | 4.06 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

    Computer Name: CHINA-PC | User Name: CHINA | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .exe [@ = exefile] -- Reg Error: Key error. File not found
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
    Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
    Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = Reg Error: Unknown registry data type -- File not found
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 20
    "{3EB47E4E-AEA2-4DCD-BC4C-7191D4E1B3EF}" = VAIO Content Metadata XML Interface Library
    "{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google Earth
    "{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
    "{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
    "{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
    "{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
    "{714DAA5E-803F-44A2-8512-64F26E681030}_is1" = Gygan
    "{75770886-B51A-4FE9-B1D4-14F8E5C63741}" = calibre
    "{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
    "{853A4763-6643-4604-8D64-28BDD8925F4C}" = Apple Application Support
    "{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
    "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
    "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
    "{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
    "{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
    "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
    "{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
    "{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
    "{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
    "{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
    "{A63E7492-A0BC-4BB9-89A7-352965222380}" = VAIO Original Function Setting
    "{AC76BA86-1033-F400-8796-100000000002}" = Adobe Acrobat 7.0 - Tryout Professional - English, Français, Deutsch
    "{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.4
    "{AEBB1D78-EB8C-4F8B-B57E-459958979C3B}" = VAIO Content Metadata XML Interface Library
    "{C1FCDCA1-2759-4E5E-84EE-3A665BB2F513}" = iPhoneBrowser
    "{C2E4B5BD-32DB-4817-A060-341AB17C3F90}" = Bonjour
    "{CACAEB5F-174D-4C7C-AC56-A33289A807CA}" = Apple Mobile Device Support
    "{F59A9E08-A6A4-4ACF-91F2-D0344956C30B}" = iTunes
    "ABC Amber LIT Converter" = ABC Amber LIT Converter
    "Adobe Acrobat 7.0 - Tryout Professional - English, Français, Deutsch" = Adobe Acrobat 7.0 - Tryout Professional - English, Français, Deutsch
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "Adobe Photoshop 7.0" = Adobe Photoshop 7.0
    "Adobe Shockwave Player" = Adobe Shockwave Player 11.5
    "Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
    "Bookworm Adventures Deluxe 1.00" = Bookworm Adventures Deluxe 1.00
    "CCleaner" = CCleaner (remove only)
    "Crossrider" = Crossrider Web Apps
    "DivX Setup.divx.com" = DivX Setup
    "DreamAqua" = Dream Aquarium
    "ENTERPRISE" = Microsoft Office Enterprise 2007
    "ESET Online Scanner" = ESET Online Scanner v3
    "facemoods" = Facemoods Toolbar
    "HaaliMkx" = Haali Media Splitter
    "KLiteCodecPack_is1" = K-Lite Codec Pack 6.6.0 (Full)
    "LimeWireTurbo" = LimeWireTurbo
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
    "Matroska Pack" = Matroska Pack
    "Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
    "NSS" = Norton Security Scan
    "RealAlt_is1" = Real Alternative 2.0.2
    "TeamViewer 6" = TeamViewer 6
    "The KMPlayer" = The KMPlayer (remove only)
    "Winamp" = Winamp
    "WinRAR archiver" = WinRAR archiver
    "Yahoo! Companion" = Yahoo! Toolbar
    "Yahoo! Messenger" = Yahoo! Messenger
    "Yahoo! Software Update" = Yahoo! Software Update

    ========== HKEY_CURRENT_USER Uninstall List ==========

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Google Chrome" = Google Chrome

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 12/3/2011 3:43:47 PM | Computer Name = CHINA-PC | Source = hshld | ID = 10103
    Description =

    Error - 12/3/2011 3:43:48 PM | Computer Name = CHINA-PC | Source = hshld | ID = 10103
    Description =

    Error - 12/3/2011 3:43:48 PM | Computer Name = CHINA-PC | Source = hshld | ID = 10106
    Description =

    Error - 12/5/2011 2:09:21 PM | Computer Name = CHINA-PC | Source = Application Error | ID = 1000
    Description = Faulting application name: DllHost.exe, version: 6.1.7600.16385, time
    stamp: 0x4a5bc6b7 Faulting module name: MSVCR71.dll, version: 7.10.3052.4, time
    stamp: 0x3e561eac Exception code: 0xc0000005 Fault offset: 0x00010440 Faulting process
    id: 0x1c5c Faulting application start time: 0x01ccb378ff553c34 Faulting application
    path: C:\Windows\system32\DllHost.exe Faulting module path: C:\Windows\system32\MSVCR71.dll
    Report
    Id: 40e7ab0a-1f6c-11e1-b4a0-d496efd11a42

    Error - 12/6/2011 10:45:11 AM | Computer Name = CHINA-PC | Source = VSS | ID = 8194
    Description =

    Error - 12/7/2011 11:18:04 AM | Computer Name = CHINA-PC | Source = Application Error | ID = 1000
    Description = Faulting application name: iexplore.exe, version: 0.0.0.0, time stamp:
    0x4e06cfe8 Faulting module name: iexplore.exe, version: 0.0.0.0, time stamp: 0x4e06cfe8
    Exception
    code: 0x40000015 Fault offset: 0x0008d1c0 Faulting process id: 0xe58 Faulting application
    start time: 0x01ccb4f364f2738c Faulting application path: C:\32788R22FWJFW\License\iexplore.exe
    Faulting
    module path: C:\32788R22FWJFW\License\iexplore.exe Report Id: a8509e9e-20e6-11e1-a29e-c4c6699f646b

    Error - 12/7/2011 3:05:26 PM | Computer Name = CHINA-PC | Source = Application Error | ID = 1000
    Description = Faulting application name: WinRAR.exe, version: 4.65.0.0, time stamp:
    0x00000000 Faulting module name: ntdll.dll, version: 6.1.7600.16385, time stamp:
    0x4a5bdadb Exception code: 0xc0000374 Fault offset: 0x000c283b Faulting process id:
    0x15b0 Faulting application start time: 0x01ccb513196b3e52 Faulting application path:
    C:\Program Files\WinRAR\WinRAR.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report
    Id: 6b9b007f-2106-11e1-94a6-e932fbc95f7f

    Error - 12/7/2011 3:06:32 PM | Computer Name = CHINA-PC | Source = Application Error | ID = 1000
    Description = Faulting application name: WinRAR.exe, version: 4.65.0.0, time stamp:
    0x00000000 Faulting module name: ntdll.dll, version: 6.1.7600.16385, time stamp:
    0x4a5bdadb Exception code: 0xc0000374 Fault offset: 0x000c283b Faulting process id:
    0x1b4 Faulting application start time: 0x01ccb513514b0a43 Faulting application path:
    C:\Program Files\WinRAR\WinRAR.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report
    Id: 92f12873-2106-11e1-94a6-e932fbc95f7f

    Error - 12/7/2011 4:34:44 PM | Computer Name = CHINA-PC | Source = Application Error | ID = 1000
    Description = Faulting application name: WinRAR.exe, version: 4.65.0.0, time stamp:
    0x00000000 Faulting module name: ntdll.dll, version: 6.1.7600.16385, time stamp:
    0x4a5bdadb Exception code: 0xc0000374 Fault offset: 0x000c283b Faulting process id:
    0xfac Faulting application start time: 0x01ccb51f95b77568 Faulting application path:
    C:\Program Files\WinRAR\WinRAR.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report
    Id: e521f2b2-2112-11e1-94a6-e932fbc95f7f

    Error - 12/7/2011 4:36:37 PM | Computer Name = CHINA-PC | Source = Application Error | ID = 1000
    Description = Faulting application name: WinRAR.exe, version: 4.65.0.0, time stamp:
    0x00000000 Faulting module name: ntdll.dll, version: 6.1.7600.16385, time stamp:
    0x4a5bdadb Exception code: 0xc0000374 Fault offset: 0x000c283b Faulting process id:
    0xaac Faulting application start time: 0x01ccb51fe5a7bbbd Faulting application path:
    C:\Program Files\WinRAR\WinRAR.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
    Report
    Id: 2892458c-2113-11e1-94a6-e932fbc95f7f

    [ System Events ]
    Error - 12/7/2011 11:39:21 AM | Computer Name = CHINA-PC | Source = EventLog | ID = 6008
    Description = The previous system shutdown at 7:23:32 PM on ?12/?7/?2011 was unexpected.

    Error - 12/7/2011 11:39:47 AM | Computer Name = CHINA-PC | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    is3srv SBRE

    Error - 12/7/2011 1:43:28 PM | Computer Name = CHINA-PC | Source = Service Control Manager | ID = 7034
    Description = The Hotspot Shield Routing Service service terminated unexpectedly.
    It has done this 1 time(s).

    Error - 12/7/2011 1:43:45 PM | Computer Name = CHINA-PC | Source = Service Control Manager | ID = 7034
    Description = The Hotspot Shield Monitoring Service service terminated unexpectedly.
    It has done this 1 time(s).

    Error - 12/7/2011 1:46:48 PM | Computer Name = CHINA-PC | Source = Service Control Manager | ID = 7011
    Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
    response from the szserver service.

    Error - 12/7/2011 4:41:07 PM | Computer Name = CHINA-PC | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    SBRE

    Error - 12/7/2011 7:48:50 PM | Computer Name = CHINA-PC | Source = bowser | ID = 8003
    Description =

    Error - 12/9/2011 1:56:09 PM | Computer Name = CHINA-PC | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    SBRE

    Error - 12/9/2011 9:45:51 PM | Computer Name = CHINA-PC | Source = bowser | ID = 8003
    Description =

    Error - 12/10/2011 10:46:27 AM | Computer Name = CHINA-PC | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    SBRE


    < End of report >
     
  20. dancingchunli

    dancingchunli TS Rookie Topic Starter Posts: 22

    ..That completes the log...
     
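The Application Error (ID 1000) entries in the log above can be triaged mechanically rather than read one by one. The script below is an added example written for this thread; it is not part of the original posts and not OTL's or any other tool's code. It parses constructed lines shaped like the entries posted above (with each Description joined onto a single line), names the exception codes it recognises, flags any faulting application that ran from outside the Program Files or Windows directories, and counts repeated crashes of the same program with the same code. The trusted-directory list is an assumption; adjust it to the machine being examined.

```python
import re
from collections import Counter

# Constructed sample in the shape of the OTL extras entries quoted above.
# Each Description is joined onto one line; one unrelated System event is
# included to show that it is filtered out.
SAMPLE_LOG = r"""
Error - 12/7/2011 1:45:02 PM | Computer Name = CHINA-PC | Source = Application Error | ID = 1000
Description = Faulting application name: iexplore.exe, version: 0.0.0.0, time stamp: 0x4e06cfe8 Faulting module name: iexplore.exe, version: 0.0.0.0, time stamp: 0x4e06cfe8 Exception code: 0x40000015 Fault offset: 0x0008d1c0 Faulting process id: 0xe58 Faulting application start time: 0x01ccb4f364f2738c Faulting application path: C:\32788R22FWJFW\License\iexplore.exe Faulting module path: C:\32788R22FWJFW\License\iexplore.exe Report Id: a8509e9e-20e6-11e1-a29e-c4c6699f646b

Error - 12/7/2011 3:05:26 PM | Computer Name = CHINA-PC | Source = Application Error | ID = 1000
Description = Faulting application name: WinRAR.exe, version: 4.65.0.0, time stamp: 0x00000000 Faulting module name: ntdll.dll, version: 6.1.7600.16385, time stamp: 0x4a5bdadb Exception code: 0xc0000374 Fault offset: 0x000c283b Faulting process id: 0x15b0 Faulting application start time: 0x01ccb513196b3e52 Faulting application path: C:\Program Files\WinRAR\WinRAR.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll Report Id: 6b9b007f-2106-11e1-94a6-e932fbc95f7f

Error - 12/7/2011 3:06:32 PM | Computer Name = CHINA-PC | Source = Application Error | ID = 1000
Description = Faulting application name: WinRAR.exe, version: 4.65.0.0, time stamp: 0x00000000 Faulting module name: ntdll.dll, version: 6.1.7600.16385, time stamp: 0x4a5bdadb Exception code: 0xc0000374 Fault offset: 0x000c283b Faulting process id: 0x1b4 Faulting application start time: 0x01ccb513514b0a43 Faulting application path: C:\Program Files\WinRAR\WinRAR.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll Report Id: 92f12873-2106-11e1-94a6-e932fbc95f7f

Error - 12/7/2011 4:41:07 PM | Computer Name = CHINA-PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load: SBRE
"""

HEADER_RE = re.compile(
    r"^Error - (?P<ts>.+?) \| Computer Name = (?P<host>.+?) \| "
    r"Source = (?P<source>.+?) \| ID = (?P<event_id>\d+)\s*$"
)
DESC_RE = re.compile(
    r"Faulting application name: (?P<app>[^,]+), .*?"
    r"Faulting module name: (?P<module>[^,]+), .*?"
    r"Exception code: (?P<code>0x[0-9a-fA-F]+) .*?"
    r"Faulting application path: (?P<app_path>.+?) "
    r"Faulting module path: (?P<module_path>.+?) "
    r"Report Id: (?P<report_id>\S+)"
)

# NTSTATUS values commonly seen in ID 1000 events.
KNOWN_CODES = {
    "0xc0000374": "STATUS_HEAP_CORRUPTION",
    "0xc0000005": "STATUS_ACCESS_VIOLATION",
    "0x40000015": "STATUS_FATAL_APP_EXIT",
}

# Assumed allow-list: programs are normally installed under these roots.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def parse_app_errors(text):
    """Return one dict per Application Error / ID 1000 entry with its fields split out."""
    events, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            is_app_error = h["source"] == "Application Error" and h["event_id"] == "1000"
            pending = h.groupdict() if is_app_error else None
            continue
        if pending and line.startswith("Description = "):
            d = DESC_RE.search(line)
            if d:
                events.append({**pending, **d.groupdict()})
            pending = None
    return events


def triage_app_errors(events):
    """Flag faulting programs outside trusted roots and repeated (program, code) crashes."""
    unusual, counts = [], Counter()
    for e in events:
        if not e["app_path"].lower().startswith(TRUSTED_PREFIXES):
            unusual.append(e["app_path"])
        code = e["code"].lower()
        counts[(e["app"], code, KNOWN_CODES.get(code, "unknown"))] += 1
    return {
        "unusual_paths": unusual,
        "repeat_crashes": {k: n for k, n in counts.items() if n >= 2},
    }


if __name__ == "__main__":
    report = triage_app_errors(parse_app_errors(SAMPLE_LOG))
    for p in report["unusual_paths"]:
        print("review: faulting application outside trusted roots:", p)
    for (app, code, name), n in report["repeat_crashes"].items():
        print(f"repeat: {app} crashed {n}x with {code} ({name})")
```

A path outside the trusted roots is only a prompt for review, not a verdict: the report lists it so that the helper can decide what the directory is, and the repeated heap-corruption crashes of one program are grouped so they are counted once rather than read as four separate problems.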
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Considering what I've had you run so far, the system is full of malware, particularly entries for System Fix. I'm going to get some of it out, then I'll direct what to do after:

    1. For Eset: Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
       
      :Files 
      C:\Program Files\GridinSoft Trojan Killer\trojankiller.exe 
      C:\Program Files\Loaris\Trojan Remover 1.2\ltr12.exe 
      C:\Users\CHINA\Downloads\Unlocker1.9.1.exe
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =======================================
    2. For HijackThis: Please reopen HJT to do system scan only. Check each of the following, if found:
    R3 - URLSearchHook: (no name) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - (no file)
    O2 - BHO: facemoods Helper - {64182481-4F71-486b-A045-B233BD0DA8FC} - C:\Program Files\facemoods.com\facemoods\1.4.17.11\bh\facemoods.dll
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (file missing)
    O3 - Toolbar: PandoraTV Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (file missing)
    O3 - Toolbar: facemoods Toolbar - {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - C:\Program Files\facemoods.com\facemoods\1.4.17.11\facemoodsTlbr.dll
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [facemoods] "C:\Program Files\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe" /md I
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe" /MINIMIZED


    Close all Windows except HJT and click on Fix Checked.
    =========================================
    Please go ahead and run these. I'll be back in the morning with the OTL fix. There were so many entries to remove I had to set up another fix- I'm going to try and get all the System Fix entries off the system, then I'll have you run Combofix. It is on your system and has set up the Qoobox which is the Quarantine folder.

    I am just beat and am going to close down early tonight.
     
  22. dancingchunli

    dancingchunli TS Rookie Topic Starter Posts: 22

    OTM log

    Thank you so much again for your support and help on this..I really appreciate your assistance..

    Here is the OTM log..


    All processes killed
    ========== FILES ==========
    C:\Program Files\GridinSoft Trojan Killer\trojankiller.exe moved successfully.
    C:\Program Files\Loaris\Trojan Remover 1.2\ltr12.exe moved successfully.
    C:\Users\CHINA\Downloads\Unlocker1.9.1.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: CHINA
    ->Temp folder emptied: 22832067 bytes
    ->Temporary Internet Files folder emptied: 47358481 bytes
    ->Java cache emptied: 13746 bytes
    ->FireFox cache emptied: 60774979 bytes
    ->Google Chrome cache emptied: 352585524 bytes
    ->Flash cache emptied: 32618 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 56502 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Guest
    ->Temp folder emptied: 369188 bytes
    ->Temporary Internet Files folder emptied: 8573500 bytes
    ->Flash cache emptied: 56958 bytes

    User: Public

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 37376 bytes
    Windows Temp folder emptied: 693913 bytes
    RecycleBin emptied: 995091 bytes

    Total Files Cleaned = 471.00 mb


    OTM by OldTimer - Version 3.1.19.0 log created on 12142011_185327
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Are you by any chance using an ISP in the Arab Emirates? This is a global board, so I have to ask.
    IP 213.42.20.20 > country: AE
    IP 195.229.241.222> AE
    IP 168.254.254 > unknown
    DhcpNameServer = 213.42.20.20 195.229.241.222
    -------------------------------------------
    If the answer is NO, please do the following:
    You will need to do a DNS Flush, then reset your router.
    Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

    Exit the Command prompt when finished and shut the system down.

    • [1]. Shut down your computer, and any other computer connected to your router.
      [2]. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
      [3]. Unplug the router. Wait sixty seconds.
      [4]. Now holding again the reset button, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
      [5]. With the router unplugged, start your computer.
      [6]. Connect to the router again. Then turn the router back on.
      [7]. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
      [8]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.
    =======================================
    Please see the end of my Reply #9 for these instructions:
    Download CKScanner and save to your desktop.
    ======================================
    OTL Custom Scan Fixes
    • Run OTL
    • Copy the contents of the Code box and paste in the Custom Scans/Fixes box at the bottom:
      Code:
      :OTL
      IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSour...ctid=CT1561552
      IE - HKCU\..\URLSearchHook: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - No CLSID value found
      IE - HKCU\..\URLSearchHook: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - No CLSID value found
      FF - prefs.js..extensions.enabledItems: toolbar@ask.com:3.9.1.14019
      FF - prefs.js..extensions.enabledItems: ffxtlbr@Facemoods.com:1.4.1
      O3 - HKLM\..\Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
      O3 - HKLM\..\Toolbar: (no name) - {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - No CLSID value found.
      O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
      O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
      O33 - MountPoints2\{7fd9d173-2f85-11e0-9e54-001a8040a472}\Shell - "" = AutoRun
      O33 - MountPoints2\{7fd9d173-2f85-11e0-9e54-001a8040a472}\Shell\AutoRun\command - "" = "E:\WD SmartWare.exe" autoplay=true
      O33 - MountPoints2\{f3197f3d-8621-11e0-ae3d-e0d8d184ce50}\Shell - "" = AutoRun
      O33 - MountPoints2\{f3197f3d-8621-11e0-ae3d-e0d8d184ce50}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
      O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found
      [2011/11/29 18:34:15 | 000,000,000 | ---D | C] -- C:\Program Files\Loaris
      [2011/11/27 22:18:49 | 000,000,000 | ---D | C] -- C:\Windows\Sun
      [2011/11/27 20:48:47 | 000,000,000 | ---D | C] -- C:\Program Files\GridinSoft Trojan Killer
      [2011/11/27 19:59:08 | 000,000,000 | ---D | C] -- C:\Users\CHINA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix
      [2011/11/26 23:44:43 | 000,000,000 | ---D | C] -- C:\microsoft
      [2011/11/26 19:30:24 | 000,000,000 | ---D | C] -- C:\temp
      [2011/11/15 22:00:22 | 000,000,000 | ---D | C] -- C:\Program Files\Unlocker
      [2011/11/29 21:43:31 | 000,302,592 | ---- | M] () -- C:\Users\CHINA\Desktop\rwr6icjr.exe
      [2011/11/27 19:59:14 | 000,000,320 | ---- | M] () -- C:\ProgramData\~HSPrahzOqQdUyT
      [2011/11/27 19:59:14 | 000,000,224 | ---- | M] () -- C:\ProgramData\~HSPrahzOqQdUyTr
      [2011/11/27 19:59:08 | 000,000,673 | ---- | M] () -- C:\Users\CHINA\Application Data\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk
      [2011/11/27 19:59:08 | 000,000,649 | ---- | M] () -- C:\Users\CHINA\Desktop\System Fix.lnk
      [2011/11/27 19:57:59 | 000,000,336 | ---- | M] () -- C:\ProgramData\HSPrahzOqQdUyT
      [2011/11/16 19:10:23 | 000,003,584 | ---- | M] () -- C:\Users\CHINA\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
      [2011/11/12 22:43:00 | 000,000,436 | ---- | M] () -- C:\Windows\tasks\Norton Security Scan for CHINA.job
      [2011/12/04 21:02:48 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
      [2011/11/27 19:59:14 | 000,000,224 | ---- | C] () -- C:\ProgramData\~HSPrahzOqQdUyTr
      [2011/11/27 19:59:13 | 000,000,320 | ---- | C] () -- C:\ProgramData\~HSPrahzOqQdUyT
      [2011/11/27 19:59:08 | 000,000,673 | ---- | C] () -- C:\Users\CHINA\Application Data\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk
      [2011/11/27 19:59:08 | 000,000,649 | ---- | C] () -- C:\Users\CHINA\Desktop\System Fix.lnk
      [2011/11/27 19:57:59 | 000,000,336 | ---- | C] () -- C:\ProgramData\HSPrahzOqQdUyT
      [2011/06/15 20:09:29 | 000,000,000 | ---D | M] -- C:\Users\CHINA\AppData\Roaming\LimeWireTurbo
      
      :Reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
      helpfile [open] -- Reg Error: Key error.
      regfile [merge] -- Reg Error: Key error.
      txtfile [edit] -- Reg Error: Key error.
      Folder [explore] -- Reg Error: Value error.
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
      "VistaSp1" = Reg Error: Unknown registry data type -- File not found
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
      "LimeWireTurbo" = LimeWireTurbo
      "NSS" = Norton Security Scan
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run uninterrupted, reboot the PC when it is done
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
    =============================================
    When you have completed the instructions in the previous reply and this current reply, please reboot the computer. Make an attempt to scan with Combofix again> give it time to complete- the more files on a system, the longer it takes. If it won't run, please tell me exactly what happens when you try>
    If you get an expired notice when you attempt to use Combofix, uninstall the program you now have

    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

      Then go back to the instructions in Reply #8, download again, run the scan.
     
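The resolver check at the top of the reply above (reading the DhcpNameServer addresses out of the log and asking whether they belong to the user's own ISP) can be scripted so the same question is answered consistently on any log. The following Python script is an added example for this thread, not code from the original posts or from OTL. It pulls resolver addresses out of constructed `NameServer =` / `DhcpNameServer =` lines, treats private (router) addresses and addresses inside an expected-ISP allow-list as normal, reports everything else for follow-up, and sets aside anything that is not a valid address (the three-octet `168.254.254` entry seen above is the example of that). The allow-list networks are an assumption chosen to contain the two addresses on the page; the user's real ISP ranges are what belongs there.

```python
import ipaddress
import re

# Constructed lines in the shape of the OTL network section quoted above.
# The third line is a deliberately malformed three-octet entry.
SAMPLE_OTL_LINES = [
    "DhcpNameServer = 213.42.20.20 195.229.241.222",
    "NameServer = 213.42.20.20",
    "NameServer = 168.254.254",
]

NAMESERVER_RE = re.compile(r"^\s*(?:Dhcp)?NameServer\s*=\s*(?P<addrs>.+?)\s*$")


def extract_resolvers(lines):
    """Collect resolver addresses from NameServer-style lines, de-duplicated, in order seen."""
    seen = []
    for line in lines:
        m = NAMESERVER_RE.match(line)
        if not m:
            continue
        for token in m.group("addrs").split():
            if token not in seen:
                seen.append(token)
    return seen


def classify_resolvers(resolvers, expected_networks):
    """Sort resolvers into expected / unexpected / invalid.

    expected_networks: CIDR strings for the ISP resolvers the user has confirmed.
    Private addresses (a home router acting as forwarder) are always accepted;
    anything else outside the allow-list is reported for follow-up.
    """
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    result = {"expected": [], "unexpected": [], "invalid": []}
    for r in resolvers:
        try:
            ip = ipaddress.ip_address(r)
        except ValueError:
            # Not a parseable address (e.g. a truncated entry); never silently ignore it.
            result["invalid"].append(r)
            continue
        if ip.is_private or any(ip in n for n in nets):
            result["expected"].append(r)
        else:
            result["unexpected"].append(r)
    return result


if __name__ == "__main__":
    # Assumed allow-list containing the two addresses quoted in the thread.
    ISP_NETWORKS = ["213.42.20.0/24", "195.229.241.0/24"]
    found = extract_resolvers(SAMPLE_OTL_LINES)
    verdict = classify_resolvers(found, ISP_NETWORKS)
    for r in verdict["unexpected"]:
        print("follow up: resolver not in expected ISP ranges:", r)
    for r in verdict["invalid"]:
        print("follow up: unparseable resolver entry:", r)
    print("expected:", verdict["expected"])
```

With an empty allow-list the script reproduces the "answer is NO" branch of the reply: every public resolver comes back as unexpected and the flush-and-reset steps apply; with the user's confirmed ISP ranges supplied, the same addresses are accepted and only the malformed entry remains to explain.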
  24. dancingchunli

    dancingchunli TS Rookie Topic Starter Posts: 22

    Yes I am currently using an ISP in the Arab Emirates..
     
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, thanks. Then skip the part for the DNS flush and resetting the router and go on with the rest.
     
