click.giftload and bluescreens

randman111

New member
Hi. Like many others, my computer has been infected with click.giftload and the "microsoft.windowssecuritycenter_disabled" problem. I found both after running SSD, but whenever I try to reboot, I always encounter a bluescreen (either IRQL or Internal Power Supply BSOD). The only time I didn't encounter a bluescreen was when I tried to do a system restore, but of course I got a message saying that system restore failed. Unfortunately, neither the giftload nor the windowssecuritycenter_disabled problem has been fixed, and both are still being found by SSD.

THANK YOU IN ADVANCE FOR ALL YOUR HELP! I notice a lot of other people having similar problems so I'm glad you guys are here.

Here is my dds:

DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 21:35:32.58 on Tue 04/26/2011
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_23
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3326.2258 [GMT -4:00]
.
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Analog Devices\SoundMAX\SoundTray.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Razer\Reclusa\razerhid.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Razer\Reclusa\razertra.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Users\Owner\Desktop\dds.scr
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.5.0.125\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.5.0.125\ips\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.5.0.125\coIEPlg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [SoundTray] c:\program files\analog devices\soundmax\SoundTray.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Reclusa] c:\program files\razer\reclusa\razerhid.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"
mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: mysoros.com\www
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {8A922AEB-17B1-46BA-A1D3-07A38C9F344A} = 8.8.8.8,8.8.4.4
TCP: {E2A39950-BE22-4D80-B17B-2487235659E2} = 8.8.8.8,8.8.4.4
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\13mzop8p.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\owner\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1205000.07d\symds.sys [2010-12-9 340016]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1205000.07d\symefa.sys [2010-12-9 652336]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20110419.001\BHDrvx86.sys [2011-4-19 802936]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20110425.001\IDSvix86.sys [2011-4-25 353912]
R1 NEOFLTR_650_14951;Juniper Networks TDI Filter Driver (NEOFLTR_650_14951);c:\windows\system32\drivers\NEOFLTR_650_14951.SYS [2010-6-30 85288]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1205000.07d\ironx86.sys [2010-12-9 136312]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1205000.07d\symtdiv.sys [2010-12-9 330360]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.5.0.125\ccsvchst.exe [2010-12-9 130000]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-2-22 102448]
R3 RecFltr;Reclusa Keyboard;c:\windows\system32\drivers\RecFltr.sys [2008-7-25 41984]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2007-11-21 569344]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-1-20 16896]
.
=============== Created Last 30 ================
.
2011-04-27 00:05:46 -------- d-sh--w- C:\$RECYCLE.BIN
2011-04-26 23:52:38 -------- d-----w- c:\users\owner\appdata\local\temp
2011-04-26 23:42:50 -------- d-----w- C:\ComboFix
2011-04-22 01:39:52 98816 ----a-w- c:\windows\sed.exe
2011-04-22 01:39:52 89088 ----a-w- c:\windows\MBR.exe
2011-04-22 01:39:52 256512 ----a-w- c:\windows\PEV.exe
2011-04-22 01:39:52 161792 ----a-w- c:\windows\SWREG.exe
2011-04-20 00:06:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-20 00:05:12 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-20 00:05:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-19 02:53:50 123392 --sha-r- c:\windows\system32\cryptuiw.dll
2011-04-15 20:02:43 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-04-15 19:52:18 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{5eaed8d6-91fa-4019-9529-a682830eb8bc}\mpengine.dll
2011-04-14 07:39:02 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-04-14 07:39:02 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2011-03-30 11:00:41 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
.
==================== Find3M ====================
.
2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42:03 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 13:25:11 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 14:13:01 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33:12 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33:09 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-02-18 21:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-16 16:16:37 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-16 14:02:23 292864 ----a-w- c:\windows\system32\atmfd.dll
2011-02-12 08:39:53 191488 ----a-w- c:\windows\system32\FXSCOVER.exe
2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 21:38:32.02 ===============
 
combofix log

I think I just found it. Thanks again.



ComboFix 11-04-25.01 - Owner 04/26/2011 19:45:56.2.4 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.3326.1897 [GMT -4:00]
Running from: C:\Users\Owner\Desktop\ComboFix.exe
Command switches used :: /u
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


c:\windows\system32\drivers\ytukbxys.sys
C:\Windows\TEMP\logishrd\LVPrcInj01.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_wcdlb


((((((((((((((((((((((((( Files Created from 2011-03-27 to 2011-04-27 )))))))))))))))))))))))))))))))


2011-04-26 23:52:38 . 2011-04-27 00:02:36 -------- d-----w- C:\Users\Owner\AppData\Local\temp
2011-04-26 23:52:38 . 2011-04-26 23:52:38 -------- d-----w- C:\Users\Randy\AppData\Local\temp
2011-04-20 00:06:00 . 2010-12-20 22:09:00 38224 ----a-w- C:\Windows\system32\drivers\mbamswissarmy.sys
2011-04-20 00:05:12 . 2011-04-20 00:06:35 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2011-04-20 00:05:12 . 2010-12-20 22:08:40 20952 ----a-w- C:\Windows\system32\drivers\mbam.sys
2011-04-19 17:32:24 . 2011-04-19 17:32:24 -------- d-----w- C:\Users\Owner\AppData\Roaming\HPAppData
2011-04-19 11:38:03 . 2011-04-19 11:38:03 -------- d-----w- C:\Users\Default\AppData\Roaming\Apple Computer
2011-04-19 11:38:03 . 2011-04-19 11:38:03 -------- d-----w- C:\Users\Default\AppData\Local\Apple Computer
2011-04-19 02:53:50 . 2011-04-19 02:53:53 123392 --sha-r- C:\Windows\system32\cryptuiw.dll
2011-04-15 20:02:43 . 2011-03-02 15:44:27 86528 ----a-w- C:\Windows\system32\dnsrslvr.dll
2011-04-15 19:52:18 . 2011-03-15 04:05:43 6792528 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5EAED8D6-91FA-4019-9529-A682830EB8BC}\mpengine.dll
2011-04-14 07:39:02 . 2011-04-14 07:39:02 103864 ----a-w- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
2011-04-14 07:39:02 . 2011-04-14 07:39:02 103864 ----a-w- C:\Program Files\Internet Explorer\Plugins\nppdf32.dll
2011-03-30 11:00:41 . 2009-08-20 04:50:31 22872 ----a-r- C:\Windows\system32\AdobePDFUI.dll
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-04-09 19:34:47 . 2010-06-24 15:33:56 18328 ----a-w- C:\ProgramData\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-02-22 14:13:01 . 2011-03-23 00:27:07 288768 ----a-w- C:\Windows\system32\XpsGdiConverter.dll
2011-02-22 13:33:12 . 2011-03-23 00:27:07 1068544 ----a-w- C:\Windows\system32\DWrite.dll
2011-02-22 13:33:09 . 2011-03-23 00:27:07 797696 ----a-w- C:\Windows\system32\FntCache.dll
2011-02-18 21:36:58 . 2011-02-18 21:36:58 41984 ----a-w- C:\Windows\system32\drivers\usbaapl.sys
2011-02-18 21:36:58 . 2011-02-18 21:36:58 4184352 ----a-w- C:\Windows\system32\usbaaplrc.dll
2011-02-02 22:11:20 . 2010-01-04 17:21:27 222080 ------w- C:\Windows\system32\MpSigStub.exe
2008-09-03 22:45:54 . 2008-09-03 22:45:54 8192 ----a-w- C:\Program Files\mozilla firefox\plugins\cgpcfg.dll
2008-09-03 22:44:36 . 2008-09-03 22:44:36 81920 ----a-w- C:\Program Files\mozilla firefox\plugins\CgpCore.dll
2008-09-03 22:44:58 . 2008-09-03 22:44:58 86016 ----a-w- C:\Program Files\mozilla firefox\plugins\confmgr.dll
2008-09-03 22:44:48 . 2008-09-03 22:44:48 16384 ----a-w- C:\Program Files\mozilla firefox\plugins\ctxlogging.dll
2008-09-03 22:43:36 . 2008-09-03 22:43:36 200704 ----a-w- C:\Program Files\mozilla firefox\plugins\ctxmui.dll
2008-09-03 22:44:48 . 2008-09-03 22:44:48 26112 ----a-w- C:\Program Files\mozilla firefox\plugins\icafile.dll
2008-09-03 22:45:42 . 2008-09-03 22:45:42 34816 ----a-w- C:\Program Files\mozilla firefox\plugins\icalogon.dll
2008-02-07 23:19:26 . 2008-02-07 23:19:26 479232 ----a-w- C:\Program Files\mozilla firefox\plugins\msvcm80.dll
2008-02-07 23:19:26 . 2008-02-07 23:19:26 548864 ----a-w- C:\Program Files\mozilla firefox\plugins\msvcp80.dll
2008-02-07 23:19:28 . 2008-02-07 23:19:28 626688 ----a-w- C:\Program Files\mozilla firefox\plugins\msvcr80.dll
2008-06-12 17:49:34 . 2008-06-12 17:49:34 981170 ----a-w- C:\Program Files\mozilla firefox\plugins\sslsdk_b.dll
2008-09-03 22:44:38 . 2008-09-03 22:44:38 18944 ----a-w- C:\Program Files\mozilla firefox\plugins\TcpPServ.dll
2011-03-18 17:53:24 . 2011-03-23 00:05:59 142296 ----a-w- C:\Program Files\mozilla firefox\components\browsercomps.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 00:03:40 152872]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-21 02:23:22 125952]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2009-04-11 06:28:03 1233920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"="C:\Program Files\Analog Devices\SoundMAX\SoundTray.exe" [2007-05-21 19:53:42 49152]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 20:57:24 153136]
"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 13:47:24 1629480]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-06-25 13:47:02 1057064]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 01:24:46 32768]
"Reclusa"="C:\Program Files\Razer\Reclusa\razerhid.exe" [2007-03-07 22:49:28 167936]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 19:01:21 1037736]
"RemoteControl8"="C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-21 00:23:22 83240]
"PDVD8LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 15:36:42 50472]
"Adobe Acrobat Speed Launcher"="C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-01-31 05:36:36 38840]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 22:11:26 640440]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-06-06 06:35:18 1261568]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 17:08:54 49208]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 18:37:40 932288]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 17:36:56 2793304]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 04:28:52 47904]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 08:44:43 35760]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2010-11-29 22:38:18 421888]
"Microsoft Default Manager"="C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 22:43:04 288088]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2011-03-07 20:33:40 421160]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\Windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-164121268-3062729603-3089187675-1000]
"EnableNotificationsRef"=dword:00000001

R0 Lbd;Lbd;C:\Windows\system32\DRIVERS\Lbd.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 17:16:28 130384]
R3 BBSvc;Bing Bar Update Service;C:\Program Files\Microsoft\BingBar\BBSvc.EXE [2011-02-28 22:44:14 183560]
R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;C:\Windows\system32\DRIVERS\netr28u.sys [2007-11-21 08:35:06 569344]
R3 SYMNDISV;Symantec Network Filter Driver;C:\Windows\System32\Drivers\NIS\1008000.029\SYMNDISV.SYS [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 17:16:28 753504]
R3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 02:21:30 16896]
S0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NIS\1205000.07D\SYMDS.SYS [2010-10-21 02:28:36 340016]
S0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NIS\1205000.07D\SYMEFA.SYS [2010-11-18 02:59:55 652336]
S1 BHDrvx86;BHDrvx86;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20110419.001\BHDrvx86.sys [2011-04-15 20:29:05 802936]
S1 IDSVix86;IDSVix86;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20110425.001\IDSvix86.sys [2011-03-14 18:58:33 353912]
S1 NEOFLTR_650_14951;Juniper Networks TDI Filter Driver (NEOFLTR_650_14951);C:\Windows\system32\Drivers\NEOFLTR_650_14951.SYS [2009-12-09 13:28:04 85288]
S1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\NIS\1205000.07D\Ironx86.SYS [2010-11-16 01:45:33 136312]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;C:\Windows\System32\Drivers\NIS\1205000.07D\SYMTDIV.SYS [2010-12-01 05:23:59 330360]
S2 NIS;Norton Internet Security;C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe [2010-11-24 02:21:18 130000]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-11-20 06:00:00 102448]
S3 RecFltr;Reclusa Keyboard;C:\Windows\system32\Drivers\RecFltr.sys [2007-01-18 14:21:38 41984]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc


------- Supplementary Scan -------

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: mysoros.com\www
TCP: {8A922AEB-17B1-46BA-A1D3-07A38C9F344A} = 8.8.8.8,8.8.4.4
TCP: {E2A39950-BE22-4D80-B17B-2487235659E2} = 8.8.8.8,8.8.4.4
FF - ProfilePath - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\13mzop8p.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
 
Thanks for the info. We will use ComboFix again to remove a file.

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:

Code:
File::
C:\Windows\system32\cryptuiw.dll

Name the Notepad file CFScript.txt and Save it to your desktop.
Now locate the file you just saved and the combofix icon, both on your desktop.
Using your mouse, drag the CFScript right on top of the ComboFix icon and release. ComboFix will run and produce a new log. Post the new log.

Is an updated Malwarebytes coming up clean after a scan?
Please post the new ComboFix log.
 
Hi Shelflife--

Thank you very much for your time. . .it's greatly appreciated.

So I did as you instructed in terms of creating and dragging the .txt file over CF, and it ran. However, I am getting an IRQL-related blue screen whenever CF attempts to run.

I ran TDSSKiller and it reported zero problems. I also ran Malwarebytes, but it found no problems other than deleting two AV programs (the log is below). I also ran SB and it continued to find the click.giftload infection.

Any suggestions on how to fix the BSOD so we can get CF working?

Thanks again.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6417

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

5/6/2011 5:28:40 PM
mbam-log-2011-05-06 (17-28-40).txt

Scan type: Quick scan
Objects scanned: 174389
Time elapsed: 4 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Owner\Desktop\uSeRiNiT.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
c:\Users\Owner\Desktop\WiNlOgOn.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
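Two of the indicators the thread turns on are the recently created, system+hidden cryptuiw.dll in system32 that the helper targets with the CFScript, and the mixed-case userinit/winlogon lookalikes on the Desktop that Malwarebytes quarantined above. The following added example (not from this thread or any tool it mentions) shows how a triager could pull both patterns out of DDS-style "Created Last 30" lines; the sample lines are constructed in that format, and the attribute column layout (index 0 directory, 2 system, 3 hidden) is inferred from the entries on this page.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample lines in the DDS "Created Last 30" format, modelled on the
# log above. The cryptuiw.dll entry is the file the helper's CFScript targets;
# the uSeRiNiT.exe line is a made-up entry for a file MBAM later reported.
SAMPLE_LINES = """\
2011-04-27 00:05:46 -------- d-sh--w- C:\\$RECYCLE.BIN
2011-04-20 00:06:00 38224 ----a-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2011-04-20 00:05:12 -------- d-----w- c:\\program files\\Malwarebytes' Anti-Malware
2011-04-19 02:53:50 123392 --sha-r- c:\\windows\\system32\\cryptuiw.dll
2011-04-15 20:02:43 86528 ----a-w- c:\\windows\\system32\\dnsrslvr.dll
2011-04-18 21:10:03 55296 ----a-w- c:\\users\\owner\\desktop\\uSeRiNiT.exe
"""

# One DDS entry: date, time, size (or eight dashes for a directory), an 8-char
# attribute string, then the path. Attribute positions are inferred from the
# entries on this page: index 0 'd' = directory, 2 's' = system, 3 'h' = hidden.
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+|-{8}) ([a-z-]{8}) (.+)$"
)

# Core Windows binary names that have no business living outside the Windows
# directory tree (MBAM flagged Desktop copies of two of them in the log above).
RESERVED_NAMES = {"userinit.exe", "winlogon.exe", "lsass.exe", "csrss.exe",
                  "services.exe", "smss.exe", "explorer.exe", "svchost.exe"}


def parse_entry(line):
    """Return a dict for one DDS entry, or None if the line is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    date, time, size, attrs, path = m.groups()
    return {
        "date": date, "time": time,
        "size": None if size.startswith("-") else int(size),
        "is_dir": attrs[0] == "d",
        "system": attrs[2] == "s",
        "hidden": attrs[3] == "h",
        "path": path,
    }


def suspicious_reasons(entry):
    """Heuristics a triager applies to one entry; returns a list of reasons."""
    reasons = []
    p = PureWindowsPath(entry["path"])
    parts = [s.lower() for s in p.parts]          # parts[0] is the drive, e.g. 'c:\\'
    under_windows = len(parts) > 1 and parts[1] == "windows"
    # A freshly created *file* (not a folder such as $RECYCLE.BIN) under
    # c:\windows carrying both the system and hidden attributes is the
    # pattern that singled out cryptuiw.dll above.
    if not entry["is_dir"] and entry["system"] and entry["hidden"] and under_windows:
        reasons.append("new system+hidden file under Windows directory")
    # Lower-cased compare catches mixed-case lookalikes such as uSeRiNiT.exe.
    if p.name.lower() in RESERVED_NAMES and not under_windows:
        reasons.append("reserved Windows binary name outside Windows directory")
    return reasons


def triage(log_text):
    """Map each flagged path to its list of reasons, in log order."""
    findings = {}
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            findings[entry["path"]] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LINES).items():
        print(f"{path}: {'; '.join(reasons)}")
```

Both heuristics are only triage hints: a flagged entry still has to be checked against the vendor's file details and, as the helper does here, confirmed with a second tool before anything is removed.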
 
Try using the ComboFix CFScript.txt while you are in safe mode. To reach safe mode you would tap the F8 key during a computer reboot and choose the first option on the list: Safe Mode. Log into your usual account. Once at the safe mode desktop, try using ComboFix.
Are these BSODs all recent happenings?

Download aswMBR.exe to your desktop. You may have to right click and "run as admin."

Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
On completion of the scan click save log, save it to your desktop and post in your next reply.
 
The BSODs started after I caught the click.giftload virus. I tried to run CF under safe mode but was still getting a BSOD as CF was attempting to load.

I ran aswMBR.exe as you suggested. Here is the log:

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-05-09 07:03:51
-----------------------------
07:03:51.637 OS Version: Windows 6.0.6002 Service Pack 2
07:03:51.637 Number of processors: 4 586 0x1707
07:03:51.637 ComputerName: RANDY-MAIN UserName: Owner
07:03:52.667 Initialize success
07:03:58.782 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
07:03:58.782 Disk 0 Vendor: ST31000340NS SN05 Size: 953869MB BusType: 3
07:03:58.798 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T1L0-9
07:03:58.798 Disk 1 Vendor: ST31000340NS SN04 Size: 953869MB BusType: 3
07:03:58.798 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP5T0L0-6
07:03:58.798 Disk 2 Vendor: WDC_WD1002FBYS-02A6B0 03.00C06 Size: 953869MB BusType: 3
07:03:58.798 Disk 0 MBR read error
07:03:58.798 Disk 0 MBR scan
07:03:58.798 MBR BIOS signature not found 0
07:03:58.798 Disk 0 scanning sectors +1953521664
07:03:58.813 Disk 0 scanning C:\Windows\system32\drivers
07:04:02.479 Service scanning
07:04:03.447 Disk 0 trace - called modules:
07:04:03.447 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85e4f4f0]<<
07:04:03.447 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85e18270]
07:04:03.447 3 CLASSPNP.SYS[8b5cf8b3] -> nt!IofCallDriver -> [0x85ba4918]
07:04:03.447 5 acpi.sys[828996bc] -> nt!IofCallDriver -> [0x85155b98]
07:04:03.462 \Driver\atapi[0x85e34d68] -> IRP_MJ_CREATE -> 0x85e4f4f0
07:04:03.462 Scan finished successfully
07:04:06.863 Disk 0 MBR fix error
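The aswMBR log above reports "MBR read error", "MBR BIOS signature not found" and a scan starting at sector +1953521664, which is exactly 2048 sectors (1 MiB) short of the disk's reported 953869 MB (953869 × 2048 = 1953523712 sectors): the tool is looking at the unpartitioned tail of the disk. The Python below is an added example, not part of this thread or of aswMBR, showing what those checks amount to when done by hand on a raw 512-byte MBR: verify the 55 AA boot signature at offset 510, parse the four 16-byte partition entries, and flag overlap, out-of-range partitions and a large unpartitioned tail where a disk-resident rootkit could keep hidden storage. The two sample sectors, the stub boot code and the sector count derived from the log's MB figure are constructed for the demonstration.

```python
"""Audit a raw 512-byte MBR for the anomalies an anti-rootkit tool such as
aswMBR reports: missing 55 AA signature, partition table damage, and
unpartitioned space at the tail of the disk. Sample sectors are constructed;
nothing here touches a real disk."""
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = 0xAA55          # bytes 55 AA at offset 510, read little-endian
PART_TABLE_OFFSET = 446
PART_ENTRY = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, count

# Disk size derived from the aswMBR log's 953869 MB, assuming 512-byte sectors.
DISK_SECTORS = 953869 * 2048     # 1953523712


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into boot code, partition entries and the boot signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    (signature,) = struct.unpack_from("<H", sector, 510)
    partitions = []
    for index in range(4):
        status, _, ptype, _, lba_start, count = struct.unpack_from(
            PART_ENTRY, sector, PART_TABLE_OFFSET + 16 * index)
        if ptype == 0 and count == 0:          # empty slot
            continue
        partitions.append({"index": index, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:PART_TABLE_OFFSET],
            "partitions": partitions,
            "signature": signature,
            "signature_ok": signature == BOOT_SIGNATURE}


def audit_mbr(sector: bytes, disk_sectors: int, max_tail_slack: int = 2048) -> list:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("boot signature missing: 0x%04X instead of 0xAA55" % mbr["signature"])
    if not any(mbr["boot_code"]):
        findings.append("boot code is all zeros")
    parts = sorted(mbr["partitions"], key=lambda p: p["lba_start"])
    if sum(p["bootable"] for p in parts) > 1:
        findings.append("more than one partition flagged bootable")
    for a, b in zip(parts, parts[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append("partitions %d and %d overlap" % (a["index"], b["index"]))
    for p in parts:
        if p["lba_start"] + p["sectors"] > disk_sectors:
            findings.append("partition %d extends past the end of the disk" % p["index"])
    if parts:
        slack = disk_sectors - max(p["lba_start"] + p["sectors"] for p in parts)
        if slack > max_tail_slack:
            findings.append("%d unpartitioned sectors at the end of the disk" % slack)
    return findings


def build_mbr(partitions, signature=BOOT_SIGNATURE, boot_code=b"") -> bytes:
    """Construct a sample MBR (test data only) from (bootable, type, lba, count) tuples."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for index, (bootable, ptype, lba_start, count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFFSET + 16 * index,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0",
                         lba_start, count)
    struct.pack_into("<H", sector, 510, signature)
    return bytes(sector)


# Constructed samples. CLEAN_MBR mimics a single NTFS volume (type 0x07) that
# fills the disk. TAMPERED_MBR has the 55 AA signature zeroed, as aswMBR's
# "MBR BIOS signature not found" line describes, and leaves 40960 sectors
# (20 MiB) unpartitioned at the tail of the disk. The boot code is a stub.
STUB_BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 100
CLEAN_MBR = build_mbr([(True, 0x07, 2048, DISK_SECTORS - 2048)], boot_code=STUB_BOOT_CODE)
TAMPERED_MBR = build_mbr([(True, 0x07, 2048, DISK_SECTORS - 2048 - 40960)],
                         signature=0x0000, boot_code=STUB_BOOT_CODE)

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, audit_mbr(sector, DISK_SECTORS) or ["no findings"])
```

On a live machine the sector would come from the first 512 bytes of the physical drive, read with administrative rights. The log itself shows why that is unreliable here: the aswMBR trace ends in an unknown module (0x85e4f4f0) reached through \Driver\atapi, and code sitting that low in the storage stack can hand a clean sector back to anything that asks. Checking the MBR from boot media, with the infected system not running, is the way to be sure of what is actually on disk.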
 
See if you can generate a GMER log. Before running it, please shut down any running antivirus or antimalware. If it gives you problems, you can also try running it in safe mode.
See step 8 here.
Are you getting redirected when you're on the internet?
 
Yes, I am getting redirected on the internet. I'm trying to run GMER but it keeps crashing on me. I'll give it a few more attempts.

Thanks
 
I would suggest you use the machine as little as possible. Once you download TDSSKiller and post the log, you should lose the network connectivity. If you're not sure how to do this, I would just power it off.

You can try running GMER in safe mode. To reach safe mode you would tap the F8 key during a computer restart. Choose the first option: safe mode, and log in to your usual account.
You can also get another download:

Please download TDSS Killer.exe and save it to your desktop

Double click to launch the utility. On Vista and Windows 7, right click and choose "run as admin". After it initializes, click the Start Scan button.

"The utility will automatically select an action (Cure or Delete) for known malicious objects. A suspicious object will be skipped by default."

If an infected file is detected, the default action will be Cure, click on Continue.

If a suspicious file is detected, the default action will be Skip, click on Continue.

It may ask you to reboot the computer to complete the process. Click on Reboot Now.

If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.

A report can also be found in your Root drive Local Disk (C) as TDSSKiller.2.4.12.0_02.01.2011_17.32.21_log.txt (name, version, date, time, log.txt)

Please post the log report
 
I was able to run TDSSKiller under normal mode. Here is the log:

2011/05/12 23:03:55.0275 4256 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/05/12 23:03:55.0291 4256 ================================================================================
2011/05/12 23:03:55.0291 4256 SystemInfo:
2011/05/12 23:03:55.0291 4256
2011/05/12 23:03:55.0291 4256 OS Version: 6.0.6002 ServicePack: 2.0
2011/05/12 23:03:55.0291 4256 Product type: Workstation
2011/05/12 23:03:55.0291 4256 ComputerName: RANDY-MAIN
2011/05/12 23:03:55.0291 4256 UserName: Owner
2011/05/12 23:03:55.0291 4256 Windows directory: C:\Windows
2011/05/12 23:03:55.0291 4256 System windows directory: C:\Windows
2011/05/12 23:03:55.0291 4256 Processor architecture: Intel x86
2011/05/12 23:03:55.0291 4256 Number of processors: 4
2011/05/12 23:03:55.0291 4256 Page size: 0x1000
2011/05/12 23:03:55.0291 4256 Boot type: Normal boot
2011/05/12 23:03:55.0291 4256 ================================================================================
2011/05/12 23:03:56.0086 4256 Initialize success
2011/05/12 23:03:57.0771 4332 ================================================================================
2011/05/12 23:03:57.0771 4332 Scan started
2011/05/12 23:03:57.0771 4332 Mode: Manual;
2011/05/12 23:03:57.0771 4332 ================================================================================
2011/05/12 23:04:01.0515 4332 ================================================================================
2011/05/12 23:04:01.0515 4332 Scan finished
2011/05/12 23:04:01.0515 4332 ================================================================================
 
I was able to finally get GMER to complete under normal mode (took about 10 tries). I need to break up the log into several pieces. Thanks again for your patience!

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-13 20:36:13
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort3 ST31000340NS rev.SN05
Running: gmer.exe; Driver: C:\Users\Owner\AppData\Local\Temp\fgryrpob.sys


---- System - GMER 1.0.15 ----

SSDT 886B00B0 ZwAlertResumeThread
SSDT 8860AFA0 ZwAlertThread
SSDT 885903D0 ZwAllocateVirtualMemory
SSDT 882BEDE8 ZwAlpcConnectPort
SSDT 884D73C0 ZwAssignProcessToJobObject
SSDT 8816CDC8 ZwCreateMutant
SSDT 88219618 ZwCreateSymbolicLinkObject
SSDT 88252248 ZwCreateThread
SSDT 88738A28 ZwDebugActiveProcess
SSDT 8812EC28 ZwDuplicateObject
SSDT 88240718 ZwFreeVirtualMemory
SSDT 88EDDA70 ZwImpersonateAnonymousToken
SSDT 88533328 ZwImpersonateThread
SSDT 882BED70 ZwLoadDriver
SSDT 88404098 ZwMapViewOfSection
SSDT 885DB908 ZwOpenEvent
SSDT 886EE310 ZwOpenProcess
SSDT 8850D300 ZwOpenProcessToken
SSDT 88576298 ZwOpenSection
SSDT 88102008 ZwOpenThread
SSDT 881450F8 ZwProtectVirtualMemory
SSDT 886E1358 ZwResumeThread
SSDT 8853A3C0 ZwSetContextThread
SSDT 881CD838 ZwSetInformationProcess
SSDT 885DB970 ZwSetSystemInformation
SSDT 88586898 ZwSuspendProcess
SSDT 88DC5FD0 ZwSuspendThread
SSDT 884862C0 ZwTerminateProcess
SSDT 88E2DFD0 ZwTerminateThread
SSDT 88486218 ZwUnmapViewOfSection
SSDT 88404110 ZwWriteVirtualMemory
SSDT 883FB098 ZwCreateThreadEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 822F78A0 8 Bytes [B0, 00, 6B, 88, A0, AF, 60, ...]
.text ntkrnlpa.exe!KeSetEvent + 131 822F78B4 4 Bytes [D0, 03, 59, 88]
.text ntkrnlpa.exe!KeSetEvent + 13D 822F78C0 4 Bytes CALL C5B7A4B2
.text ntkrnlpa.exe!KeSetEvent + 191 822F7914 4 Bytes [C0, 73, 4D, 88] {SAL BYTE [EBX+0x4d], 0x88}
.text ntkrnlpa.exe!KeSetEvent + 1F5 822F7978 4 Bytes [C8, CD, 16, 88] {ENTER 0x16cd, 0x88}
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtProtectVirtualMemory 775E4B84 5 Bytes JMP 001B000A
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtWriteVirtualMemory 775E54C4 5 Bytes JMP 0020000A
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!KiUserExceptionDispatcher 775E5BF8 5 Bytes JMP 0018000A
.text C:\Windows\system32\svchost.exe[1116] ole32.dll!CoCreateInstance 77219F3E 5 Bytes JMP 005C000A
.text C:\Windows\system32\svchost.exe[1116] USER32.dll!GetCursorPos 776F0B88 5 Bytes JMP 00F6000A
.text C:\Windows\Explorer.EXE[1688] ntdll.dll!NtProtectVirtualMemory 775E4B84 5 Bytes JMP 0063000A
.text C:\Windows\Explorer.EXE[1688] ntdll.dll!NtWriteVirtualMemory 775E54C4 5 Bytes JMP 0064000A
.text C:\Windows\Explorer.EXE[1688] ntdll.dll!KiUserExceptionDispatcher 775E5BF8 5 Bytes JMP 0060000A

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Files - GMER 1.0.15 ----

File C:\Digital Pictures\Mobile Phone\IMG_0001.JPG 431593 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0003.JPG 423507 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0005.JPG 350230 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0006.JPG 380542 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0007.JPG 400070 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0008.JPG 396007 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0009.JPG 350807 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0010.JPG 598010 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0011.JPG 611759 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0012.JPG 410922 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0013.JPG 408213 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0014.JPG 377315 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0015.JPG 451658 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0016.JPG 432756 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0017.JPG 441048 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0020.JPG 461141 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0025.JPG 290208 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0026.JPG 532188 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0027.JPG 492038 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0029.JPG 600477 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0030.JPG 441165 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0031.JPG 439829 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0032.JPG 506567 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0033.JPG 466063 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0034.JPG 498111 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0042.JPG 578327 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0043.JPG 440559 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0044.JPG 436912 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0045.JPG 450276 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0046.JPG 522628 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0047.JPG 485123 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0048.JPG 336629 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0049.JPG 432790 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0050.JPG 497914 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0051.JPG 505280 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0052.JPG 506248 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0054.JPG 533477 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0055.JPG 517519 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0056.JPG 519354 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0057.JPG 507456 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0058.JPG 466616 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0059.JPG 465408 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0060.JPG 444875 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0061.JPG 351371 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0062.JPG 440506 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0063.JPG 384813 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0064.JPG 414115 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0065.JPG 452271 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0067.JPG 465306 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0068.JPG 534693 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0069.JPG 536986 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0070.JPG 559273 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0071.JPG 495638 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0073.JPG 465358 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0074.JPG 497247 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0075.JPG 475023 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0076.JPG 406502 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0077.JPG 385370 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0079.JPG 455183 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0080.JPG 412716 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0081.JPG 440101 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0082.JPG 416361 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0083.JPG 416122 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0084.JPG 467880 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0085.JPG 461956 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0086.JPG 470611 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0087.JPG 462544 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0088.JPG 464087 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0089.JPG 715060 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0090.JPG 721077 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0092.JPG 602784 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0093.JPG 611039 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0111.MOV 9425594 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0112.JPG 1564041 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0113.JPG 1537876 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0116.JPG 1125640 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0117.JPG 1245844 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0118.JPG 1026103 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0119.JPG 1086371 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0120.JPG 1282288 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0121.JPG 1329140 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0122.JPG 1347656 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0123.JPG 1312046 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0124.JPG 1331222 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0125.JPG 1281676 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0127.MOV 11347439 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0128.JPG 1104217 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0129.JPG 1192158 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0130.JPG 1200858 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0131.JPG 1212251 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0132.JPG 1215057 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0133.JPG 1307361 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0134.JPG 1238503 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0135.JPG 1231766 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0136.JPG 1170779 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0137.MOV 17015172 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0139.JPG 1180275 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0140.JPG 1111095 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0141.JPG 1395911 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0142.JPG 1205533 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0143.JPG 1223423 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0146.JPG 1284752 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0149.JPG 1309853 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0150.JPG 1309762 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0152.JPG 1114489 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0153.JPG 1154478 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0154.JPG 1145409 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0155.JPG 1123870 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0156.JPG 1160983 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0157.JPG 782072 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0158.JPG 1052375 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0159.JPG 986411 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0161.JPG 990755 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0162.JPG 1203173 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0163.JPG 1214005 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0164.JPG 1113520 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0165.JPG 1143452 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0166.JPG 1182155 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0167.JPG 1039880 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0172.JPG 975821 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0173.JPG 1085087 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0174.JPG 1015786 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0175.JPG 1537405 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0176.JPG 1252987 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0177.JPG 1248965 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0178.JPG 1307096 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0179.JPG 1260463 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0180.JPG 975413 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0181.JPG 1168240 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0182.JPG 1153503 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0183.JPG 1152456 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0184.JPG 1054737 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0185.JPG 921691 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0186.JPG 1299628 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0187.JPG 1257894 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0188.JPG 1300205 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0190.JPG 1328776 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0191.JPG 1389477 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0192.JPG 1443789 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0194.JPG 1248688 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0196.JPG 1382357 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0197.JPG 1415485 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0198.JPG 1148414 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0199.JPG 1160444 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0200.JPG 1198819 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0201.JPG 1325319 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0202.JPG 1335913 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0203.JPG 976023 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0204.JPG 1118407 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0205.JPG 951543 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0206.JPG 1575718 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0207.JPG 1492439 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0208.JPG 888934 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0212.JPG 1225283 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0219.JPG 1007351 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0220.JPG 1023512 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0221.JPG 1377057 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0222.JPG 1320065 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0223.JPG 1318416 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0224.JPG 951278 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0225.JPG 1364718 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0226.JPG 1062499 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0227.JPG 1050620 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0228.JPG 1223564 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0229.JPG 1242012 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0230.JPG 1253267 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0231.JPG 1126984 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0232.JPG 1325963 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0233.JPG 1262778 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0235.JPG 1335186 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0237.JPG 1264046 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0238.JPG 1340702 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0239.JPG 1133095 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0240.JPG 1014354 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0241.JPG 1054172 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0242.JPG 837325 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0243.JPG 714270 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0244.JPG 1356175 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0246.MOV 14592531 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0247.JPG 928033 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0248.JPG 1034742 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0004.JPG 436879 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0028.JPG 487434 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0053.JPG 538301 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0072.JPG 463105 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0091.JPG 701483 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0126.JPG 1093253 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0147.JPG 1263243 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0171.JPG 1015093 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0189.JPG 1311708 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0211.JPG 1130773 bytes
File C:\Digital Pictures\Mobile Phone\IMG_0236.JPG 1312239 bytes
File C:\$RECYCLE.BIN\S-1-5-21-164121268-3062729603-3089187675-1002 0 bytes
File C:\Backup Files 0 bytes
File C:\Backup Files\Notebook backup 0 bytes
File C:\Backup Files\Notebook backup\notebook outlook certificate.pfx 2598 bytes
File C:\Backup Files\Notebook backup\notebook outlook me again.pfx 2630 bytes
File C:\Backup Files\Notebook backup\notebook outlook me.pfx 2678 bytes
File C:\Backup Files\Notebook backup\Schwab 0 bytes
File C:\Backup Files\Notebook backup\Schwab\Layout 0 bytes
File C:\Backup Files\Notebook backup\Schwab\Layout\Backup 0 bytes
File C:\Backup Files\Notebook backup\Schwab\Layout\Backup\01222009Trader.lyt 390815 bytes
File C:\Backup Files\Notebook backup\Schwab\Layout\Backup\01222009traderreference.lyt 393106 bytes
File C:\Backup Files\Notebook backup\Schwab\Layout\Backup\01232009traderreference.lyt 393083 bytes
File C:\Backup Files\Notebook backup\Schwab\Layout\Backup\02112009Randy.lyt 393853 bytes
File C:\Backup Files\Notebook backup\Schwab\Layout\Backup\02122009Randy.lyt 393863 bytes
File C:\Backup Files\Notebook backup\Schwab\Layout\Backup\02162009Randy.lyt 393857 bytes
File C:\Backup Files\Notebook backup\Schwab\Layout\Options.lyt 390570 bytes
File C:\Backup Files\Notebook backup\Schwab\Layout\Randy.lyt 393830 bytes
File C:\Backup Files\Notebook backup\Schwab\Layout\Randynew.lyt 393863 bytes
File C:\Backup Files\Notebook backup\Schwab\Layout\Sector.lyt 390763 bytes
File C:\Backup Files\Notebook backup\Schwab\Layout\Technical.lyt 391999 bytes
File C:\Backup Files\Notebook backup\Schwab\Layout\Trader.lyt 390815 bytes
File C:\Backup Files\Notebook backup\Schwab\Layout\traderreference.lyt 392539 bytes
File C:\Backup Files\Notebook backup\Schwab\Layout\Velocity.lyt 174191 bytes
File C:\Backup Files\Notebook backup\WindowsImageBackup 0 bytes
File C:\Backup Files\Notebook backup\WindowsImageBackup\Randy-Notebook 0 bytes
File C:\Backup Files\Notebook backup\WindowsImageBackup\Randy-Notebook\Backup 2009-01-03 051404 0 bytes
File C:\Backup Files\Notebook backup\WindowsImageBackup\Randy-Notebook\Backup 2009-01-03 051404\84539bcb-2370-4c4a-bb85-a4ea48052080_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml 1488 bytes
File C:\Backup Files\Notebook backup\WindowsImageBackup\Randy-Notebook\Backup 2009-01-03 051404\52f7c457-cefd-11dd-a881-002186a2108e.vhd 847461888 bytes
File C:\Backup Files\Notebook backup\WindowsImageBackup\Randy-Notebook\Backup 2009-01-03 051404\52f7c45e-cefd-11dd-a881-002186a2108e.vhd 1443495424 bytes
File C:\Backup Files\Notebook backup\WindowsImageBackup\Randy-Notebook\Backup 2009-01-03 051404\84539bcb-2370-4c4a-bb85-a4ea48052080_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml 3188 bytes
File C:\Backup Files\Notebook backup\WindowsImageBackup\Randy-Notebook\Backup 2009-01-03 051404\84539bcb-2370-4c4a-bb85-a4ea48052080_Components.xml 13852 bytes
File C:\Backup Files\Notebook backup\WindowsImageBackup\Randy-Notebook\Backup 2009-01-03 051404\84539bcb-2370-4c4a-bb85-a4ea48052080_RegistryExcludes.xml 5266 bytes
File C:\Backup Files\Notebook backup\WindowsImageBackup\Randy-Notebook\Backup 2009-01-03 051404\84539bcb-2370-4c4a-bb85-a4ea48052080_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml 2344 bytes
File C:\Backup Files\Notebook backup\WindowsImageBackup\Randy-Notebook\Backup 2009-01-03 051404\84539bcb-2370-4c4a-bb85-a4ea48052080_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml 1484 bytes
File C:\Backup Files\Notebook backup\WindowsImageBackup\Randy-Notebook\Backup 2009-01-03 051404\84539bcb-2370-4c4a-bb85-a4ea48052080_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml 4732 bytes
File C:\Backup Files\Notebook backup\WindowsImageBackup\Randy-Notebook\Backup 2009-01-03 051404\84539bcb-2370-4c4a-bb85-a4ea48052080_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml 5556 bytes
File C:\Backup Files\Notebook backup\WindowsImageBackup\Randy-Notebook\Backup 2009-01-03 051404\84539bcb-2370-4c4a-bb85-a4ea48052080_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml 7686 bytes
File C:\Backup Files\Notebook backup\WindowsImageBackup\Randy-Notebook\Backup 2009-01-03 051404\84539bcb-2370-4c4a-bb85-a4ea48052080_Writere8132975-6f93-4464-a53e-1050253ae220.xml 2095626 bytes
File C:\Backup Files\Notebook backup\WindowsImageBackup\Randy-Notebook\Catalog 0 bytes
File C:\Backup Files\Notebook backup\WindowsImageBackup\Randy-Notebook\Catalog\BackupGlobalCatalog 4590 bytes
File C:\Backup Files\Notebook backup\WindowsImageBackup\Randy-Notebook\Catalog\GlobalCatalog 6256 bytes
File C:\Backup Files\Notebook backup\WindowsImageBackup\Randy-Notebook\MediaId 16 bytes
File C:\Backup Files\Office backup 0 bytes
File C:\Backup Files\Office backup\MMfiles 0 bytes
File C:\Backup Files\Office backup\MMfiles\jfonda8.jpg 54400 bytes
File C:\Backup Files\Office backup\MMfiles\scan0001.jpg 8049610 bytes
File C:\Backup Files\Office backup\MMfiles\scan0003.jpg 4627907 bytes
File C:\Backup Files\Office backup\MMfiles\scccourtneysimpson_512k.wmv 63948601 bytes
File C:\Backup Files\Office backup\MMfiles\scene 1_domination.avi 340520960 bytes
File C:\Backup Files\Office backup\MMfiles\scorp-disc3.rm 6468276 bytes
File C:\Backup Files\Office backup\MMfiles\scorp-disc3204.rm 6030393 bytes
File C:\Backup Files\Office backup\MMfiles\scorp-disc3399.rm 6559163 bytes
File C:\Backup Files\Office backup\MMfiles\scorp-disc3461.rm 6498495 bytes
File C:\Backup Files\Office backup\MMfiles\scorp-disc3522.rm 5985461 bytes
File C:\Backup Files\Office backup\MMfiles\scorp-disc3629.rm 6076925 bytes
File C:\Backup Files\Office backup\MMfiles\scrow.jpg 38812 bytes
File C:\Backup Files\Office backup\MMfiles\0466_02.wmv 119352188 bytes
File C:\Backup Files\Office backup\MMfiles\0466_03.wmv 74302160 bytes
File C:\Backup Files\Office backup\MMfiles\0466_04.wmv 147481448 bytes
File C:\Backup Files\Office backup\MMfiles\0468_01.wmv 87150736 bytes
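The GMER log above contains three kinds of finding: SSDT entries whose handler addresses (0x886B00B0 and the like) lie well away from the kernel image (the patched ntkrnlpa.exe code sits around 0x822F78A0), modified bytes inside ntkrnlpa.exe!KeSetEvent, and 5-byte JMPs at the start of ntdll, ole32 and USER32 exports in svchost.exe and Explorer.EXE whose targets (0x001B000A, 0x0063000A, ...) are in low private memory rather than in any loaded DLL. The Python below is an added example for triaging such a log, not a tool from this thread or from GMER: it parses those three line formats and reports the entries that point outside known image ranges. The kernel and DLL address ranges are assumptions chosen to enclose the addresses in the log, not values taken from the machine; the sample lines are copied from the log.

```python
"""Triage a GMER rootkit-scan log: SSDT handlers outside the kernel image,
patched kernel code, and user-mode inline JMP hooks whose targets are not in
any loaded image. Sample lines are copied from the GMER log in this thread;
the address ranges are assumptions made for this example."""
import re
from collections import defaultdict

SSDT_RE = re.compile(r"^SSDT\s+([0-9A-F]{8})\s+(\w+)$")
KERNEL_PATCH_RE = re.compile(
    r"^\.text\s+(\S+)!(\w+)\s*\+\s*([0-9A-F]+)\s+([0-9A-F]{8})\s+(\d+)\s+Bytes")
USER_HOOK_RE = re.compile(
    r"^\.text\s+(.+?\[\d+\])\s+(\S+)!(\w+)\s+([0-9A-F]{8})\s+(\d+)\s+Bytes\s+JMP\s+([0-9A-F]{8})")

# Assumed ranges (not from the machine): a 32-bit Vista kernel image around the
# log's ntkrnlpa.exe!KeSetEvent address (0x822F78A0) and DLL ranges enclosing
# the hooked export addresses. Real values come from the process's module list.
KERNEL_RANGE = (0x82200000, 0x82600000)
USER_IMAGES = {
    "ole32.dll": (0x77170000, 0x772C0000),
    "ntdll.dll": (0x775B0000, 0x776E0000),
    "USER32.dll": (0x776E0000, 0x77780000),
}

# Lines copied from the GMER log posted in this thread.
SAMPLE_LOG = r"""
SSDT 886B00B0 ZwAlertResumeThread
SSDT 8860AFA0 ZwAlertThread
SSDT 885903D0 ZwAllocateVirtualMemory
.text ntkrnlpa.exe!KeSetEvent + 11D 822F78A0 8 Bytes [B0, 00, 6B, 88, A0, AF, 60, ...]
.text ntkrnlpa.exe!KeSetEvent + 13D 822F78C0 4 Bytes CALL C5B7A4B2
.text ...
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtProtectVirtualMemory 775E4B84 5 Bytes JMP 001B000A
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtWriteVirtualMemory 775E54C4 5 Bytes JMP 0020000A
.text C:\Windows\system32\svchost.exe[1116] ole32.dll!CoCreateInstance 77219F3E 5 Bytes JMP 005C000A
.text C:\Windows\system32\svchost.exe[1116] USER32.dll!GetCursorPos 776F0B88 5 Bytes JMP 00F6000A
.text C:\Windows\Explorer.EXE[1688] ntdll.dll!NtProtectVirtualMemory 775E4B84 5 Bytes JMP 0063000A
"""


def parse_gmer(text):
    """Turn SSDT, kernel code section and user code section lines into dicts."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            entries.append({"kind": "ssdt", "handler": int(m.group(1), 16),
                            "syscall": m.group(2)})
            continue
        m = USER_HOOK_RE.match(line)
        if m:
            entries.append({"kind": "user_hook", "process": m.group(1),
                            "module": m.group(2), "function": m.group(3),
                            "address": int(m.group(4), 16), "length": int(m.group(5)),
                            "target": int(m.group(6), 16)})
            continue
        m = KERNEL_PATCH_RE.match(line)
        if m:
            entries.append({"kind": "kernel_patch", "image": m.group(1),
                            "function": m.group(2), "offset": int(m.group(3), 16),
                            "address": int(m.group(4), 16), "length": int(m.group(5))})
    return entries


def in_any_image(addr, images):
    """True when addr falls inside one of the known image ranges."""
    return any(lo <= addr < hi for lo, hi in images.values())


def triage(entries, kernel_range=KERNEL_RANGE, user_images=USER_IMAGES):
    """Summarise what points where; an empty report means nothing to chase."""
    lo, hi = kernel_range
    report = {"ssdt_outside_kernel": [], "patched_kernel_functions": set(),
              "user_hooks": defaultdict(list)}
    for e in entries:
        if e["kind"] == "ssdt" and not lo <= e["handler"] < hi:
            report["ssdt_outside_kernel"].append(e["syscall"])
        elif e["kind"] == "kernel_patch":
            report["patched_kernel_functions"].add("%s!%s" % (e["image"], e["function"]))
        elif e["kind"] == "user_hook":
            report["user_hooks"][e["process"]].append({
                "api": "%s!%s" % (e["module"], e["function"]),
                "target": e["target"],
                # E9 rel32 is 5 bytes: the classic inline prologue hook.
                "five_byte_jmp": e["length"] == 5,
                "target_in_image": in_any_image(e["target"], user_images),
            })
    report["user_hooks"] = dict(report["user_hooks"])
    return report


if __name__ == "__main__":
    r = triage(parse_gmer(SAMPLE_LOG))
    print("SSDT handlers outside kernel:", r["ssdt_outside_kernel"])
    print("patched kernel functions:", sorted(r["patched_kernel_functions"]))
    for proc, hooks in r["user_hooks"].items():
        for h in hooks:
            flag = "" if h["target_in_image"] else "  <- target in no known image"
            print("%s %s -> %08X%s" % (proc, h["api"], h["target"], flag))
```

Security products hook the SSDT and patch kernel functions too, so a hit in the first two lists is a lead to follow up by identifying the owning driver, not an attribution on its own. What makes the user-mode entries stand out is that every JMP target lands at offset 0xA of a low page that belongs to no image, in both a service host and the shell, which is the pattern of injected code rather than of a legitimate DLL.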
 
File C:\Backup Files\Office backup\MMfiles\System\Apps\9CAC5930-4010-4AD6-ABF7-CE2778969B13\Data\mcsubdb.dat 359 bytes
File C:\Backup Files\Office backup\MMfiles\System\Apps\9CAC5930-4010-4AD6-ABF7-CE2778969B13\Data\mcvsps.dll 173384 bytes executable
File C:\Backup Files\Office backup\MMfiles\System\Apps\9CAC5930-4010-4AD6-ABF7-CE2778969B13\Data\mvsscan.dll 451912 bytes executable
File C:\Backup Files\Office backup\MMfiles\System\Apps\9CAC5930-4010-4AD6-ABF7-CE2778969B13\Data\mytilus3.dll 66880 bytes
File C:\Backup Files\Office backup\MMfiles\System\Apps\9CAC5930-4010-4AD6-ABF7-CE2778969B13\Data\mytilus3_worker.dll 251200 bytes executable
File C:\Backup Files\Office backup\MMfiles\System\Apps\9CAC5930-4010-4AD6-ABF7-CE2778969B13\Data\Settings.dat 364 bytes
File C:\Backup Files\Office backup\MMfiles\System\Apps\9CAC5930-4010-4AD6-ABF7-CE2778969B13\Data\signlic.txt 6163 bytes
File C:\Backup Files\Office backup\MMfiles\System\Apps\9CAC5930-4010-4AD6-ABF7-CE2778969B13\Data\vsusbinfolog.log 1484 bytes
File C:\Backup Files\Office backup\MMfiles\System\Apps\9CAC5930-4010-4AD6-ABF7-CE2778969B13\Exec 0 bytes
File C:\Backup Files\Office backup\MMfiles\System\Apps\9CAC5930-4010-4AD6-ABF7-CE2778969B13\McVsUStb_3.0.144.7.u3p 12887647 bytes
File C:\Backup Files\Office backup\MMfiles\System\Apps\EC30627F-0195-44d4-8C24-1B09F3C02C50 0 bytes
File C:\Backup Files\Office backup\MMfiles\System\Apps\EC30627F-0195-44d4-8C24-1B09F3C02C50\CruzerSync_U3Edition_v6_2_040_0.u3p 11354394 bytes
File C:\Backup Files\Office backup\MMfiles\System\Apps\EC30627F-0195-44d4-8C24-1B09F3C02C50\Data 0 bytes
File C:\Backup Files\Office backup\MMfiles\System\Apps\EC30627F-0195-44d4-8C24-1B09F3C02C50\Exec 0 bytes
File C:\Backup Files\Office backup\MMfiles\System\Apps\EC30627F-0195-44d4-8C24-1B09F3C02C50\Exec\CruzerSync_EN.chm 891589 bytes
File C:\Backup Files\Office backup\MMfiles\System\Apps\EC30627F-0195-44d4-8C24-1B09F3C02C50\Exec\CruzerSync_FR.chm 641604 bytes
File C:\Backup Files\Office backup\MMfiles\System\Apps\EC30627F-0195-44d4-8C24-1B09F3C02C50\Exec\CruzerSync_GE.chm 1002100 bytes
File C:\Backup Files\Office backup\MMfiles\System\Apps\EC30627F-0195-44d4-8C24-1B09F3C02C50\Exec\CruzerSync_IT.chm 946386 bytes
File C:\Backup Files\Office backup\MMfiles\System\Apps\EC30627F-0195-44d4-8C24-1B09F3C02C50\Exec\CruzerSync_JP.chm 921517 bytes
File C:\Backup Files\Office backup\MMfiles\System\Apps\EC30627F-0195-44d4-8C24-1B09F3C02C50\Exec\CruzerSync_SC.chm 419029 bytes
File C:\Backup Files\Office backup\MMfiles\System\Apps\EC30627F-0195-44d4-8C24-1B09F3C02C50\Exec\CruzerSync_SP.chm 980519 bytes
File C:\Backup Files\Office backup\MMfiles\System\Apps\EC30627F-0195-44d4-8C24-1B09F3C02C50\Exec\CruzerSync_TC.chm 593815 bytes
File C:\Backup Files\Office backup\MMfiles\System\Apps\ED241DFF-CBD5-41ad-975B-4B162A35BFF7 0 bytes
File C:\Backup Files\Office backup\MMfiles\System\Apps\ED241DFF-CBD5-41ad-975B-4B162A35BFF7\Data 0 bytes
File C:\Backup Files\Office backup\MMfiles\System\Apps\ED241DFF-CBD5-41ad-975B-4B162A35BFF7\Data\affcode.inf 40 bytes
File C:\Backup Files\Office backup\MMfiles\System\Apps\ED241DFF-CBD5-41ad-975B-4B162A35BFF7\Data\settings.txt 3040 bytes
File C:\Backup Files\Office backup\MMfiles\System\Apps\ED241DFF-CBD5-41ad-975B-4B162A35BFF7\Data\source.inf 16 bytes
File C:\Backup Files\Office backup\MMfiles\System\Apps\ED241DFF-CBD5-41ad-975B-4B162A35BFF7\Exec 0 bytes
File C:\Backup Files\Office backup\MMfiles\System\Apps\ED241DFF-CBD5-41ad-975B-4B162A35BFF7\sudoku.u3p 3502717 bytes
File C:\Backup Files\Office backup\MMfiles\System\Apps\LPDB.xml 1063 bytes
File C:\Backup Files\Office backup\MMfiles\System\Apps\LPGDB.xml
File C:\Backup Files\Office backup\MMfiles\0786_07.wmv 83062550 bytes
File C:\Backup Files\Office backup\MMfiles\0786_09.wmv 61765596 bytes
File C:\Backup Files\Office backup\MMfiles\0832_03.wmv 52677194 bytes
File C:\Backup Files\Office backup\MMfiles\0844_01.wmv 154649784 bytes
File C:\Backup Files\Office backup\Outlook Files 0 bytes
File C:\Backup Files\Office backup\Outlook Files\bookmark.htm 12758 bytes
File C:\Backup Files\Office backup\Outlook Files\cookies.txt 1838301 bytes
File C:\Backup Files\Office backup\Outlook Files\Outlook backup.pst 49030144 bytes
File C:\Backup Files\Office backup\Outlook Files\Outlook.pst 99566592 bytes
File C:\Backup Files\Office backup\Outlook Files\outlook12-31.pst 729367552 bytes
File C:\Backup Files\Office backup\Outlook Files\outlookpersonalfolder1-2-09.pst 87376896 bytes
File C:\Backup Files\Office backup\Outlook Files\outlookyuenr@me1-2-09.pst 672482304 bytes
File C:\Backup Files\Office backup\Outlook Files\OutlYuenR@me.com-00000002 backup.pst -1745910784 bytes
File C:\Backup Files\Office backup\SaveData.MIG -775667683 bytes
File C:\Documents\Art\Art\Art S.lnk 381 bytes
File C:\Documents\Art\Art\Art's Ntwk Files.lnk 431 bytes
File C:\Documents\Art\Art\emssetup121.exe 6068775 bytes executable
File C:\Documents\Art\Art S.lnk 381 bytes
File C:\Documents\Art\emssetup121.exe 6068775 bytes executable
---- EOF - GMER 1.0.15 ----
 
All inconclusive, other than you're still getting redirected. Shut down any running antivirus or antimalware first, then try running combofix again after a normal boot up, not safe mode. If you're connected, combofix will probably update itself and restart.
If you have a router, check its DNS settings and make sure they haven't been changed in the router setup from:
8.8.8.8 and 8.8.8.4
I assume you changed these to use google public DNS?
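A quick way to verify what the machine is actually resolving with (on DHCP these come from the router) is to parse `ipconfig /all` and flag any resolver outside the intended set. This is an added example, not something from the thread or any of the tools mentioned in it; it assumes the intended resolvers are Google Public DNS (8.8.8.8 and 8.8.4.4) and the `ipconfig` text below is constructed for illustration.

```python
import re
from typing import Dict, List, Set

# Constructed sample of `ipconfig /all` output (not from the thread). The
# second adapter deliberately shows a resolver outside the expected set.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : example-pc

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.11
   DNS Servers . . . . . . . . . . . : 203.0.113.50
                                       8.8.8.8
"""

# Assumed allow-list: Google Public DNS, which the thread says was configured.
EXPECTED_DNS = {"8.8.8.8", "8.8.4.4"}

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
DNS_RE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S*)\s*$")
CONT_RE = re.compile(r"^\s+(\S+)\s*$")   # label-less continuation line


def parse_dns_servers(text: str) -> Dict[str, List[str]]:
    """Map each adapter name to the DNS servers ipconfig reports for it."""
    servers: Dict[str, List[str]] = {}
    adapter = None
    in_dns = False
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter = m.group(1)
            servers.setdefault(adapter, [])
            in_dns = False
            continue
        m = DNS_RE.match(line)
        if m and adapter is not None:
            if m.group(1):
                servers[adapter].append(m.group(1))
            in_dns = True
            continue
        # Additional servers follow the label on indented, label-less lines.
        m = CONT_RE.match(line) if in_dns else None
        if m:
            servers[adapter].append(m.group(1))
            continue
        in_dns = False
    return servers


def unexpected_dns(text: str, expected: Set[str] = EXPECTED_DNS) -> Dict[str, List[str]]:
    """Per adapter, the configured resolvers that are not in the allow-list."""
    return {
        adapter: [s for s in addrs if s not in expected]
        for adapter, addrs in parse_dns_servers(text).items()
        if any(s not in expected for s in addrs)
    }


if __name__ == "__main__":
    import subprocess
    import sys
    if sys.platform == "win32":
        out = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
    else:
        out = SAMPLE_IPCONFIG   # fall back to the constructed sample elsewhere
    for adapter, bad in unexpected_dns(out).items():
        print(f"{adapter}: unexpected DNS servers {bad}")
```

Run it on the infected box as an administrator; any adapter listed in the output is pointing at a resolver you did not configure and is worth comparing against the router's own DNS page.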
 
You're right, I changed the connectivity settings to use the google DNS.

I keep getting an "IRQL not less or equal" bsod every time I run CF either under normal or safe mode. Any suggestions?

Thanks
 
Combofix not running isn't helpful.
It also looks like combofix ran successfully one time. That BSOD is recent I think you said? Does your AV, malwarebytes and SpyBot run ok? Only combofix causes a BSOD?

Download mbr.exe to your desktop. Right click and "run as Admin". It will create a txt file on your desktop. Please post the log.

TDSSKiller has been updated. Please delete your current copy and get the new one:

TDSSkiller.exe
 
Yes, I was able to run cf successfully once, but never again. Every time I run CF, as it gets close to finish loading (green progress bar near the end), I get a bsod IRQL crash. I've tried both under safe and normal mode.

I ran mbr.exe. Here is the log:

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: ST31000340NS rev.SN05 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2

device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
user & kernel MBR OK


Thanks!
 