Vista - Security Antivirus


  • This topic is locked
24 replies to this topic

#1 ChuckLHead

  • Members
  • 119 posts

Posted 20 February 2010 - 11:41 AM

This isn't my PC but my soon-to-be daughter-in-law's, running Vista Home Premium.

I ran MBAM to remove the most severe visible problems stemming from what I believe was a Security Antivirus infection. However, I'm still seeing a popup / task-bar icon for "Check you computer security. There are multiple security problems with your computer. Click here..."

Below is the DDS log and I'm attaching the attach.txt. I tried running GMER twice. The first time resulted in a page fault error in a nonpaged area and the second time it stopped and tried to connect to the internet but that didn't help.

The PC has ZoneAlarm and no active anti-virus (yeah...I know).

Here's the DDS log:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Heather at 10:31:36.51 on Sat 02/20/2010
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1012.247 [GMT -5:00]

SP: ZoneAlarm Anti-Spyware *enabled* (Outdated) {F245A209-1085-48B4-B927-35D56015EC60}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Windows\System32\spool\drivers\w32x86\3\E_FATICLA.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Heather\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
uLocal Page = \blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
uURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
mURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
BHO: Holidays Toolbar Loader: {8008a5bc-8bdc-41b2-88c8-5e8e0a6d64ad} - c:\program files\holidays toolbar\holidaystb.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: Holidays Toolbar: {3dd02f89-4590-4dd7-b14c-e2444f7d9915} - c:\program files\holidays toolbar\holidaystb.dll
TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
uRun: [EPSON Stylus Photo RX595 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticla.exe /fu "c:\windows\temp\E_SB338.tmp" /EF "HKCU"
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_01\bin\jusched.exe"
mRun: [<NO NAME>]
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish picture mover\SnapfishMediaDetector.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Holidays Toolbar Search - c:\programdata\holidays toolbar\ietoolbar\resources\en-us\local\search.html
IE: &Search
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo2.walgreens.com/WalgreensActivia.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
IFEO: image file execution options - svchost.exe
Hosts: 74.125.45.100 safebrowsing-cache.google.com
Hosts: 74.125.45.100 urs.microsoft.com
Hosts: 74.125.45.100 protected.maxisoftwaremart.com
Hosts: 88.198.198.206 google.com
Hosts: 88.198.198.206 google.com.au

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\users\heather\appdata\roaming\mozilla\firefox\profiles\beg49i1f.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZLxdm012YYUS&fl=0&ptb=MoN5ZLRE5bTa_hCblVPPbg&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&si=18159&searchfor=
FF - plugin: c:\program files\mozilla firefox\plugins\npraclient.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\programdata\realarcade\npraclient.dll
FF - plugin: c:\programdata\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-11-23 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 66632]
R3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr73.sys [2009-5-24 501248]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 12872]

=============== Created Last 30 ================

2010-02-20 04:01:45 0 d-----w- c:\programdata\WinZip
2010-02-20 00:51:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-20 00:51:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-20 00:51:23 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-18 01:07:43 0 d-sh--w- c:\programdata\SAMJVMV
2010-02-18 01:07:05 0 d-sh--w- c:\programdata\e4d6741
2010-02-17 05:11:58 0 d-----w- c:\program files\Conduit
2010-02-17 05:11:57 0 d-----w- c:\program files\Zynga

==================== Find3M ====================

2010-02-20 10:59:09 350192 ---ha-w- c:\windows\system32\drivers\vsconfig.xml
2010-02-20 00:18:18 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-20 00:18:17 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-02-12 03:26:31 4704 ----a-w- c:\users\heather\appdata\roaming\wklnhst.dat
2010-01-14 16:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-28 12:35:50 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-28 12:35:00 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-28 12:32:34 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-28 12:32:32 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-28 12:32:32 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-28 12:32:25 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-28 12:31:22 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-28 12:31:01 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-28 12:28:43 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-12-28 12:28:43 65024 ----a-w- c:\windows\system32\avicap32.dll
2009-12-18 13:05:50 833024 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 13:01:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-18 10:14:30 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-08 20:52:17 3597912 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 20:52:16 3546200 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 19:57:51 438272 ----a-w- c:\windows\system32\IKEEXT.DLL
2009-12-08 19:57:29 595456 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2009-12-08 19:55:41 328704 ----a-w- c:\windows\system32\BFE.DLL
2009-11-27 03:47:47 86016 ----a-w- c:\windows\inf\infstor.dat
2008-11-19 14:45:11 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 10:32:31.56 ===============
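The security-relevant lines in the log above are the HOSTS overrides (safebrowsing-cache.google.com, urs.microsoft.com and google.com pointed at other addresses, which is how rogue antivirus families cut the victim off from Safe Browsing, the IE phishing filter and search) and the IFEO entry for svchost.exe. As an added example that is not part of the thread, of DDS or of BleepingComputer's tooling, the Python script below parses the "Pseudo HJT Report" section of a DDS log and flags exactly those two kinds of entries. The sample text is constructed from the lines in the log above; the list of protected domain suffixes, the system-binary list and the severity scheme are my own assumptions, not anything DDS defines.

```python
"""Flag HOSTS hijacks and IFEO hooks in the Pseudo HJT section of a DDS log.

Added example for this thread; it is not DDS code.  It reads the
'Hosts:' and 'IFEO:' lines DDS prints and reports the ones an analyst would
treat as red flags: HOSTS entries that redirect security, update or search
domains (commonly planted by rogue antivirus to block help) and Image File
Execution Options entries for core Windows binaries.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the format DDS prints (addresses and names taken from
# the log above, plus the one mapping every HOSTS file legitimately has).
SAMPLE_LOG = """\
============== Pseudo HJT Report ===============

IFEO: image file execution options - svchost.exe
Hosts: 74.125.45.100 safebrowsing-cache.google.com
Hosts: 74.125.45.100 urs.microsoft.com
Hosts: 74.125.45.100 protected.maxisoftwaremart.com
Hosts: 88.198.198.206 google.com
Hosts: 88.198.198.206 google.com.au
Hosts: 127.0.0.1 localhost
"""

# Assumed list: domains legitimate software never needs to override in HOSTS.
PROTECTED_SUFFIXES = (
    "google.com", "google.com.au", "microsoft.com", "windowsupdate.com",
    "bleepingcomputer.com", "malwarebytes.org", "superantispyware.com",
)
# Assumed list: binaries whose IFEO 'Debugger' value is a classic persistence spot.
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "userinit.exe", "winlogon.exe",
                   "taskmgr.exe", "regedit.exe", "msconfig.exe"}
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)\s*$")
IFEO_RE = re.compile(r"^IFEO:\s+image file execution options\s+-\s+(\S+)\s*$",
                     re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str      # "hosts_hijack" or "ifeo_hook"
    severity: str  # "high" or "medium" (assumed scheme)
    name: str      # hostname or executable from the log line
    address: str   # IP for HOSTS entries, "" for IFEO entries
    reason: str


def is_protected(host: str) -> bool:
    """Suffix match against PROTECTED_SUFFIXES (exact name or a subdomain of it)."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in PROTECTED_SUFFIXES)


def analyse(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious Hosts:/IFEO: line; benign lines yield nothing."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if host.lower() == "localhost" and ip in LOOPBACK:
                continue  # the default mapping, not a hijack
            if is_protected(host):
                findings.append(Finding("hosts_hijack", "high", host, ip,
                    f"{host} redirected to {ip}: blocks updates, SafeBrowsing/"
                    f"phishing-filter lookups or search"))
            elif ip not in LOOPBACK:
                findings.append(Finding("hosts_hijack", "medium", host, ip,
                    f"{host} pinned to public address {ip}; home systems rarely "
                    f"need any non-loopback HOSTS entry"))
            continue
        m = IFEO_RE.match(line)
        if m:
            exe = m.group(1).lower()
            sev = "high" if exe in SYSTEM_BINARIES else "medium"
            findings.append(Finding("ifeo_hook", sev, exe, "",
                f"IFEO entry for {exe}: Windows launches its 'Debugger' value "
                f"in place of the binary every time it starts"))
    return findings


def shared_addresses(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group HOSTS findings by target IP, so one address fronting several unrelated names stands out."""
    by_ip: Dict[str, List[str]] = {}
    for f in findings:
        if f.kind == "hosts_hijack":
            by_ip.setdefault(f.address, []).append(f.name)
    return {ip: sorted(names) for ip, names in by_ip.items()}


if __name__ == "__main__":
    results = analyse(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.kind:12} {f.name:35} {f.reason}")
    for ip, names in shared_addresses(results).items():
        print(f"{ip} fronts {len(names)} names: {', '.join(names)}")
```

Run against the sample it reports five HOSTS hijacks (four high, one medium for the unknown maxisoftwaremart name) and one high IFEO hook, and the grouping shows 74.125.45.100 fronting three unrelated names and 88.198.198.206 two, which is the pattern to look for: one attacker-chosen address answering for Google, Microsoft and a throwaway domain at once.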

#2 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 21 February 2010 - 05:36 AM

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand.

***************************************************

Please install RootRepeal
Note: Vista users, right click on the desktop icon and select "Run as Administrator."
Disconnect from the Internet or physically unplug your Internet cable connection.
Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
Temporarily disable your anti-virus and real-time anti-spyware protection.
After starting the scan, do not use the computer until the scan has completed.
When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • Extract RootRepeal.exe from the zip archive.
  • Open on your desktop.
  • At the top of the window, click Settings, then Options.
  • Click the Ssdt & Shadow Ssdt Tab.
  • Make sure the box next to "Only display hooked functions." is checked.
  • Click the "X" in the top right corner of the Settings window to close it.
  • Click the tab.
  • Click the button.
  • Check all seven boxes:
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

~Blade

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 ChuckLHead

  • Topic Starter
  • Members
  • 119 posts

Posted 21 February 2010 - 08:08 AM

Hello Blade,

Below is the report from RootRepeal:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/02/21 07:27
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\Windows\System32\Drivers\dump_atapi.sys
Address: 0x8A67B000 Size: 32768 File Visible: No Signed: -
Status: -

Name: dump_dumpata.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys
Address: 0x861D6000 Size: 45056 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xAB32A000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\System Volume Information\{84f76573-0f9d-11df-b04c-001d92b70751}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{93e7d957-f433-11de-aa08-001d92b70751}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{93e7d978-f433-11de-aa08-001d92b70751}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{965d68ea-1a97-11df-ae0a-001d92b70751}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{9d4ba7d5-0c64-11df-92d0-001d92b70751}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{a02d7c82-0e9a-11df-a186-001d92b70751}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{559835cb-f723-11de-af52-001d92b70751}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{707c34dd-1ce6-11df-835c-001d92b70751}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{76ba2774-f9a6-11de-8bd5-001d92b70751}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{793096e1-018d-11df-ac6b-001d92b70751}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{7a8ef939-0917-11df-839c-001d92b70751}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{7e2171f7-087c-11df-b55b-001d92b70751}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{4eaeebd7-f66d-11de-b18f-001d92b70751}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{80d59158-0454-11df-8cf7-001d92b70751}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{b49d06f5-009c-11df-a517-001d92b70751}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{b9d0dcd5-0b9d-11df-8ae7-001d92b70751}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{C7935~1
Status: Locked to the Windows API!

Path: C:\System Volume Information\{c7941de0-1e3c-11df-b00c-001d92b70751}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{c936b8cc-fbe3-11de-8197-001d92b70751}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{d4a4bd5b-ff1a-11de-8613-001d92b70751}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{ddccbdcb-0912-11df-afbf-001d92b70751}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{04fbb664-ff35-11de-8a44-001d92b70751}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{0b500b57-f19d-11de-8562-001d92b70751}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{128A4~1
Status: Locked to the Windows API!

Path: C:\System Volume Information\{1483dfcc-1dbc-11df-a50d-000e3b0aba43}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{2955a27e-ffca-11de-820e-001d92b70751}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3dead8cd-1982-11df-b544-001d92b70751}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{40a583d8-14d3-11df-a971-001d92b70751}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{4653714c-1dd1-11df-83c2-001d92b70751}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{4e605b76-11e6-11df-acff-001d92b70751}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\Program Files\Windows Media Player\Network Sharing\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\Microsoft.NET\Framework\NETFXS~1.HKF
Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\PORTAB~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\PORTAB~2.MOF
Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\PORTAB~3.MOF
Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\PRINTF~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_5c4003bc63e949f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\amd64_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_3da38fdebd0e6822.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_0e9c2a8d74fd3ce6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_abac38a907ee8801.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edeada.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c0566bec5b24.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d218504d2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a620671dde41.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_54c11df268b7c6d9.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_99b61f5e8371c1d4.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_d6c3e7af9bae13a2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_dc990e4797f81af1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053e8c6967ba9d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.91_none_db5f5c9d98cb161f.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_91949b06671d08ae.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_58b19c2866332652.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_10b3ea459bfee365.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_8550c6b5d18a9128.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.91_none_58b1a5ca663317c4.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_60a5df56e60dc5df.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8dd7dea5d5a7a18a.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.91_none_dc9917e997f80c63.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_58843c41d2730d3f.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.91_none_5c400d5e63e93b68.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.0.6002.18005_none_04642e8a80bb8b27\MI2095~1.MAN
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.0.6002.18005_none_04642e8a80bb8b27\MIC237~1.MAN
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16789_none_09360999522be962\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22331_none_0bd3f43c684ec0d7\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_6.0.6000.16830_none_29a6eeebde589a97\PRINTF~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_6.0.6000.21023_none_2a3e34a2f76b9db7\PRINTF~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_6.0.6001.18226_none_2b9dff39db71a7a1\PRINTF~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_6.0.6001.22389_none_2be9bd5af4bd3b16\PRINTF~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_6.0.6002.18005_none_2d991295d888a8b3\PRINTF~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..ent-sku-homepremium_31bf3856ad364e35_6.0.6002.18005_none_3d90d406f6a60fcd\SE7561~1.XRM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..ent-sku-homepremium_31bf3856ad364e35_6.0.6002.18005_none_3d90d406f6a60fcd\SE4BA2~1.XRM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..ent-sku-homepremium_31bf3856ad364e35_6.0.6002.18005_none_3d90d406f6a60fcd\SE5F3C~1.XRM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..ent-sku-homepremium_31bf3856ad364e35_6.0.6002.18005_none_3d90d406f6a60fcd\SECURI~4.XRM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..ent-sku-homepremium_31bf3856ad364e35_6.0.6002.18005_none_3d90d406f6a60fcd\SE5FBC~1.XRM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..ent-sku-homepremium_31bf3856ad364e35_6.0.6002.18005_none_3d90d406f6a60fcd\SE6DB5~1.XRM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..ent-sku-homepremium_31bf3856ad364e35_6.0.6002.18005_none_3d90d406f6a60fcd\SE9AEB~1.XRM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.16767_none_48e0ac03ef0db56a\PORTAB~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.16767_none_48e0ac03ef0db56a\PORTAB~2.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.16767_none_48e0ac03ef0db56a\PORTAB~3.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.20941_none_4979e8d10820826f\PORTAB~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.20941_none_4979e8d10820826f\PORTAB~2.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.20941_none_4979e8d10820826f\PORTAB~3.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18160_none_4abfe8a3ec3a94fa\PORTAB~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18160_none_4abfe8a3ec3a94fa\PORTAB~2.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18160_none_4abfe8a3ec3a94fa\PORTAB~3.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.22292_none_4b2b163f056ebb45\PORTAB~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.22292_none_4b2b163f056ebb45\PORTAB~2.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.22292_none_4b2b163f056ebb45\PORTAB~3.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6002.18005_none_4cec3f51e92bbb79\PORTAB~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6002.18005_none_4cec3f51e92bbb79\PORTAB~2.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6002.18005_none_4cec3f51e92bbb79\PORTAB~3.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wwfcorecomp.resources_31bf3856ad364e35_6.0.6000.16708_en-us_b9851a92245b1b73\TRACKI~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wwfcorecomp.resources_31bf3856ad364e35_6.0.6000.20864_en-us_b9c9d6ad3dacfd87\TRACKI~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wwfcorecomp.resources_31bf3856ad364e35_6.0.6001.18096_en-us_bb08077221cc7808\TRACKI~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wwfcorecomp.resources_31bf3856ad364e35_6.0.6001.22208_en-us_bbf4f6033a9f4c2e\TRACKI~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wwfcorecomp.resources_31bf3856ad364e35_6.0.6002.18005_en-us_bd4ece0e1eaaafd1\TRACKI~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.16720_none_7325c867d7281910\CHOOSE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.16720_none_7325c867d7281910\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.16720_none_7325c867d7281910\MANAGE~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.20883_none_5c5ddf0bf0ca5e03\CHOOSE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.20883_none_5c5ddf0bf0ca5e03\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.20883_none_5c5ddf0bf0ca5e03\MANAGE~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.18111_none_7300ad1dd77a25b1\CHOOSE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.18111_none_7300ad1dd77a25b1\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.18111_none_7300ad1dd77a25b1\MANAGE~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_secur_res_b03f5f7f11d50a3a_6.0.6000.16720_none_c39efe8a3f927437\SETUPA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_secur_res_b03f5f7f11d50a3a_6.0.6000.20883_none_acd7152e5934b92a\SETUPA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_secur_res_b03f5f7f11d50a3a_6.0.6001.18111_none_c379e3403fe480d8\SETUPA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_secur_res_b03f5f7f11d50a3a_6.0.6001.22230_none_acae53dc5989f9eb\SETUPA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_users_res_b03f5f7f11d50a3a_6.0.6000.16720_none_b103fb905f6db0d9\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_users_res_b03f5f7f11d50a3a_6.0.6000.20883_none_9a3c1234790ff5cc\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_users_res_b03f5f7f11d50a3a_6.0.6001.18111_none_b0dee0465fbfbd7a\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webmintrust_config_b03f5f7f11d50a3a_6.0.6000.16720_none_e2c358ab062e054b\WEB_MI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webmintrust_config_b03f5f7f11d50a3a_6.0.6000.20883_none_cbfb6f4f1fd04a3e\WEB_MI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webmintrust_config_b03f5f7f11d50a3a_6.0.6001.18111_none_e29e3d61068011ec\WEB_MI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webmintrust_config_b03f5f7f11d50a3a_6.0.6001.22230_none_cbd2adfd20258aff\WEB_MI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_users_res_b03f5f7f11d50a3a_6.0.6001.22230_none_9a1350e27965368d\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webevent_sqlprov_b03f5f7f11d50a3a_6.0.6001.18111_none_a335242e0936a3fd\INSTAL~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webevent_sqlprov_b03f5f7f11d50a3a_6.0.6001.18111_none_a335242e0936a3fd\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-uninstallsqlstate_sql_b03f5f7f11d50a3a_6.0.6000.16720_none_a2f69a4627a6df36\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-uninstallsqlstate_sql_b03f5f7f11d50a3a_6.0.6000.20883_none_8c2eb0ea41492429\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-uninstallsqlstate_sql_b03f5f7f11d50a3a_6.0.6001.18111_none_a2d17efc27f8ebd7\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-uninstallsqlstate_sql_b03f5f7f11d50a3a_6.0.6001.22230_none_8c05ef98419e64ea\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-vbc_exe_config_b03f5f7f11d50a3a_6.0.6000.16720_none_32a2a55c0f70152b\VBCEXE~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-vbc_exe_config_b03f5f7f11d50a3a_6.0.6000.20883_none_1bdabc0029125a1e\VBCEXE~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-vbc_exe_config_b03f5f7f11d50a3a_6.0.6001.18111_none_327d8a120fc221cc\VBCEXE~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-webhightrust_config_b03f5f7f11d50a3a_6.0.6000.16720_none_a05f40e791345747\WEB_HI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-webhightrust_config_b03f5f7f11d50a3a_6.0.6000.20883_none_8997578baad69c3a\WEB_HI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-webhightrust_config_b03f5f7f11d50a3a_6.0.6001.18111_none_a03a259d918663e8\WEB_HI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-webhightrust_config_b03f5f7f11d50a3a_6.0.6001.22230_none_896e9639ab2bdcfb\WEB_HI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-xpthemes_manifest_b03f5f7f11d50a3a_6.0.6000.16720_none_1e9c83dead284b26\XPTHEM~1.MAN
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-xpthemes_manifest_b03f5f7f11d50a3a_6.0.6000.20883_none_07d49a82c6ca9019\XPTHEM~1.MAN
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-xpthemes_manifest_b03f5f7f11d50a3a_6.0.6001.18111_none_1e776894ad7a57c7\XPTHEM~1.MAN
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-xpthemes_manifest_b03f5f7f11d50a3a_6.0.6001.22230_none_07abd930c71fd0da\XPTHEM~1.MAN
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.16386_none_ea83414c2e75b887\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wwf-cperfcnt_31bf3856ad364e35_6.0.6000.16708_none_1dbee32b03599791\PERFCO~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wwf-cperfcnt_31bf3856ad364e35_6.0.6000.20864_none_1e039f461cab79a5\PERFCO~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wwf-cperfcnt_31bf3856ad364e35_6.0.6001.18096_none_1f41d00b00caf426\PERFCO~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wwf-cperfcnt_31bf3856ad364e35_6.0.6001.22208_none_202ebe9c199dc84c\PERFCO~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wwf-cperfcnt_31bf3856ad364e35_6.0.6002.18005_none_218896a6fda92bef\PERFCO~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wwf-cwetargets_i_31bf3856ad364e35_6.0.6000.16708_none_9e7d8c92dbaad42f\WORKFL~1.TAR
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wwf-cwetargets_i_31bf3856ad364e35_6.0.6000.20864_none_9ec248adf4fcb643\WORKFL~1.TAR
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wwf-cwetargets_i_31bf3856ad364e35_6.0.6001.18096_none_a0007972d91c30c4\WORKFL~1.TAR
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16885_none_09320a57522f812d\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16926_none_0973ec0f51fdf005\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.20976_none_09c777586b441e5d\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.21083_none_09b97eb06b4f218b\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.21125_none_09fc60b26b1ca9ba\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18185_none_0b1847174f5614f7\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18289_none_0b1c4a254f52777a\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18330_none_0b49590d4f3204dd\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webevent_sqlprov_b03f5f7f11d50a3a_6.0.6001.22230_none_8c6994ca22dc1d10\INSTAL~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webevent_sqlprov_b03f5f7f11d50a3a_6.0.6001.22230_none_8c6994ca22dc1d10\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webmedtrust_config_b03f5f7f11d50a3a_6.0.6000.16720_none_2c88b9b71ca44e71\WEB_ME~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webmedtrust_config_b03f5f7f11d50a3a_6.0.6000.20883_none_15c0d05b36469364\WEB_ME~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webmedtrust_config_b03f5f7f11d50a3a_6.0.6001.18111_none_2c639e6d1cf65b12\WEB_ME~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webmedtrust_config_b03f5f7f11d50a3a_6.0.6001.22230_none_15980f09369bd425\WEB_ME~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_roles_b03f5f7f11d50a3a_6.0.6001.22230_none_5efce545badd1f03\MANAGE~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_roles_res_b03f5f7f11d50a3a_6.0.6000.16720_none_87d39b55197883e6\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_roles_res_b03f5f7f11d50a3a_6.0.6000.16720_none_87d39b55197883e6\MANAGE~2.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_roles_res_b03f5f7f11d50a3a_6.0.6000.20883_none_710bb1f9331ac8d9\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_roles_res_b03f5f7f11d50a3a_6.0.6000.20883_none_710bb1f9331ac8d9\MANAGE~2.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_roles_res_b03f5f7f11d50a3a_6.0.6001.18111_none_87ae800b19ca9087\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_roles_res_b03f5f7f11d50a3a_6.0.6001.18111_none_87ae800b19ca9087\MANAGE~2.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_roles_res_b03f5f7f11d50a3a_6.0.6001.22230_none_70e2f0a73370099a\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_roles_res_b03f5f7f11d50a3a_6.0.6001.22230_none_70e2f0a73370099a\MANAGE~2.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_security_b03f5f7f11d50a3a_6.0.6000.16720_none_62b207ce0c996d96\SETUPA~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_security_b03f5f7f11d50a3a_6.0.6000.20883_none_4bea1e72263bb289\SETUPA~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_security_b03f5f7f11d50a3a_6.0.6001.18111_none_628cec840ceb7a37\SETUPA~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_security_b03f5f7f11d50a3a_6.0.6001.22230_none_4bc15d202690f34a\SETUPA~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-vbc_exe_config_b03f5f7f11d50a3a_6.0.6001.22230_none_1bb1faae29679adf\VBCEXE~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_wizard_b03f5f7f11d50a3a_6.0.6000.16720_none_66f75d098c217f33\WIZARD~2.ASC
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_wizard_b03f5f7f11d50a3a_6.0.6000.16720_none_66f75d098c217f33\WIZARD~3.ASC
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_wizard_b03f5f7f11d50a3a_6.0.6000.16720_none_66f75d098c217f33\WIZARD~4.ASC
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_wizard_b03f5f7f11d50a3a_6.0.6000.16720_none_66f75d098c217f33\WI1344~1.ASC
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_wizard_b03f5f7f11d50a3a_6.0.6000.16720_none_66f75d098c217f33\WI5BF5~1.ASC
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_wizard_b03f5f7f11d50a3a_6.0.600

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1204 Status: Locked to the Windows API!

SSDT
-------------------
#: 280 Function Name: NtRestoreKey
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8a130880

==EOF==


Thanks,

ChuckLHead
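The GMER output above ends with a Processes section and a single SSDT entry, and almost everything before it is winsxs files that GMER could not read through the Windows API. As an added example (not part of ChuckLHead's post and not GMER's own code), here is a small parser for that text format: it splits the log into file, process and SSDT entries, counts how much of the file list is winsxs noise, and lists SSDT hooks whose driver the analyst has not already tied to an installed product. The sample log embedded in it is constructed from lines of the log above; the "Files" heading and the allowlist passed to review_ssdt_hooks are assumptions, not facts taken from the thread.

```python
import os
import re

# Constructed excerpt in GMER's text format, built from lines of the log posted
# above (two winsxs file entries, one process entry and the SSDT entry). The
# "Files" heading is assumed; the post shows only the tail of that section.
SAMPLE_GMER_LOG = r"""
Files
-------------------
Path: C:\Windows\winsxs\x86_wwf-cperfcnt_31bf3856ad364e35_6.0.6002.18005_none_218896a6fda92bef\PERFCO~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-xpthemes_manifest_b03f5f7f11d50a3a_6.0.6001.22230_none_07abd930c71fd0da\XPTHEM~1.MAN
Status: Locked to the Windows API!

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

SSDT
-------------------
#: 280 Function Name: NtRestoreKey
Status: Hooked by "C:\Windows\system32\DRIVERS\vsdatant.sys" at address 0x8a130880

==EOF==
"""

# Line shapes as they appear in the log above.
_UNDERLINE = re.compile(r"^-{5,}$")
_PATH = re.compile(r"^Path:\s*(.+?)\s*$")
_PID_STATUS = re.compile(r"^PID:\s*(\d+)\s+Status:\s*(.+?)\s*$")
_SSDT_ENTRY = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)\s*$")
_HOOKED_BY = re.compile(r'^Status:\s*Hooked by\s+"([^"]+)"\s+at address\s+(0x[0-9A-Fa-f]+)\s*$')

def parse_gmer(text):
    """Split a GMER text log into file, process and SSDT entries."""
    report = {"files": [], "processes": [], "ssdt": []}
    section = "files"
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line and _UNDERLINE.match(nxt):
            # A heading is a non-empty line followed by a dashed underline.
            head = line.lower()
            section = "processes" if head.startswith("process") else "ssdt" if head.startswith("ssdt") else "files"
            i += 2
            continue
        entry = _SSDT_ENTRY.match(line)
        if entry and section == "ssdt":
            hook = _HOOKED_BY.match(nxt)  # None when the entry is not reported as hooked
            report["ssdt"].append({
                "index": int(entry.group(1)),
                "function": entry.group(2),
                "driver": hook.group(1) if hook else None,
                "address": int(hook.group(2), 16) if hook else None,
                "status": nxt.split(":", 1)[-1].strip(),
            })
            i += 2
            continue
        path = _PATH.match(line)
        if path:
            pid = _PID_STATUS.match(nxt)
            if pid:
                report["processes"].append({"path": path.group(1), "pid": int(pid.group(1)), "status": pid.group(2)})
            else:
                report["files"].append({"path": path.group(1), "status": nxt.split(":", 1)[-1].strip()})
            i += 2
            continue
        i += 1  # blank line, ==EOF== or anything unrecognised
    return report

def summarize(report):
    """Counts an analyst wants first: how much of the file list is just winsxs."""
    files = report["files"]
    return {
        "files": len(files),
        "locked_files": sum(1 for f in files if f["status"].startswith("Locked")),
        "winsxs_files": sum(1 for f in files if "\\winsxs\\" in f["path"].lower()),
        "processes": len(report["processes"]),
        "ssdt_hooks": sum(1 for h in report["ssdt"] if h["driver"]),
    }

def review_ssdt_hooks(report, known_security_drivers):
    """Return SSDT hooks that still need a human look.

    known_security_drivers: lowercase driver file names the analyst has already
    tied to installed security products (an assumption supplied by the caller,
    not something the log establishes). A hook is flagged when its driver is
    not in that set or is loaded from outside \\system32\\drivers\\.
    """
    flagged = []
    for hook in report["ssdt"]:
        if not hook["driver"]:
            continue
        driver = hook["driver"].lower()
        name = os.path.basename(driver.replace("\\", "/"))
        if name not in known_security_drivers or "\\system32\\drivers\\" not in driver:
            flagged.append(hook)
    return flagged
```

Run against the sample, summarize() reports two winsxs files, one process and one SSDT hook; review_ssdt_hooks() with an empty allowlist returns the NtRestoreKey hook, and with {"vsdatant.sys"} (ZoneAlarm's driver on this machine, per the firewall listed in the DDS header) returns nothing, which is the triage outcome for the log above.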

#4 Blade
Site Admin

Posted 22 February 2010 - 02:11 PM

Hello ChuckLHead

First, as this computer does not have an antivirus installed on it currently, it would be wise to have this machine disconnected from the internet at all times other than when following instructions given. Please do not install an Antivirus on the machine yet! Some of the fixes we will be doing will require all antivirus software to be disabled anyway, and it will be much easier to just hold off on installing the AV until later. We will definitely take care of that before we're finished though.

***************************************************

Download ComboFix from any of the links below but rename it to renamed.exe before saving it to your desktop.


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double click on renamed.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade


In your next reply, please include the following:
ComboFix Log

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#5 ChuckLHead
Topic Starter

Posted 22 February 2010 - 06:46 PM

Blade,

I've tried shutting down ZoneAlarm but ComboFix still reports that ZoneAlarm AntiSpyware is running. I can't find a process for it in Task Manager.

Is it all right to proceed with ComboFix, or do you have a suggestion for getting ZA closed?

Thanks,

ChuckLHead

#6 Blade
Site Admin

Posted 22 February 2010 - 10:23 PM

Hi ChuckLHead.

Go ahead and proceed with ComboFix.

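The exchange above (ZoneAlarm shut down, no process visible in Task Manager, yet still reported as running) is worth a closer look. The SP:/FW: lines at the top of the DDS and ComboFix logs in this thread carry the displayName, enabled/outdated state and instanceGuid that Windows Security Center publishes through WMI; a product stays registered there whether or not its user-mode process is running, which is consistent with what ChuckLHead saw. The script below is an added example, not part of the thread and not ComboFix's or DDS's own code: it reads those registrations and prints them in the same shape as the log headers. It assumes Windows Vista or later (namespace root\SecurityCenter2, with the productState bit field); the root\SecurityCenter branch for XP-style boolean properties is included as an assumption as well.

```powershell
# Added example: list the security products registered with Windows Security
# Center, the source of the SP:/FW: header lines in the DDS and ComboFix logs.
# Assumes Vista or later (root\SecurityCenter2, productState bit field); the
# root\SecurityCenter branch covers XP-style classes with boolean properties.
$namespaces = @('root\SecurityCenter2', 'root\SecurityCenter')
$classes    = @('AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct')

foreach ($ns in $namespaces) {
    foreach ($class in $classes) {
        # Missing namespaces/classes are expected on some versions; skip them quietly.
        $products = Get-WmiObject -Namespace $ns -Class $class -ErrorAction SilentlyContinue
        foreach ($p in $products) {
            if ($p.productState -ne $null) {
                # productState: middle byte 0x10 = enabled, low byte 0x10 = definitions out of date.
                # Integer division is used instead of -shr so this also runs on PowerShell 1.0/2.0.
                $state    = [int]$p.productState
                $enabled  = (([math]::Floor($state / 256) -band 0xFF) -eq 0x10)
                $outdated = (($state -band 0xFF) -eq 0x10)
            } else {
                # XP-style classes carry booleans rather than a packed state.
                $enabled  = ([bool]$p.onAccessScanningEnabled -or [bool]$p.enabled)
                $outdated = (-not [bool]$p.productUptoDate)
            }
            $flags = if ($enabled)  { '*enabled*' } else { '*disabled*' }
            $age   = if ($outdated) { 'Outdated' }  else { 'Updated' }
            # Same layout as the log headers: "SP: Name *enabled* (Outdated) {GUID}"
            '{0} [{1}]: {2} {3} ({4}) {{{5}}}' -f $class, $ns, $p.displayName, $flags, $age, $p.instanceGuid
        }
    }
}
```

Run it before and after closing a product and the registration line persists; only its state flags change when the product itself updates them. That is why a "still running" report from a log-based tool should be read as "still registered as enabled", and why closing the tray application alone is not the same as the product being off.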


#7 ChuckLHead
Topic Starter

Posted 23 February 2010 - 08:52 PM

Blade,

Here is the log from ComboFix:

ComboFix 10-02-23.03 - Heather 02/23/2010 20:33:28.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1012.415 [GMT -5:00]
Running from: c:\users\Heather\Desktop\renamed.exe
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: ZoneAlarm Anti-Spyware *enabled* (Outdated) {F245A209-1085-48B4-B927-35D56015EC60}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-3965509881-1155817591-967737219-500
c:\program files\Fast Browser Search
c:\program files\Fast Browser Search\IE\about.html
c:\program files\Fast Browser Search\IE\affid.dat
c:\program files\Fast Browser Search\IE\basis.xml
c:\program files\Fast Browser Search\IE\ClearRecycleBin.exe
c:\program files\Fast Browser Search\IE\error.html
c:\program files\Fast Browser Search\IE\FastBrowserSearchProtection.exe
c:\program files\Fast Browser Search\IE\FBSPlugin.dll
c:\program files\Fast Browser Search\IE\fbsProtection.xml
c:\program files\Fast Browser Search\IE\FbsSearchProtectionUnInstall.exe
c:\program files\Fast Browser Search\IE\FBStoolbar.dll
c:\program files\Fast Browser Search\IE\icons.bmp
c:\program files\Fast Browser Search\IE\info.txt
c:\program files\Fast Browser Search\IE\local.xml
c:\program files\Fast Browser Search\IE\MTWBtoolbar.html
c:\program files\Fast Browser Search\IE\options.html
c:\program files\Fast Browser Search\IE\searchbutton1.gif
c:\program files\Fast Browser Search\IE\searchbutton2.gif
c:\program files\Fast Browser Search\IE\tbs_include_script_003175.js
c:\program files\Fast Browser Search\IE\tbs_include_script_005064.js
c:\program files\Fast Browser Search\IE\tbs_include_script_012817.js
c:\program files\Fast Browser Search\IE\Toolbar Help.htm
c:\program files\Fast Browser Search\IE\uninstall.exe
c:\program files\Fast Browser Search\IE\Unreg.dll
c:\program files\Fast Browser Search\IE\update.exe
c:\program files\Fast Browser Search\IE\version.txt
c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf

.
((((((((((((((((((((((((( Files Created from 2010-01-24 to 2010-02-24 )))))))))))))))))))))))))))))))
.

2010-02-24 01:40 . 2010-02-24 01:40 -------- d-----w- c:\users\Heather\AppData\Local\temp
2010-02-24 01:40 . 2010-02-24 01:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-20 04:01 . 2010-02-20 04:02 -------- d-----w- c:\programdata\WinZip
2010-02-20 03:44 . 2010-02-20 03:44 -------- d-----w- c:\windows\Sun
2010-02-20 01:20 . 2010-02-20 01:20 52224 ----a-w- c:\users\Heather\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-20 00:51 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-20 00:51 . 2010-02-20 00:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-20 00:51 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-19 03:05 . 2010-02-19 03:05 12 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\FS.sys
2010-02-19 02:07 . 2010-02-19 02:07 41 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\SICKBOY.dll
2010-02-19 01:34 . 2010-02-19 01:34 72 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.exe
2010-02-19 01:01 . 2010-02-19 01:01 48 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\exec.sys
2010-02-18 23:38 . 2010-02-18 23:38 79 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\PE.sys
2010-02-18 23:38 . 2010-02-18 23:38 48 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\snl2w.exe
2010-02-18 23:38 . 2010-02-18 23:38 43 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\CLSV.drv
2010-02-18 01:08 . 2010-02-18 01:08 80 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.dll
2010-02-18 01:08 . 2010-02-18 01:08 57 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\cid.drv
2010-02-18 01:08 . 2010-02-18 01:08 51 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\eb.drv
2010-02-18 01:08 . 2010-02-18 01:08 43 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\pal.dll
2010-02-18 01:08 . 2010-02-18 01:08 19 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\runddl.exe
2010-02-18 01:08 . 2010-02-18 01:08 66 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\tjd.exe
2010-02-18 01:08 . 2010-02-18 01:08 25 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\hymt.dll
2010-02-18 01:08 . 2010-02-18 01:08 15 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\PE.drv
2010-02-18 01:08 . 2010-02-18 01:08 49 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\DBOLE.sys
2010-02-18 01:08 . 2010-02-18 01:08 13 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\gid.drv
2010-02-18 01:08 . 2010-02-18 01:08 14 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\fan.sys
2010-02-18 01:08 . 2010-02-18 01:08 3 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\kernel32.drv
2010-02-18 01:07 . 2010-02-18 01:07 -------- d-sh--w- c:\programdata\SAMJVMV
2010-02-18 01:07 . 2009-06-24 23:15 395768 ----a-w- c:\programdata\e4d6741\sqlite3.dll
2010-02-18 01:07 . 2009-06-24 23:15 710136 ----a-w- c:\programdata\e4d6741\mozcrt19.dll
2010-02-18 01:07 . 2010-02-20 01:04 -------- d-sh--w- c:\programdata\e4d6741
2010-02-17 05:11 . 2010-02-17 05:11 -------- d-----w- c:\program files\Conduit
2010-02-17 05:11 . 2010-02-17 05:11 -------- d-----w- c:\program files\Zynga

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-22 23:41 . 2009-11-27 03:46 350192 ---ha-w- c:\windows\system32\drivers\vsconfig.xml
2010-02-20 03:39 . 2009-11-29 22:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-20 03:37 . 2010-02-20 03:37 1501184 ----a-w- c:\windows\Internet Logs\xDB6175.tmp
2010-02-20 01:20 . 2009-11-29 22:48 117760 ----a-w- c:\users\Heather\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-18 03:44 . 2010-02-19 03:28 1490944 ----a-w- c:\windows\Internet Logs\xDBCCE5.tmp
2010-02-18 01:15 . 2009-11-28 18:47 15638165 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-02-12 03:26 . 2008-11-25 16:34 4704 ----a-w- c:\users\Heather\AppData\Roaming\wklnhst.dat
2010-02-10 08:24 . 2010-02-10 08:25 1481728 ----a-w- c:\windows\Internet Logs\xDBA49C.tmp
2010-02-10 08:23 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-05 02:50 . 2010-02-05 02:50 1474560 ----a-w- c:\windows\Internet Logs\xDB5B5D.tmp
2010-02-04 02:00 . 2010-02-04 02:00 1473536 ----a-w- c:\windows\Internet Logs\xDB5DBE.tmp
2010-01-29 02:40 . 2010-01-30 04:05 1470976 ----a-w- c:\windows\Internet Logs\xDB5A83.tmp
2010-01-14 16:12 . 2009-10-03 08:56 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-14 04:29 . 2008-11-26 01:29 -------- d-----w- c:\users\Heather\AppData\Roaming\ArcSoft
2010-01-14 04:18 . 2010-01-14 04:21 1451520 ----a-w- c:\windows\Internet Logs\xDB6270.tmp
2010-01-14 01:52 . 2010-01-14 00:29 -------- d-----w- c:\programdata\NOS
2010-01-14 00:31 . 2009-02-03 01:41 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-14 00:29 . 2010-01-14 00:29 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2010-01-14 00:29 . 2010-01-14 00:29 -------- d-----w- c:\program files\NOS
2010-01-13 23:37 . 2010-01-13 23:38 1447424 ----a-w- c:\windows\Internet Logs\xDB5F74.tmp
2010-01-13 01:47 . 2010-01-13 01:50 1445888 ----a-w- c:\windows\Internet Logs\xDB9C62.tmp
2010-01-12 22:30 . 2010-01-12 22:31 1443840 ----a-w- c:\windows\Internet Logs\xDB5E80.tmp
2010-01-12 01:35 . 2010-01-12 01:36 1442816 ----a-w- c:\windows\Internet Logs\xDB5A82.tmp
2010-01-11 06:46 . 2010-01-11 06:47 1440256 ----a-w- c:\windows\Internet Logs\xDB74C8.tmp
2010-01-05 02:59 . 2010-01-05 03:00 1433600 ----a-w- c:\windows\Internet Logs\xDB7A79.tmp
2010-01-03 18:35 . 2010-01-03 18:36 1432064 ----a-w- c:\windows\Internet Logs\xDB6EAE.tmp
2010-01-02 06:02 . 2010-01-02 06:02 1428992 ----a-w- c:\windows\Internet Logs\xDB588F.tmp
2009-12-30 05:48 . 2009-12-30 05:49 1424384 ----a-w- c:\windows\Internet Logs\xDB5110.tmp
2009-12-28 12:35 . 2010-02-10 06:50 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-28 12:35 . 2010-02-10 06:50 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-28 12:32 . 2010-02-10 06:50 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-28 12:32 . 2010-02-10 06:50 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-28 12:32 . 2010-02-10 06:50 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-28 12:32 . 2010-02-10 06:50 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-28 12:31 . 2010-02-10 06:50 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-28 12:31 . 2010-02-10 06:50 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-28 12:28 . 2010-02-10 06:50 65024 ----a-w- c:\windows\system32\avicap32.dll
2009-12-28 12:28 . 2010-02-10 06:50 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-12-22 06:20 . 2009-12-22 06:20 1420288 ----a-w- c:\windows\Internet Logs\xDB7386.tmp
2009-12-21 06:36 . 2009-12-21 06:37 1420800 ----a-w- c:\windows\Internet Logs\xDB8320.tmp
2009-12-18 13:05 . 2010-01-24 00:28 833024 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 13:01 . 2010-01-24 00:28 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-18 10:14 . 2010-01-24 00:28 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-17 04:51 . 2009-12-17 04:51 1416704 ----a-w- c:\windows\Internet Logs\xDB608B.tmp
2009-12-17 02:44 . 2009-12-17 02:45 1416192 ----a-w- c:\windows\Internet Logs\xDB5C76.tmp
2009-12-14 00:10 . 2009-12-14 00:11 1412096 ----a-w- c:\windows\Internet Logs\xDB859A.tmp
2009-12-11 12:07 . 2010-02-10 06:50 301568 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-11 12:07 . 2010-02-10 06:50 98304 ----a-w- c:\windows\system32\drivers\srvnet.sys
2009-12-09 03:43 . 2009-12-09 03:44 1402368 ----a-w- c:\windows\Internet Logs\xDBC758.tmp
2009-12-08 20:52 . 2010-02-10 06:50 3597912 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 20:52 . 2010-02-10 06:50 3546200 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 20:37 . 2010-02-10 06:50 900696 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-12-08 20:36 . 2010-02-10 06:50 220248 ----a-w- c:\windows\system32\drivers\netio.sys
2009-12-08 20:36 . 2010-02-10 06:50 98392 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2009-12-08 19:57 . 2010-02-10 06:50 438272 ----a-w- c:\windows\system32\IKEEXT.DLL
2009-12-08 19:57 . 2010-02-10 06:50 595456 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2009-12-08 19:55 . 2010-02-10 06:50 328704 ----a-w- c:\windows\system32\BFE.DLL
2009-12-07 16:34 . 2009-12-08 01:11 1401344 ----a-w- c:\windows\Internet Logs\xDB5DBD.tmp
2009-12-07 03:54 . 2009-12-07 03:55 1400832 ----a-w- c:\windows\Internet Logs\xDB5F36.tmp
2009-12-07 01:44 . 2009-12-07 01:48 1400320 ----a-w- c:\windows\Internet Logs\xDB5DCD.tmp
2009-12-05 04:13 . 2009-12-05 04:13 1397248 ----a-w- c:\windows\Internet Logs\xDB5786.tmp
2009-12-04 19:21 . 2009-12-04 19:22 1396736 ----a-w- c:\windows\Internet Logs\xDB7D6D.tmp
2009-12-04 16:12 . 2010-02-10 06:50 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-12-04 16:12 . 2010-02-10 06:50 105472 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-12-03 22:48 . 2009-12-03 22:49 1396224 ----a-w- c:\windows\Internet Logs\xDB5F05.tmp
2009-12-03 04:06 . 2009-12-03 04:07 1395712 ----a-w- c:\windows\Internet Logs\xDB739E.tmp
2009-12-02 22:28 . 2009-12-02 22:29 1395200 ----a-w- c:\windows\Internet Logs\xDB5ED8.tmp
2009-11-30 16:13 . 2009-11-30 16:14 1391616 ----a-w- c:\windows\Internet Logs\xDB8156.tmp
2009-11-28 18:45 . 2009-11-28 18:47 1364992 ----a-w- c:\windows\Internet Logs\xDBBFD9.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-04 2349592]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
2010-02-04 16:59 2349592 ----a-w- c:\program files\Zynga\tbZyng.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-04 2349592]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-04 2349592]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-20 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-03 6266880]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-04-07 132760]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-25 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-25 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-25 133656]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-5-7 1273856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/23/2009 8:43 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 66632]
R3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\System32\drivers\netr73.sys [5/24/2009 6:36 AM 501248]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com
uLocal Page = \blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
IE: &Holidays Toolbar Search - c:\programdata\Holidays Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Search
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
FF - ProfilePath - c:\users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\beg49i1f.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZLxdm012YYUS&fl=0&ptb=MoN5ZLRE5bTa_hCblVPPbg&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&si=18159&searchfor=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npraclient.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\programdata\RealArcade\npraclient.dll
FF - plugin: c:\programdata\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-02-23 20:43:51
ComboFix-quarantined-files.txt 2010-02-24 01:43

Pre-Run: 210,737,516,544 bytes free
Post-Run: 210,923,421,696 bytes free

- - End Of File - - FBFFE7F6F6CC7668905EDC98256EC58B


Thanks,

ChuckLHead

#8 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:07:30 PM

Posted 24 February 2010 - 06:24 PM

Hello ChuckLHead

1. Open notepad and copy/paste the text in the codebox below into it:

CODE
Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=-

Firefox::
FF - ProfilePath - c:\users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\beg49i1f.default\
FF - prefs.js: keyword.URL -


Save this as CFScript.txt, in the same location as renamed.exe

2. Close any open browsers.

3. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.



Referring to the picture above, drag CFScript into renamed.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

~Blade


In your next reply, please include the following:
ComboFix Log

Edited by Blade Zephon, 24 February 2010 - 06:26 PM.


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#9 ChuckLHead

ChuckLHead
  • Topic Starter

  • Members
  • 119 posts
  • OFFLINE
  • Local time:07:30 PM

Posted 24 February 2010 - 08:34 PM

Blade,

Here is the new log from ComboFix:

ComboFix 10-02-23.03 - Heather 02/24/2010 20:20:51.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1012.507 [GMT -5:00]
Running from: c:\users\Heather\Desktop\renamed.exe
Command switches used :: c:\users\Heather\Desktop\CFScript.txt
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: ZoneAlarm Anti-Spyware *enabled* (Outdated) {F245A209-1085-48B4-B927-35D56015EC60}
.

((((((((((((((((((((((((( Files Created from 2010-01-25 to 2010-02-25 )))))))))))))))))))))))))))))))
.

2010-02-25 01:28 . 2010-02-25 01:28 -------- d-----w- c:\users\Heather\AppData\Local\temp
2010-02-25 01:28 . 2010-02-25 01:28 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-02-25 01:28 . 2010-02-25 01:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-25 01:18 . 2010-02-25 01:19 -------- d-----w- C:\32788R22FWJFW
2010-02-24 01:32 . 2010-02-24 01:45 -------- d-----w- C:\renamed
2010-02-20 04:01 . 2010-02-20 04:02 -------- d-----w- c:\programdata\WinZip
2010-02-20 03:44 . 2010-02-20 03:44 -------- d-----w- c:\windows\Sun
2010-02-20 01:20 . 2010-02-20 01:20 52224 ----a-w- c:\users\Heather\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-20 00:51 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-20 00:51 . 2010-02-20 00:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-20 00:51 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-19 03:05 . 2010-02-19 03:05 12 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\FS.sys
2010-02-19 02:07 . 2010-02-19 02:07 41 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\SICKBOY.dll
2010-02-19 01:34 . 2010-02-19 01:34 72 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.exe
2010-02-19 01:01 . 2010-02-19 01:01 48 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\exec.sys
2010-02-18 23:38 . 2010-02-18 23:38 79 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\PE.sys
2010-02-18 23:38 . 2010-02-18 23:38 48 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\snl2w.exe
2010-02-18 23:38 . 2010-02-18 23:38 43 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\CLSV.drv
2010-02-18 01:08 . 2010-02-18 01:08 80 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.dll
2010-02-18 01:08 . 2010-02-18 01:08 57 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\cid.drv
2010-02-18 01:08 . 2010-02-18 01:08 51 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\eb.drv
2010-02-18 01:08 . 2010-02-18 01:08 43 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\pal.dll
2010-02-18 01:08 . 2010-02-18 01:08 19 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\runddl.exe
2010-02-18 01:08 . 2010-02-18 01:08 66 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\tjd.exe
2010-02-18 01:08 . 2010-02-18 01:08 25 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\hymt.dll
2010-02-18 01:08 . 2010-02-18 01:08 15 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\PE.drv
2010-02-18 01:08 . 2010-02-18 01:08 49 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\DBOLE.sys
2010-02-18 01:08 . 2010-02-18 01:08 13 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\gid.drv
2010-02-18 01:08 . 2010-02-18 01:08 14 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\fan.sys
2010-02-18 01:08 . 2010-02-18 01:08 3 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\kernel32.drv
2010-02-18 01:07 . 2010-02-18 01:07 -------- d-sh--w- c:\programdata\SAMJVMV
2010-02-18 01:07 . 2009-06-24 23:15 395768 ----a-w- c:\programdata\e4d6741\sqlite3.dll
2010-02-18 01:07 . 2009-06-24 23:15 710136 ----a-w- c:\programdata\e4d6741\mozcrt19.dll
2010-02-18 01:07 . 2010-02-20 01:04 -------- d-sh--w- c:\programdata\e4d6741
2010-02-17 05:11 . 2010-02-17 05:11 -------- d-----w- c:\program files\Conduit
2010-02-17 05:11 . 2010-02-17 05:11 -------- d-----w- c:\program files\Zynga

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-24 13:18 . 2008-11-19 14:11 72760 ----a-w- c:\users\Heather\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 13:17 . 2009-11-27 03:46 350192 ---ha-w- c:\windows\system32\drivers\vsconfig.xml
2010-02-20 03:39 . 2009-11-29 22:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-20 03:37 . 2010-02-20 03:37 1501184 ----a-w- c:\windows\Internet Logs\xDB6175.tmp
2010-02-20 01:20 . 2009-11-29 22:48 117760 ----a-w- c:\users\Heather\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-18 03:44 . 2010-02-19 03:28 1490944 ----a-w- c:\windows\Internet Logs\xDBCCE5.tmp
2010-02-18 01:15 . 2009-11-28 18:47 15638165 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-02-12 03:26 . 2008-11-25 16:34 4704 ----a-w- c:\users\Heather\AppData\Roaming\wklnhst.dat
2010-02-10 08:24 . 2010-02-10 08:25 1481728 ----a-w- c:\windows\Internet Logs\xDBA49C.tmp
2010-02-10 08:23 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-05 02:50 . 2010-02-05 02:50 1474560 ----a-w- c:\windows\Internet Logs\xDB5B5D.tmp
2010-02-04 02:00 . 2010-02-04 02:00 1473536 ----a-w- c:\windows\Internet Logs\xDB5DBE.tmp
2010-01-29 02:40 . 2010-01-30 04:05 1470976 ----a-w- c:\windows\Internet Logs\xDB5A83.tmp
2010-01-14 16:12 . 2009-10-03 08:56 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-14 04:29 . 2008-11-26 01:29 -------- d-----w- c:\users\Heather\AppData\Roaming\ArcSoft
2010-01-14 04:18 . 2010-01-14 04:21 1451520 ----a-w- c:\windows\Internet Logs\xDB6270.tmp
2010-01-14 01:52 . 2010-01-14 00:29 -------- d-----w- c:\programdata\NOS
2010-01-14 00:31 . 2009-02-03 01:41 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-14 00:29 . 2010-01-14 00:29 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2010-01-14 00:29 . 2010-01-14 00:29 -------- d-----w- c:\program files\NOS
2010-01-13 23:37 . 2010-01-13 23:38 1447424 ----a-w- c:\windows\Internet Logs\xDB5F74.tmp
2010-01-13 01:47 . 2010-01-13 01:50 1445888 ----a-w- c:\windows\Internet Logs\xDB9C62.tmp
2010-01-12 22:30 . 2010-01-12 22:31 1443840 ----a-w- c:\windows\Internet Logs\xDB5E80.tmp
2010-01-12 01:35 . 2010-01-12 01:36 1442816 ----a-w- c:\windows\Internet Logs\xDB5A82.tmp
2010-01-11 06:46 . 2010-01-11 06:47 1440256 ----a-w- c:\windows\Internet Logs\xDB74C8.tmp
2010-01-05 02:59 . 2010-01-05 03:00 1433600 ----a-w- c:\windows\Internet Logs\xDB7A79.tmp
2010-01-03 18:35 . 2010-01-03 18:36 1432064 ----a-w- c:\windows\Internet Logs\xDB6EAE.tmp
2010-01-02 06:02 . 2010-01-02 06:02 1428992 ----a-w- c:\windows\Internet Logs\xDB588F.tmp
2009-12-30 05:48 . 2009-12-30 05:49 1424384 ----a-w- c:\windows\Internet Logs\xDB5110.tmp
2009-12-28 12:35 . 2010-02-10 06:50 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-28 12:35 . 2010-02-10 06:50 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-28 12:32 . 2010-02-10 06:50 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-28 12:32 . 2010-02-10 06:50 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-28 12:32 . 2010-02-10 06:50 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-28 12:32 . 2010-02-10 06:50 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-28 12:31 . 2010-02-10 06:50 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-28 12:31 . 2010-02-10 06:50 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-28 12:28 . 2010-02-10 06:50 65024 ----a-w- c:\windows\system32\avicap32.dll
2009-12-28 12:28 . 2010-02-10 06:50 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-12-22 06:20 . 2009-12-22 06:20 1420288 ----a-w- c:\windows\Internet Logs\xDB7386.tmp
2009-12-21 06:36 . 2009-12-21 06:37 1420800 ----a-w- c:\windows\Internet Logs\xDB8320.tmp
2009-12-18 13:05 . 2010-01-24 00:28 833024 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 13:01 . 2010-01-24 00:28 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-18 10:14 . 2010-01-24 00:28 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-17 04:51 . 2009-12-17 04:51 1416704 ----a-w- c:\windows\Internet Logs\xDB608B.tmp
2009-12-17 02:44 . 2009-12-17 02:45 1416192 ----a-w- c:\windows\Internet Logs\xDB5C76.tmp
2009-12-14 00:10 . 2009-12-14 00:11 1412096 ----a-w- c:\windows\Internet Logs\xDB859A.tmp
2009-12-11 12:07 . 2010-02-10 06:50 301568 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-11 12:07 . 2010-02-10 06:50 98304 ----a-w- c:\windows\system32\drivers\srvnet.sys
2009-12-09 03:43 . 2009-12-09 03:44 1402368 ----a-w- c:\windows\Internet Logs\xDBC758.tmp
2009-12-08 20:52 . 2010-02-10 06:50 3597912 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 20:52 . 2010-02-10 06:50 3546200 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 20:37 . 2010-02-10 06:50 900696 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-12-08 20:36 . 2010-02-10 06:50 220248 ----a-w- c:\windows\system32\drivers\netio.sys
2009-12-08 20:36 . 2010-02-10 06:50 98392 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2009-12-08 19:57 . 2010-02-10 06:50 438272 ----a-w- c:\windows\system32\IKEEXT.DLL
2009-12-08 19:57 . 2010-02-10 06:50 595456 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2009-12-08 19:55 . 2010-02-10 06:50 328704 ----a-w- c:\windows\system32\BFE.DLL
2009-12-07 16:34 . 2009-12-08 01:11 1401344 ----a-w- c:\windows\Internet Logs\xDB5DBD.tmp
2009-12-07 03:54 . 2009-12-07 03:55 1400832 ----a-w- c:\windows\Internet Logs\xDB5F36.tmp
2009-12-07 01:44 . 2009-12-07 01:48 1400320 ----a-w- c:\windows\Internet Logs\xDB5DCD.tmp
2009-12-05 04:13 . 2009-12-05 04:13 1397248 ----a-w- c:\windows\Internet Logs\xDB5786.tmp
2009-12-04 19:21 . 2009-12-04 19:22 1396736 ----a-w- c:\windows\Internet Logs\xDB7D6D.tmp
2009-12-04 16:12 . 2010-02-10 06:50 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-12-04 16:12 . 2010-02-10 06:50 105472 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-12-03 22:48 . 2009-12-03 22:49 1396224 ----a-w- c:\windows\Internet Logs\xDB5F05.tmp
2009-12-03 04:06 . 2009-12-03 04:07 1395712 ----a-w- c:\windows\Internet Logs\xDB739E.tmp
2009-12-02 22:28 . 2009-12-02 22:29 1395200 ----a-w- c:\windows\Internet Logs\xDB5ED8.tmp
2009-11-30 16:13 . 2009-11-30 16:14 1391616 ----a-w- c:\windows\Internet Logs\xDB8156.tmp
2009-11-28 18:45 . 2009-11-28 18:47 1364992 ----a-w- c:\windows\Internet Logs\xDBBFD9.tmp
.

((((((((((((((((((((((((((((( SnapShot@2010-02-24_01.40.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2010-02-24 13:19 51398 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2010-02-24 13:19 71480 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-11-19 14:00 . 2010-02-24 13:17 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-11-19 14:00 . 2010-02-24 01:29 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-11-19 14:00 . 2010-02-24 13:17 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-19 14:00 . 2010-02-24 01:29 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-19 14:00 . 2010-02-24 13:17 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-11-19 14:00 . 2010-02-24 01:29 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-11-19 14:49 . 2010-02-24 13:19 9494 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3965509881-1155817591-967737219-1000_UserData.bin
+ 2010-02-24 13:16 . 2010-02-24 13:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-02-22 23:41 . 2010-02-22 23:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-02-22 23:41 . 2010-02-22 23:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-02-24 13:16 . 2010-02-24 13:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-11-19 16:49 . 2010-02-24 13:15 230178 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
- 2006-11-02 10:33 . 2010-02-22 23:45 595446 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2010-02-24 13:23 595446 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-02-22 23:45 101144 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2010-02-24 13:23 101144 c:\windows\System32\perfc009.dat
+ 2006-11-02 12:47 . 2010-02-24 13:17 288272 c:\windows\System32\FNTCACHE.DAT
+ 2006-11-02 10:22 . 2010-02-24 13:21 6553600 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2006-11-02 10:22 . 2010-02-11 04:13 6553600 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2010-02-25 01:20 . 2010-02-25 01:20 6328320 c:\windows\ERDNT\Hiv-backup\SCHEMA.DAT
+ 2009-06-13 18:00 . 2010-02-24 13:23 229992285 c:\windows\winsxs\ManifestCache\6.0.6002.18005_001c11ba_blobs.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-04 2349592]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
2010-02-04 16:59 2349592 ----a-w- c:\program files\Zynga\tbZyng.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-04 2349592]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-04 2349592]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-20 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-03 6266880]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-04-07 132760]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-25 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-25 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-25 133656]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-5-7 1273856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/23/2009 8:43 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 66632]
R3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\System32\drivers\netr73.sys [5/24/2009 6:36 AM 501248]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com
uLocal Page = \blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
IE: &Holidays Toolbar Search - c:\programdata\Holidays Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Search
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
FF - ProfilePath - c:\users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\beg49i1f.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npraclient.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\programdata\RealArcade\npraclient.dll
FF - plugin: c:\programdata\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-24 20:28
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-02-24 20:31:26
ComboFix-quarantined-files.txt 2010-02-25 01:31
ComboFix2.txt 2010-02-24 01:43

Pre-Run: 209,655,099,392 bytes free
Post-Run: 209,617,719,296 bytes free

- - End Of File - - D874A04D140C66AEAD285212F0000E06


Thanks,

ChuckLHead

#10 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:07:30 PM

Posted 24 February 2010 - 08:39 PM

Hi ChuckLHead

One more script

1. Open notepad and copy/paste the text in the codebox below into it:

CODE
Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-


Save this as CFScript.txt, in the same location as renamed.exe

2. Close any open browsers.

3. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.



Referring to the picture above, drag CFScript into renamed.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

~Blade


In your next reply, please include the following:
ComboFix Log
How is the computer running now?


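As an added example (not Blade's script and not part of ComboFix), the following PowerShell audits the same Security Center\Monitoring keys that the two CFScripts above clear, and with -Remove deletes the DisableMonitoring values, which is what "DisableMonitoring"=- does in a CFScript. The registry path comes from the logs in this thread; the script itself, its parameter name and its messages are this editor's assumptions.

```powershell
# Added example, not from this thread or the ComboFix project.
# Rogue antivirus programs commonly set DisableMonitoring=1 under the Security Center
# "Monitoring" key (and vendor-named subkeys such as SymantecAntiVirus or ZoneLabsFirewall,
# as seen in the ComboFix logs above) so Windows stops warning that no real antivirus or
# firewall is active. This script lists every such value and, with -Remove, deletes it.
# Run from an elevated PowerShell prompt.
param(
    [switch]$Remove   # assumed switch name; without it the script only reports
)

$base = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring'

if (-not (Test-Path -Path $base)) {
    Write-Output "No Monitoring key present under Security Center - nothing to audit."
    return
}

# The parent key plus every subkey beneath it.
$keys = @(Get-Item -Path $base) + @(Get-ChildItem -Path $base -Recurse)

$findings = foreach ($key in $keys) {
    # -ErrorAction SilentlyContinue: keys without the value simply yield $null.
    $props = Get-ItemProperty -Path $key.PSPath -Name 'DisableMonitoring' -ErrorAction SilentlyContinue
    if ($null -ne $props) {
        [pscustomobject]@{
            Key               = $key.Name            # e.g. HKEY_LOCAL_MACHINE\SOFTWARE\...\Monitoring\ZoneLabsFirewall
            DisableMonitoring = $props.DisableMonitoring
            PSPath            = $key.PSPath
        }
    }
}

if (-not $findings) {
    Write-Output "No DisableMonitoring values found - Security Center monitoring is not suppressed."
    return
}

Write-Output "DisableMonitoring values present (1 = Security Center alerts suppressed):"
$findings | Select-Object Key, DisableMonitoring | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        Remove-ItemProperty -Path $f.PSPath -Name 'DisableMonitoring'
        Write-Output "Removed DisableMonitoring from $($f.Key)"
    }
    Write-Output "Re-open Security Center and confirm it now warns about the missing antivirus."
}
```

Values that come back after removal indicate the software that set them is still running, which is why the ComboFix log following each script is checked again.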

#11 ChuckLHead

ChuckLHead
  • Topic Starter

  • Members
  • 119 posts
  • OFFLINE
  • Local time:07:30 PM

Posted 25 February 2010 - 10:15 PM

Blade,

Here is the latest log from ComboFix:

ComboFix 10-02-25.02 - Heather 02/25/2010 21:53:05.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1012.419 [GMT -5:00]
Running from: c:\users\Heather\Desktop\renamed.exe
Command switches used :: c:\users\Heather\Desktop\CFScript.txt
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: ZoneAlarm Anti-Spyware *enabled* (Outdated) {F245A209-1085-48B4-B927-35D56015EC60}
.

((((((((((((((((((((((((( Files Created from 2010-01-26 to 2010-02-26 )))))))))))))))))))))))))))))))
.

2010-02-26 03:01 . 2010-02-26 03:01 -------- d-----w- c:\users\Heather\AppData\Local\temp
2010-02-26 03:01 . 2010-02-26 03:01 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-02-26 03:01 . 2010-02-26 03:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-26 02:51 . 2010-02-26 02:52 -------- d-----w- C:\32788R22FWJFW
2010-02-24 13:25 . 2010-01-23 09:44 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-24 13:25 . 2010-01-25 08:35 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-24 13:25 . 2010-01-25 08:34 511488 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-24 13:25 . 2010-01-25 12:48 472576 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-24 13:25 . 2010-01-25 12:48 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-24 13:25 . 2010-01-25 12:48 151040 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-24 13:25 . 2010-01-25 12:48 472064 ----a-w- c:\windows\system32\secproc.dll
2010-02-24 13:25 . 2010-01-25 12:45 329216 ----a-w- c:\windows\system32\msdrm.dll
2010-02-24 13:25 . 2010-01-25 08:35 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-24 13:25 . 2010-01-25 08:34 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-24 01:32 . 2010-02-24 01:45 -------- d-----w- C:\renamed
2010-02-20 04:01 . 2010-02-20 04:02 -------- d-----w- c:\programdata\WinZip
2010-02-20 03:44 . 2010-02-20 03:44 -------- d-----w- c:\windows\Sun
2010-02-20 01:20 . 2010-02-20 01:20 52224 ----a-w- c:\users\Heather\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-20 00:51 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-20 00:51 . 2010-02-20 00:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-20 00:51 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-19 03:05 . 2010-02-19 03:05 12 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\FS.sys
2010-02-19 02:07 . 2010-02-19 02:07 41 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\SICKBOY.dll
2010-02-19 01:34 . 2010-02-19 01:34 72 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.exe
2010-02-19 01:01 . 2010-02-19 01:01 48 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\exec.sys
2010-02-18 23:38 . 2010-02-18 23:38 79 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\PE.sys
2010-02-18 23:38 . 2010-02-18 23:38 48 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\snl2w.exe
2010-02-18 23:38 . 2010-02-18 23:38 43 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\CLSV.drv
2010-02-18 01:08 . 2010-02-18 01:08 80 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.dll
2010-02-18 01:08 . 2010-02-18 01:08 57 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\cid.drv
2010-02-18 01:08 . 2010-02-18 01:08 51 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\eb.drv
2010-02-18 01:08 . 2010-02-18 01:08 43 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\pal.dll
2010-02-18 01:08 . 2010-02-18 01:08 19 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\runddl.exe
2010-02-18 01:08 . 2010-02-18 01:08 66 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\tjd.exe
2010-02-18 01:08 . 2010-02-18 01:08 25 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\hymt.dll
2010-02-18 01:08 . 2010-02-18 01:08 15 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\PE.drv
2010-02-18 01:08 . 2010-02-18 01:08 49 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\DBOLE.sys
2010-02-18 01:08 . 2010-02-18 01:08 13 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\gid.drv
2010-02-18 01:08 . 2010-02-18 01:08 14 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\fan.sys
2010-02-18 01:08 . 2010-02-18 01:08 3 ----a-w- c:\users\Heather\AppData\Roaming\Microsoft\Windows\Recent\kernel32.drv
2010-02-18 01:07 . 2010-02-18 01:07 -------- d-sh--w- c:\programdata\SAMJVMV
2010-02-18 01:07 . 2009-06-24 23:15 395768 ----a-w- c:\programdata\e4d6741\sqlite3.dll
2010-02-18 01:07 . 2009-06-24 23:15 710136 ----a-w- c:\programdata\e4d6741\mozcrt19.dll
2010-02-18 01:07 . 2010-02-20 01:04 -------- d-sh--w- c:\programdata\e4d6741
2010-02-17 05:11 . 2010-02-17 05:11 -------- d-----w- c:\program files\Conduit
2010-02-17 05:11 . 2010-02-17 05:11 -------- d-----w- c:\program files\Zynga

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-25 01:36 . 2009-11-27 03:46 350192 ---ha-w- c:\windows\system32\drivers\vsconfig.xml
2010-02-24 13:18 . 2008-11-19 14:11 72760 ----a-w- c:\users\Heather\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-20 03:39 . 2009-11-29 22:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-20 03:37 . 2010-02-20 03:37 1501184 ----a-w- c:\windows\Internet Logs\xDB6175.tmp
2010-02-20 01:20 . 2009-11-29 22:48 117760 ----a-w- c:\users\Heather\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-18 03:44 . 2010-02-19 03:28 1490944 ----a-w- c:\windows\Internet Logs\xDBCCE5.tmp
2010-02-18 01:15 . 2009-11-28 18:47 15638165 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-02-12 03:26 . 2008-11-25 16:34 4704 ----a-w- c:\users\Heather\AppData\Roaming\wklnhst.dat
2010-02-10 08:24 . 2010-02-10 08:25 1481728 ----a-w- c:\windows\Internet Logs\xDBA49C.tmp
2010-02-10 08:23 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-05 02:50 . 2010-02-05 02:50 1474560 ----a-w- c:\windows\Internet Logs\xDB5B5D.tmp
2010-02-04 02:00 . 2010-02-04 02:00 1473536 ----a-w- c:\windows\Internet Logs\xDB5DBE.tmp
2010-01-29 02:40 . 2010-01-30 04:05 1470976 ----a-w- c:\windows\Internet Logs\xDB5A83.tmp
2010-01-14 16:12 . 2009-10-03 08:56 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-14 04:29 . 2008-11-26 01:29 -------- d-----w- c:\users\Heather\AppData\Roaming\ArcSoft
2010-01-14 04:18 . 2010-01-14 04:21 1451520 ----a-w- c:\windows\Internet Logs\xDB6270.tmp
2010-01-14 01:52 . 2010-01-14 00:29 -------- d-----w- c:\programdata\NOS
2010-01-14 00:31 . 2009-02-03 01:41 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-14 00:29 . 2010-01-14 00:29 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2010-01-14 00:29 . 2010-01-14 00:29 -------- d-----w- c:\program files\NOS
2010-01-13 23:37 . 2010-01-13 23:38 1447424 ----a-w- c:\windows\Internet Logs\xDB5F74.tmp
2010-01-13 01:47 . 2010-01-13 01:50 1445888 ----a-w- c:\windows\Internet Logs\xDB9C62.tmp
2010-01-12 22:30 . 2010-01-12 22:31 1443840 ----a-w- c:\windows\Internet Logs\xDB5E80.tmp
2010-01-12 01:35 . 2010-01-12 01:36 1442816 ----a-w- c:\windows\Internet Logs\xDB5A82.tmp
2010-01-11 06:46 . 2010-01-11 06:47 1440256 ----a-w- c:\windows\Internet Logs\xDB74C8.tmp
2010-01-05 02:59 . 2010-01-05 03:00 1433600 ----a-w- c:\windows\Internet Logs\xDB7A79.tmp
2010-01-03 18:35 . 2010-01-03 18:36 1432064 ----a-w- c:\windows\Internet Logs\xDB6EAE.tmp
2010-01-02 06:02 . 2010-01-02 06:02 1428992 ----a-w- c:\windows\Internet Logs\xDB588F.tmp
2009-12-30 05:48 . 2009-12-30 05:49 1424384 ----a-w- c:\windows\Internet Logs\xDB5110.tmp
2009-12-28 12:35 . 2010-02-10 06:50 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-28 12:35 . 2010-02-10 06:50 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-28 12:32 . 2010-02-10 06:50 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-28 12:32 . 2010-02-10 06:50 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-28 12:32 . 2010-02-10 06:50 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-28 12:32 . 2010-02-10 06:50 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-28 12:31 . 2010-02-10 06:50 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-28 12:31 . 2010-02-10 06:50 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-28 12:28 . 2010-02-10 06:50 65024 ----a-w- c:\windows\system32\avicap32.dll
2009-12-28 12:28 . 2010-02-10 06:50 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-12-22 06:20 . 2009-12-22 06:20 1420288 ----a-w- c:\windows\Internet Logs\xDB7386.tmp
2009-12-21 06:36 . 2009-12-21 06:37 1420800 ----a-w- c:\windows\Internet Logs\xDB8320.tmp
2009-12-18 13:05 . 2010-01-24 00:28 833024 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 13:01 . 2010-01-24 00:28 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-18 10:14 . 2010-01-24 00:28 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-17 04:51 . 2009-12-17 04:51 1416704 ----a-w- c:\windows\Internet Logs\xDB608B.tmp
2009-12-17 02:44 . 2009-12-17 02:45 1416192 ----a-w- c:\windows\Internet Logs\xDB5C76.tmp
2009-12-14 00:10 . 2009-12-14 00:11 1412096 ----a-w- c:\windows\Internet Logs\xDB859A.tmp
2009-12-11 12:07 . 2010-02-10 06:50 301568 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-11 12:07 . 2010-02-10 06:50 98304 ----a-w- c:\windows\system32\drivers\srvnet.sys
2009-12-09 03:43 . 2009-12-09 03:44 1402368 ----a-w- c:\windows\Internet Logs\xDBC758.tmp
2009-12-08 20:52 . 2010-02-10 06:50 3597912 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 20:52 . 2010-02-10 06:50 3546200 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 20:37 . 2010-02-10 06:50 900696 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-12-08 20:36 . 2010-02-10 06:50 220248 ----a-w- c:\windows\system32\drivers\netio.sys
2009-12-08 20:36 . 2010-02-10 06:50 98392 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2009-12-08 19:57 . 2010-02-10 06:50 438272 ----a-w- c:\windows\system32\IKEEXT.DLL
2009-12-08 19:57 . 2010-02-10 06:50 595456 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2009-12-08 19:55 . 2010-02-10 06:50 328704 ----a-w- c:\windows\system32\BFE.DLL
2009-12-07 16:34 . 2009-12-08 01:11 1401344 ----a-w- c:\windows\Internet Logs\xDB5DBD.tmp
2009-12-07 03:54 . 2009-12-07 03:55 1400832 ----a-w- c:\windows\Internet Logs\xDB5F36.tmp
2009-12-07 01:44 . 2009-12-07 01:48 1400320 ----a-w- c:\windows\Internet Logs\xDB5DCD.tmp
2009-12-05 04:13 . 2009-12-05 04:13 1397248 ----a-w- c:\windows\Internet Logs\xDB5786.tmp
2009-12-04 19:21 . 2009-12-04 19:22 1396736 ----a-w- c:\windows\Internet Logs\xDB7D6D.tmp
2009-12-04 16:12 . 2010-02-10 06:50 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-12-04 16:12 . 2010-02-10 06:50 105472 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-12-03 22:48 . 2009-12-03 22:49 1396224 ----a-w- c:\windows\Internet Logs\xDB5F05.tmp
2009-12-03 04:06 . 2009-12-03 04:07 1395712 ----a-w- c:\windows\Internet Logs\xDB739E.tmp
2009-12-02 22:28 . 2009-12-02 22:29 1395200 ----a-w- c:\windows\Internet Logs\xDB5ED8.tmp
2009-11-30 16:13 . 2009-11-30 16:14 1391616 ----a-w- c:\windows\Internet Logs\xDB8156.tmp
2009-11-28 18:45 . 2009-11-28 18:47 1364992 ----a-w- c:\windows\Internet Logs\xDBBFD9.tmp
.

((((((((((((((((((((((((((((( SnapShot@2010-02-24_01.40.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-24 13:25 . 2010-01-23 09:20 19456 c:\windows\winsxs\x86_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.0.6002.22320_none_17a1cecf1fe62f76\tzupd.exe
+ 2010-02-24 13:25 . 2010-01-23 09:26 19456 c:\windows\winsxs\x86_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.0.6002.18192_none_16ce813e06ff88ca\tzupd.exe
+ 2010-02-24 13:25 . 2010-01-23 09:43 19456 c:\windows\winsxs\x86_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.0.6001.22612_none_15c82d6722b5f10f\tzupd.exe
+ 2010-02-24 13:25 . 2010-01-23 09:44 19456 c:\windows\winsxs\x86_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.0.6001.18410_none_153c8e22099a2170\tzupd.exe
+ 2010-02-24 13:25 . 2010-01-23 09:39 19456 c:\windows\winsxs\x86_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.0.6000.21209_none_13f396ef25812ba9\tzupd.exe
+ 2010-02-24 13:25 . 2010-01-23 09:58 19456 c:\windows\winsxs\x86_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.0.6000.17007_none_1367f7aa0c655c0a\tzupd.exe
+ 2008-01-21 01:58 . 2010-02-24 13:19 51398 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2010-02-24 13:19 71480 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-11-19 14:00 . 2010-02-25 08:01 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-11-19 14:00 . 2010-02-24 01:29 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-11-19 14:00 . 2010-02-24 01:29 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-19 14:00 . 2010-02-25 08:01 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-19 14:00 . 2010-02-25 08:01 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-11-19 14:00 . 2010-02-24 01:29 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-02-24 13:25 . 2010-01-23 09:44 19456 c:\windows\servicing\GC32\tzupd.exe
+ 2010-02-24 13:25 . 2010-01-23 09:20 2048 c:\windows\winsxs\x86_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.0.6002.22320_none_17a1cecf1fe62f76\tzres.dll
+ 2010-02-24 13:25 . 2010-01-23 09:26 2048 c:\windows\winsxs\x86_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.0.6002.18192_none_16ce813e06ff88ca\tzres.dll
+ 2010-02-24 13:25 . 2010-01-23 09:43 2048 c:\windows\winsxs\x86_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.0.6001.22612_none_15c82d6722b5f10f\tzres.dll
+ 2010-02-24 13:25 . 2010-01-23 09:44 2048 c:\windows\winsxs\x86_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.0.6001.18410_none_153c8e22099a2170\tzres.dll
+ 2010-02-24 13:25 . 2010-01-23 07:54 2048 c:\windows\winsxs\x86_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.0.6000.21209_none_13f396ef25812ba9\tzres.dll
+ 2010-02-24 13:25 . 2010-01-23 08:05 2048 c:\windows\winsxs\x86_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.0.6000.17007_none_1367f7aa0c655c0a\tzres.dll
+ 2008-11-19 14:49 . 2010-02-24 13:19 9494 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3965509881-1155817591-967737219-1000_UserData.bin
+ 2010-02-24 13:16 . 2010-02-24 13:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-02-22 23:41 . 2010-02-22 23:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-02-22 23:41 . 2010-02-22 23:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-02-24 13:16 . 2010-02-24 13:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-02-24 13:25 . 2010-01-25 12:37 471552 c:\windows\winsxs\x86_microsoft-windows-s..sor-native-whitebox_31bf3856ad364e35_6.0.6002.22321_none_a350e80647cb55d4\secproc.dll
+ 2010-02-24 13:25 . 2010-01-25 08:28 518144 c:\windows\winsxs\x86_microsoft-windows-s..sor-native-whitebox_31bf3856ad364e35_6.0.6002.22321_none_a350e80647cb55d4\RMActivate.exe
+ 2010-02-24 13:25 . 2010-01-25 12:00 471552 c:\windows\winsxs\x86_microsoft-windows-s..sor-native-whitebox_31bf3856ad364e35_6.0.6002.18193_none_a27d9a752ee4af28\secproc.dll
+ 2010-02-24 13:25 . 2010-01-25 08:21 518144 c:\windows\winsxs\x86_microsoft-windows-s..sor-native-whitebox_31bf3856ad364e35_6.0.6002.18193_none_a27d9a752ee4af28\RMActivate.exe
+ 2010-02-24 13:25 . 2010-01-25 12:32 472576 c:\windows\winsxs\x86_microsoft-windows-s..sor-native-whitebox_31bf3856ad364e35_6.0.6001.22613_none_a177469e4a9b176d\secproc.dll
+ 2010-02-24 13:25 . 2010-01-25 08:34 518144 c:\windows\winsxs\x86_microsoft-windows-s..sor-native-whitebox_31bf3856ad364e35_6.0.6001.22613_none_a177469e4a9b176d\RMActivate.exe
+ 2010-02-24 13:25 . 2010-01-25 12:48 472064 c:\windows\winsxs\x86_microsoft-windows-s..sor-native-whitebox_31bf3856ad364e35_6.0.6001.18411_none_a0eba759317f47ce\secproc.dll
+ 2010-02-24 13:25 . 2010-01-25 08:34 511488 c:\windows\winsxs\x86_microsoft-windows-s..sor-native-whitebox_31bf3856ad364e35_6.0.6001.18411_none_a0eba759317f47ce\RMActivate.exe
+ 2010-02-24 13:25 . 2010-01-25 12:35 472576 c:\windows\winsxs\x86_microsoft-windows-s..sor-native-whitebox_31bf3856ad364e35_6.0.6000.21210_none_9f8ddd564d777092\secproc.dll
+ 2010-02-24 13:25 . 2010-01-25 08:27 515584 c:\windows\winsxs\x86_microsoft-windows-s..sor-native-whitebox_31bf3856ad364e35_6.0.6000.21210_none_9f8ddd564d777092\RMActivate.exe
+ 2010-02-24 13:25 . 2010-01-25 12:58 472576 c:\windows\winsxs\x86_microsoft-windows-s..sor-native-whitebox_31bf3856ad364e35_6.0.6000.17008_none_9f1710e1344a8268\secproc.dll
+ 2010-02-24 13:25 . 2010-01-25 08:36 515584 c:\windows\winsxs\x86_microsoft-windows-s..sor-native-whitebox_31bf3856ad364e35_6.0.6000.17008_none_9f1710e1344a8268\RMActivate.exe
+ 2010-02-24 13:25 . 2010-01-25 12:38 152576 c:\windows\winsxs\x86_microsoft-windows-s..or-native-serverbox_31bf3856ad364e35_6.0.6002.22321_none_721a38317a650774\secproc_ssp.dll
+ 2010-02-24 13:25 . 2010-01-25 08:28 347136 c:\windows\winsxs\x86_microsoft-windows-s..or-native-serverbox_31bf3856ad364e35_6.0.6002.22321_none_721a38317a650774\RMActivate_ssp.exe
+ 2010-02-24 13:25 . 2010-01-25 12:00 152064 c:\windows\winsxs\x86_microsoft-windows-s..or-native-serverbox_31bf3856ad364e35_6.0.6002.18193_none_7146eaa0617e60c8\secproc_ssp.dll
+ 2010-02-24 13:25 . 2010-01-25 08:21 347136 c:\windows\winsxs\x86_microsoft-windows-s..or-native-serverbox_31bf3856ad364e35_6.0.6002.18193_none_7146eaa0617e60c8\RMActivate_ssp.exe
+ 2010-02-24 13:25 . 2010-01-25 12:33 152576 c:\windows\winsxs\x86_microsoft-windows-s..or-native-serverbox_31bf3856ad364e35_6.0.6001.22613_none_704096c97d34c90d\secproc_ssp.dll
+ 2010-02-24 13:25 . 2010-01-25 08:34 347136 c:\windows\winsxs\x86_microsoft-windows-s..or-native-serverbox_31bf3856ad364e35_6.0.6001.22613_none_704096c97d34c90d\RMActivate_ssp.exe
+ 2010-02-24 13:25 . 2010-01-25 12:48 151040 c:\windows\winsxs\x86_microsoft-windows-s..or-native-serverbox_31bf3856ad364e35_6.0.6001.18411_none_6fb4f7846418f96e\secproc_ssp.dll
+ 2010-02-24 13:25 . 2010-01-25 08:34 347136 c:\windows\winsxs\x86_microsoft-windows-s..or-native-serverbox_31bf3856ad364e35_6.0.6001.18411_none_6fb4f7846418f96e\RMActivate_ssp.exe
+ 2010-02-24 13:25 . 2010-01-25 12:35 154112 c:\windows\winsxs\x86_microsoft-windows-s..or-native-serverbox_31bf3856ad364e35_6.0.6000.21210_none_6e572d8180112232\secproc_ssp.dll
+ 2010-02-24 13:25 . 2010-01-25 08:27 435712 c:\windows\winsxs\x86_microsoft-windows-s..or-native-serverbox_31bf3856ad364e35_6.0.6000.21210_none_6e572d8180112232\RMActivate_ssp.exe
+ 2010-02-24 13:25 . 2010-01-25 12:58 154112 c:\windows\winsxs\x86_microsoft-windows-s..or-native-serverbox_31bf3856ad364e35_6.0.6000.17008_none_6de0610c66e43408\secproc_ssp.dll
+ 2010-02-24 13:25 . 2010-01-25 08:36 435712 c:\windows\winsxs\x86_microsoft-windows-s..or-native-serverbox_31bf3856ad364e35_6.0.6000.17008_none_6de0610c66e43408\RMActivate_ssp.exe
+ 2010-02-24 13:25 . 2010-01-25 12:38 475648 c:\windows\winsxs\x86_microsoft-windows-s..native-whitebox-isv_31bf3856ad364e35_6.0.6002.22321_none_ebad56a205fcee15\secproc_isv.dll
+ 2010-02-24 13:25 . 2010-01-25 08:28 526336 c:\windows\winsxs\x86_microsoft-windows-s..native-whitebox-isv_31bf3856ad364e35_6.0.6002.22321_none_ebad56a205fcee15\RMActivate_isv.exe
+ 2010-02-24 13:25 . 2010-01-25 12:00 471552 c:\windows\winsxs\x86_microsoft-windows-s..native-whitebox-isv_31bf3856ad364e35_6.0.6002.18193_none_eada0910ed164769\secproc_isv.dll
+ 2010-02-24 13:25 . 2010-01-25 08:21 526336 c:\windows\winsxs\x86_microsoft-windows-s..native-whitebox-isv_31bf3856ad364e35_6.0.6002.18193_none_eada0910ed164769\RMActivate_isv.exe
+ 2010-02-24 13:25 . 2010-01-25 12:33 476672 c:\windows\winsxs\x86_microsoft-windows-s..native-whitebox-isv_31bf3856ad364e35_6.0.6001.22613_none_e9d3b53a08ccafae\secproc_isv.dll
+ 2010-02-24 13:25 . 2010-01-25 08:34 526336 c:\windows\winsxs\x86_microsoft-windows-s..native-whitebox-isv_31bf3856ad364e35_6.0.6001.22613_none_e9d3b53a08ccafae\RMActivate_isv.exe
+ 2010-02-24 13:25 . 2010-01-25 12:48 472576 c:\windows\winsxs\x86_microsoft-windows-s..native-whitebox-isv_31bf3856ad364e35_6.0.6001.18411_none_e94815f4efb0e00f\secproc_isv.dll
+ 2010-02-24 13:25 . 2010-01-25 08:35 523776 c:\windows\winsxs\x86_microsoft-windows-s..native-whitebox-isv_31bf3856ad364e35_6.0.6001.18411_none_e94815f4efb0e00f\RMActivate_isv.exe
+ 2010-02-24 13:25 . 2010-01-25 12:35 473088 c:\windows\winsxs\x86_microsoft-windows-s..native-whitebox-isv_31bf3856ad364e35_6.0.6000.21210_none_e7ea4bf20ba908d3\secproc_isv.dll
+ 2010-02-24 13:25 . 2010-01-25 08:28 523776 c:\windows\winsxs\x86_microsoft-windows-s..native-whitebox-isv_31bf3856ad364e35_6.0.6000.21210_none_e7ea4bf20ba908d3\RMActivate_isv.exe
+ 2010-02-24 13:25 . 2010-01-25 12:58 473088 c:\windows\winsxs\x86_microsoft-windows-s..native-whitebox-isv_31bf3856ad364e35_6.0.6000.17008_none_e7737f7cf27c1aa9\secproc_isv.dll
+ 2010-02-24 13:25 . 2010-01-25 08:35 523776 c:\windows\winsxs\x86_microsoft-windows-s..native-whitebox-isv_31bf3856ad364e35_6.0.6000.17008_none_e7737f7cf27c1aa9\RMActivate_isv.exe
+ 2010-02-24 13:25 . 2010-01-25 12:38 153088 c:\windows\winsxs\x86_microsoft-windows-s..ative-serverbox-isv_31bf3856ad364e35_6.0.6002.22321_none_f772482c14c2182f\secproc_ssp_isv.dll
+ 2010-02-24 13:25 . 2010-01-25 08:28 346624 c:\windows\winsxs\x86_microsoft-windows-s..ative-serverbox-isv_31bf3856ad364e35_6.0.6002.22321_none_f772482c14c2182f\RMActivate_ssp_isv.exe
+ 2010-02-24 13:25 . 2010-01-25 12:00 152576 c:\windows\winsxs\x86_microsoft-windows-s..ative-serverbox-isv_31bf3856ad364e35_6.0.6002.18193_none_f69efa9afbdb7183\secproc_ssp_isv.dll
+ 2010-02-24 13:25 . 2010-01-25 08:21 346624 c:\windows\winsxs\x86_microsoft-windows-s..ative-serverbox-isv_31bf3856ad364e35_6.0.6002.18193_none_f69efa9afbdb7183\RMActivate_ssp_isv.exe
+ 2010-02-24 13:25 . 2010-01-25 12:33 153088 c:\windows\winsxs\x86_microsoft-windows-s..ative-serverbox-isv_31bf3856ad364e35_6.0.6001.22613_none_f598a6c41791d9c8\secproc_ssp_isv.dll
+ 2010-02-24 13:25 . 2010-01-25 08:34 346624 c:\windows\winsxs\x86_microsoft-windows-s..ative-serverbox-isv_31bf3856ad364e35_6.0.6001.22613_none_f598a6c41791d9c8\RMActivate_ssp_isv.exe
+ 2010-02-24 13:25 . 2010-01-25 12:48 151040 c:\windows\winsxs\x86_microsoft-windows-s..ative-serverbox-isv_31bf3856ad364e35_6.0.6001.18411_none_f50d077efe760a29\secproc_ssp_isv.dll
+ 2010-02-24 13:25 . 2010-01-25 08:35 346624 c:\windows\winsxs\x86_microsoft-windows-s..ative-serverbox-isv_31bf3856ad364e35_6.0.6001.18411_none_f50d077efe760a29\RMActivate_ssp_isv.exe
+ 2010-02-24 13:25 . 2010-01-25 12:35 154624 c:\windows\winsxs\x86_microsoft-windows-s..ative-serverbox-isv_31bf3856ad364e35_6.0.6000.21210_none_f3af3d7c1a6e32ed\secproc_ssp_isv.dll
+ 2010-02-24 13:25 . 2010-01-25 08:28 431104 c:\windows\winsxs\x86_microsoft-windows-s..ative-serverbox-isv_31bf3856ad364e35_6.0.6000.21210_none_f3af3d7c1a6e32ed\RMActivate_ssp_isv.exe
+ 2010-02-24 13:25 . 2010-01-25 12:58 154624 c:\windows\winsxs\x86_microsoft-windows-s..ative-serverbox-isv_31bf3856ad364e35_6.0.6000.17008_none_f3387107014144c3\secproc_ssp_isv.dll
+ 2010-02-24 13:25 . 2010-01-25 08:36 431104 c:\windows\winsxs\x86_microsoft-windows-s..ative-serverbox-isv_31bf3856ad364e35_6.0.6000.17008_none_f3387107014144c3\RMActivate_ssp_isv.exe
+ 2010-02-24 13:25 . 2010-01-25 12:35 352768 c:\windows\winsxs\x86_microsoft-windows-r..ement-client-v1-api_31bf3856ad364e35_6.0.6002.22321_none_ea59157ba997c9d0\msdrm.dll
+ 2010-02-24 13:25 . 2010-01-25 11:58 332288 c:\windows\winsxs\x86_microsoft-windows-r..ement-client-v1-api_31bf3856ad364e35_6.0.6002.18193_none_e985c7ea90b12324\msdrm.dll
+ 2010-02-24 13:25 . 2010-01-25 12:31 336384 c:\windows\winsxs\x86_microsoft-windows-r..ement-client-v1-api_31bf3856ad364e35_6.0.6001.22613_none_e87f7413ac678b69\msdrm.dll
+ 2010-02-24 13:25 . 2010-01-25 12:45 329216 c:\windows\winsxs\x86_microsoft-windows-r..ement-client-v1-api_31bf3856ad364e35_6.0.6001.18411_none_e7f3d4ce934bbbca\msdrm.dll
+ 2010-02-24 13:25 . 2010-01-25 12:34 312832 c:\windows\winsxs\x86_microsoft-windows-r..ement-client-v1-api_31bf3856ad364e35_6.0.6000.21210_none_e6960acbaf43e48e\msdrm.dll
+ 2010-02-24 13:25 . 2010-01-25 12:56 312320 c:\windows\winsxs\x86_microsoft-windows-r..ement-client-v1-api_31bf3856ad364e35_6.0.6000.17008_none_e61f3e569616f664\msdrm.dll
+ 2008-11-19 16:49 . 2010-02-26 02:47 230540 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
+ 2006-11-02 10:33 . 2010-02-24 13:23 595446 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-02-22 23:45 595446 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2010-02-24 13:23 101144 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2010-02-22 23:45 101144 c:\windows\System32\perfc009.dat
+ 2006-11-02 12:47 . 2010-02-24 13:17 288272 c:\windows\System32\FNTCACHE.DAT
- 2006-11-02 10:22 . 2010-02-11 04:13 6553600 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2006-11-02 10:22 . 2010-02-25 08:01 6553600 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2010-02-25 01:20 . 2010-02-26 02:52 6328320 c:\windows\ERDNT\Hiv-backup\SCHEMA.DAT
+ 2009-06-13 18:00 . 2010-02-25 08:01 230003377 c:\windows\winsxs\ManifestCache\6.0.6002.18005_001c11ba_blobs.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-04 2349592]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
2010-02-04 16:59 2349592 ----a-w- c:\program files\Zynga\tbZyng.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-04 2349592]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-04 2349592]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-20 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-03 6266880]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-04-07 132760]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-25 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-25 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-25 133656]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-5-7 1273856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/23/2009 8:43 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 66632]
R3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\System32\drivers\netr73.sys [5/24/2009 6:36 AM 501248]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com
uLocal Page = \blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
IE: &Holidays Toolbar Search - c:\programdata\Holidays Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Search
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
FF - ProfilePath - c:\users\Heather\AppData\Roaming\Mozilla\Firefox\Profiles\beg49i1f.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npraclient.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\programdata\RealArcade\npraclient.dll
FF - plugin: c:\programdata\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-25 22:01
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-02-25 22:04:12
ComboFix-quarantined-files.txt 2010-02-26 03:04
ComboFix2.txt 2010-02-25 01:31
ComboFix3.txt 2010-02-24 01:43

Pre-Run: 207,597,191,168 bytes free
Post-Run: 206,827,700,224 bytes free

- - End Of File - - F9E302ADFF7E529F45B2E8890FCF1E7F


The computer seems to be running pretty well.

It's still displaying the warning (the icon is a red shield with a silver 'X' in it):

"Check you computer security. There are multiple security problems with your computer. Click this notification to fix these problems."

Should I assume that this is a legitimate warning from Windows? I've held off clicking on it so far.

Thanks,

ChuckLHead

#12 Blade (Site Admin, 12,704 posts)

Posted 26 February 2010 - 12:37 AM

Yes... this is a legitimate Windows warning. It is caused by you not having an antivirus installed. We will address that now.

You are missing one critical kind of program on your computer: An antivirus.
This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as possible and run a complete scan of the computer. Without an antivirus you will become infected on a regular basis.

Two good antivirus programs free for non-commercial home use are Avast! and Antivir.
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

Let me know if the warning is still there after installing and updating your antivirus of choice.

~Blade


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#13 ChuckLHead (Topic Starter, Members, 119 posts)

Posted 27 February 2010 - 07:04 AM

Hi Blade,

I installed, updated and ran AntiVir.

Whether it was coincidence or something more, the computer suffered a BSOD for a REFERENCE_BY_POINTER during the Antivir scan.

I've rebooted and will try scanning again.

A question about the system configuration: Currently, Windows Security Center, under the Malware Protection heading, shows that Antivir and Windows Defender are both turned on. I set WinDefender to never run, but is there more that I should do to ensure that only AntiVir is running? (I also removed Super AntiSpyware from this machine to make AntiVir the only antivirus product that is running.)

I shut off Windows Firewall and have ZoneAlarm running.

Thanks,

ChuckLHead

Edited by ChuckLHead, 27 February 2010 - 07:07 AM.


#14 Blade (Site Admin, 12,704 posts)

Posted 02 March 2010 - 01:13 PM

Hi ChuckLHead

Sorry for the delay.

It sounds like you've got it set up correctly. Just a little bit more to do here.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 18.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

***************************************************

Your Adobe Reader is out of date. Please uninstall it through Add/Remove Programs and download the latest version from Adobe: Download
Please untick all proposed toolbars unless you really want them.

***************************************************

Also, please generate a new DDS.txt and Attach.txt log using the DDS tool.

~Blade

In your next reply, please include the following:
DDS.txt
Attach.txt


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+
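As an added defender's check (not part of this thread or of Blade's instructions), the following Windows PowerShell script lists the Java entries that Add/Remove Programs knows about and flags any older than JRE 6 Update 18, so the manual "remove all older versions" step can be verified before and after the cleanup. It assumes Windows PowerShell 2.0 is available on the machine and that JRE 6 Update 18 registers its DisplayVersion as 6.0.180.

```powershell
# Added example, not from the thread: inventory Java Runtime Environment entries
# from the Add/Remove Programs registry data and flag any older than JRE 6 Update 18.
# Assumes Windows PowerShell 2.0 (New-Object -Property needs 2.0).

# Assumption: JRE 6 Update 18 registers DisplayVersion "6.0.180" (6.0.<update>0 pattern).
$RequiredVersion = [Version]'6.0.180'

# 32-bit Vista only has the first key; the Wow6432Node key exists on 64-bit Windows.
# A missing key is silently skipped.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-JavaInstall {
    # Return one object per Java entry with a Status of Current, Outdated or Unknown.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Java\(TM\)|J2SE|Java Runtime Environment' } |
        ForEach-Object {
            $status = 'Unknown'
            # DisplayVersion is a string such as "6.0.180" (JRE 6) or "1.5.0.220" (J2SE 5).
            # Only values that look like dotted versions are compared; anything else stays
            # Unknown instead of being guessed at.
            if ($_.DisplayVersion -match '^\d+(\.\d+){1,3}$') {
                $parsed = [Version]$_.DisplayVersion
                if ($parsed -lt $RequiredVersion) { $status = 'Outdated' } else { $status = 'Current' }
            }
            New-Object PSObject -Property @{
                Name            = $_.DisplayName
                Version         = $_.DisplayVersion
                Status          = $status
                UninstallString = $_.UninstallString
            }
        }
}

$installs = @(Get-JavaInstall)
if ($installs.Count -eq 0) {
    Write-Output 'No Java Runtime Environment entries found in Add/Remove Programs.'
} else {
    $installs | Sort-Object Status, Name | Format-Table Name, Version, Status -AutoSize
    $outdated = @($installs | Where-Object { $_.Status -eq 'Outdated' })
    if ($outdated.Count -gt 0) {
        Write-Output ("{0} outdated Java entries should be removed via Add/Remove Programs before installing JRE 6 Update 18." -f $outdated.Count)
    }
}
```

The UninstallString property is kept on each object so the entries that remain can be cross-checked against what the Java uninstaller actually removed.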


#15 ChuckLHead (Topic Starter, Members, 119 posts)

Posted 02 March 2010 - 09:35 PM

Blade,

I updated Java and Acrobat Reader.

I'm attaching the attach.txt file from DDS. Below is dds.txt:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Heather at 21:29:29.61 on Tue 03/02/2010
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_18
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1012.354 [GMT -5:00]

SP: ZoneAlarm Anti-Spyware *enabled* (Outdated) {F245A209-1085-48B4-B927-35D56015EC60}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\RtHDVCpl.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Windows\System32\mobsync.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Heather\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com
uLocal Page = \blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
uURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
mURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
BHO: Holidays Toolbar Loader: {8008a5bc-8bdc-41b2-88c8-5e8e0a6d64ad} - c:\program files\holidays toolbar\holidaystb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: Holidays Toolbar: {3dd02f89-4590-4dd7-b14c-e2444f7d9915} - c:\program files\holidays toolbar\holidaystb.dll
TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe" -delete
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish picture mover\SnapfishMediaDetector.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Holidays Toolbar Search - c:\programdata\holidays toolbar\ietoolbar\resources\en-us\local\search.html
IE: &Search
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo2.walgreens.com/WalgreensActivia.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
Hosts: 74.125.45.100 safebrowsing-cache.google.com
Hosts: 74.125.45.100 urs.microsoft.com
Hosts: 74.125.45.100 protected.maxisoftwaremart.com
Hosts: 88.198.198.206 google.com
Hosts: 88.198.198.206 google.com.au

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\users\heather\appdata\roaming\mozilla\firefox\profiles\beg49i1f.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - plugin: c:\programdata\realarcade\npraclient.dll
FF - plugin: c:\programdata\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-2-26 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-2-26 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-2-26 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-2-26 55656]
R3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr73.sys [2009-5-24 501248]

=============== Created Last 30 ================

2010-03-03 02:20:14 0 d-----w- c:\programdata\Sun
2010-03-03 02:19:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-27 21:15:13 0 d-----w- c:\users\heather\appdata\roaming\WinPatrol
2010-02-27 21:15:05 0 d-----w- c:\program files\BillP Studios
2010-02-27 21:14:25 0 d-----w- C:\home
2010-02-27 02:38:30 0 d-----w- c:\programdata\WindowsSearch
2010-02-27 01:17:19 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-02-27 01:17:15 0 d-----w- c:\programdata\Avira
2010-02-27 01:17:15 0 d-----w- c:\program files\Avira
2010-02-26 03:03:44 0 d-sh--w- C:\$RECYCLE.BIN
2010-02-24 13:25:41 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-24 13:25:22 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-24 13:25:22 511488 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-24 13:25:21 472576 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-24 13:25:21 472064 ----a-w- c:\windows\system32\secproc.dll
2010-02-24 13:25:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-24 13:25:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-24 13:25:21 329216 ----a-w- c:\windows\system32\msdrm.dll
2010-02-24 13:25:21 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-24 13:25:21 151040 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-24 01:32:33 0 d-----w- C:\renamed
2010-02-24 01:31:01 98816 ----a-w- c:\windows\sed.exe
2010-02-24 01:31:01 77312 ----a-w- c:\windows\MBR.exe
2010-02-24 01:31:01 261632 ----a-w- c:\windows\PEV.exe
2010-02-24 01:31:01 161792 ----a-w- c:\windows\SWREG.exe
2010-02-20 04:01:45 0 d-----w- c:\programdata\WinZip
2010-02-20 00:51:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-20 00:51:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-20 00:51:23 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-18 01:07:43 0 d-sh--w- c:\programdata\SAMJVMV
2010-02-18 01:07:05 0 d-sh--w- c:\programdata\e4d6741
2010-02-17 05:11:58 0 d-----w- c:\program files\Conduit
2010-02-17 05:11:57 0 d-----w- c:\program files\Zynga

==================== Find3M ====================

2010-03-03 02:24:12 350192 ---ha-w- c:\windows\system32\drivers\vsconfig.xml
2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 00:18:18 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-20 00:18:17 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-02-12 03:26:31 4704 ----a-w- c:\users\heather\appdata\roaming\wklnhst.dat
2009-12-28 12:35:50 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-28 12:35:00 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-28 12:32:34 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-28 12:32:32 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-28 12:32:32 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-28 12:32:25 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-28 12:31:22 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-28 12:31:01 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-28 12:28:43 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-12-28 12:28:43 65024 ----a-w- c:\windows\system32\avicap32.dll
2009-12-18 13:05:50 833024 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 13:01:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-18 10:14:30 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-08 20:52:17 3597912 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 20:52:16 3546200 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 19:57:51 438272 ----a-w- c:\windows\system32\IKEEXT.DLL
2009-12-08 19:57:29 595456 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2009-12-08 19:55:41 328704 ----a-w- c:\windows\system32\BFE.DLL
2009-11-27 03:47:47 86016 ----a-w- c:\windows\inf\infstor.dat
2008-11-19 14:45:11 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 21:30:51.20 ===============

Thanks,

ChuckLHead
