
Browser Redirector/ Suspicious IP's hitting firewall


  • This topic is locked
17 replies to this topic

#1 Chameleon Jim

Chameleon Jim

  • Members
  • 24 posts

Posted 16 April 2010 - 03:55 AM

Hello All,

I am having a bit of trouble with my PC (Win 7 Professional 32). I recently came in contact with a browser redirector (approx. April 9th 2010). I restored back to an old registry configuration and it seemed to go away.

However, shortly after that I began getting constant hits on my firewall from various IP's.

The IPs are as follows:

78.47.248.116
213.163.89.105
213.163.89.106

Any one of those three IPs will fire off every time I use Google or open the internet. I used netstat -ano to try to find out what process was causing them to launch, as peerblocker was recording the source as my computer and one of the above listed IPs as the destination.

The PID matched whatever browser I was using, whether it be IE, Opera or Firefox. The IPs would fire off from within the PID of each individual browser.

I have tried everything that I can think of with my current experience level. Below I will list what I have tried so far, as well as post the relevant logs.

My Protection:
ESET NOD 32 antivirus.
Spyware Doctor active protection.
Malwarebytes active protection.
Spybot S&D active protection.
SuperAntiSpyware active protection.
Peerblocker currently running blocks on 1,100,000,000+ IPs.

Scans and tools I have used:
TuneUp Utilities
Sophos Anti-Rootkit
CCleaner
Spybot Search and Destroy
SuperAntiSpyware
Trojan Remover
Ad-Aware
Malwarebytes scan
SpywareDoctor Scan
Eset Nod 32 Scan

All of the above listed are coming back with clean scans. I have run them all both in and out of safe mode. I have also checked my Hosts file and the only IPs listed are the Local Host and the list that was added by Spybot S&D.

Now, along with the IPs hitting my firewall every time I access the internet, the browser redirector has returned. Any time I click a link on Google it randomly jumps to another page. I am not sure what the pages are, as PeerBlock and my firewall block them before they can load, so it just says "unable to connect". I have no idea why the scans are all coming back clean.

I appreciate your time and your help.

Thanks in advance.


Here is my DDS log, Attach.txt and Ark.txt are attached to post as well.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Austin at 1:09:13.67 on Fri 04/16/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_15
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2814.1633 [GMT -7:00]

SP: Spyware Doctor *enabled* (Updated) {1C3EDD79-273E-46ac-99F8-EFA9E7CBC301}
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Smith Micro\StuffIt 2009\ArcNameService.exe
C:\Windows\system32\Wacom_Tablet.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\WTablet\Wacom_TabletUser.exe
C:\Windows\system32\Wacom_Tablet.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Windows\System32\CtHelper.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\taskhost.exe
C:\Users\Austin\Downloads\Defogger.exe
C:\Windows\system32\conhost.exe
C:\Users\Austin\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = local
uInternet Settings,ProxyServer = 127.0.0.1:8081
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: Veoh Video Compass: {52836eb0-631a-47b1-94a6-61f9d9112dae} - c:\program files\veoh networks\veoh video compass\SearchRecsPlugin.dll
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-US/wlscctrl2.cab
DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} - hxxps://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\austin\appdata\roaming\mozilla\firefox\profiles\zrs4kg80.default\
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2010-3-4 42376]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-15 64288]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2010-3-4 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2010-3-4 81288]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-4-9 731840]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2009-4-9 93312]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1228208]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-4-15 1153368]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-3-4 747912]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-3-4 948616]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-9-13 2789672]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2009-10-30 1021256]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-4-26 24652]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2009-3-4 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2009-3-4 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2009-3-4 566296]
R3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2009-12-3 16472]
R3 SaiH8000;SaiH8000;c:\windows\system32\drivers\SaiH8000.sys [2008-4-4 136832]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2009-3-4 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2010-3-1 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2009-3-4 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2009-3-4 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2009-3-4 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2009-3-4 566296]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\lavalys\everest ultimate edition\kerneld.wnt [2009-4-26 26224]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\DDC1.tmp [2010-4-16 6144]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-9-13 15656]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-6 1343400]

=============== Created Last 30 ================

2010-04-16 08:08:47 20 ----a-w- c:\users\austin\defogger_reenable
2010-04-16 07:14:32 6144 ------w- c:\windows\system32\DDC1.tmp
2010-04-16 07:12:43 6144 ------w- c:\windows\system32\313C.tmp
2010-04-16 05:28:27 699904 ----a-w- c:\windows\isRS-000.tmp
2010-04-16 04:37:36 0 d-----w- c:\program files\TrendMicro
2010-04-15 23:00:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-15 21:53:08 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-15 21:52:07 0 dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-15 21:51:39 0 d-----w- c:\program files\Lavasoft
2010-04-15 21:51:38 0 d-----w- c:\programdata\Lavasoft
2010-04-15 21:36:50 0 dc-h--w- c:\programdata\{83C91755-2546-441D-AC40-9A6B4B860800}
2010-04-15 21:24:38 0 d-----w- c:\program files\Safer Networking
2010-04-15 20:37:14 0 d-----w- c:\program files\MSXML 4.0
2010-04-15 20:30:44 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-15 20:30:42 132608 ----a-w- c:\windows\system32\cabview.dll
2010-04-14 23:43:49 0 d-----w- c:\users\austin\Office Genuine Advantage
2010-04-14 06:04:28 0 d-----w- c:\program files\Avanquest update
2010-04-14 06:04:27 0 d-----w- c:\programdata\BVRP Software
2010-04-14 06:03:53 0 d-----w- c:\program files\Avanquest
2010-04-14 05:00:32 0 d-sh--r- C:\_Backup.RC
2010-04-14 05:00:24 0 d--h--w- C:\_Backup
2010-04-14 04:57:36 0 d-----w- c:\users\austin\appdata\roaming\Avanquest
2010-04-14 04:57:36 0 d-----w- c:\programdata\Avanquest
2010-04-14 04:57:30 0 d-----w- c:\program files\common files\AntiVirus
2010-04-14 04:27:20 0 d-----w- c:\programdata\Office Genuine Advantage
2010-04-13 23:42:52 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-04-13 23:42:52 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-04-13 23:42:52 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-04-13 23:42:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-04-13 23:42:52 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-04-13 07:43:17 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-13 07:43:17 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-13 05:33:40 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-13 05:33:22 0 d-----w- c:\users\austin\appdata\roaming\SUPERAntiSpyware.com
2010-04-13 05:33:22 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-12 04:05:46 0 d-----w- c:\programdata\Sun
2010-04-11 20:30:24 0 d-----w- c:\users\austin\appdata\roaming\Simply Super Software
2010-04-11 20:30:24 0 d-----w- c:\programdata\Simply Super Software
2010-04-11 20:30:24 0 d-----w- c:\program files\Trojan Remover
2010-03-31 09:09:47 88 --sh--r- c:\programdata\D45C5AEB80.sys
2010-03-31 09:09:47 2516 --sha-w- c:\programdata\KGyGaAvL.sys
2010-03-30 19:27:33 977920 ----a-w- c:\windows\system32\wininet.dll
2010-03-27 07:06:18 0 d-----w- c:\program files\bitComposer Games
2010-03-21 19:06:04 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-03-21 19:06:04 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-03-21 19:06:04 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-03-21 19:06:04 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-03-19 05:55:57 0 d-sh--w- c:\programdata\SecuROM

==================== Find3M ====================

2010-04-13 23:46:27 710720 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-03-30 07:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-06 05:25:33 281760 ----a-w- c:\windows\system32\drivers\atksgt.sys
2010-03-06 05:25:32 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2010-03-01 22:55:17 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-03-01 15:45:57 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-02-28 01:50:14 21316 ----a-w- c:\windows\system32\emptyregdb.dat
2010-02-28 01:14:59 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2010-02-28 01:14:59 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2010-02-24 17:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-02 07:45:54 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-18 23:29:31 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-18 23:29:31 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-18 23:29:31 365568 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-18 23:29:30 369152 ----a-w- c:\windows\system32\secproc.dll
2010-01-18 23:28:33 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-18 23:28:33 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-18 23:28:30 320512 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-18 23:28:30 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 1:10:20.89 ===============

Attached Files

  • Attached File  ark.txt   294.47KB   2 downloads
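As an added example, not part of this thread or of any tool m0le names: a small Python script that does the PID-to-process correlation the OP did by hand with netstat -ano. It parses saved `netstat -ano` and `tasklist /fo csv /nh` output, flags connections whose foreign address is one of the three IPs listed in the post, and reports which process owns a loopback listener on 127.0.0.1:8081, the address the DDS log shows under ProxyServer. The netstat and tasklist samples, their PIDs and their process names are constructed for the example, not taken from the poster's machine.

```python
"""Correlate netstat -ano connections with the IPs from the post and the owning process."""
import csv
import io
import re

# The three destination IPs named in the opening post.
SUSPICIOUS_IPS = {"78.47.248.116", "213.163.89.105", "213.163.89.106"}

# Loopback proxy address from the DDS log line "uInternet Settings,ProxyServer = 127.0.0.1:8081".
PROXY_ENDPOINT = "127.0.0.1:8081"

# Constructed sample of `netstat -ano` output (PIDs and addresses are made up for the example).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:8081         0.0.0.0:0              LISTENING       1988
  TCP    192.168.1.10:49712     74.125.19.99:80        ESTABLISHED     3120
  TCP    192.168.1.10:49715     213.163.89.105:80      SYN_SENT        3120
  TCP    192.168.1.10:49718     78.47.248.116:443      ESTABLISHED     2750
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:3702           *:*                                    1320
"""

# Constructed sample of `tasklist /fo csv /nh` output, using the same made-up PIDs.
TASKLIST_SAMPLE = '''"firefox.exe","3120","Console","1","61,204 K"
"iexplore.exe","2750","Console","1","44,120 K"
"svchost.exe","1320","Services","0","9,004 K"
"sample_proxy.exe","1988","Console","1","1,200 K"
"System","4","Services","0","292 K"
'''

# One netstat row: proto, local, foreign, optional state (absent for UDP), PID.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return a list of connection dicts parsed from netstat -ano output."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto, local, foreign, state, pid = m.groups()
        conns.append({"proto": proto, "local": local, "foreign": foreign,
                      "state": state or "", "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """Return {pid: image name} from tasklist /fo csv /nh output."""
    names = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names


def ip_of(endpoint):
    """Strip the port from 'ip:port' (also handles '[v6addr]:port')."""
    return endpoint.rpartition(":")[0]


def find_suspicious(conns, names, bad_ips):
    """Connections whose foreign IP is in bad_ips, tagged with the owning process name."""
    return [(names.get(c["pid"], "<unknown>"), c["pid"], c["foreign"], c["state"])
            for c in conns if ip_of(c["foreign"]) in bad_ips]


def find_listener(conns, names, local_endpoint):
    """(process, pid) of the TCP listener bound to local_endpoint, or None if nothing listens there."""
    for c in conns:
        if c["proto"] == "TCP" and c["state"] == "LISTENING" and c["local"] == local_endpoint:
            return names.get(c["pid"], "<unknown>"), c["pid"]
    return None


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_SAMPLE)
    names = parse_tasklist(TASKLIST_SAMPLE)
    for proc, pid, foreign, state in find_suspicious(conns, names, SUSPICIOUS_IPS):
        print(f"{proc} (PID {pid}) -> {foreign} [{state}]")
    print("listener on", PROXY_ENDPOINT, "->", find_listener(conns, names, PROXY_ENDPOINT))
```

On a live machine, redirect `netstat -ano` and `tasklist /fo csv /nh` to files and pass their contents to the two parsers in place of the samples; the browser PIDs showing up here are what the OP saw, and the listener check tells you which process is behind the configured local proxy.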



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 19 April 2010 - 07:47 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 Chameleon Jim

Chameleon Jim
  • Topic Starter

  • Members
  • 24 posts

Posted 19 April 2010 - 08:20 PM

I am here. Isolated a virus with ESET since I posted the logs and stuff.

ESET found this, but was unable to remove it.

Unable to isolate with other programs.

C:\Windows\System32\drivers\ndis.sys - Win32/Olmarik.XG trojan - error while cleaning

C:\Windows\winsxs\x86_microsoft-windows-ndis_31bf3856ad364e35_6.1.7600.16385_none_a79d81ea7d62a289\ndis.sys - Win32/Olmarik.XG trojan - error while cleaning

Also, I noticed I did not attach the attach.txt

It has been a while since I did those so just let me know what you need me to do, I am ready to go.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 20 April 2010 - 12:53 PM

Olmarik is a nasty trojan with rogue antivirus properties.

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Then

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • Please post the resulting log in your next reply.

Finally run Combofix

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#5 Chameleon Jim

Chameleon Jim
  • Topic Starter

  • Members
  • 24 posts

Posted 20 April 2010 - 04:02 PM

Okay, I turned off my virtual drive with Defogger, disconnected from the internet, turned off all of my system protection software and ran the programs.

Here are the results.



exeHelper by Raktor
Build 20100414
Run at 13:23:26 on 04/20/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Austin on 04/20/2010 at 13:24:48.


Processes terminated by Rkill or while it was running:


C:\Users\Austin\Desktop\rkill.pif


Rkill completed on 04/20/2010 at 13:24:53.

And the COMBOFIX log

ComboFix 10-04-19.08 - Austin 04/20/2010 13:38:52.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2814.1826 [GMT -7:00]
Running from: c:\users\Austin\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Spyware Doctor *disabled* (Updated) {1C3EDD79-273E-46ac-99F8-EFA9E7CBC301}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-03-20 to 2010-04-20 )))))))))))))))))))))))))))))))
.

2010-04-20 20:44 . 2010-04-20 20:44 -------- d-----w- c:\users\Austin\AppData\Local\temp
2010-04-20 20:44 . 2010-04-20 20:44 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-20 20:44 . 2010-04-20 20:44 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-04-20 20:44 . 2010-04-20 20:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-19 07:52 . 2010-04-19 07:52 -------- d-----w- c:\users\Austin\AppData\Local\AOL OCP
2010-04-19 07:52 . 2010-04-19 07:52 -------- d-----w- c:\users\Austin\AppData\Local\AOL
2010-04-18 21:15 . 2010-04-18 21:15 -------- d-----w- c:\program files\Enigma Software Group
2010-04-18 21:00 . 2010-04-18 21:08 -------- d-----w- c:\windows\61D3AAE1D5214CD7939B37813DE8F955.TMP
2010-04-16 20:43 . 2010-02-27 12:07 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-16 20:43 . 2010-02-27 12:07 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-16 20:43 . 2010-03-08 21:33 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-16 20:42 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-16 20:42 . 2010-02-27 07:32 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-16 20:42 . 2010-02-27 07:32 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-16 07:15 . 2010-04-19 07:28 -------- d-----w- c:\users\Austin\AppData\Local\Adobe
2010-04-16 05:28 . 2010-04-16 05:28 5918776 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-16 04:37 . 2010-04-16 04:37 388096 ----a-r- c:\users\Austin\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-16 04:37 . 2010-04-16 04:37 -------- d-----w- c:\program files\TrendMicro
2010-04-15 21:53 . 2010-04-20 02:25 -------- dc----w- c:\windows\system32\DRVSTORE
2010-04-15 21:51 . 2010-04-20 02:25 -------- d-----w- c:\programdata\Lavasoft
2010-04-15 21:36 . 2010-04-15 21:36 -------- dc-h--w- c:\programdata\{83C91755-2546-441D-AC40-9A6B4B860800}
2010-04-15 21:24 . 2010-04-15 21:24 -------- d-----w- c:\program files\Safer Networking
2010-04-15 20:37 . 2010-04-15 20:37 -------- d-----w- c:\program files\MSXML 4.0
2010-04-15 20:30 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-15 20:30 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2010-04-14 23:43 . 2010-04-14 23:43 -------- d-----w- c:\users\Austin\Office Genuine Advantage
2010-04-14 06:04 . 2010-04-14 06:04 -------- d-----w- c:\program files\Avanquest update
2010-04-14 06:04 . 2010-04-14 06:04 -------- d-----w- c:\programdata\BVRP Software
2010-04-14 06:03 . 2010-04-14 06:03 -------- d-----w- c:\program files\Avanquest
2010-04-14 05:00 . 2010-04-14 05:00 -------- d-----r- C:\_Backup.RC
2010-04-14 05:00 . 2010-04-15 02:16 -------- d-----w- C:\_Backup
2010-04-14 04:57 . 2010-04-14 05:26 -------- d-----w- c:\programdata\Avanquest
2010-04-14 04:57 . 2010-04-14 05:05 -------- d-----w- c:\users\Austin\AppData\Roaming\Avanquest
2010-04-14 04:57 . 2010-04-15 21:40 -------- d-----w- c:\program files\Common Files\AntiVirus
2010-04-14 04:27 . 2010-04-14 04:27 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-04-14 04:22 . 2010-04-14 04:24 -------- d-----w- c:\program files\Windows Live Safety Center
2010-04-13 22:42 . 2010-04-13 22:42 52224 ----a-w- c:\users\Austin\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-13 22:42 . 2010-04-13 22:47 117760 ----a-w- c:\users\Austin\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-13 07:43 . 2010-04-18 21:39 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-04-13 07:43 . 2010-04-15 20:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-13 05:33 . 2010-04-13 05:33 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-04-13 05:33 . 2010-04-13 22:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-13 05:33 . 2010-04-13 05:33 -------- d-----w- c:\users\Austin\AppData\Roaming\SUPERAntiSpyware.com
2010-04-12 04:05 . 2010-04-12 04:05 -------- d-----w- c:\program files\Common Files\Java
2010-03-31 09:09 . 2010-03-31 09:10 88 --sh--r- c:\programdata\D45C5AEB80.sys
2010-03-31 09:09 . 2010-03-31 09:10 2516 --sha-w- c:\programdata\KGyGaAvL.sys
2010-03-30 19:27 . 2010-02-23 07:56 977920 ----a-w- c:\windows\system32\wininet.dll
2010-03-27 07:06 . 2010-03-27 07:06 -------- d-----w- c:\program files\bitComposer Games
2010-03-24 08:04 . 2010-03-24 18:17 952768 ----a-w- c:\programdata\Adobe\Reader\9.2\ARM\ARM Update\AdobeARM.exe
2010-03-24 08:04 . 2010-03-24 18:17 70584 ----a-w- c:\programdata\Adobe\Reader\9.2\ARM\ARM Update\AdobeExtractFiles.dll
2010-03-24 08:04 . 2010-03-24 18:17 326056 ----a-w- c:\programdata\Adobe\Reader\9.2\ARM\ARM Update\ReaderUpdater.exe
2010-03-24 08:04 . 2010-03-24 18:17 326056 ----a-w- c:\programdata\Adobe\Reader\9.2\ARM\ARM Update\AcrobatUpdater.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-20 20:30 . 2009-09-13 20:00 -------- d-----w- c:\users\Austin\AppData\Roaming\WTablet
2010-04-20 16:49 . 2009-12-04 04:49 -------- d-----w- c:\program files\PeerBlock
2010-04-18 22:05 . 2009-07-13 23:12 710720 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-04-18 21:13 . 2010-03-07 02:07 -------- d-----w- c:\users\Austin\AppData\Roaming\uTorrent
2010-04-18 21:00 . 2009-04-26 00:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-18 20:01 . 2010-03-04 20:34 -------- d-----w- c:\program files\Spyware Doctor
2010-04-18 18:32 . 2009-04-26 07:11 -------- d-----w- c:\program files\Steam
2010-04-18 08:56 . 2009-05-04 06:15 -------- d-----w- c:\programdata\Microsoft Help
2010-04-16 06:58 . 2010-03-06 01:08 -------- d-----w- c:\users\Austin\AppData\Roaming\InstallShield Installation Information
2010-04-16 06:54 . 2009-06-06 08:09 -------- d-----w- c:\program files\Common Files\BioWare
2010-04-16 06:53 . 2009-04-26 02:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-16 05:34 . 2010-03-04 20:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-15 02:17 . 2010-03-01 15:46 109264 ----a-w- c:\users\Austin\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-13 08:46 . 2009-05-15 02:35 -------- d-----w- c:\users\Austin\AppData\Roaming\vlc
2010-04-13 08:46 . 2010-02-28 01:17 -------- d-----w- c:\programdata\NVIDIA
2010-04-13 08:46 . 2009-05-08 20:30 -------- d-----w- c:\programdata\FLEXnet
2010-04-13 08:46 . 2009-05-25 00:55 -------- d-----w- c:\program files\Java
2010-03-30 07:46 . 2010-03-04 20:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2010-03-04 20:36 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-21 19:09 . 2010-02-28 01:16 -------- d-----w- c:\program files\NVIDIA Corporation
2010-03-19 05:55 . 2010-03-19 05:55 -------- d-sh--w- c:\programdata\SecuROM
2010-03-13 06:26 . 2010-03-13 06:26 -------- d-----w- c:\program files\uTorrent
2010-03-07 04:00 . 2010-03-07 03:49 -------- d-----w- c:\program files\BitComet
2010-03-07 04:00 . 2010-03-07 03:50 -------- d-----w- c:\users\Austin\AppData\Roaming\BitComet
2010-03-07 03:45 . 2010-03-07 03:44 -------- d-----w- c:\users\Austin\AppData\Roaming\deluge
2010-03-06 05:25 . 2010-03-06 05:25 281760 ----a-w- c:\windows\system32\drivers\atksgt.sys
2010-03-06 05:25 . 2010-03-06 05:25 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2010-03-05 21:30 . 2010-03-05 21:30 -------- d-----w- c:\program files\MediaMonkey
2010-03-04 21:06 . 2010-03-04 21:01 -------- d-----w- c:\program files\TuneUp Utilities 2010
2010-03-04 21:01 . 2009-09-10 02:45 -------- d-----w- c:\programdata\TuneUp Software
2010-03-04 21:01 . 2010-03-04 21:01 -------- d-sh--w- c:\programdata\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2010-03-04 20:53 . 2010-03-04 20:53 -------- d-----w- c:\program files\Defraggler
2010-03-04 20:52 . 2010-02-04 01:21 -------- d-----w- c:\program files\CCleaner
2010-03-04 20:50 . 2009-05-09 22:58 -------- d-----w- c:\programdata\Yahoo!
2010-03-04 20:47 . 2009-09-10 02:45 -------- d-----w- c:\program files\TuneUp Utilities 2009
2010-03-04 20:36 . 2010-03-04 20:36 -------- d-----w- c:\users\Austin\AppData\Roaming\Malwarebytes
2010-03-04 20:36 . 2010-03-04 20:36 -------- d-----w- c:\programdata\Malwarebytes
2010-03-04 20:34 . 2010-03-04 20:34 -------- d-----w- c:\users\Austin\AppData\Roaming\PC Tools
2010-03-03 06:13 . 2010-03-03 06:13 -------- d-----w- c:\program files\AutoHotkey
2010-03-01 23:04 . 2010-03-01 23:04 -------- d-----w- c:\program files\Elaborate Bytes
2010-03-01 22:55 . 2009-05-04 05:56 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-03-01 15:47 . 2010-03-01 15:47 -------- d-----w- c:\program files\Common Files\Creative Labs Shared
2010-03-01 15:46 . 2009-04-26 02:53 -------- d-----w- c:\program files\Creative
2010-03-01 15:45 . 2010-03-01 15:45 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-02-28 01:50 . 2010-02-28 01:50 21316 ----a-w- c:\windows\system32\emptyregdb.dat
2010-02-28 01:38 . 2009-07-07 04:53 -------- d-----w- c:\users\Austin\AppData\Roaming\Corel
2010-02-28 01:38 . 2009-07-07 07:11 -------- d-----w- c:\users\Austin\AppData\Roaming\ACD Systems
2010-02-28 01:38 . 2009-04-26 07:19 -------- d-----w- c:\users\Austin\AppData\Roaming\acccore
2010-02-28 01:38 . 2009-09-27 19:06 -------- d-----w- c:\users\Guest\AppData\Roaming\WTablet
2010-02-28 01:26 . 2009-09-10 14:28 -------- d-----w- c:\program files\Smith Micro
2010-02-28 01:26 . 2009-04-26 19:43 -------- d-----w- c:\program files\RivaTuner v2.24
2010-02-28 01:26 . 2009-12-13 00:03 -------- d-----w- c:\program files\Ratio Faker
2010-02-28 01:26 . 2009-04-29 03:13 -------- d-----w- c:\program files\QuickTime
2010-02-28 01:26 . 2010-02-10 06:04 -------- d-----w- c:\program files\Pcsx2
2010-02-28 01:26 . 2010-02-28 01:14 -------- d-----w- c:\program files\OpenAL
2010-02-28 01:26 . 2009-11-29 23:59 -------- d-----w- c:\program files\PCPitstop
2010-02-28 01:26 . 2009-11-25 03:42 -------- d-----w- c:\program files\NTCore
2010-02-28 01:26 . 2009-07-14 04:52 -------- d-----w- c:\program files\MSBuild
2010-02-28 01:26 . 2009-06-04 00:04 -------- d-----w- c:\program files\Mnemosyne
2010-02-28 01:26 . 2009-05-04 06:17 -------- d-----w- c:\program files\Microsoft.NET
2010-02-28 01:25 . 2010-02-01 17:18 -------- d-----w- c:\program files\Microsoft Web Designer Tools
2010-02-28 01:25 . 2009-05-04 06:18 -------- d-----w- c:\program files\Microsoft Works
2010-02-28 01:25 . 2010-02-01 17:20 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2010-02-28 01:24 . 2010-02-01 17:32 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-02-28 01:24 . 2009-05-04 06:16 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-02-28 01:24 . 2010-02-01 17:32 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-02-28 01:24 . 2010-02-01 17:34 -------- d-----w- c:\program files\Microsoft SQL Server
2010-02-28 01:24 . 2009-10-11 05:27 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-28 01:23 . 2010-02-01 17:20 -------- d-----w- c:\program files\Microsoft SDKs
2010-02-28 01:23 . 2009-06-23 23:58 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-02-28 01:23 . 2009-07-14 04:52 -------- d-----w- c:\program files\Microsoft Games
2010-02-28 01:23 . 2010-02-01 17:34 -------- d-----w- c:\program files\Microsoft Device Emulator
2010-02-28 01:23 . 2009-04-26 19:33 -------- d-----w- c:\program files\Lavalys
2010-02-28 01:22 . 2010-02-01 17:20 -------- d-----w- c:\program files\HTML Help Workshop
2010-02-28 01:22 . 2009-05-07 21:11 -------- d-----w- c:\program files\Google
2010-02-28 01:22 . 2009-11-30 06:05 -------- d-----w- c:\program files\Driver Cleaner PE
2010-02-28 01:22 . 2009-11-30 00:13 -------- d-----w- c:\program files\DriverGenius
2010-02-28 01:22 . 2009-09-11 04:05 -------- d-----w- c:\program files\ESET
2010-02-28 01:22 . 2009-04-26 01:49 -------- d-----w- c:\program files\DivX
2010-02-28 01:22 . 2009-11-30 04:39 -------- d-----w- c:\program files\DIFX
2010-02-28 01:22 . 2009-07-07 04:51 -------- d-----w- c:\program files\Corel
2010-02-28 01:22 . 2009-07-07 04:52 -------- d-----w- c:\program files\Common Files\Protexis
2010-02-28 01:22 . 2009-04-26 07:11 -------- d-----w- c:\program files\Common Files\Steam
2010-02-28 01:22 . 2009-04-26 01:49 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-02-28 01:20 . 2009-12-05 20:20 -------- d-----w- c:\program files\BestGameEver
2010-02-28 01:20 . 2009-05-26 21:17 -------- d-----w- c:\program files\AMD
2010-02-28 01:20 . 2009-04-26 07:19 -------- d-----w- c:\program files\AIM6
2010-02-28 01:20 . 2009-05-08 20:27 -------- d-----w- c:\program files\Adobe Media Player
2010-02-28 01:20 . 2009-05-25 04:37 -------- d-----w- c:\program files\Activision
2010-02-28 01:20 . 2009-04-29 22:41 -------- d-----w- c:\program files\Acronis
2010-02-28 01:19 . 2009-07-07 05:10 -------- d-----w- c:\program files\ACD Systems
2010-02-28 01:19 . 2009-04-26 19:32 -------- d-----w- c:\program files\7-Zip
2010-02-28 01:14 . 2010-02-28 01:14 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2010-02-28 01:14 . 2010-02-28 01:14 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2010-02-24 17:16 . 2009-10-02 21:03 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-10 06:04 . 2010-02-10 06:04 12862 ----a-r- c:\users\Austin\AppData\Roaming\Microsoft\Installer\{0E2B767B-EA6A-489B-BF83-8083FE1DB661}\_1EEFFF72773535163E4216.exe
2010-02-04 17:01 . 2010-03-21 19:06 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-02-04 17:01 . 2010-03-21 19:06 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-02-04 17:01 . 2010-03-21 19:06 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-02-04 17:01 . 2010-03-21 19:06 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2009-09-28 1529432]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2009-03-04 19456]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 77824]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-04-09 2029640]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-02-01 1103240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2009-01-21 06:34 377232 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2009-01-21 06:45 960536 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 11:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-27 00:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-11-27 02:36 1217808 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2009-01-21 06:06 4359280 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
2009-04-03 19:23 3558648 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2009-07-14 01:14 660480 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe"
"SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-03-01 691696]
R3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2009-03-04 99352]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-03-01 79360]
R3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2009-03-04 555032]
R3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\System32\drivers\CTERFXFX.SYS [2009-03-04 100888]
R3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2009-03-04 100888]
R3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2009-03-04 566296]
R3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [2009-03-30 26224]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\DDC1.tmp [2009-06-18 6144]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2009-09-28 16472]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
R3 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2008-10-06 15656]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-07 1343400]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-04-09 107256]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-04-09 731840]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2009-04-09 93312]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-02-01 747912]
S2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-03-27 2789672]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2009-10-30 1021256]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\System32\drivers\COMMONFX.SYS [2009-03-04 99352]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\System32\drivers\CTAUDFX.SYS [2009-03-04 555032]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\System32\drivers\CTSBLFX.SYS [2009-03-04 566296]
S3 SaiH8000;SaiH8000;c:\windows\system32\DRIVERS\SaiH8000.sys [2008-04-04 136832]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]


--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = local
uInternet Settings,ProxyServer = 127.0.0.1:8081
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Austin\AppData\Roaming\Mozilla\Firefox\Profiles\zrs4kg80.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EverestDriver]
"ImagePath"="\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\DDC1.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.032\UserChoice]
@Denied: (2) (S-1-5-21-419722441-2345317742-1423383986-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.032"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.abr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.abr"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ani\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.ani"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.arw"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bay\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.bay"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.bmp"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.bw"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.cr2"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.crw"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cs1\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.cs1"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cur\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.cur"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.dcr"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.dcx"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.dib"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djv\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.djv"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djvu\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.djvu"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dng\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.dng"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.emf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.emf"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eps\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.eps"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.erf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.erf"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.fff"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fpx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.fpx"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.gif"

.
Completion time: 2010-04-20 13:47:19
ComboFix-quarantined-files.txt 2010-04-20 20:47
ComboFix2.txt 2010-04-18 22:26

Pre-Run: 260,769,800,192 bytes free
Post-Run: 260,365,729,792 bytes free

- - End Of File - - 49272CB10C95978094038E837D568DF4





When ComboFix ran it had a popup that said "rootkit activity has been detected, combofix needs to restart your computer to continue"

I allowed it.

Also, after the log had finished and I saved it, I reconnected to the internet and immediately got a BSOD. Don't know if this has anything to do with the infection or not. I never received a blue screen prior to this infection though...




#6 m0le

m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 20 April 2010 - 04:13 PM

A rootkit was removed and this battle can sometimes cause BSODs. They don't stay so don't worry.


Just one more run to remove a driver.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quote box below into it:

    File::
    c:\programdata\D45C5AEB80.sys

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

m0le is a proud member of UNITE
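An added example, not from the thread or from ComboFix's authors: a small Python screen over the file-listing format ComboFix prints, surfacing the pattern m0le acted on here, a kernel driver (.sys) sitting in c:\programdata instead of under system32\drivers. The sample lines are constructed in the posted logs' format; the size and timestamps shown for D45C5AEB80.sys are invented, since the log records only its path.

```python
"""Screen a ComboFix file listing for drivers in odd places.

Added example for this thread; it is not ComboFix code and not something the
helper posted. It parses the line format ComboFix uses in its "Files Created"
and "Find3M Report" sections, e.g.

    2010-04-16 20:43 . 2010-02-27 12:07 3899280 ----a-w- c:\\windows\\system32\\ntoskrnl.exe
    (created . modified size attrs path; a size of "--------" marks a directory)

and reports two things a responder checks first:
  * a kernel driver (*.sys) that is not under system32\\drivers, which is the
    pattern behind the c:\\programdata\\D45C5AEB80.sys removal in the thread, and
  * a file carrying both the system and hidden attributes ("s" and "h" flags).
Hits are review candidates, not verdicts: licensing components also drop
.sys files into ProgramData.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample in the posted log's format. Paths are modelled on the
# thread's logs; the size and timestamps on the D45C5AEB80.sys line are
# invented, since the log only shows that path under "Other Deletions".
SAMPLE_LISTING = r"""
2010-04-20 21:23 . 2010-04-20 21:23 -------- d-----w- c:\users\Austin\AppData\Local\temp
2010-04-16 20:43 . 2010-02-27 12:07 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-16 20:42 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-15 21:36 . 2010-04-15 21:36 -------- dc-h--w- c:\programdata\{83C91755-2546-441D-AC40-9A6B4B860800}
2010-03-31 09:09 . 2010-03-31 09:10 2516 --sha-w- c:\programdata\KGyGaAvL.sys
2010-03-19 05:55 . 2010-03-19 05:55 -------- d-sh--w- c:\programdata\SecuROM
2010-04-09 03:11 . 2010-04-09 03:11 40960 ----a-w- c:\programdata\D45C5AEB80.sys
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[\w-]{8}) (?P<path>.+)$"
)

# Normal homes for kernel drivers on a 32-bit Windows 7 install like the one
# in the thread; compared case-insensitively with forward slashes.
DRIVER_DIRS = ("c:/windows/system32/drivers", "c:/windows/system32/drvstore")


@dataclass(frozen=True)
class Entry:
    created: str
    modified: str
    size: int | None  # None for directories
    attrs: str        # e.g. "----a-w-", "--sha-w-", "d-----w-"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden_system(self) -> bool:
        return "s" in self.attrs and "h" in self.attrs


def parse_listing(text: str) -> list[Entry]:
    """One Entry per listing line; banners, '.' separators and blanks are skipped."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def driver_outside_driver_dir(entry: Entry) -> bool:
    """True for a *.sys file whose parent directory is not one of DRIVER_DIRS."""
    p = PureWindowsPath(entry.path)
    if entry.is_dir or p.suffix.lower() != ".sys":
        return False
    parent = p.parent.as_posix().lower()
    return not any(parent.startswith(d) for d in DRIVER_DIRS)


def triage(text: str) -> dict[str, list[str]]:
    """Group the paths worth a closer look by the reason they were flagged."""
    findings: dict[str, list[str]] = {"driver_outside_driver_dir": [], "hidden_system_file": []}
    for e in parse_listing(text):
        if driver_outside_driver_dir(e):
            findings["driver_outside_driver_dir"].append(e.path)
        if e.hidden_system and not e.is_dir:
            findings["hidden_system_file"].append(e.path)
    return findings


if __name__ == "__main__":
    for reason, paths in triage(SAMPLE_LISTING).items():
        for path in paths:
            print(f"{reason:26} {path}")
```

Run against a real ComboFix.txt, the same parser skips the section banners and "." separators, so the whole log can be fed in unchanged.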

#7 Chameleon Jim

Chameleon Jim
  • Topic Starter
  • Members
  • 24 posts

Posted 20 April 2010 - 04:26 PM

Alright, ran ComboFix with the remove script. Here is the updated log file.

ComboFix 10-04-19.08 - Austin 04/20/2010 14:18:29.3.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2814.1994 [GMT -7:00]
Running from: c:\users\Austin\Desktop\ComboFix.exe
Command switches used :: c:\users\Austin\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Spyware Doctor *disabled* (Updated) {1C3EDD79-273E-46ac-99F8-EFA9E7CBC301}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

FILE ::
"c:\programdata\D45C5AEB80.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\D45C5AEB80.sys

.
((((((((((((((((((((((((( Files Created from 2010-03-20 to 2010-04-20 )))))))))))))))))))))))))))))))
.


.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2009-09-28 1529432]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2009-03-04 19456]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 77824]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-04-09 2029640]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2009-01-21 06:34 377232 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2009-01-21 06:45 960536 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 11:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-27 00:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-11-27 02:36 1217808 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2009-01-21 06:06 4359280 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
2009-04-03 19:23 3558648 ----a-w- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2009-07-14 01:14 660480 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe"
"SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-03-01 691696]
R3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2009-03-04 99352]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-03-01 79360]
R3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2009-03-04 555032]
R3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\System32\drivers\CTERFXFX.SYS [2009-03-04 100888]
R3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2009-03-04 100888]
R3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2009-03-04 566296]
R3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [2009-03-30 26224]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\DDC1.tmp [2009-06-18 6144]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
R3 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-02-01 747912]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\DRIVERS\wacmoumonitor.sys [2008-10-06 15656]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-07 1343400]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-04-09 107256]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-04-09 731840]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2009-04-09 93312]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-03-27 2789672]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2009-10-30 1021256]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\System32\drivers\COMMONFX.SYS [2009-03-04 99352]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\System32\drivers\CTAUDFX.SYS [2009-03-04 555032]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\System32\drivers\CTSBLFX.SYS [2009-03-04 566296]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2009-09-28 16472]
S3 SaiH8000;SaiH8000;c:\windows\system32\DRIVERS\SaiH8000.sys [2008-04-04 136832]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]


--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = local
uInternet Settings,ProxyServer = 127.0.0.1:8081
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Austin\AppData\Roaming\Mozilla\Firefox\Profiles\zrs4kg80.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EverestDriver]
"ImagePath"="\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\DDC1.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.032\UserChoice]
@Denied: (2) (S-1-5-21-419722441-2345317742-1423383986-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.032"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.abr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.abr"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ani\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.ani"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.arw"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bay\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.bay"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.bmp"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.bw"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.cr2"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.crw"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cs1\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.cs1"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cur\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.cur"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.dcr"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.dcx"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.dib"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djv\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.djv"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djvu\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.djvu"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dng\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.dng"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.emf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.emf"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eps\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.eps"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.erf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.erf"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.fff"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fpx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.fpx"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.gif"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hdr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.hdr"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icl\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.icl"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icn\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.icn"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.iff"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ilbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.ilbm"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.int\UserChoice]
@Denied: (2) (S-1-5-21-419722441-2345317742-1423383986-1000)
@Denied: (2) (LocalSystem)
"Progid"="Applications\\wordpad.exe"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.inta\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.inta"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iw4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.iw4"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2c\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.j2c"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2k\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.j2k"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jbr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.jbr"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.jfif"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.jif"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jp2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.jp2"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.jpc"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.jpe"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.jpeg"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.jpg"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpk\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.jpk"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.jpx"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.kdc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.kdc"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.lbm"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.mef"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mos\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.mos"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mrw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.mrw"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.nef"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.orf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.orf"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pbm"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pbr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pbr"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pcd"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pct\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pct"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pcx"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pef"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pgm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pgm"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pic\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pic"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pict\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pict"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pix\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pix"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.png"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ppm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.ppm"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.psd"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.psp"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pspbrush\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pspbrush"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pspimage\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pspimage"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.raf"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ras\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.ras"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.raw"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgb\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.rgb"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgba\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.rgba"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rle\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.rle"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rsb\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.rsb"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sgi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.sgi"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sr2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.sr2"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.srf"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tga\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.tga"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.thm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.thm"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.tif"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.tiff"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.ttc"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.ttf"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v11o\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.v11o"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v11p\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.v11p"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v11pf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.v11pf"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.wbm"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.wbmp"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.wmf"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.xbm"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.xif"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.xmp"

[HKEY_USERS\S-1-5-21-419722441-2345317742-1423383986-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xpm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.xpm"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-04-20 14:25:09
ComboFix-quarantined-files.txt 2010-04-20 21:25
ComboFix2.txt 2010-04-20 20:47
ComboFix3.txt 2010-04-18 22:26

Pre-Run: 260,144,300,032 bytes free
Post-Run: 260,078,809,088 bytes free

- - End Of File - - 8E0A686892D396B6B92902E23CEA0F15


How's it lookin?

#8 m0le
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 20 April 2010 - 04:56 PM

Well, it's looking clean. How are the redirects?

Let's run an online scan to remove any remnants.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found there will be no option to export the text file as no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE

#9 Chameleon Jim
  • Topic Starter
  • Members
  • 24 posts

Posted 20 April 2010 - 04:59 PM

Redirects are gone, and the three offending IPs that were launching with my browsers' PIDs have also disappeared.

Quick question, if I already use ESET can I just run that? Or should I use the downloader anyways?

#10 m0le
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 20 April 2010 - 05:01 PM

ESET's online scan is more reliable if the PC is not clean. I think you are but let's not take any risks here.
m0le is a proud member of UNITE

#11 Chameleon Jim
  • Topic Starter
  • Members
  • 24 posts

Posted 20 April 2010 - 05:03 PM

Okie dokie, will post the results in a few.

#12 Chameleon Jim
  • Topic Starter
  • Members
  • 24 posts

Posted 20 April 2010 - 06:36 PM

Okay, this is gonna be close. It is almost done but it still needs to scan my c:\windows folder. Program files have completed.

1 infection found so far...

I have to leave for Chem lab in about 30 minutes, and the online scan does not give the option of bypassing folders. I have very large modded games on my system so it is taking forever to complete the scan.

Hopefully it finishes before I have to leave, otherwise I will have to run it again when I get home (which will be around 10pm here, so 5 hours from now.)

Edited by Chameleon Jim, 20 April 2010 - 06:38 PM.


#13 Chameleon Jim
  • Topic Starter
  • Members
  • 24 posts

Posted 20 April 2010 - 11:11 PM

There was only the 1 infection I mentioned earlier. It was cleaned.

What now m0le?

C:\Program Files\AIM6\services\softwareUpdate\ver2_14_16_3\aolsetup.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined

System is running great by the way..

#14 m0le
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 21 April 2010 - 01:52 PM

What's next?

The best part...

You're clean. Good stuff!

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Update your AntiVirus Software

It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program, you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it Chameleon Jim, happy surfing!

Cheers.

m0le
m0le is a proud member of UNITE

#15 Chameleon Jim

Chameleon Jim
  • Topic Starter

  • Members
  • 24 posts
  • Local time:08:33 PM

Posted 21 April 2010 - 02:05 PM

Thanks m0le, I really appreciate the help with this. I ran OST and removed combofix, as well as all the logs I have kept. My desktop is finally clean again!

I don't want to take up too much more of your time but I have a few quick questions. If you don't have time to answer them that is okay and feel free to close the thread as resolved...


What was it that tipped you off about that particular file in regards to the combofix solution? There are several other .sys files with random strings in front of them. The only difference I can see in the log is that the c:\programdata\D45C5AEB80.sys file has the --sh--r- before it.

The activity shows it was last active March 31st, if I am reading it correctly.

I had run combofix prior to establishing contact with you and a series of files were deleted:

c:\$recycle.bin\S-1-5-21-51003140-4199384537-3980697693-500
C:\ErrLog.txt
C:\install.exe
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\users\Austin\AppData\Roaming\MICROS~1\Windows\Recent\desktop_53104538.ico
c:\users\Austin\AppData\Roaming\MICROS~1\Windows\Recent\hdbbt.com.url
c:\windows\system32\18804.exe
c:\windows\system32\31977.exe

At that time the ndis file associated with the Olmarik was not active. That appeared yesterday.

Combofix automatically detected and restored the ndis file on the run yesterday, which was nice.

However, where it deleted the file it says:

"Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - Kitty had a snack"

Where was the file restored from (Kitty had a snack)? That was kind of a strange thing to see...

Also, I really appreciate what you guys do here and would like to help out. Aside from this particular issue I am typically pretty good about removing viruses and keeping my system clean. I just don't understand rootkit removal and have a limited understanding of the combofix logs. I can identify the majority of valid programs but I don't know how you guys are able to identify the particular offending files...

I have several years of tech support experience and many, many years of experience on computers.

What do you think the odds are of getting into the volunteer training program?

Did you just apply and get lucky?

Once again, you guys are fantastic and I really appreciate the job you are doing here.

Thanks m0le and my thanks to bleeping computer for setting this whole thing up.

Edited by Chameleon Jim, 21 April 2010 - 03:34 PM.
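The question above asks how one line in a ComboFix file listing stands out from the other randomly named .sys files. The attribute column is the clue the poster noticed: a hidden, system, read-only kernel driver sitting in c:\programdata rather than in the drivers directory. The following is an added triage example, not code from the thread, from ComboFix or from its author. It assumes a tab-separated column layout (created timestamp, ".", modified timestamp, size, attribute flags, path) reconstructed from the single "--sh--r-" fragment quoted above; the sample lines are constructed, and the scoring rules are plain defender heuristics for ranking entries to look at first, not a signature for any specific malware.

```python
"""Rank entries from a ComboFix-style file listing by how much they deserve a look.

Added example. The line format below is an ASSUMPTION reconstructed from the
one "--sh--r-" fragment in the thread; adjust LINE_RE if your log differs.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Constructed sample log (not copied from the thread's real logs). Columns are
# tab separated: created . modified <TAB> size <TAB> attrs <TAB> path
SAMPLE_LOG = (
    "2010-03-31 19:02 . 2010-03-31 19:02\t2048\t--sh--r-\tc:\\programdata\\D45C5AEB80.sys\n"
    "2010-04-19 10:12 . 2010-04-19 10:12\t24576\t----a-w-\tc:\\windows\\system32\\drivers\\ndis.sys\n"
    "2009-07-14 01:15 . 2009-07-14 01:15\t97792\t----a-w-\tc:\\windows\\system32\\drivers\\atapi.sys\n"
    "2010-04-01 08:00 . 2010-04-01 08:00\t512\t--sh--r-\tc:\\programdata\\desktop.ini\n"
)

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\t"
    r"(?P<size>\d+)\t(?P<attrs>\S+)\t(?P<path>.+)$"
)
# A file name stem made only of 8+ hex digits (like D45C5AEB80) looks generated.
HEX_STEM_RE = re.compile(r"^[0-9a-f]{8,}$", re.IGNORECASE)
# Directories where a kernel driver (.sys) would not normally be installed.
NON_DRIVER_DIRS = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: int
    attrs: str
    path: str
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one listing line; returns None for headers or unrecognised lines."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return Entry(
        created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
        modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
        size=int(m["size"]),
        attrs=m["attrs"],
        path=m["path"],
    )


def assess(entry: Entry) -> Entry:
    """Attach human-readable reasons for suspicion to the entry and return it."""
    # Test flag letters by membership, so the exact column positions do not matter.
    flags = set(entry.attrs.lower())
    low = entry.path.lower()
    name = low.rsplit("\\", 1)[-1]
    stem, _, ext = name.rpartition(".")
    if "s" in flags and "h" in flags:
        entry.reasons.append("hidden+system attributes set")
    if ext == "sys" and low.startswith(NON_DRIVER_DIRS):
        entry.reasons.append("driver extension outside a drivers directory")
    if HEX_STEM_RE.match(stem):
        entry.reasons.append("random-looking hexadecimal file name")
    return entry


def triage(log_text: str, min_score: int = 2) -> List[Entry]:
    """Return entries with at least min_score reasons, most suspicious first."""
    entries = [assess(e) for e in map(parse_line, log_text.splitlines()) if e]
    return sorted((e for e in entries if e.score >= min_score),
                  key=lambda e: (-e.score, e.path))


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG, min_score=1):
        print(f"[{hit.score}] {hit.path}  modified {hit.modified:%Y-%m-%d}")
        for reason in hit.reasons:
            print(f"      - {reason}")
```

On the constructed sample the programdata driver collects all three reasons while the legitimately hidden desktop.ini collects only one, which is the point: a single attribute is weak evidence, and it is the combination of hidden+system flags, a driver extension in a data directory and a generated-looking name that pushes one entry to the top. The rootkit-patched ndis.sys mentioned in the thread scores nothing here because a listing only reports metadata; a disinfected system driver looks normal in this view and is only caught by the on-disk signature or hash checks the cleanup tool performs.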




