
Infected with Tidserv request, Tidserv request 2 and google redirect


  • This topic is locked
19 replies to this topic

#1 lamba105

lamba105

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:57 PM

Posted 03 May 2010 - 04:34 AM

Hello, I recently got infected with a trojan called "Antivirus Live" or something similar. I removed it by installing Malwarebytes' Anti-Malware.

However, since then I have been getting a pop-up warning from Symantec Endpoint Protection about Tidserv requests. The pop-ups have the following message:

[SID: 23621] HTTP Tidserv request detected

and

Traffic from IP address xx.xxx.xxx.xx is blocked from (time of traffic) to (current time)
[SID: 23615] HTTPS Tidserv request 2 detected


I also have problems with Google searching, as it keeps redirecting me to random webpages, so I assume I have also been infected with the Google redirect trojan.

I then ran numerous full system scans by Symantec Endpoint Protection and Malwarebytes' Anti-Malware, but found no infected files.

Then last night I got infected with trojans called "Security Center" and "Desktop Security 2010". I ran Malwarebytes' Anti-Malware and got rid of them, but they keep coming back.

So my problem is that I am still infected with the Tidserv request and Tidserv request 2 trojans and the Google redirect, and I am constantly being attacked by Desktop Security 2010 and Security Center. However, my laptop is still functioning, so there is no problem accessing the internet or doing work on it.

I have followed the preparation guide fully. I turned on my firewall (because the previous trojan attacks turned it off).
I ran the DDS and gmer scan and have attached the reports below.


DDS

DDS (Ver_10-03-17.01) - NTFSx86
Run by user at 10:09:09.08 on Mon 05/03/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.1870 [GMT 1:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Acer\Acer Bio Protection\CompPtcVUI.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Acer\Acer Bio Protection\BASVC.exe
C:\Windows\system32\libusbd-nt.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\svchost.exe -k regsvc
C:\Program Files\Acer\Acer VCM\RS_Service.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\PLFSetI.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Users\user\AppData\Local\Temp\clwI.exe
C:\Program Files\Adobe\Adobe Bridge CS4\Resources\OpenerAdobe.exe
C:\Program Files\Intel\WiFi\bin\LangResources\fin\PROSetWirelessAdvStat.exe
C:\Program Files\Intel\WiFi\bin\LangResources\fin\PROSetWirelessAdvStat.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Users\user\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\cyberlink\powerdirector\runtime\recording pack full\librarylink.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrobat.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\user\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar = Preserve
uStart Page = hxxp://www.google.co.uk/ig
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SmartRAM] "c:\program files\iobit\advanced systemcare 3\Sup_SmartRAM.exe" /m
mRun: [PLFSetI] c:\windows\PLFSetI.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [EADMToolkit] c:\users\user\appdata\local\temp\clwI.exe
mRun: [AdobePreferences] c:\program files\adobe\adobe bridge cs4\resources\openeradobe.exe
mRun: [AdvStatPROSetWireless] c:\program files\intel\wifi\bin\langresources\fin\prosetwirelessadvstat.exe
mRun: [IntelRC1XStngs] c:\program files\intel\wifi\bin\langresources\fin\PROSetWirelessAdvStat.exe
mRun: [clwI] c:\users\user\appdata\local\temp\clwI.exe
mRunServices: [Standardswtwin323448] c:\users\user\appdata\local\temp\clwI.exe
mRunServices: [LauncherFramework] c:\program files\acer\empowering technology\ja\technologyframework.exe
mRunServices: [Systemmsosec12.0.6415.1000] c:\program files\microsoft office\office12\addins\toolsoutlvba7.10.5077.exe
mRunServices: [QuickTimeAudioSupportQuickTimeAudioSupport] c:\program files\quicktime\qtsystem\quicktimeaudiosupport.resources\ja.lproj\quicktimeaudiosupportquicktime.exe
mRunServices: [LibraryDynamic] c:\program files\cyberlink\powerdirector\runtime\recording pack full\librarylink.exe
mRunServices: [ManualDiagCPApplet] c:\program files\intel\wifi\bin\langresources\fin\PROSetWirelessAdvStat.exe
mRunServices: [clwI] c:\users\user\appdata\local\temp\clwI.exe
StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {10954C80-4F0F-11d3-B17C-00C0DFE39736} - c:\program files\acer\acer bio protection\PwdBank.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: kcl.ac.uk\firepass
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} - c:\users\user\appdata\local\temp\f5tmp\f5InspectionHost.cab
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AWinNotifyVitaKey MC3000 - c:\program files\acer\acer bio protection\WinNotify.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\482\G2AWinLogon.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli c:\program files\acer\acer bio protection\PwdFilter

================= FIREFOX ===================

FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\vdoydmp9.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://kclmail.kcl.ac.uk/CookieAuth.dll?GetLogon?curl=Z2Fowa&reason=0&formdir=1
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\users\user\appdata\roaming\mozilla\firefox\profiles\vdoydmp9.default\extensions\{0851d9cd-87db-4a0d-a792-097dc9071486}\components\DownloadStudioNativeWrapper.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\opera\program\plugins\npdsaud.dll
FF - plugin: c:\program files\opera\program\plugins\npdsprog.dll
FF - plugin: c:\program files\opera\program\plugins\npdsvid.dll
FF - plugin: c:\program files\opera\program\plugins\npdszip.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 AlfaFF;AlfaFF File System mini-filter;c:\windows\system32\drivers\AlfaFF.sys [2008-12-26 43184]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\cyberlink\powerdvd8\000.fcl [2008-2-1 41456]
R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2008-5-16 24576]
R2 IGBASVC;iGroupTec Service;c:\program files\acer\acer bio protection\BASVC.exe [2008-12-26 3471360]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2008-12-26 233472]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-9-17 2477304]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-5-16 52736]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-1-16 102448]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2009-4-17 114528]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2009-1-8 33792]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-8-21 66592]
S3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [2010-1-15 17152]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-7-14 23888]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]

=============== Created Last 30 ================

2010-05-02 23:10:08 0 d-----w- c:\programdata\Google
2010-05-02 21:02:42 0 d-----w- c:\programdata\Oberon Games
2010-05-02 02:06:46 0 d-----w- c:\users\user\appdata\roaming\FloodLightGames
2010-05-01 03:49:16 0 d-----w- c:\users\user\appdata\roaming\Malwarebytes
2010-05-01 03:49:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-01 03:49:06 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-01 03:49:06 0 d-----w- c:\programdata\Malwarebytes
2010-05-01 03:49:06 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-28 22:42:03 0 d-----w- c:\programdata\OviInstallerCache
2010-04-28 22:25:10 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-04-28 22:24:30 0 d-----w- c:\program files\PC Connectivity Solution
2010-04-28 12:22:58 0 d-----w- c:\program files\iPod
2010-04-28 12:19:03 0 d-----w- c:\program files\Bonjour
2010-04-22 06:21:30 0 d-----w- c:\program files\Veoh Networks
2010-04-21 07:45:05 23 ----a-w- c:\windows\DownloadStudio.INI
2010-04-21 07:41:47 33 ----a-w- c:\windows\DownloadStudioScheduleMonitor.INI
2010-04-14 18:08:44 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 18:08:44 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 18:08:44 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 18:08:19 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 18:08:19 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 18:08:06 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 18:07:57 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-04-14 18:07:57 220672 ----a-w- c:\windows\system32\l3codecp.acm
2010-04-14 18:07:36 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 18:07:35 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 18:07:34 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 18:05:57 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 18:05:06 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-09 14:43:07 0 d-----w- c:\program files\Medieval Software
2010-04-08 18:55:06 0 ----a-w- C:\t1h4.2
2010-04-08 12:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 12:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

==================== Find3M ====================

2010-05-03 08:59:11 419982 ----a-w- c:\programdata\nvModes.dat
2010-04-28 22:46:49 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-28 22:46:49 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-28 22:25:08 143360 ----a-w- c:\windows\inf\infstor.dat
2010-02-26 12:32:50 92672 ----a-w- c:\windows\system32\nmwcdcls.dll
2010-02-24 09:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-22 23:46:11 194872 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-12 10:32:56 293376 ----a-w- c:\windows\system32\browserchoice.exe
2009-10-31 14:16:52 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-09-24 09:39:08 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 10:10:38.66 ===============


Edited by lamba105, 03 May 2010 - 08:45 AM.
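As an added example (not part of lamba105's post, and not a DDS or ComboFix feature): a small Python triage script that runs over the "Pseudo HJT Report" lines from the DDS log above and flags the indicators that, taken together, point at a TDSS/Tidserv-class rootkit with a fake-AV payload. It looks for a loopback HTTP proxy in Internet Settings (here `http=127.0.0.1:5555`, which routes every IE request through a local process and is one common way search-result redirects are implemented), autorun entries that launch an executable out of the user's Temp folder, the same binary registered under several different autorun value names (here `clwI.exe` under four), UAC switched off (`EnableLUA = 0`), and BHO/toolbar entries whose DLL is gone ("No File"). The rule names, thresholds and regular expressions are this example's own choices; the sample lines are copied from the report in the post.

```python
"""Triage the autorun / proxy lines of a DDS 'Pseudo HJT Report'.

Added example (not from the original post, DDS or ComboFix).  Rule names,
regexes and thresholds are this example's own choices.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Lines copied from the DDS report in the first post of this thread.
SAMPLE_REPORT = r"""
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
TB: {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - No File
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [EADMToolkit] c:\users\user\appdata\local\temp\clwI.exe
mRun: [clwI] c:\users\user\appdata\local\temp\clwI.exe
mRunServices: [Standardswtwin323448] c:\users\user\appdata\local\temp\clwI.exe
mRunServices: [clwI] c:\users\user\appdata\local\temp\clwI.exe
mPolicies-system: EnableLUA = 0 (0x0)
"""

# DDS autorun line: "<u|m>Run[Services|Once]: [ValueName] command line"
AUTORUN_RE = re.compile(r"^(?P<key>[um]Run(?:Services|Once)?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Per-user temp folders on Vista/7 and XP, plus the %TEMP% variable itself.
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\|\\local settings\\temp\\|%temp%", re.I)
# "ProxyServer = http=127.0.0.1:5555" or a bare "ProxyServer = 127.0.0.1:8080".
LOOPBACK_PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(?:127\.0\.0\.1|localhost)\b", re.I)
UAC_OFF_RE = re.compile(r"EnableLUA\s*=\s*0\b")


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


def exe_path(cmd: str) -> str:
    """Return the executable part of an autorun command line, lower-cased."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, may contain spaces
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:                                        # unquoted: cut after the first .exe
        m = re.search(r"\.exe\b", cmd, re.I)
        path = cmd[:m.end()] if m else cmd.split(" ", 1)[0]
    return path.lower()


def autorun_entries(lines):
    """Yield (registry key, value name, executable path) for every autorun line."""
    for raw in lines:
        m = AUTORUN_RE.match(raw.strip())
        if m:
            yield m["key"], m["name"], exe_path(m["cmd"])


def multi_registered(lines, threshold=2):
    """Executables registered under `threshold` or more autorun value names.

    Returns {exe_path: ["mRun[EADMToolkit]", "mRun[clwI]", ...]}.  Legitimate
    software rarely needs the same binary started from several values; a
    dropper re-registering itself under random names does.
    """
    by_path = defaultdict(list)
    for key, name, path in autorun_entries(lines):
        by_path[path].append(f"{key}[{name}]")
    return {p: names for p, names in by_path.items() if len(names) >= threshold}


def triage(lines):
    """Run every rule over the report lines and return the findings."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if LOOPBACK_PROXY_RE.search(line):
            findings.append(Finding("loopback-proxy", line))
        if UAC_OFF_RE.search(line):
            findings.append(Finding("uac-disabled", line))
        if line.startswith(("BHO:", "TB:", "EB:")) and line.endswith("- No File"):
            findings.append(Finding("orphaned-bho", line))
        if AUTORUN_RE.match(line) and TEMP_RE.search(line):
            findings.append(Finding("temp-autorun", line))
    for path, names in multi_registered(lines).items():
        findings.append(Finding("multi-registered", f"{path} <- {', '.join(names)}"))
    return findings


def rule_counts(lines):
    """Summarise findings as {rule: count}."""
    return Counter(f.rule for f in triage(lines))


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT.splitlines()):
        print(f"{f.rule:17} {f.line}")
```

On the sample above the script reports one loopback proxy, four Temp-folder autoruns, one binary registered under four names, UAC off and two orphaned BHO/toolbar entries; none of these alone proves a rootkit, but a user-Temp executable that keeps re-registering itself while a kernel-mode scanner (GMER) and two AV products find nothing on disk is exactly the pattern a TDL3-style driver infection produces, which is why the responder below moves straight to ComboFix rather than another signature scan.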



#2 snemelk

snemelk

    engineer


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  • Gender:Male
  • Location:Poland
  • Local time:10:57 PM

Posted 05 May 2010 - 01:25 PM

Hi lamba105, and welcome to Bleeping Computer.

I suggest you uninstall IOBit's Advanced SystemCare 3 - that company stole Malwarebytes’ Intellectual Property ... Your choice...

Please run the following scan:

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Post the log from ComboFix when you've accomplished that.
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#3 lamba105

lamba105
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:57 PM

Posted 05 May 2010 - 04:32 PM

Hi Snemelk,

Thank you for the reply. I will run combofix now and will post the log asap.

Please note I have installed a different antivirus since my last post, should I run the DDS and GMER again?

I will also uninstall Advanced SystemCare afterwards, as I only needed it to scan for spyware haha.

Again thank you and I will post the combofix log once it is completed.

#4 lamba105

lamba105
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:57 PM

Posted 05 May 2010 - 05:42 PM

Hi there snemelk,

I have read the instructions and run ComboFix; the log is as follows (I also attached it just in case you wanted it in a txt file):

Thanks :)

ComboFix 10-05-05.04 - user 05/05/2010 23:03:49.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.1707 [GMT 1:00]
Running from: c:\users\user\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\user\AppData\Roaming\.#
c:\windows\system32\kungsflnbbcpun.dat
c:\windows\system32\lsprst7.dll
c:\windows\system32\prsgrc.dll

Infected copy of c:\windows\system32\drivers\kbdhid.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_kungsfwpitlyds
-------\Service_kungsfwpitlyds


((((((((((((((((((((((((( Files Created from 2010-04-05 to 2010-05-05 )))))))))))))))))))))))))))))))
.

2010-05-05 22:14 . 2010-05-05 22:17 -------- d-----w- c:\users\user\AppData\Local\temp
2010-05-05 22:14 . 2010-05-05 22:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-05 15:44 . 2010-05-05 15:46 -------- d-----w- c:\windows\system32\catroot2
2010-05-05 14:27 . 2010-05-05 14:27 -------- d-----w- c:\users\user\AppData\Roaming\AVG9
2010-05-05 10:38 . 2010-05-05 10:38 -------- d-----w- C:\$AVG
2010-05-05 10:13 . 2010-05-05 10:13 -------- d-----w- c:\users\user\AppData\Local\AVG Security Toolbar
2010-05-05 09:23 . 2010-05-05 09:23 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-05-05 09:23 . 2010-05-05 09:23 25096 ----a-w- c:\windows\system32\drivers\AVGIDSvx.sys
2010-05-05 09:23 . 2010-05-05 09:23 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-05-05 09:23 . 2010-05-05 09:23 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-05 09:23 . 2010-05-05 09:23 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-05-05 09:23 . 2010-05-05 09:23 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-05 09:23 . 2010-05-05 14:30 -------- d-----w- c:\windows\system32\drivers\Avg
2010-05-05 09:23 . 2010-05-05 14:44 -------- d-----w- c:\programdata\AVG Security Toolbar
2010-05-05 09:20 . 2010-05-05 09:20 24856 ----a-w- c:\windows\system32\drivers\avgfwd6x.sys
2010-05-05 09:18 . 2010-05-05 09:18 -------- d-----w- c:\programdata\avg9
2010-05-05 07:11 . 2010-05-05 07:18 -------- d-----w- c:\windows\acerTemp
2010-05-04 17:03 . 2010-05-04 17:03 -------- d-----w- c:\users\user\AppData\Local\myPod_Apps
2010-05-02 21:02 . 2010-05-02 21:02 -------- d-----w- c:\programdata\Oberon Games
2010-05-02 02:06 . 2010-05-02 02:06 -------- d-----w- c:\users\user\AppData\Roaming\FloodLightGames
2010-05-01 03:49 . 2010-05-01 03:49 -------- d-----w- c:\users\user\AppData\Roaming\Malwarebytes
2010-05-01 03:49 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-01 03:49 . 2010-05-01 03:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-01 03:49 . 2010-05-01 03:49 -------- d-----w- c:\programdata\Malwarebytes
2010-05-01 03:49 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 22:46 . 2010-04-28 22:46 -------- d-----w- c:\users\user\AppData\Local\NokiaAccount
2010-04-28 22:42 . 2010-04-28 22:42 -------- d-----w- c:\programdata\OviInstallerCache
2010-04-28 22:25 . 2008-08-26 08:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2010-04-28 22:24 . 2010-04-28 22:24 -------- d-----w- c:\program files\PC Connectivity Solution
2010-04-28 12:22 . 2010-04-28 12:22 -------- d-----w- c:\program files\iPod
2010-04-28 12:19 . 2010-04-28 12:19 -------- d-----w- c:\program files\Bonjour
2010-04-22 06:21 . 2010-04-22 06:21 -------- d-----w- c:\program files\Veoh Networks
2010-04-15 20:28 . 2010-04-15 20:28 -------- d-----w- c:\program files\7-Zip
2010-04-14 18:08 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 18:08 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 18:08 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 18:08 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 18:08 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 18:08 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 18:07 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 18:07 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 18:07 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 18:05 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 18:05 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-09 14:43 . 2010-04-09 14:43 -------- d-----w- c:\program files\Medieval Software
2010-04-08 12:20 . 2010-04-08 12:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 12:20 . 2010-04-08 12:20 107808 ----a-w- c:\windows\system32\dns-sd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-05 22:16 . 2008-12-26 00:18 419982 ----a-w- c:\programdata\nvModes.dat
2010-05-05 22:15 . 2008-12-25 14:31 12 ----a-w- c:\windows\bthservsdp.dat
2010-05-05 21:56 . 2009-06-11 01:19 0 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-05-05 14:42 . 2009-02-23 02:36 -------- d-----w- c:\users\user\AppData\Roaming\PPStream
2010-05-05 14:38 . 2009-01-06 13:37 -------- d-----w- c:\programdata\Symantec
2010-05-05 10:27 . 2009-09-19 21:44 -------- d-----w- c:\users\user\AppData\Roaming\vlc
2010-05-05 08:05 . 2009-08-21 08:37 -------- d-----w- c:\users\user\AppData\Roaming\uTorrent
2010-05-05 07:14 . 2008-12-26 00:35 -------- d-----w- c:\program files\Launch Manager
2010-05-05 07:09 . 2008-05-16 13:58 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-05 06:52 . 2009-08-21 08:38 -------- d-----w- c:\program files\uTorrent
2010-05-05 01:17 . 2009-02-15 18:46 -------- d-----w- c:\programdata\Google Updater
2010-05-03 23:51 . 2008-05-16 14:23 -------- d-----w- c:\programdata\Microsoft Help
2010-05-02 23:41 . 2009-03-18 12:25 -------- d-----w- c:\users\user\AppData\Roaming\Azureus
2010-05-02 23:23 . 2009-03-08 20:53 -------- d-----w- c:\program files\ImTOO
2010-05-02 23:10 . 2009-02-15 18:46 -------- d-----w- c:\program files\Google
2010-05-02 22:46 . 2009-01-06 18:40 -------- d-----w- c:\program files\Common Files\Nokia
2010-05-02 22:46 . 2009-01-06 18:36 -------- d-----w- c:\program files\Nokia
2010-05-02 22:46 . 2009-09-22 16:49 -------- d-----w- c:\program files\Opera
2010-05-02 22:27 . 2009-08-22 07:34 -------- d-----w- c:\programdata\Electronic Arts
2010-05-02 22:24 . 2009-12-09 12:33 -------- d-----w- c:\program files\CCleaner
2010-05-02 22:21 . 2009-12-09 12:30 -------- d-----w- c:\users\user\AppData\Roaming\IObit
2010-05-02 22:15 . 2009-02-23 00:11 -------- d-----w- c:\program files\Xilisoft
2010-05-02 20:25 . 2009-11-05 16:29 -------- d-----w- c:\program files\Full Tilt Poker
2010-05-02 16:42 . 2008-12-25 18:17 -------- d-----w- c:\users\user\AppData\Roaming\Skype
2010-05-02 15:05 . 2008-12-25 18:20 -------- d-----w- c:\users\user\AppData\Roaming\skypePM
2010-05-02 01:59 . 2010-01-10 03:09 -------- d-----w- c:\users\user\AppData\Roaming\BSplayer PRO
2010-04-28 22:48 . 2009-01-06 18:41 -------- d-----w- c:\users\user\AppData\Roaming\Nokia
2010-04-28 22:42 . 2010-04-28 22:42 12212040 ----a-w- c:\programdata\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X86-ENU.exe
2010-04-28 22:42 . 2010-04-28 22:42 13930312 ----a-w- c:\programdata\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X64-ENU.exe
2010-04-28 22:42 . 2010-04-28 22:42 77824 ----a-w- c:\programdata\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\CommonCustomActions\Run_XML6_SP1.exe
2010-04-28 22:42 . 2010-04-28 22:42 61440 ----a-w- c:\programdata\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\CommonCustomActions\WMF11Runx86.exe
2010-04-28 22:42 . 2010-04-28 22:42 58880 ----a-w- c:\programdata\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\CommonCustomActions\WMF11Runx64.exe
2010-04-28 22:42 . 2010-04-28 22:42 50000 ----a-w- c:\programdata\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Installer\CommonCustomActions\pcswpc.exe
2010-04-28 22:41 . 2010-04-28 22:42 98366952 ----a-w- c:\programdata\OviInstallerCache\{DEE1E2E5-B553-4F88-9DE7-23CBEA5D739C}\Nokia_Ovi_Suite_PCS_Update.exe
2010-04-28 22:25 . 2009-01-06 18:35 -------- d-----w- c:\programdata\Installations
2010-04-28 22:14 . 2010-04-28 22:14 3351812 ----a-w- c:\programdata\Installations\{4186FEBC-F0CC-4185-A406-24292BC9877A}\Installer\CommonCustomActions\msxml6Exec.exe
2010-04-28 22:14 . 2010-04-28 22:14 36864 ----a-w- c:\programdata\Installations\{4186FEBC-F0CC-4185-A406-24292BC9877A}\Installer\CommonCustomActions\Sleep.exe
2010-04-28 22:14 . 2010-04-28 22:14 3203453 ----a-w- c:\programdata\Installations\{4186FEBC-F0CC-4185-A406-24292BC9877A}\Installer\CommonCustomActions\vcredistExec.exe
2010-04-28 22:14 . 2010-04-28 22:14 35362608 ----a-w- c:\programdata\Installations\{4186FEBC-F0CC-4185-A406-24292BC9877A}\NokiaSoftwareUpdaterSetup_2.4.8EN.exe
2010-04-28 12:24 . 2010-02-03 10:09 -------- d-----w- c:\program files\iTunes
2010-04-28 12:22 . 2008-12-25 15:49 -------- d-----w- c:\program files\Common Files\Apple
2010-04-28 12:17 . 2010-04-28 12:17 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.1.11\SetupAdmin.exe
2010-04-16 18:50 . 2009-04-04 13:43 -------- d-----w- c:\users\user\AppData\Roaming\Free Download Manager
2010-04-14 18:59 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-11 15:40 . 2009-10-08 14:08 -------- d-----w- c:\users\user\AppData\Roaming\Spotify
2010-03-31 08:56 . 2010-03-31 08:54 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-03-31 08:51 . 2010-03-31 08:51 -------- d-----w- c:\program files\QuickTime
2010-03-27 16:56 . 2010-02-22 23:32 148 ----a-w- c:\programdata\SafeNet Sentinel\Sentinel RMS Development Kit\System\prsgrc.dll
2010-03-17 10:17 . 2009-02-16 16:16 -------- d-----w- c:\program files\Safari
2010-03-17 10:14 . 2010-03-17 10:14 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-03-10 15:36 . 2009-03-08 20:56 -------- d-----w- c:\users\user\AppData\Roaming\dvdcss
2010-02-26 12:32 . 2009-01-06 18:36 92672 ----a-w- c:\windows\system32\nmwcdcls.dll
2010-02-24 16:39 . 2008-12-26 00:19 125032 ----a-w- c:\users\user\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 09:16 . 2009-10-03 00:22 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 13:04 . 2010-05-05 14:44 1664256 ----a-w- c:\programdata\AVG Security Toolbar\IEToolbar.dll
2010-02-23 06:39 . 2010-03-31 10:06 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-31 10:06 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 06:33 . 2010-03-31 10:06 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 04:55 . 2010-03-31 10:06 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-22 23:46 . 2009-02-16 16:21 194872 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-22 23:33 . 2010-02-22 23:33 1024 ----a-w- c:\windows\system32\grcauth2.dll
2010-02-22 23:33 . 2010-02-22 23:33 1024 ----a-w- c:\windows\system32\grcauth1.dll
2010-02-22 23:27 . 2010-02-22 23:27 1025 ----a-w- c:\windows\system32\sysprs7.dll
2010-02-20 23:06 . 2010-03-11 09:24 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-11 09:24 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-11 09:24 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-12 10:32 . 2010-02-27 08:25 293376 ----a-w- c:\windows\system32\browserchoice.exe
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-12-23 04:22 . 2010-04-21 07:45 105624 ----a-w- c:\program files\opera\program\plugins\DownloadStudioXML.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-02-23 13:04 1664256 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-08-25 16:12 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-07-29 16:52 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SmartRAM"="c:\program files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" [2010-01-22 200280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-02-22 1037608]
"RtHDVCpl"="RtHDVCpl.exe" [2008-06-19 6244896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-19 13793824]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-30 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-24 142120]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-07-02 850440]
"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-07-29 526896]

c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-19 4742184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AWinNotifyVitaKey MC3000]
2008-12-26 00:34 2972160 ----a-w- c:\program files\Acer\Acer Bio Protection\WinNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(8):95,b0,f5,61,36,ea,c9,01

R2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-03-21 24576]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [2010-02-23 369920]
R3 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe AVGIDSAgent [x]
R3 AVGIDSDrivervtx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_Vista\AVGIDSDriver.sys [2010-05-05 122376]
R3 AVGIDSFiltervtx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_Vista\AVGIDSFilter.sys [2010-05-05 30216]
R3 AVGIDSShimvtx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_Vista\AVGIDSShim.sys [2010-05-05 27144]
R3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [2008-02-12 17152]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2009-07-19 721904]
S0 AlfaFF;AlfaFF File System mini-filter;c:\windows\system32\Drivers\AlfaFF.sys [2008-12-26 43184]
S0 AVGIDSErHrvtx;AVG9IDSErHr;c:\windows\System32\Drivers\AVGIDSvx.sys [2010-05-05 25096]
S0 AvgRkx86;avgrkx86.sys;c:\windows\System32\Drivers\avgrkx86.sys [2010-05-05 52872]
S1 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwd6x.sys [2010-05-05 24856]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-05-05 216200]
S1 AvgTdiX;AVG Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-05-05 242896]
S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [2008-02-01 41456]
S2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-05-05 308064]
S2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [2010-05-05 2325816]
S2 IGBASVC;iGroupTec Service;c:\program files\Acer\Acer Bio Protection\BASVC.exe [2008-12-26 3471360]
S2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;c:\windows\system32\libusbd-nt.exe [2005-03-09 18944]
S2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [2008-01-11 233472]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2008-01-24 52736]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2009-04-17 114528]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2005-03-09 33792]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-08-21 66592]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-05-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-15 17:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/ig
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
Trusted Zone: kcl.ac.uk\firepass
Trusted Zone: microsoft.com\v4.windowsupdate
Trusted Zone: microsoft.com\v5.windowsupdate
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: windowsupdate.com\download
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vdoydmp9.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://kclmail.kcl.ac.uk/CookieAuth.dll?GetLogon?curl=Z2Fowa&reason=0&formdir=1
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\vdoydmp9.default\extensions\{0851d9cd-87db-4a0d-a792-097dc9071486}\components\DownloadStudioNativeWrapper.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Opera\program\plugins\npdsaud.dll
FF - plugin: c:\program files\Opera\program\plugins\npdsprog.dll
FF - plugin: c:\program files\Opera\program\plugins\npdsvid.dll
FF - plugin: c:\program files\Opera\program\plugins\npdszip.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} - (no file)
Notify-GoToAssist - c:\program files\Citrix\GoToAssist\482\G2AWinLogon.dll



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\G*e*n*i*e*"!\FM Genie Scout 2009 XE]
"GameDir"="c:\\Users\\user\\Documents\\Sports Interactive\\Football Manager 2009\\games"
"ShortlistDir"=""
"ScreenshotsDir"="c:\\Users\\user\\Documents\\Sports Interactive\\Football Manager 2009"
"SaveDir"="c:\\Users\\user\\Documents\\Sports Interactive\\Football Manager 2009\\"
"HistoryDir"="c:\\Users\\user\\Desktop\\FM09 Addons\\FM Genie Scout 2009 XE\\History Points"
"LangDB"="c:\\Program Files\\Sports Interactive\\Football Manager 2009\\data\\updates\\update-910\\db\\910\\lang_db.dat"
"LastSaveGame"=""
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"SkinName"="Champions League"
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:00000066
"UniqueID"="25-EA80-E07F"
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""
"Currency"=dword:00000056

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.032\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.032"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ani\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.ani"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.arw"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bay\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.bay"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.bmp"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.bw"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bwf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.bwf"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cel\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.cel"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.cr2"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.crw"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cs1\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.cs1"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cur\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.cur"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.dcr"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.dcx"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.dib"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djv\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.djv"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djvu\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.djvu"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dng\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.dng"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.emf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.emf"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eps\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.eps"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.erf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.erf"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.fff"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fpx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.fpx"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.gif"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hdr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.hdr"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icl\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.icl"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icn\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.icn"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.ico"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.iff"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ilbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.ilbm"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.int\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.int"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.inta\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.inta"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iw4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.iw4"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2c\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.j2c"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2k\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.j2k"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.jfif"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.jif"

[HKEY_USERS\S-1-5-21-3634843480-2123401004-3452999172-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jp2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 2.0.jp2"

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3424)
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
c:\windows\system32\btncopy.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Acer\Acer Bio Protection\CompPtcVUI.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
c:\windows\RtHDVCpl.exe
c:\windows\ehome\ehmsas.exe
c:\users\user\AppData\Local\Temp\RtkBtMnt.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
.
**************************************************************************
.
Completion time: 2010-05-05 23:26:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-05 22:26

Pre-Run: 98,206,216,192 bytes free
Post-Run: 98,188,709,888 bytes free

- - End Of File - - 73C23CD674BF8C5004ACEF1851713021

Attached Files

  • Attached File: log.txt (49.31KB)

Edited by lamba105, 05 May 2010 - 07:25 PM.


#5 snemelk

snemelk

    engineer


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  • Gender:Male
  • Location:Poland
  • Local time:10:57 PM

Posted 06 May 2010 - 12:27 PM

Hi again lamba105!!..

QUOTE(lamba105 @ May 5 2010, 11:32 PM)
Please note I have installed a different antivirus since my last post, should I run the DDS and GMER again?

No, no need for that... I'll ask you to re-run Gmer, though...

QUOTE
Also I will also uninstall Advance System Care afterwards as I only needed it to scan for spyware haha.

Good... MalwareBytes' Anti-Malware is a much better program for that purpose... ;)

It looks much better now...

ComboFix, apart from removing a rootkit infection, also deleted two files which are probably legitimate... I'll need to have them uploaded...
Navigate to this folder: c:\Qoobox\Quarantine\c\windows\system32

Then, highlight the files below, right-click and choose: "Send to" --> "Compressed (zipped) Folder"
lsprst7.dll.vir
prsgrc.dll.vir


That should zip them up...
Then go to this site, click on Browse, and choose the zipped file...

In the text box paste a link to this thread and/or add any useful information, if you want to.
Then, click Upload. Allow the file to be uploaded - wait till: The file has been uploaded! appears.
Please let me know once you do this.

Then,
Please restore your Proxy settings as they have been modified by malware...
To do this:
In Internet Explorer: Tools menu -> Internet Options -> Connections tab -> LAN Settings -> uncheck "Use a proxy server" and check "Automatically detect settings".
In Firefox: Tools menu -> Options... -> Advanced tab -> Network tab -> "Settings" under Connection.

Then,
We need to make sure the rootkit infection is gone... Please re-run the Gmer application as instructed in the Preparation Guide... Post the logfile...

Finally,
Please scan your computer with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

Edited by snemelk, 06 May 2010 - 12:28 PM.

snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#6 lamba105

lamba105
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:57 PM

Posted 06 May 2010 - 03:52 PM

Hi snemelk,

Thanks for the reply.

I have uploaded the zip file with the two files, lsprst7.dll.vir and prsgrc.dll.vir, to the website.

However, under the same folder there is another .vir file called kungsflnbbcpun.dat.vir. Is this also legitimate?

I have now changed the network settings for IE and Firefox to no proxy.

I am about to run Gmer and then ESET OnlineScan. I will post the logs once they are finished.

Thank you

#7 lamba105

lamba105
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:57 PM

Posted 07 May 2010 - 12:16 PM

Hi snemelk,

I have run Gmer, and the ESET scan just finished - it took just under 12 hours hahaha

The logs are as follows:

Gmer:


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-06 22:46:32
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\user\AppData\Local\Temp\pgtyafod.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_Vista\AVGIDSShim.sys ZwOpenProcess [0x9E127730]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_Vista\AVGIDSShim.sys ZwTerminateProcess [0x9E1277E0]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_Vista\AVGIDSShim.sys ZwTerminateThread [0x9E127880]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_Vista\AVGIDSShim.sys ZwWriteVirtualMemory [0x9E127920]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 3F1 824BBB54 4 Bytes [30, 77, 12, 9E] {XOR [EDI+0x12], DH; SAHF }
.text ntkrnlpa.exe!KeSetEvent + 621 824BBD84 8 Bytes [E0, 77, 12, 9E, 80, 78, 12, ...] {LOOPNZ 0x79; ADC BL, [ESI-0x61ed8780]}
.text ntkrnlpa.exe!KeSetEvent + 681 824BBDE4 4 Bytes [20, 79, 12, 9E] {AND [ECX+0x12], BH; SAHF }
C:\Program Files\CyberLink\PowerDVD8\000.fcl entry point in "" section [0x903EB000]
.clc C:\Program Files\CyberLink\PowerDVD8\000.fcl unknown last section [0x903EC000, 0x1000, 0x00000000]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\Explorer.EXE[316] SHELL32.dll!SHGetFolderPathAndSubDirW + 81C9 7632B364 4 Bytes [00, 26, 00, 10] {ADD [ESI], AH; ADD [EAX], DL}
.text C:\Windows\Explorer.EXE[316] SHELL32.dll!ShellExecuteExW + 18B7 7635D9EC 4 Bytes [10, 1B, 00, 10] {ADC [EBX], BL; ADD [EAX], DL}
.text C:\Program Files\Mozilla Firefox\firefox.exe[1180] ntdll.dll!LdrLoadDll 77329390 5 Bytes JMP 00C813F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] kernel32.dll!FindResourceExA 77032575 7 Bytes JMP 28001D80 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] kernel32.dll!FindResourceA 77032653 5 Bytes JMP 28001CF0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] kernel32.dll!CreateEventA 770544C0 5 Bytes JMP 28001840 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] kernel32.dll!LockResource 770568DF 5 Bytes JMP 28001F50 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] kernel32.dll!FindResourceExW 770569FD 7 Bytes JMP 28001C60 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] kernel32.dll!LoadResource 77056ADB 7 Bytes JMP 28001E20 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] kernel32.dll!FindResourceW 77057FA1 5 Bytes JMP 28001BE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] kernel32.dll!SizeofResource 77057FBF 7 Bytes JMP 28001EE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] ADVAPI32.dll!CryptDeriveKey 75EFFCAE 7 Bytes JMP 28001000 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] ADVAPI32.dll!CryptDecrypt 75EFFE91 7 Bytes JMP 28001060 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] USER32.dll!CreateDialogParamW 75AA72A2 5 Bytes JMP 28006090 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] USER32.dll!SetWindowPlacement 75AA7963 5 Bytes JMP 28005E10 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] USER32.dll!SetWindowRgn 75AAA221 7 Bytes JMP 28005F50 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] USER32.dll!LoadImageW 75AAC9E5 5 Bytes JMP 280066E0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] USER32.dll!LoadIconW 75AADA9F 5 Bytes JMP 280068D0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] USER32.dll!CreateWindowExW 75AB1305 5 Bytes JMP 28003C60 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] USER32.dll!GetWindowLongW 75ABF8BF 7 Bytes JMP 28006A70 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] USER32.dll!PeekMessageW 75AC045A 5 Bytes JMP 28004630 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] USER32.dll!TrackPopupMenuEx 75AD0CE7 5 Bytes JMP 28004F10 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] USER32.dll!MessageBoxIndirectW 75AFD5D3 5 Bytes JMP 28006280 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] WS2_32.dll!closesocket 7746330C 5 Bytes JMP 2800B8C0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] WS2_32.dll!recv 7746343A 5 Bytes JMP 2800B0E0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] WS2_32.dll!WSASend 77464496 5 Bytes JMP 2800B680 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] WS2_32.dll!send 7746659B 5 Bytes JMP 2800B4A0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] WS2_32.dll!WSARecv 77468400 5 Bytes JMP 2800B280 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] SHELL32.dll!Shell_NotifyIconW 76348626 5 Bytes JMP 280033B0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] ole32.dll!CoRegisterClassObject 75BA7DB6 5 Bytes JMP 28002360 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] ole32.dll!CoCreateInstance 75BE9EA6 5 Bytes JMP 28002600 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] ole32.dll!CoInitializeEx 75BEAD63 5 Bytes JMP 28002260 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] WININET.dll!InternetReadFile 759C654B 5 Bytes JMP 2800A090 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] WININET.dll!InternetCloseHandle 759C9088 5 Bytes JMP 2800A240 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] WININET.dll!HttpOpenRequestA 759CD508 5 Bytes JMP 28009F00 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4688] WININET.dll!HttpSendRequestA 759DEE89 5 Bytes JMP 2800A170 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BthPort\Parameters\Keys\001fe1febd5a
Reg HKLM\SYSTEM\CurrentControlSet\Services\BthPort\Parameters\Keys\001fe1febd5a@001d9873a5d1 0xDD 0x73 0x79 0x2C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BthPort\Parameters\Keys\001fe1febd5a@041e6401f5b8 0x3B 0x71 0xA9 0x28 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x39 0xF6 0x1E 0x52 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xDF 0x43 0x51 0x4E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xB5 0xC3 0x2F 0xDF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF4 0x86 0x21 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA4 0x75 0xEF 0x35 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x5D 0x51 0x03 0x50 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BthPort\Parameters\Keys\001fe1febd5a (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BthPort\Parameters\Keys\001fe1febd5a@001d9873a5d1 0xDD 0x73 0x79 0x2C ...
Reg HKLM\SYSTEM\ControlSet002\Services\BthPort\Parameters\Keys\001fe1febd5a@041e6401f5b8 0x3B 0x71 0xA9 0x28 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x39 0xF6 0x1E 0x52 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xDF 0x43 0x51 0x4E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xB5 0xC3 0x2F 0xDF ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF4 0x86 0x21 0x80 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA4 0x75 0xEF 0x35 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x5D 0x51 0x03 0x50 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\650C6BE6BB20E3544884CE099B971408\Usage@MainFeature 1017548776

---- Files - GMER 1.0.15 ----

File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.ci 4096 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.dir 4096 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid 65536 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010020.ci 16384 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010020.dir 4096 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010020.wid 65536 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiMG0025.000 240 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiMG0025.001 65536 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiMG0025.002 65536 bytes
File C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O5GOALSR\mailhome[1].htm 0 bytes

---- EOF - GMER 1.0.15 ----


AND the ESET online scan log


C:\Program Files\Hotspot Shield\bin\openvpnas.exe a variant of Win32/HotSpotShield application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\kbdhid.sys.vir Win32/Patched.EQ trojan deleted - quarantined
C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\1dd6a40c-56eefd72 a variant of Java/TrojanDownloader.Agent.NAN trojan deleted - quarantined
C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\7ab02891-62e49616 a variant of Java/TrojanDownloader.Agent.NAN trojan deleted - quarantined
C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\fe6b793-23bd2a13 probably a variant of Java/TrojanDownloader.Agent.NAM trojan deleted - quarantined
C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\7adbb65d-37a42b47 a variant of Java/TrojanDownloader.Agent.NAN trojan deleted - quarantined
C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\30feb821-7927fd3e a variant of Java/TrojanDownloader.Agent.NAN trojan deleted - quarantined
C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\5473416c-68762fac a variant of Java/TrojanDownloader.Agent.NAN trojan deleted - quarantined
C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\4934abef-1717b75c a variant of Java/TrojanDownloader.Agent.NAN trojan deleted - quarantined
C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\43172bc5-7fda0bd7 a variant of Java/TrojanDownloader.Agent.NAN trojan deleted - quarantined
C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\e649f74-19cfdba4 a variant of Java/TrojanDownloader.Agent.NAN trojan deleted - quarantined
C:\Users\user\Desktop\HSS-1.21-install-anchorfree-76-conduit.exe a variant of Win32/HotSpotShield application deleted - quarantined

Again, I uploaded both txt log files in case you prefer them as txt files.
Thank you



Edited by lamba105, 07 May 2010 - 12:16 PM.


#8 snemelk (engineer, Malware Response Team, Poland)

Posted 07 May 2010 - 01:43 PM

Hi again lamba105, and thank you for the logs!

The Gmer scan results look good - the rootkit infection is gone...

QUOTE(lamba105 @ May 6 2010, 10:52 PM)
I have uploaded the zip file with the two files: lsprst7.dll.vir and prsgrc.dll.vir to the website.

However under the same folder there is another .vir file called: kungsflnbbcpun.dat.vir is this also legitimate?

Thanks, I got the files... However, as I'm away from home, I'm not able to check them now... Give me one or two days, please...
That other file (kungsf*) is malicious...

I'll ask you to clear the Java cache now... If there are no further issues, I'll be back to you in one or two days to give you final instructions...

Your scan showed one or more viruses in your Sun Java Runtime Environment (JRE) cache. Delete those by clearing the JRE cache.
To clear the Java Runtime Environment (JRE) cache:
  • Double-click on the file in bold: C:\Program files\Java\jre6\bin\javacpl.exe.
    -The Java Control Panel appears.
  • Click Settings under Temporary Internet Files.
    -The Temporary Files Settings dialog box appears.
  • Click Delete Files.
    -The Delete Temporary Files dialog box appears.
    -There are two options on this window to clear the cache.
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files window.
    -Note: This deletes all the Downloaded Applications and Applets from the cache.
  • Click OK on Temporary Files Settings window.
  • Close the Java Control Panel

snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver

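Added example by the editor, not code from the thread: a PowerShell script that reads ESET online-scanner log lines like the ones lamba105 posted above and sorts each detection by where the file lived, so it is clear which entries the Java cache step above takes care of, which were already in the ComboFix quarantine, and which were live files. The sample lines are copied from that ESET log; the location classes, the regular expression and the advice strings are the editor's assumptions, not ESET output.

```powershell
# Added example (editor's code, not from the thread): classify ESET online-scanner
# detections by the location of the file. Sample lines copied from the log posted above.
$esetLog = @'
C:\Program Files\Hotspot Shield\bin\openvpnas.exe a variant of Win32/HotSpotShield application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\kbdhid.sys.vir Win32/Patched.EQ trojan deleted - quarantined
C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\1dd6a40c-56eefd72 a variant of Java/TrojanDownloader.Agent.NAN trojan deleted - quarantined
C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\fe6b793-23bd2a13 probably a variant of Java/TrojanDownloader.Agent.NAM trojan deleted - quarantined
C:\Users\user\Desktop\HSS-1.21-install-anchorfree-76-conduit.exe a variant of Win32/HotSpotShield application deleted - quarantined
'@

# One line is "<path> [a variant of|probably a variant of] <Family/Name> <type> <action>".
# The path may contain spaces, so the detection name (it always contains a "/") is the anchor.
# This pattern is the editor's assumption about the log format, not an ESET specification.
$lineRegex = '^(?<path>.+?)\s+(?:(?:probably )?a variant of\s+)?(?<name>[A-Za-z0-9]+/\S+)\s+(?<kind>\S+)\s+(?<action>.*)$'

function Get-EsetDetection {
    param([string]$Line)
    if (-not ($Line -match $lineRegex)) { return $null }
    # Copy the captures now: "switch -Regex" below overwrites $Matches.
    $path = $Matches['path']; $name = $Matches['name']; $kind = $Matches['kind']; $action = $Matches['action']

    $location = switch -Regex ($path) {
        '\\Sun\\Java\\Deployment\\cache\\' { 'java-cache'; break }
        '^[A-Z]:\\Qoobox\\Quarantine\\'     { 'combofix-quarantine'; break }
        '\\Temporary Internet Files\\'      { 'browser-cache'; break }
        default                             { 'live-file' }
    }
    $advice = switch ($location) {
        'java-cache'          { 'exploit payload cached by the JRE: clear the Java cache (javacpl.exe > Delete Files)' }
        'combofix-quarantine' { 'already contained under C:\Qoobox; ESET removed that copy, nothing else to do' }
        'browser-cache'       { 'drive-by download left in the browser cache: clear it; no running code implied' }
        default               { 'file was live on disk: confirm the program still works or reinstall it from a clean source' }
    }
    New-Object PSObject -Property @{
        Location = $location; Name = $name; Kind = $kind; Action = $action; Path = $path; Advice = $advice
    }
}

function Get-EsetDetections {
    param([string]$LogText)
    $LogText -split "`r?`n" | Where-Object { $_.Trim() } | ForEach-Object { Get-EsetDetection $_ } | Where-Object { $_ }
}

Get-EsetDetections $esetLog | Select-Object Location, Name, Kind, Path | Format-Table -AutoSize
# One summary line per location class, with the follow-up action.
Get-EsetDetections $esetLog | Group-Object Location | ForEach-Object {
    '{0,-20} {1,2}  {2}' -f $_.Name, $_.Count, $_.Group[0].Advice
}
```

Paste the whole block into a PowerShell prompt (2.0 on Vista is enough; it uses no 3.0-only cmdlets). Replace the here-string with the full log to run it over every line; lines the pattern does not recognise are dropped silently, so compare the row count with the line count of the log before trusting the summary.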

#9 lamba105 (Topic Starter)

Posted 07 May 2010 - 03:12 PM

hi snemelk,

Thanks for the reply.

I have now cleared the Java cache. I look forward to hearing from you for final instructions once you have returned home.

On a separate note, for some reason my "windows update" does not work anymore since I installed AVG 9.0 antivirus. I disabled the AVG firewall and am using the windows firewall instead but it is still not detecting any updates...

Again, thank you so much.



#10 snemelk (engineer, Malware Response Team, Poland)

Posted 08 May 2010 - 05:16 AM

Hi again lamba105!

QUOTE(lamba105 @ May 7 2010, 10:12 PM)
On a separate note, for some reason my "windows update" does not work anymore since I installed AVG 9.0 antivirus. I disabled the AVG firewall and am using the windows firewall instead but it is still not detecting any updates...

Do you get any error when trying to update??..
Check also this link on AVG forums: Windows Updates Vista SP2
Let me know if it helps... If not, we'll dig deeper... ;)


#11 lamba105 (Topic Starter)

Posted 08 May 2010 - 08:58 AM

Hi snemelk,

I used to get an error code "error code 80072efe". But then the error went away after I turned off the AVG firewall and started using the windows firewall instead.

Now I don't get any errors, but it has failed to find any update for a week, so I'm sure something is wrong...

Thanks, have a good weekend!


#12 snemelk (engineer, Malware Response Team, Poland)

Posted 09 May 2010 - 10:28 AM

Hi again lamba105!

QUOTE
Thanks, have a good weekend!

Thank you...

Firstly, let's restore those 2 files (probably related to the SafeNet Sentinel program):

Open Notepad and copy and paste the text present in the quotebox:

QUOTE
@echo off
rem Put the two quarantined DLLs back only if the originals are missing.
rem ComboFix keeps quarantined files under C:\Qoobox with a .vir suffix.
if not exist c:\windows\system32\lsprst7.dll copy c:\Qoobox\Quarantine\c\windows\system32\lsprst7.dll.vir c:\windows\system32\lsprst7.dll
if not exist c:\windows\system32\prsgrc.dll copy c:\Qoobox\Quarantine\c\windows\system32\prsgrc.dll.vir c:\windows\system32\prsgrc.dll
rem Delete this batch file once it has run.
del %0

Save this as fix.bat (choose "All Files" as the file type) and place it on your Desktop.
It should look like this:
Right-click on it and choose: "Run as administrator". The script will run and quit without showing any information - just ensure those 2 files exist in the system32 folder...

Secondly, let's update outdated programs (with security vulnerabilities):

Adobe Acrobat 8 Professional - make sure you're running the latest available version... Run Help --> Check for updates if necessary...

Go to Start -> Control Panel -> Programs and Features, highlight a program to see the available option on the toolbar for it. Choose Uninstall for:
Java™ 6 Update 17

Then,
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • In the Window that opens, select Windows, your Language, check the "agree" box and click Continue.
  • Click on the link to download Windows Offline Installation and save to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe that you downloaded to install the newest version.

Mozilla Firefox (3.0.15) - uninstall that pretty outdated version and install the newest: Firefox 3.6.3

Thirdly, let's do some cleaning up:
To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Then,
Please set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
  • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
  • Click "OK" to select the partition or drive you desire.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one. More details and screenshots for Disk Cleanup in Windows Vista can be found here and for Windows 7 here.

Please check my site - snemelk.hekko.pl. There, you'll find a few steps to make your web browsing safer. thumbup2.gif

Also, I recommend you to read Grinler's excellent article: How did I get infected?, With steps so it does not happen again!

QUOTE(lamba105 @ May 8 2010, 03:58 PM)
Now I don't get any errors but it has fail to find any update for a week, so I'm sure something is wrong...

Hmmm, that's strange...
Go to Start --> Windows Update - and look at the History of updates... On my computer, the last MS update was installed on 29th of April (then only four definition updates for Windows Defender)... How is it on yours??..
MS will release its set of updates on May 11 - we can certainly wait for that moment and see if it updates...

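Added example by the editor, not snemelk's fix.bat: the same restore done in PowerShell, which puts each DLL back only if the original is missing and then reports what was restored (size, SHA-1, Authenticode status) so the result can be checked rather than assumed. It assumes PowerShell 2.0 on Vista/7 and an elevated prompt; the two paths are the ones from the thread, and the restore point and signature check are extra steps the original instructions did not ask for.

```powershell
# Added example (editor's code, not from the thread). Run from an elevated PowerShell 2.0 prompt.
$restores = @(
    @{ Quarantined = 'C:\Qoobox\Quarantine\C\Windows\System32\lsprst7.dll.vir'; Target = 'C:\Windows\System32\lsprst7.dll' },
    @{ Quarantined = 'C:\Qoobox\Quarantine\C\Windows\System32\prsgrc.dll.vir';  Target = 'C:\Windows\System32\prsgrc.dll' }
)

function Get-FileSha1 {
    param([string]$Path)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try   { ([System.BitConverter]::ToString($sha1.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

function Restore-QuarantinedFile {
    param([string]$Quarantined, [string]$Target)
    if (Test-Path -LiteralPath $Target) {
        return "skip     $Target already present (sha1 $(Get-FileSha1 $Target))"
    }
    if (-not (Test-Path -LiteralPath $Quarantined)) {
        return "missing  $Quarantined is not in the quarantine folder"
    }
    # The original fix.bat does a plain copy of the .vir file, so this does the same.
    Copy-Item -LiteralPath $Quarantined -Destination $Target
    $sig = Get-AuthenticodeSignature -FilePath $Target
    $len = (Get-Item -LiteralPath $Target).Length
    return "restored $Target ($len bytes, sha1 $(Get-FileSha1 $Target), signature: $($sig.Status))"
}

# A restore point first, so the copy can be undone if the files turn out to be unwanted.
Checkpoint-Computer -Description 'Before restoring lsprst7.dll and prsgrc.dll' -RestorePointType MODIFY_SETTINGS

foreach ($r in $restores) {
    Restore-QuarantinedFile -Quarantined $r.Quarantined -Target $r.Target
}
```

A signature status of NotSigned is not by itself a verdict; many vendor DLLs of that era were unsigned. The SHA-1 is there so the file can be looked up or compared with a clean install of the same software before anyone trusts it.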

#13 lamba105 (Topic Starter)

Posted 09 May 2010 - 02:24 PM

Hi snemelk,

Thanks for the reply.

I have run the fix.bat.

I updated Java, firefox and Acrobat.

I also ran the OTC.exe, created a system restore point and erased previous ones.

I will read your website and Grinler's article soon.

As for Windows Update - Before I used to get updates every 3-4 days:

My last update was on 3rd of May 2010 for Windows Defender definitions (then no more updates after I installed AVG 9.0); previous to that I had updates on 29th, 27th, 26th... of April, mostly for Windows Defender definitions.

Could it be because my Windows Defender is no longer working?? This is because AVG 9.0 seems to have disabled it.

Meanwhile I will wait for the update on 11th of May; hopefully I'll be able to get the update.

Thanks

Edited by lamba105, 09 May 2010 - 02:25 PM.


#14 snemelk (engineer, Malware Response Team, Poland)

Posted 09 May 2010 - 05:08 PM

Hi again lamba105!

QUOTE(lamba105 @ May 9 2010, 09:24 PM)
Could it be because my Windows Defender is no longer working?? This is because AVG 9.0 seems to have disabled it.

Hmm, WMI reports it as enabled and updated:
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

On my system, there were new updates installed for Windows Defender on 6th and 7th of May...

There is something strange, though, in why WU stopped working after installing AVG... ComboFix logfile shows something weird as well:

2010-05-05 15:44 . 2010-05-05 15:46 -------- d-----w- c:\windows\system32\catroot2
2010-05-05 14:27 . 2010-05-05 14:27 -------- d-----w- c:\users\user\AppData\Roaming\AVG9


catroot2 folder created not long after installing AVG 9.0 ... That's why I would like you to try methods 2 and 3 from that MS article: You cannot install some updates or programs
Some people report (for example here: Automatic Updates) that it worked for them...

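Added example by the editor, not code from the thread: the checks behind snemelk's two observations above, run from PowerShell rather than read off a ComboFix log. It queries the same WMI Security Center data ComboFix reports (the "SP: Windows Defender *enabled* (Updated)" line), lists the state of the services Windows Update depends on, looks at the catroot2 folder, pulls the Service Control Manager events for a service that "started and then stopped", and wraps the standard catroot2 reset in a function to be run deliberately afterwards. Assumptions: Vista/7 with PowerShell 2.0, an elevated prompt, and the commonly used but undocumented productState bit layout (second byte 0x10 = enabled, low byte 0x00 = definitions current), so treat Enabled and UpToDate as a heuristic; the reset function is the generic catroot2 procedure, not a transcription of the linked MS article.

```powershell
# Added example (editor's code, not from the thread). PowerShell 2.0, elevated prompt.

function Get-SecurityCenterProducts {
    # Vista/7 register security products in root\SecurityCenter2; productState is a packed integer.
    foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct') {
        Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $class -ErrorAction SilentlyContinue |
            ForEach-Object {
                $state = [int]$_.productState
                New-Object PSObject -Property @{
                    Class      = $class
                    Product    = $_.displayName
                    State      = ('0x{0:X6}' -f $state)
                    Enabled    = (($state -band 0x00FF00) -eq 0x001000)   # assumption: second byte 0x10 = on
                    UpToDate   = (($state -band 0x0000FF) -eq 0x000000)   # assumption: low byte 0x00 = current, 0x10 = stale
                    InstanceId = $_.instanceGuid
                }
            }
    }
}

function Get-UpdateStackHealth {
    # The services Windows Update needs, plus the Defender service the thread is asking about.
    foreach ($name in 'wuauserv', 'BITS', 'CryptSvc', 'WinDefend') {
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        New-Object PSObject -Property @{
            Service   = $name
            State     = $(if ($wmi) { $wmi.State } else { 'not installed' })
            StartMode = $(if ($wmi) { $wmi.StartMode } else { '-' })
        }
    }
}

function Get-CatRoot2Info {
    $dir = Join-Path $env:SystemRoot 'System32\catroot2'
    if (Test-Path -LiteralPath $dir) {
        $d = Get-Item -LiteralPath $dir -Force   # -Force: the folder may carry hidden/system attributes
        "catroot2 present: created $($d.CreationTime), last written $($d.LastWriteTime)"
    } else {
        'catroot2 absent: CryptSvc rebuilds it the next time it starts'
    }
}

function Get-DefenderServiceEvents {
    # "Started and then stopped" leaves Service Control Manager entries in the System log.
    Get-EventLog -LogName System -Newest 300 |
        Where-Object { $_.Source -eq 'Service Control Manager' -and $_.Message -match 'Windows Defender' } |
        Select-Object TimeGenerated, EventID, Message
}

function Reset-CatRoot2 {
    # Generic catroot2 reset: stop the services holding the catalog database, move the
    # folder aside (never delete it), then start the services so CryptSvc rebuilds a fresh copy.
    $dir = Join-Path $env:SystemRoot 'System32\catroot2'
    foreach ($svc in 'wuauserv', 'CryptSvc') { Stop-Service -Name $svc -Force -ErrorAction Stop }
    if (Test-Path -LiteralPath $dir) {
        Move-Item -LiteralPath $dir -Destination ('{0}.{1:yyyyMMdd-HHmmss}.old' -f $dir, (Get-Date))
    }
    foreach ($svc in 'CryptSvc', 'wuauserv') { Start-Service -Name $svc }
}

Get-SecurityCenterProducts | Select-Object Class, Product, State, Enabled, UpToDate | Format-Table -AutoSize
Get-UpdateStackHealth | Select-Object Service, State, StartMode | Format-Table -AutoSize
Get-CatRoot2Info
Get-DefenderServiceEvents | Format-List
# Only after reading the output above:  Reset-CatRoot2
```

Read the WMI rows against the service table: a product that Security Center reports as enabled while its service is stopped or disabled is exactly the contradiction in this thread, and the event log entries say which side to believe. The reset is kept out of the automatic run on purpose; it is harmless, but it should follow a look at the evidence, not replace it.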

#15 lamba105 (Topic Starter)

Posted 09 May 2010 - 06:54 PM

Hi snemelk,

I have done the two methods; however, Windows Update is still not detecting any updates.

Also there is no "catroot2" folder under my c:\windows\system32\ - but there is a folder called "catroot".

Windows Defender is also failing to start; every time I try to start it, a message comes up: "The Windows Defender Service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs" - very strange??

Thanks



