Avira running warnings for TR/XPack.gen, TR/Vundo.gen, TR/Zpack.gen and various other trojans trying to access my computer


  • This topic is locked
27 replies to this topic

#1 eriolclow

  • Members
  • 55 posts

Posted 10 June 2010 - 08:57 AM

As requested by boopme, this topic has been moved from the "Am I infected?" forum to this one, with dds logs posted:

This is the link to the earlier topic:
http://www.bleepingcomputer.com/forums/top...ml#entry1793290

And this is the DDS log I ran last June 8:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Ken at 23:28:52.92 on Tue 06/08/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1240 [GMT 8:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\system32\userini.exe
C:\Program Files\VDOTool\TBPanel.exe
C:\WINDOWS\system32\oodtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\userini.exe
C:\WINDOWS\system32\userini.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\userini.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\Temp\wpv821275553665.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\avira\antivir desktop\avcenter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ken\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Taskman=c:\documents and settings\ken\application data\cift.exe
uWinlogon: Shell=c:\documents and settings\administrator\application data\cift.exe,explorer.exe,c:\documents and settings\ken\application data\cift.exe
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\progra~1\mi3aa1~1\wcescomm.exe"
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [userini] c:\windows\system32\userini.exe
mRun: [Gainward] c:\program files\vdotool\TBPanel.exe /A
mRun: [OODefragTray] c:\windows\system32\oodtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [EPSON Stylus C63 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S10IC2.EXE /P23 "EPSON Stylus C63 Series" /O6 "USB001" /M "Stylus C63"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [BigDog303] c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime alternative\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [userini] c:\windows\system32\userini.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uExplorerRun: [userini] c:\windows\system32\userini.exe
mExplorerRun: [userini] c:\windows\system32\userini.exe
StartupFolder: c:\docume~1\ken\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab?1271083908000
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201923454171
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://games.bigfishgames.com/en_feedingfrenzy/online/Game/SproutLauncher.cab
TCP: {7A218CD9-2A4A-477E-AD0E-4A6975B74B17} = 202.78.97.41,210.4.2.61
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ken\applic~1\mozilla\firefox\profiles\4zxj8urj.default\
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-8-8 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-18 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-11 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-8-8 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-8-8 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-8 56816]

=============== Created Last 30 ================

2010-06-08 15:16:46 174 ----a-w- c:\documents and settings\ken\defogger_reenable
2010-06-08 15:11:45 55808 ----a-w- c:\windows\system32\userini.exe
2010-06-06 14:37:12 0 d-----w- c:\program files\Trend Micro
2010-06-06 14:31:01 388608 ----a-w- c:\program files\HijackThis.exe
2010-06-06 09:00:23 0 d-----w- c:\docume~1\ken\applic~1\SUPERAntiSpyware.com
2010-06-06 09:00:23 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-06-06 09:00:19 0 d-----w- c:\program files\SUPERAntiSpyware
2010-06-06 08:59:08 8924856 ----a-w- c:\program files\SUPERAntiSpyware.exe
2010-06-06 08:22:19 0 d-----w- c:\docume~1\ken\applic~1\Malwarebytes
2010-06-06 08:22:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-06 08:22:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-06 08:22:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-06 08:22:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-06 08:19:31 6153352 ----a-w- c:\program files\mbam-setup.exe
2010-06-06 05:14:03 0 ----a-w- c:\documents and settings\ken\Desktop.ini
2010-06-05 23:32:51 122880 --sh--r- c:\docume~1\ken\applic~1\cift.exe
2010-06-02 15:57:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-06-02 15:57:53 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-01 13:13:51 84480 --sh--r- c:\docume~1\ken\applic~1\mrpky.exe
2010-05-22 12:53:21 0 d-----w- c:\windows\system32\NtmsData
2010-05-18 15:19:08 0 d-----w- c:\program files\JDownloader
2010-05-18 15:18:40 19241022 ----a-w- c:\program files\JDownloaderSetup.exe

==================== Find3M ====================

2010-06-07 13:48:21 7163 ----a-w- c:\program files\hijackthis.log
2010-06-07 11:45:06 1033728 ----a-w- c:\windows\explorer.exe
2010-06-06 14:36:55 1402880 ----a-w- c:\program files\HiJackThis.msi
2010-05-18 12:58:37 40868 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-03 04:58:30 3759800 ----a-w- c:\program files\MSReaderSetupUSA.exe
2010-04-26 15:00:23 17829274 ----a-w- c:\program files\FreeYouTubeToMP3Converter.exe
2010-04-16 00:33:36 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-16 00:33:36 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-12 15:18:26 12400120 ----a-w- c:\program files\picasa36-setup.exe
2010-04-10 15:40:13 18499623 ----a-w- c:\program files\vlc-1.0.5-win32.exe
2010-04-10 14:50:32 3189496 ----a-w- c:\program files\MPC-HomeCinema.1.3.1249.0.(x86).exe
2010-04-08 05:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 05:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-22 18:38:00 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2008-07-06 05:14:39 917689 ----a-w- c:\program files\ComicsViewer_eng.zip
2008-03-19 04:35:59 0 ----a-w- c:\program files\temp01
2009-08-08 08:49:03 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-08-08 08:49:03 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009080820090809\index.dat

============= FINISH: 23:29:29.12 ===============


Still trying to run a gmer log without causing the program to freeze upon attempting to save the log, will post if I'm successful.

*EDIT*
GMER log successfully generated. However, I can no longer use the computer while the LAN connection is on. It appears that having the LAN connection on triggers the attempts of the trojans (listed in the post linked above) to enter the system, and AVIRA gives 20 or more warnings that I have to deny access to. While pressing the deny access button used to work before, now, after getting a certain number of these warnings, the computer restarts by itself. The only solution I have for this (if your suggested fixes require downloading any programs and installing them) would be to use my laptop to download the programs, burn them onto a CD, and then run/install them on the infected computer in normal mode but with the LAN turned off. This is what I did with the GMER and attach.txt logs, actually. I have them burned onto a CD now, as I found it impossible to connect to the internet using the infected computer, and then I posted the GMER log using my office laptop.

Attached file: ark.txt (75.84 KB)

Edited by eriolclow, 10 June 2010 - 08:53 PM.
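As an added illustration (not part of eriolclow's post and not a DDS feature), the script below does the first pass a helper makes over a log like this one: it splits the DDS output into its sections and flags the entries that stand out in the log above (a Winlogon Shell/Taskman value that is not explorer.exe, one command registered under several Run keys at once, recently created executables carrying the system+hidden attributes, and a process running from a Temp folder). The sample input is copied from the log in this post; the flagging rules and all function names are this example's own assumptions, and a flag is a prompt to look closer, not a verdict.

```python
"""Triage the DDS sections pasted above: pull out the entries a malware-removal
helper looks at first. Sample lines are copied from the log in this post; the
flagging rules are this example's own assumptions, not DDS features."""
import re
from collections import defaultdict

# Excerpt of the DDS output from the post above (copied, not a complete log).
SAMPLE_DDS = r"""
============== Running Processes ===============

C:\WINDOWS\system32\userini.exe
C:\WINDOWS\Temp\wpv821275553665.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe

============== Pseudo HJT Report ===============

mWinlogon: Taskman=c:\documents and settings\ken\application data\cift.exe
uWinlogon: Shell=c:\documents and settings\administrator\application data\cift.exe,explorer.exe,c:\documents and settings\ken\application data\cift.exe
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [userini] c:\windows\system32\userini.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [userini] c:\windows\system32\userini.exe
uExplorerRun: [userini] c:\windows\system32\userini.exe
mExplorerRun: [userini] c:\windows\system32\userini.exe

=============== Created Last 30 ================

2010-06-08 15:11:45 55808 ----a-w- c:\windows\system32\userini.exe
2010-06-06 08:22:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-05 23:32:51 122880 --sh--r- c:\docume~1\ken\applic~1\cift.exe
2010-06-01 13:13:51 84480 --sh--r- c:\docume~1\ken\applic~1\mrpky.exe
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
WINLOGON_RE = re.compile(r"^[um]Winlogon: (?P<key>Shell|Taskman)=(?P<val>.*)$")
RUN_RE = re.compile(r"^(?P<hive>[umd](?:Explorer)?Run): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
CREATED_RE = re.compile(r"^\S+ \S+ (?P<size>\d+) (?P<attr>[-a-z]{8}) (?P<path>.+)$")


def split_sections(text):
    """Map each '=== Title ===' banner to the non-empty lines under it."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
        elif current and line:
            sections[current].append(line)
    return sections


def triage(text):
    """Return (rule, detail) pairs for entries worth a second look."""
    sections = split_sections(text)
    findings = []

    for line in sections["Pseudo HJT Report"]:
        # Winlogon Shell should be exactly explorer.exe; Taskman is normally absent.
        m = WINLOGON_RE.match(line)
        if m:
            for entry in m.group("val").split(","):
                entry = entry.strip().lower()
                if m.group("key") == "Shell" and entry == "explorer.exe":
                    continue
                findings.append(("winlogon", f"{m.group('key')}={entry}"))

    # One command registered under several Run/ExplorerRun keys at once.
    hives = defaultdict(set)
    for line in sections["Pseudo HJT Report"]:
        m = RUN_RE.match(line)
        if m:
            hives[m.group("cmd").strip().lower()].add(m.group("hive"))
    for cmd, keys in hives.items():
        if len(keys) >= 3:
            findings.append(("multi-hive-run", f"{cmd} in {sorted(keys)}"))

    # Recently created executables carrying both the system and hidden attributes.
    for line in sections["Created Last 30"]:
        m = CREATED_RE.match(line)
        if (m and "s" in m.group("attr") and "h" in m.group("attr")
                and m.group("path").lower().endswith(".exe")):
            findings.append(("hidden-system-exe", m.group("path")))

    # Processes running out of a Temp directory.
    for line in sections["Running Processes"]:
        if "\\temp\\" in line.lower():
            findings.append(("process-from-temp", line))

    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_DDS):
        print(f"{rule:18} {detail}")
```

Run on the excerpt it reports seven entries: the three cift.exe Winlogon values, userini.exe registered under four Run keys, the two hidden+system executables in Application Data, and the process started from C:\WINDOWS\Temp. Each of those lines is exactly what the thread's helpers ask the poster to keep in the log when trimming it.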



#2 Elise (Bleepin' Blonde)

  • Malware Study Hall Admin
  • 61,648 posts
  • Location: Romania

Posted 15 June 2010 - 05:39 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open; copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#3 eriolclow (Topic Starter)

  • Members
  • 55 posts

Posted 15 June 2010 - 06:35 AM

Hi! The Gmer log was already attached in my original post. It's named ark.txt (I followed the instructions listed in this forum for posting logs and named it as such). Will I need to run gmer again and generate another log, or will the one I attached be fine? Based on your instructions, my understanding is that I have to run a new dds log and gmer log?

Edited by eriolclow, 15 June 2010 - 06:39 AM.


#4 Elise (Bleepin' Blonde)

  • Malware Study Hall Admin
  • 61,648 posts
  • Location: Romania

Posted 15 June 2010 - 06:39 AM

No, that one is okay, just post the OTL logs please.

regards, Elise




#5 eriolclow (Topic Starter)

  • Members
  • 55 posts

Posted 15 June 2010 - 11:00 AM

Hi! Attaching the two logs requested:

OTL.Txt

OTL logfile created on: 6/15/2010 11:28:34 PM - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\Ken\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00003409 | Country: Republic of the Philippines | Language: ENP | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 69.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 4092 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 15.82 Gb Free Space | 21.22% Space Free | Partition Type: NTFS
Drive D: | 232.88 Gb Total Space | 23.43 Gb Free Space | 10.06% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 647.18 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KENNETH
Current User Name: Ken
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/15 19:36:11 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ken\Desktop\OTL.exe
PRC - [2010/06/07 19:45:06 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2009/07/21 14:40:24 | 000,404,737 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\update.exe
PRC - [2009/07/21 14:34:33 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/05/26 19:40:52 | 000,755,576 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SoftwareDistribution\Download\0fa2ac15b3f3d16ecfc880648002b82e\update\update.exe
PRC - [2009/05/13 16:48:22 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/03/02 13:08:47 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2007/11/27 14:36:54 | 002,169,368 | ---- | M] (Palit Microsystems, Inc.) -- C:\Program Files\VDOTool\TBPANEL.exe
PRC - [2007/05/11 02:09:48 | 001,050,120 | ---- | M] (O&O Software GmbH) -- C:\WINDOWS\system32\oodag.exe
PRC - [2007/05/11 02:08:54 | 002,512,392 | ---- | M] (O&O Software GmbH) -- C:\WINDOWS\system32\oodtray.exe
PRC - [2005/12/22 14:10:54 | 000,061,440 | R--- | M] (Vimicro) -- C:\WINDOWS\VM303_STI.EXE
PRC - [2005/11/15 19:44:14 | 001,200,128 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\wcescomm.exe
PRC - [2005/11/15 19:42:22 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft ActiveSync\rapimgr.exe
PRC - [2003/05/27 11:08:00 | 000,099,840 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S10IC2.EXE


========== Modules (SafeList) ==========

MOD - [2010/06/15 19:36:11 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ken\Desktop\OTL.exe
MOD - [2008/04/14 05:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/07/21 14:34:33 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/05/13 16:48:22 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2007/05/11 02:09:48 | 001,050,120 | ---- | M] (O&O Software GmbH) [Auto | Running] -- C:\WINDOWS\system32\oodag.exe -- (O&O Defrag)


========== Driver Services (SafeList) ==========

DRV - [2010/05/11 02:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/18 02:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/12/08 18:51:34 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/10/14 22:16:07 | 000,716,272 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/05/11 10:12:24 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/03/30 10:33:07 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/02/13 12:35:05 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2008/10/09 15:42:42 | 000,017,408 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\KMWDFILTER.sys -- (KMWDFILTER)
DRV - [2008/08/02 11:41:13 | 000,094,064 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w810mdm.sys -- (w810mdm)
DRV - [2008/08/02 11:41:13 | 000,085,408 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w810mgmt.sys -- (w810mgmt) Sony Ericsson W810 USB WMC Device Management Drivers (WDM)
DRV - [2008/08/02 11:41:13 | 000,083,344 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w810obex.sys -- (w810obex)
DRV - [2008/08/02 11:41:13 | 000,058,288 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w810bus.sys -- (w810bus) Sony Ericsson W810 Driver driver (WDM)
DRV - [2008/08/02 11:41:13 | 000,008,336 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w810mdfl.sys -- (w810mdfl)
DRV - [2008/04/14 00:26:08 | 000,088,320 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkipx.sys -- (NwlnkIpx)
DRV - [2008/04/13 22:06:06 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/01/30 11:28:36 | 004,725,760 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2007/12/05 01:41:00 | 007,435,392 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2007/05/31 07:19:22 | 000,096,896 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2007/03/16 10:11:38 | 000,012,256 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\TBPanel.sys -- (TBPanel)
DRV - [2007/03/16 10:11:38 | 000,012,256 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TBPanel.sys -- (Cardex)
DRV - [2006/02/28 20:00:00 | 000,063,232 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnknb.sys -- (NwlnkNb)
DRV - [2006/02/28 20:00:00 | 000,055,936 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\nwlnkspx.sys -- (NwlnkSpx)
DRV - [2005/12/22 14:10:54 | 000,390,849 | R--- | M] (Vimicro Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbVM303.sys -- (ZSMC303)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-299502267-861567501-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-299502267-861567501-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-299502267-861567501-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-299502267-861567501-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-299502267-861567501-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-299502267-861567501-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-299502267-861567501-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.1
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20090123.1
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/09 20:29:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/02 23:57:53 | 000,000,000 | ---D | M]

[2009/02/10 23:14:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ken\Application Data\Mozilla\Extensions
[2010/06/06 19:20:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\4zxj8urj.default\extensions
[2009/08/15 21:58:31 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\4zxj8urj.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/06/09 21:17:02 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\4zxj8urj.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2010/06/06 19:20:53 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/06/02 23:57:55 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/06/02 23:57:38 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/06/08 22:56:50 | 000,404,757 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.123topsearch.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 www.132.com
O1 - Hosts: 127.0.0.1 132.com
O1 - Hosts: 127.0.0.1 www.136136.net
O1 - Hosts: 127.0.0.1 136136.net
O1 - Hosts: 127.0.0.1 www.163ns.com
O1 - Hosts: 127.0.0.1 163ns.com
O1 - Hosts: 14002 more lines...
O2 - BHO: (FGCatchUrl) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll (www.flashget.com)
O2 - BHO: (FlashGet GetFlash Class) - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll (www.flashget.com)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE (Vimicro)
O4 - HKLM..\Run: [EPSON Stylus C63 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe (Palit Microsystems, Inc.)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe (O&O Software GmbH)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime Alternative\qttask.exe (Apple Inc.)
O4 - HKU\S-1-5-21-299502267-861567501-839522115-1003..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-299502267-861567501-839522115-1003..\Run: [NBJ] C:\Program Files\Ahead\Nero BackItUp\NBJ.exe (Ahead Software AG)
O4 - HKU\S-1-5-21-299502267-861567501-839522115-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKU\S-1-5-21-299502267-861567501-839522115-1003..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\Ken\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-299502267-861567501-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-299502267-861567501-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\JC_ALL.HTM ()
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\JC_LINK.HTM ()
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe (FlashGet.com)
O9 - Extra 'Tools' menuitem : FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe (FlashGet.com)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - Reg Error: Key error. File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/7.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} http://static.ak.facebook.com/fbplugin/win...b?1271083908000 (Reg Error: Value error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1201923454171 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Value error.)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} http://games.bigfishgames.com/en_feedingfr...outLauncher.cab (SproutLauncherCtrl Class)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: TaskMan - (C:\Documents and Settings\Ken\Application Data\cift.exe) - C:\Documents and Settings\Ken\Application Data\cift.exe ()
O20 - HKU\S-1-5-21-299502267-861567501-839522115-1003 Winlogon: Shell - (C:\Documents and Settings\Ken\Application Data\cift.exe) - C:\Documents and Settings\Ken\Application Data\cift.exe ()
O20 - HKU\S-1-5-21-299502267-861567501-839522115-1003 Winlogon: Shell - (C:\DOCUME~1\Ken\LOCALS~1\Temp\4610.exe) - C:\Documents and Settings\Ken\Local Settings\Temp\4610.exe ()
O20 - HKU\S-1-5-21-299502267-861567501-839522115-1003 Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-299502267-861567501-839522115-1003 Winlogon: Shell - (C:\DOCUME~1\Ken\LOCALS~1\Temp\838106.exe) - C:\Documents and Settings\Ken\Local Settings\Temp\838106.exe ()
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - Reg Error: Key error. File not found
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - Reg Error: Key error. File not found
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - Reg Error: Key error. File not found
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - Reg Error: Key error. File not found
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - Reg Error: Key error. File not found
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - Reg Error: Key error. File not found
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - Reg Error: Key error. File not found
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - Reg Error: Key error. File not found
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - Reg Error: Key error. File not found
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - Reg Error: Key error. File not found
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - Reg Error: Key error. File not found
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/02/02 00:21:30 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{0395567c-e86e-11dc-afff-0019dbf95629}\Shell - "" = AutoRun
O33 - MountPoints2\{0395567c-e86e-11dc-afff-0019dbf95629}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{0395567c-e86e-11dc-afff-0019dbf95629}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
O33 - MountPoints2\{0395567d-e86e-11dc-afff-0019dbf95629}\Shell\explore\Command - "" = I:\boot.exe -- File not found
O33 - MountPoints2\{0395567d-e86e-11dc-afff-0019dbf95629}\Shell\open\Command - "" = I:\boot.exe -- File not found
O33 - MountPoints2\{1d541cb2-da9b-11de-9288-0019dbf95629}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{1d541cb2-da9b-11de-9288-0019dbf95629}\Shell\AutoRun\command - "" = I:\ciribu\slavica.exe -- File not found
O33 - MountPoints2\{1d541cb2-da9b-11de-9288-0019dbf95629}\Shell\explore\command - "" = I:\ciribu\slavica.exe -- File not found
O33 - MountPoints2\{1d541cb2-da9b-11de-9288-0019dbf95629}\Shell\install\command - "" = I:\ciribu\slavica.exe -- File not found
O33 - MountPoints2\{1d541cb2-da9b-11de-9288-0019dbf95629}\Shell\open\command - "" = I:\ciribu\slavica.exe -- File not found
O33 - MountPoints2\{1d8d1e77-c8e0-11dd-90e2-0019dbf95629}\Shell - "" = AutoRun
O33 - MountPoints2\{1d8d1e77-c8e0-11dd-90e2-0019dbf95629}\Shell\Auto\command - "" = D:\Se101.exe -- File not found
O33 - MountPoints2\{1d8d1e77-c8e0-11dd-90e2-0019dbf95629}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7529519e-3723-11de-9197-0019dbf95629}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{7529519e-3723-11de-9197-0019dbf95629}\Shell\AutoRun\command - "" = I:\LICNA\\\\\\PESMICA.exe -- File not found
O33 - MountPoints2\{7529519e-3723-11de-9197-0019dbf95629}\Shell\explore\command - "" = I:\LICNA\\\\\\PESMICA.exe -- File not found
O33 - MountPoints2\{7529519e-3723-11de-9197-0019dbf95629}\Shell\open\command - "" = I:\LICNA\\\\\\PESMICA.exe -- File not found
O33 - MountPoints2\{a09c3cf8-4b18-11dd-b13c-0019dbf95629}\Shell - "" = AutoRun
O33 - MountPoints2\{a09c3cf8-4b18-11dd-b13c-0019dbf95629}\Shell\Auto\command - "" = Se101.exe
O33 - MountPoints2\{a09c3cf8-4b18-11dd-b13c-0019dbf95629}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d5f187a8-d6f7-11dd-90f5-0019dbf95629}\Shell\AutoRun\command - "" = sywyrl0q.exe
O33 - MountPoints2\{d5f187a8-d6f7-11dd-90f5-0019dbf95629}\Shell\open\Command - "" = sywyrl0q.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (OODBS) - C:\WINDOWS\System32\OODBS.exe (O&O Software GmbH)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/06/15 23:28:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/06/15 23:27:19 | 000,572,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Ken\Desktop\OTL.exe
[2010/06/09 21:29:56 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Program Files\ATF-Cleaner.exe
[2010/06/08 23:33:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ken\Desktop\gmer
[2010/06/06 22:37:12 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/06/06 22:31:01 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Program Files\HijackThis.exe
[2010/06/06 17:00:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ken\Application Data\SUPERAntiSpyware.com
[2010/06/06 17:00:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/06/06 17:00:19 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/06/06 16:59:08 | 008,924,856 | ---- | C] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware.exe
[2010/06/06 16:55:16 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Ken\Desktop\ATF-Cleaner.exe
[2010/06/06 16:22:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ken\Application Data\Malwarebytes
[2010/06/06 16:22:06 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/06/06 16:22:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/06/06 16:22:02 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/06/06 16:22:01 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/06/06 16:19:31 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Program Files\mbam-setup.exe
[2010/06/02 23:58:23 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/06/02 23:57:53 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/06/02 23:57:53 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/06/02 23:57:53 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/06/02 23:57:53 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/06/02 23:57:53 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/05/24 05:10:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ken\My Documents\Bizet - Carmen - Alagna, Garanca - Covent Garden, 2009 - BBC-Broadcast
[2010/05/22 20:53:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/05/18 23:19:08 | 000,000,000 | ---D | C] -- C:\Program Files\JDownloader
[2010/05/18 23:18:40 | 019,241,022 | ---- | C] (AppWork UG (haftungsbeschränkt)) -- C:\Program Files\JDownloaderSetup.exe
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/15 23:32:00 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{B3E918AA-63F1-49D9-8894-AF88B05DA6F2}.job
[2010/06/15 23:30:57 | 000,000,558 | ---- | M] () -- C:\WINDOWS\DFC.INI
[2010/06/15 23:27:03 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/15 23:26:09 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/15 23:26:06 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/15 23:26:03 | 001,937,209 | ---- | M] () -- C:\WINDOWS\System32\oodbs.lor
[2010/06/15 19:36:11 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ken\Desktop\OTL.exe
[2010/06/11 03:48:39 | 013,369,344 | -H-- | M] () -- C:\Documents and Settings\Ken\NTUSER.DAT
[2010/06/11 03:48:39 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Ken\ntuser.ini
[2010/06/11 03:48:33 | 004,850,244 | -H-- | M] () -- C:\Documents and Settings\Ken\Local Settings\Application Data\IconCache.db
[2010/06/11 02:41:59 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/06/11 02:34:58 | 000,492,798 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/11 02:34:58 | 000,435,590 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/11 02:34:58 | 000,068,360 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/09 21:29:56 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Program Files\ATF-Cleaner.exe
[2010/06/09 21:29:16 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Ken\Desktop\ATF-Cleaner.exe
[2010/06/09 20:58:25 | 000,121,856 | RHS- | M] () -- C:\Documents and Settings\Ken\Application Data\cift.exe
[2010/06/09 07:33:00 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/06/09 07:32:49 | 000,029,184 | ---- | M] () -- C:\Documents and Settings\Ken\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/08 23:31:59 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Ken\Desktop\gmer.zip
[2010/06/08 23:28:19 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Ken\Desktop\dds.scr
[2010/06/08 23:16:56 | 000,000,174 | ---- | M] () -- C:\Documents and Settings\Ken\defogger_reenable
[2010/06/08 23:15:26 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Ken\Desktop\Defogger.exe
[2010/06/08 22:56:50 | 000,404,757 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/06/07 22:52:13 | 000,002,443 | ---- | M] () -- C:\Documents and Settings\Ken\Desktop\HiJackThis.lnk
[2010/06/07 20:03:24 | 000,404,757 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100608-225650.backup
[2010/06/07 19:45:06 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\explorer.exe
[2010/06/07 19:45:06 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
[2010/06/06 22:36:55 | 001,402,880 | ---- | M] () -- C:\Program Files\HiJackThis.msi
[2010/06/06 22:31:29 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\HijackThis.exe
[2010/06/06 17:00:21 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/06/06 16:59:58 | 008,924,856 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware.exe
[2010/06/06 16:43:41 | 163,005,391 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_-_Part_2_-_Viva_Verdi.avi.001
[2010/06/06 16:22:09 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/06 16:21:27 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Program Files\mbam-setup.exe
[2010/06/06 15:55:00 | 141,111,168 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_-_Part_1_-_Beginnings.avi.003.part
[2010/06/06 15:07:14 | 163,003,951 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_-_Part_1_-_Beginnings.avi.002
[2010/06/06 13:53:16 | 000,404,757 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100607-200324.backup
[2010/06/06 11:05:48 | 020,917,512 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_2.AVI.002.part
[2010/06/06 10:42:26 | 209,715,200 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_2.AVI.001
[2010/06/06 09:47:02 | 184,650,896 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_Pt1.mpg.AVI.008
[2010/06/06 09:00:19 | 070,998,444 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_Pt1.mpg.AVI.007.part
[2010/06/06 08:29:31 | 209,715,200 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_Pt1.mpg.AVI.006
[2010/06/06 07:13:19 | 058,082,980 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_Pt1.mpg.AVI.005.part
[2010/06/06 06:36:33 | 209,715,200 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_Pt1.mpg.AVI.004
[2010/06/06 05:10:28 | 000,087,120 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_Pt1.mpg.AVI.003.part
[2010/06/06 05:06:36 | 035,565,288 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\MetCarmenCredits.avi.part
[2010/06/06 04:53:36 | 019,063,308 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_Pt1.mpg.AVI.002.part
[2010/06/06 04:44:44 | 020,245,236 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_2.AVI.005.part
[2010/06/06 04:30:16 | 163,005,390 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_-_Part_2_-_Viva_Verdi.avi.003
[2010/06/06 03:47:28 | 061,034,820 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_Pt1.mpg.AVI.001.part
[2010/06/06 03:27:12 | 041,422,656 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_-_Part_2_-_Viva_Verdi.avi.002.part
[2010/06/06 02:08:56 | 163,003,951 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_-_Part_1_-_Beginnings.avi.001
[2010/06/06 01:10:46 | 519,010,304 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\What_Makes_a_Great_Tenor.avi
[2010/06/06 01:09:47 | 173,003,434 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\What_Makes_a_Great_Tenor.avi.003
[2010/06/06 00:19:46 | 173,003,435 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\What_Makes_a_Great_Tenor.avi.002
[2010/06/05 23:18:38 | 173,003,435 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\What_Makes_a_Great_Tenor.avi.001
[2010/06/05 22:23:41 | 177,704,372 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\Bizet_Carmen.m4a
[2010/06/05 22:23:17 | 083,332,532 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\Bizet_Carmen.m4a.002
[2010/06/05 09:54:44 | 094,371,840 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\Bizet_Carmen.m4a.001
[2010/06/05 09:36:59 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part66.rar
[2010/06/05 08:57:55 | 096,044,536 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part71.rar
[2010/06/05 08:33:51 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part70.rar
[2010/06/05 08:04:40 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part69.rar
[2010/06/05 07:28:50 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part68.rar
[2010/06/05 07:03:08 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part67.rar
[2010/06/05 06:09:02 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part65.rar
[2010/06/05 05:09:32 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part64.rar
[2010/06/05 04:15:40 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part63.rar
[2010/06/05 03:17:02 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part62.rar
[2010/06/05 02:30:09 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part60.rar
[2010/06/05 01:34:48 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part59.rar
[2010/06/05 01:30:23 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part61.rar
[2010/06/05 01:00:01 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part30.rar
[2010/06/04 22:01:53 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/06/04 07:37:33 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part58.rar
[2010/06/04 07:11:30 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part57.rar
[2010/06/04 06:27:50 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part56.rar
[2010/06/04 05:42:10 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part55.rar
[2010/06/04 05:15:19 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part54.rar
[2010/06/04 04:22:30 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part53.rar
[2010/06/04 02:45:26 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part52.rar
[2010/06/04 02:19:11 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part51.rar
[2010/06/04 01:36:41 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part50.rar
[2010/06/04 01:13:07 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part49.rar
[2010/06/04 00:51:47 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part48.rar
[2010/06/04 00:23:54 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part47.rar
[2010/06/03 23:57:33 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part46.rar
[2010/06/03 23:34:29 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part45.rar
[2010/06/03 23:14:03 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part44.rar
[2010/06/03 22:30:31 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part34.rar
[2010/06/03 21:09:35 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part43.rar
[2010/06/03 08:21:19 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part42.rar
[2010/06/03 08:00:53 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part41.rar
[2010/06/03 07:35:32 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part40.rar
[2010/06/03 07:14:53 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part39.rar
[2010/06/03 06:53:55 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part38.rar
[2010/06/03 06:32:23 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part37.rar
[2010/06/03 06:12:13 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part36.rar
[2010/06/03 05:51:30 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part35.rar
[2010/06/03 04:56:41 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part33.rar
[2010/06/03 04:29:38 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part32.rar
[2010/06/03 04:01:36 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part31.rar
[2010/06/03 03:04:53 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part29.rar
[2010/06/03 02:34:34 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part28.rar
[2010/06/03 02:03:58 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part27.rar
[2010/06/03 01:25:00 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part26.rar
[2010/06/03 00:56:03 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part25.rar
[2010/06/02 23:57:38 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/06/02 23:57:38 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/06/02 23:57:38 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/06/02 23:57:38 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/06/02 23:57:37 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/06/02 23:43:54 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part24.rar
[2010/06/02 23:25:11 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part11.rar
[2010/06/01 21:13:47 | 000,084,480 | RHS- | M] () -- C:\Documents and Settings\Ken\Application Data\mrpky.exe
[2010/05/30 03:52:23 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part23.rar
[2010/05/30 03:32:05 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part21.rar
[2010/05/30 03:10:35 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part22.rar
[2010/05/30 02:49:38 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part20.rar
[2010/05/30 02:29:16 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part19.rar
[2010/05/30 02:08:06 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part18.rar
[2010/05/30 01:46:03 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part17.rar
[2010/05/30 01:25:16 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part16.rar
[2010/05/30 00:53:59 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part15.rar
[2010/05/30 00:25:29 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part14.rar
[2010/05/29 23:47:03 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part13.rar
[2010/05/29 23:19:22 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part12.rar
[2010/05/29 22:46:26 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part10.rar
[2010/05/29 22:21:23 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part09.rar
[2010/05/29 22:14:59 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part05.rar
[2010/05/29 21:56:28 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part04.rar
[2010/05/29 14:09:29 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part08.rar
[2010/05/29 14:02:38 | 000,000,048 | ---- | M] () -- C:\WINDOWS\wpd99.drv
[2010/05/29 13:31:39 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part07.rar
[2010/05/29 12:44:39 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part06.rar
[2010/05/29 11:45:01 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part03.rar
[2010/05/29 11:17:18 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part02.rar
[2010/05/29 10:50:32 | 100,431,872 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part01.rar
[2010/05/18 23:19:20 | 000,000,736 | ---- | M] () -- C:\Documents and Settings\Ken\Desktop\JDownloader.lnk
[2010/05/18 23:18:45 | 019,241,022 | ---- | M] (AppWork UG (haftungsbeschränkt)) -- C:\Program Files\JDownloaderSetup.exe
[2010/05/18 20:58:37 | 000,040,868 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/09 21:15:50 | 000,121,856 | RHS- | C] () -- C:\Documents and Settings\Ken\Application Data\cift.exe
[2010/06/08 23:31:54 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Ken\Desktop\gmer.zip
[2010/06/08 23:28:11 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Ken\Desktop\dds.scr
[2010/06/08 23:16:46 | 000,000,174 | ---- | C] () -- C:\Documents and Settings\Ken\defogger_reenable
[2010/06/08 23:15:26 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Ken\Desktop\Defogger.exe
[2010/06/06 22:37:12 | 000,002,443 | ---- | C] () -- C:\Documents and Settings\Ken\Desktop\HiJackThis.lnk
[2010/06/06 22:32:02 | 000,007,163 | ---- | C] () -- C:\Program Files\hijackthis.log
[2010/06/06 22:30:24 | 001,402,880 | ---- | C] () -- C:\Program Files\HiJackThis.msi
[2010/06/06 17:00:21 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/06/06 16:22:09 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/06 11:00:17 | 020,917,512 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_2.AVI.002.part
[2010/06/06 09:54:36 | 209,715,200 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_2.AVI.001
[2010/06/06 09:02:22 | 184,650,896 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_Pt1.mpg.AVI.008
[2010/06/06 08:37:05 | 070,998,444 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_Pt1.mpg.AVI.007.part
[2010/06/06 07:15:38 | 209,715,200 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_Pt1.mpg.AVI.006
[2010/06/06 06:44:07 | 058,082,980 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_Pt1.mpg.AVI.005.part
[2010/06/06 05:12:44 | 209,715,200 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_Pt1.mpg.AVI.004
[2010/06/06 05:08:53 | 000,087,120 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_Pt1.mpg.AVI.003.part
[2010/06/06 04:56:28 | 035,565,288 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\MetCarmenCredits.avi.part
[2010/06/06 04:46:58 | 019,063,308 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_Pt1.mpg.AVI.002.part
[2010/06/06 04:38:16 | 020,245,236 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_2.AVI.005.part
[2010/06/06 03:49:19 | 163,005,390 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_-_Part_2_-_Viva_Verdi.avi.003
[2010/06/06 03:31:28 | 061,034,820 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_Pt1.mpg.AVI.001.part
[2010/06/06 03:16:14 | 041,422,656 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_-_Part_2_-_Viva_Verdi.avi.002.part
[2010/06/06 03:11:22 | 163,005,391 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_-_Part_2_-_Viva_Verdi.avi.001
[2010/06/06 02:37:27 | 141,111,168 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_-_Part_1_-_Beginnings.avi.003.part
[2010/06/06 02:15:55 | 163,003,951 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_-_Part_1_-_Beginnings.avi.002
[2010/06/06 01:27:06 | 163,003,951 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\Opera_Italia_-_Part_1_-_Beginnings.avi.001
[2010/06/06 01:09:47 | 519,010,304 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\What_Makes_a_Great_Tenor.avi
[2010/06/06 00:26:51 | 173,003,434 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\What_Makes_a_Great_Tenor.avi.003
[2010/06/05 23:36:00 | 173,003,435 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\What_Makes_a_Great_Tenor.avi.002
[2010/06/05 22:37:14 | 173,003,435 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\What_Makes_a_Great_Tenor.avi.001
[2010/06/05 22:23:18 | 177,704,372 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\Bizet_Carmen.m4a
[2010/06/05 10:11:26 | 083,332,532 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\Bizet_Carmen.m4a.002
[2010/06/05 09:23:51 | 094,371,840 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\Bizet_Carmen.m4a.001
[2010/06/05 08:34:45 | 096,044,536 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part71.rar
[2010/06/05 08:05:38 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part70.rar
[2010/06/05 07:29:47 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part69.rar
[2010/06/05 07:04:09 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part68.rar
[2010/06/05 06:39:41 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part67.rar
[2010/06/05 06:09:58 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part66.rar
[2010/06/05 05:10:30 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part65.rar
[2010/06/05 04:16:39 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part64.rar
[2010/06/05 03:17:59 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part63.rar
[2010/06/05 02:31:43 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part62.rar
[2010/06/05 01:00:59 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part61.rar
[2010/06/04 21:12:59 | 000,508,782 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\Copy (2) of Avalon Organics Vitamin C.pdf
[2010/06/04 07:59:37 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part60.rar
[2010/06/04 07:38:28 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part59.rar
[2010/06/04 07:12:26 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part58.rar
[2010/06/04 06:28:44 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part57.rar
[2010/06/04 05:43:07 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part56.rar
[2010/06/04 05:16:16 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part55.rar
[2010/06/04 04:23:27 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part54.rar
[2010/06/04 02:46:22 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part53.rar
[2010/06/04 02:20:08 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part52.rar
[2010/06/04 01:37:38 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part51.rar
[2010/06/04 01:14:03 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part50.rar
[2010/06/04 00:52:46 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part49.rar
[2010/06/04 00:24:50 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part48.rar
[2010/06/03 23:58:36 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part47.rar
[2010/06/03 23:35:29 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part46.rar
[2010/06/03 21:15:51 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part45.rar
[2010/06/03 21:10:30 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part44.rar
[2010/06/03 08:22:17 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part43.rar
[2010/06/03 08:01:51 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part42.rar
[2010/06/03 07:36:26 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part41.rar
[2010/06/03 07:15:48 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part40.rar
[2010/06/03 06:54:50 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part39.rar
[2010/06/03 06:33:18 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part38.rar
[2010/06/03 06:13:07 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part37.rar
[2010/06/03 05:52:44 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part36.rar
[2010/06/03 05:31:05 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part35.rar
[2010/06/03 04:57:36 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part34.rar
[2010/06/03 04:30:32 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part33.rar
[2010/06/03 04:02:36 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part32.rar
[2010/06/03 03:34:43 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part31.rar
[2010/06/03 03:05:50 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part30.rar
[2010/06/03 02:35:34 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part29.rar
[2010/06/03 02:04:53 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part28.rar
[2010/06/03 01:25:56 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part27.rar
[2010/06/02 23:54:14 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part26.rar
[2010/06/02 23:44:49 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part25.rar
[2010/06/01 21:13:51 | 000,084,480 | RHS- | C] () -- C:\Documents and Settings\Ken\Application Data\mrpky.exe
[2010/05/30 03:53:18 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part24.rar
[2010/05/30 03:33:16 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part23.rar
[2010/05/30 03:11:30 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part21.rar
[2010/05/30 02:50:46 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part22.rar
[2010/05/30 02:30:15 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part20.rar
[2010/05/30 02:09:02 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part19.rar
[2010/05/30 01:46:59 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part18.rar
[2010/05/30 01:26:09 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part17.rar
[2010/05/30 00:54:56 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part16.rar
[2010/05/30 00:26:25 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part15.rar
[2010/05/29 23:47:57 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part14.rar
[2010/05/29 23:20:18 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part13.rar
[2010/05/29 23:00:14 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part12.rar
[2010/05/29 22:47:20 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part11.rar
[2010/05/29 22:22:16 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part10.rar
[2010/05/29 14:10:34 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part09.rar
[2010/05/29 13:32:38 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part08.rar
[2010/05/29 12:45:36 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part07.rar
[2010/05/29 12:15:10 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part06.rar
[2010/05/29 12:07:52 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part05.rar
[2010/05/29 11:45:59 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part04.rar
[2010/05/29 11:18:14 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part03.rar
[2010/05/29 10:51:29 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part02.rar
[2010/05/29 10:16:42 | 100,431,872 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\DesFille.part01.rar
[2010/05/18 23:19:20 | 000,000,736 | ---- | C] () -- C:\Documents and Settings\Ken\Desktop\JDownloader.lnk
[2009/11/15 14:00:56 | 001,984,512 | ---- | C] () -- C:\WINDOWS\System32\avcodec-51.dll
[2009/11/15 14:00:56 | 000,217,088 | ---- | C] () -- C:\WINDOWS\System32\avformat-50.dll
[2009/11/15 14:00:56 | 000,018,432 | ---- | C] () -- C:\WINDOWS\System32\avutil-49.dll
[2009/08/08 17:15:59 | 000,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/08/08 17:15:59 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2009/08/08 17:15:58 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009/08/08 17:15:58 | 000,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/08/08 17:15:58 | 000,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/08/08 17:15:55 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/08/08 17:15:55 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/04/22 00:20:08 | 000,000,048 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2009/04/22 00:19:29 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2009/04/22 00:19:06 | 000,172,173 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2008/10/30 22:41:38 | 000,147,506 | ---- | C] () -- C:\WINDOWS\System32\pdfmona.dll
[2008/10/30 22:41:38 | 000,050,364 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2008/10/25 13:59:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\game.INI
[2008/03/19 13:27:52 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/03/13 11:41:16 | 000,000,025 | ---- | C] () -- C:\WINDOWS\CDEC63THEMN.ini
[2008/02/02 17:22:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\oodcnt.INI
[2008/02/02 01:30:04 | 000,000,558 | ---- | C] () -- C:\WINDOWS\DFC.INI
[2007/12/05 01:41:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/12/05 01:41:00 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/12/05 01:41:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/12/05 01:41:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/12/05 01:41:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2007/03/05 13:34:28 | 000,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL

========== Alternate Data Streams ==========

@Alternate Data Stream - 351693 bytes -> C:\WINDOWS\Temp:temp
@Alternate Data Stream - 129 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C74D7A47
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A384652A
< End of report >

Extras.txt

OTL Extras logfile created on: 6/15/2010 11:28:34 PM - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\Ken\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00003409 | Country: Republic of the Philippines | Language: ENP | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 69.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 4092 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 15.82 Gb Free Space | 21.22% Space Free | Partition Type: NTFS
Drive D: | 232.88 Gb Total Space | 23.43 Gb Free Space | 10.06% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 647.18 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: KENNETH
Current User Name: Ken
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-299502267-861567501-839522115-1003\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Maxthon2\Maxthon.exe (Maxthon International ltd.)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\FlashGet\flashget.exe" = C:\Program Files\FlashGet\flashget.exe:*:Enabled:Flashget -- (FlashGet.com)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- (Yahoo! Inc.)
"D:\Kim\sysreset\mirc.exe" = D:\Kim\sysreset\mirc.exe:*:Enabled:mIRC -- (mIRC Co. Ltd.)
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation)
"C:\Program Files\mIRC\mirc.exe" = C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC -- (mIRC Co. Ltd.)
"C:\Program Files\Maxthon2\Modules\MxDownloader\MxDownloadServer.exe" = C:\Program Files\Maxthon2\Modules\MxDownloader\MxDownloadServer.exe:*:Enabled:MxDownloadServer -- (Maxthon International ltd.)
"C:\Program Files\CAPCOM\RESIDENT EVIL 5\RE5DX9.EXE" = C:\Program Files\CAPCOM\RESIDENT EVIL 5\RE5DX9.EXE:*:Enabled:RESIDENT EVIL 5 (DX9) -- (CAPCOM CO., LTD.)
"C:\Program Files\CAPCOM\RESIDENT EVIL 5\RE5DX10.EXE" = C:\Program Files\CAPCOM\RESIDENT EVIL 5\RE5DX10.EXE:*:Enabled:RESIDENT EVIL 5 (DX10) -- (CAPCOM CO., LTD.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{05B49229-22A2-4F88-842A-BBC2EBE1CCF6}" = Microsoft Games for Windows - LIVE Redistributable
"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{2624B969-7135-4EB1-B0F6-2D8C397B45F7}_is1" = Media Player Classic - Home Cinema v. 1.3.1249.0
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 20
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4D243BA7-9AC4-46D1-90E5-EEB88974F501}" = Microsoft Games for Windows - LIVE
"{53480330-E1D1-41CA-B8F8-7F78644F7F50}" = O&O Defrag Professional Edition
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{5A0EF44E-1DDD-12F3-2321-75972B1CF0D8}" = Multiply AutoUploader
"{5ECB3A3C-980B-4D12-9724-25DCB07A1F47}" = iTunes
"{8A253629-0511-4854-8B4E-46E57E66005C}" = Bonjour
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{EF1FF5B7-8127-407B-B97B-0F3DB131EC21}" =
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{EF1FF5B7-8127-407B-B97B-0F3DB131EC21}" =
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{92D34E42-4C6F-11D5-A76D-006008D256FF}" = Nancy Drew: Treasure in the Royal Tower
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9DE1BE03-AFE2-4CDB-BFEB-D06D736CD01A}" = Apple Mobile Device Support
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC08BBA0-96B9-431A-A7D0-D8598E493775}" = RESIDENT EVIL 5
"{B208806F-A231-4FA0-AB3F-5C1B8979223E}" = Microsoft ActiveSync 4.0
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B6F7DBE7-2FE2-458F-A738-B10832746036}" = Microsoft Reader
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B74D4E10-6884-0000-0000-000000000103}" = Adobe Bridge 1.0
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"{EE0D5DCD-2B97-4473-98DF-E93C0BD92F7A}" = Adobe Stock Photos 1.0
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"7-Zip" = 7-Zip 4.65
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"Advanced SystemCare 3_is1" = Advanced SystemCare 3
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"AviSynth" = AviSynth 2.5
"BFGC" = Big Fish Games Client
"com.Multiply.AutoUploader.C7DF09F73C2059D294831784007C5F0856677385.1" = Multiply AutoUploader
"EPSON Printer and Utilities" = EPSON Printer Software
"FlashGet" = FlashGet 1.9.6.1073
"Foxit Reader" = Foxit Reader
"Google Desktop" = Google Desktop Search
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"IsoBuster_is1" = IsoBuster 2.5.5
"JDownloader" = JDownloader
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 5.0.5
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Maxthon2" = Maxthon2
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"mIRC" = mIRC
"Mozilla Firefox (3.5.2)" = Mozilla Firefox (3.5.2)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Parking Dash" = Parking Dash (remove only)
"Pdf995" = Pdf995
"Picasa 3" = Picasa 3
"PROPLUS" = Microsoft Office Professional Plus 2007
"QuicktimeAlt_is1" = QuickTime Alternative 2.9.0
"VDOTool_is1" = VDOTool 5.9
"Videora iPod touch Converter" = Videora iPod touch Converter 5.04
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Messenger" = Yahoo! Messenger
"YouTube Downloader App" = YouTube Downloader App 2.03

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-299502267-861567501-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/10/2010 11:52:20 AM | Computer Name = KENNETH | Source = ESENT | ID = 455
Description = wuaueng.dll (2624) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 6/10/2010 11:52:30 AM | Computer Name = KENNETH | Source = ESENT | ID = 489
Description = wuauclt (2624) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 6/10/2010 11:52:30 AM | Computer Name = KENNETH | Source = ESENT | ID = 455
Description = wuaueng.dll (2624) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 6/10/2010 2:22:12 PM | Computer Name = KENNETH | Source = MsiInstaller | ID = 11704
Description = Product: Microsoft .NET Framework 2.0 Service Pack 2 -- Error 1704.An
installation for Microsoft Office Professional Plus 2007 is currently suspended.
You must undo the changes made by that installation to continue. Do you want
to undo those changes?

Error - 6/10/2010 2:24:31 PM | Computer Name = KENNETH | Source = ESENT | ID = 490
Description = svchost (1204) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 6/10/2010 2:28:03 PM | Computer Name = KENNETH | Source = ESENT | ID = 490
Description = svchost (1196) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 6/10/2010 2:28:03 PM | Computer Name = KENNETH | Source = ESENT | ID = 439
Description = Catalog Database (1196) Unable to write a shadowed header for file
C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb. Error
-1032.

Error - 6/10/2010 2:28:03 PM | Computer Name = KENNETH | Source = ESENT | ID = 454
Description = Catalog Database (1196) Database recovery/restore failed with unexpected
error -1032.

Error - 6/10/2010 2:30:04 PM | Computer Name = KENNETH | Source = ESENT | ID = 490
Description = svchost (1192) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 6/10/2010 2:31:34 PM | Computer Name = KENNETH | Source = MsiInstaller | ID = 11704
Description = Product: Microsoft Office Professional Plus 2007 -- Error 1704.An
installation for Microsoft .NET Framework 2.0 Service Pack 2 is currently suspended.
You must undo the changes made by that installation to continue. Do you want
to undo those changes?

[ System Events ]
Error - 6/15/2010 11:28:34 AM | Computer Name = KENNETH | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom1.

Error - 6/15/2010 11:29:24 AM | Computer Name = KENNETH | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom1.

Error - 6/15/2010 11:29:24 AM | Computer Name = KENNETH | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom1.

Error - 6/15/2010 11:29:24 AM | Computer Name = KENNETH | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom1.

Error - 6/15/2010 11:29:24 AM | Computer Name = KENNETH | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom1.

Error - 6/15/2010 11:29:24 AM | Computer Name = KENNETH | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom1.

Error - 6/15/2010 11:29:24 AM | Computer Name = KENNETH | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom1.

Error - 6/15/2010 11:29:24 AM | Computer Name = KENNETH | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom1.

Error - 6/15/2010 11:29:24 AM | Computer Name = KENNETH | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom1.

Error - 6/15/2010 11:29:24 AM | Computer Name = KENNETH | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom1.


< End of report >


#6 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,648 posts
  • Gender:Female
  • Location:Romania

Posted 15 June 2010 - 12:27 PM

Hello again,

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#7 eriolclow
  • Topic Starter
  • Members
  • 55 posts

Posted 15 June 2010 - 12:46 PM

Hello. I might have a problem with combofix if Microsoft Windows Recovery Console turns out to be unavailable/not yet installed in my computer, as the infected computer can't connect to the internet anymore... In case I'm prompted to download it, what should I do? Can I download it from anywhere else, so I can burn it into a CD where I can run the installation from? If yes, I'll do that tomorrow (as it's already 1 AM over here) so I can install combofix properly.

I have avira and spybot installed, do I disable them by following these instructions to disable them?

spybot:
SPYBOT TEATIMER
Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
On the left hand side, click on Tools, then click on the Resident Icon in the list.
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
Click on the "System Startup" icon in the List
Uncheck the "TeaTimer" box and "OK" any prompts.
If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
Exit Spybot S&D when done and reboot your computer.
(When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)
Please download ResetTeaTimer.zip and save to your Desktop. Extract (unzip) the file and double-click ResetTeaTimer.bat to run the script. This will remove all entries set by TeaTimer and keep it from restoring them upon reactivation.


Avira:
AVIRA ANTIVIR
Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on red background (looks to this: )
right click it-> untick the option AntiVir Guard enable.
You should now see a closed, white umbrella on a red background (looks to this: )

Malwarebytes and superantispyware were also installed, but since it's the free version they don't have the real time protection feature anyway. So I guess I don't need to do anything about those?

And final question, no need to run combofix in safe mode right?

#8 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,648 posts
  • Gender:Female
  • Location:Romania

Posted 15 June 2010 - 01:38 PM

See below for instructions on how to manually install the Recovery console

The instructions for Spybot and Avira are correct indeed.

And no need to run Combofix in safe mode. Normal mode will do just fine.

===================

Download ComboFix from one of these locations:

Link 1
Link 2


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools



  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.





  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.

regards, Elise




#9 eriolclow
  • Topic Starter
  • Members
  • 55 posts

Posted 15 June 2010 - 09:01 PM

Based on the OTL log, I'm running service pack 3 for XP professional. If I understand your instructions regarding the recovery console correctly, I have to download the package for SP2 instead, which is this one?

http://www.microsoft.com/downloads/details...;displaylang=en

Also, just to confirm, do I have to keep spybot and avira deactivated until we're finished cleaning out the malware from the system? After which I'm required to run resetteatimer.bat after I've reactivated teatimer? I'm sorry if I seem to be asking so many questions--I just want to be sure I'm doing things right so we can finish up as soon as possible. And of course you'll have an easier time of it if I've done everything correctly.

Edited by eriolclow, 15 June 2010 - 09:28 PM.


#10 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,648 posts
  • Gender:Female
  • Location:Romania

Posted 16 June 2010 - 05:00 AM

It's no problem you ask your questions, that is what I am here for, better safe than sorry

Please keep teatimer disabled until I give you All Clean. However, Avira should be re-enabled after finishing Combofix.

And yes, you have the right package for the Recovery console there.

regards, Elise




#11 eriolclow
  • Topic Starter
  • Members
  • 55 posts

Posted 16 June 2010 - 12:41 PM

Hi! Combofix log posted. I had to rename the .txt file, as the filename of the log that came up was just log.txt. Hope that's normal?


ComboFix 10-06-15.02 - Ken 06/17/2010 1:10.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1598 [GMT 8:00]
Running from: c:\documents and settings\Ken\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ken\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ken\Application Data\cift.exe
c:\documents and settings\Ken\Application Data\mrpky.exe
c:\windows\system32\winlogon.bak

c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe

.
((((((((((((((((((((((((( Files Created from 2010-05-16 to 2010-06-16 )))))))))))))))))))))))))))))))
.

2010-06-16 17:13 . 2008-04-13 21:42 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2010-06-16 17:13 . 2008-04-13 21:42 39424 ----a-w- c:\windows\system32\grpconv.exe
2010-06-09 13:29 . 2010-06-09 13:29 50688 ----a-w- c:\program files\ATF-Cleaner.exe
2010-06-07 15:33 . 2010-06-07 15:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-07 13:31 . 2010-06-07 13:31 63488 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-07 13:31 . 2010-06-07 13:31 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-07 13:31 . 2010-06-07 13:31 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-07 13:30 . 2010-06-07 13:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-06-06 14:37 . 2010-06-06 14:37 388096 ----a-r- c:\documents and settings\Ken\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-06 14:37 . 2010-06-06 14:37 -------- d-----w- c:\program files\Trend Micro
2010-06-06 14:31 . 2010-06-06 14:31 388608 ----a-w- c:\program files\HijackThis.exe
2010-06-06 14:30 . 2010-06-06 14:36 1402880 ----a-w- c:\program files\HiJackThis.msi
2010-06-06 09:03 . 2010-06-09 13:25 63488 ----a-w- c:\documents and settings\Ken\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-06 09:03 . 2010-06-06 09:03 52224 ----a-w- c:\documents and settings\Ken\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-06 09:03 . 2010-06-09 13:25 117760 ----a-w- c:\documents and settings\Ken\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-06 09:00 . 2010-06-06 09:00 -------- d-----w- c:\documents and settings\Ken\Application Data\SUPERAntiSpyware.com
2010-06-06 09:00 . 2010-06-06 09:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-06 09:00 . 2010-06-06 09:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-06 08:59 . 2010-06-06 08:59 8924856 ----a-w- c:\program files\SUPERAntiSpyware.exe
2010-06-06 08:22 . 2010-06-06 08:22 -------- d-----w- c:\documents and settings\Ken\Application Data\Malwarebytes
2010-06-06 08:22 . 2010-04-29 07:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-06 08:22 . 2010-06-06 08:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-06 08:22 . 2010-04-29 07:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-06 08:22 . 2010-06-06 08:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-06 08:19 . 2010-06-06 08:21 6153352 ----a-w- c:\program files\mbam-setup.exe
2010-06-02 15:58 . 2010-06-02 15:58 -------- d-----w- c:\program files\Common Files\Java
2010-06-02 15:57 . 2010-06-02 15:57 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-22 20:14 . 2010-05-22 20:14 503808 ----a-w- c:\documents and settings\Ken\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5396e640-n\msvcp71.dll
2010-05-22 20:14 . 2010-05-22 20:14 499712 ----a-w- c:\documents and settings\Ken\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5396e640-n\jmc.dll
2010-05-22 20:14 . 2010-05-22 20:14 348160 ----a-w- c:\documents and settings\Ken\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5396e640-n\msvcr71.dll
2010-05-22 20:13 . 2010-05-22 20:13 61440 ----a-w- c:\documents and settings\Ken\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7a29fc34-n\decora-sse.dll
2010-05-22 20:13 . 2010-05-22 20:13 12800 ----a-w- c:\documents and settings\Ken\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7a29fc34-n\decora-d3d.dll
2010-05-22 12:53 . 2010-05-22 12:53 -------- d-----w- c:\windows\system32\NtmsData
2010-05-18 15:19 . 2010-06-03 13:35 -------- d-----w- c:\program files\JDownloader
2010-05-18 15:18 . 2010-05-18 15:18 19241022 ----a-w- c:\program files\JDownloaderSetup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-10 18:41 . 2008-02-02 08:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-08 18:32 . 2009-08-08 09:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-07 13:48 . 2010-06-06 14:32 7163 ----a-w- c:\program files\hijackthis.log
2010-06-07 12:58 . 2008-02-02 11:04 -------- d-----w- c:\documents and settings\Ken\Application Data\uTorrent
2010-06-07 11:45 . 2006-02-28 12:00 1033728 ----a-w- c:\windows\explorer.exe
2010-06-06 14:59 . 2008-02-02 10:48 -------- d-----w- c:\documents and settings\Ken\Application Data\MxBoost
2010-06-05 08:02 . 2008-12-30 09:23 -------- d-----w- c:\documents and settings\Ken\Application Data\mIRC
2010-06-05 08:02 . 2008-12-30 09:23 -------- d-----w- c:\program files\mIRC
2010-05-29 06:02 . 2009-04-21 16:20 48 ----a-w- c:\windows\wpd99.drv
2010-05-18 12:58 . 2010-02-04 14:13 40868 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-18 12:50 . 2010-01-26 12:12 -------- d-----w- c:\program files\iTunes
2010-05-09 12:31 . 2010-05-09 12:30 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-09 12:30 . 2010-05-09 12:30 -------- d-----w- c:\program files\iPod
2010-05-09 12:30 . 2010-01-26 12:11 -------- d-----w- c:\program files\Common Files\Apple
2010-05-09 12:29 . 2009-08-08 09:16 -------- d-----w- c:\program files\QuickTime Alternative
2010-05-09 12:28 . 2010-05-09 12:28 -------- d-----w- c:\program files\Apple Software Update
2010-05-09 12:27 . 2010-05-09 12:27 -------- d-----w- c:\program files\Bonjour
2010-05-07 12:30 . 2008-02-01 17:31 47016 ----a-w- c:\documents and settings\Ken\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-03 04:58 . 2010-05-03 04:58 -------- d-----w- c:\program files\Microsoft Reader
2010-05-03 04:58 . 2008-02-01 17:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-03 04:58 . 2010-05-03 04:58 3759800 ----a-w- c:\program files\MSReaderSetupUSA.exe
2010-04-28 07:45 . 2010-04-28 07:45 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-04-26 15:00 . 2010-04-26 15:00 17829274 ----a-w- c:\program files\FreeYouTubeToMP3Converter.exe
2010-04-24 16:28 . 2010-04-24 15:48 -------- d-----w- c:\program files\123 Video Converter
2010-04-24 16:28 . 2008-03-19 04:42 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-24 16:02 . 2010-04-24 16:02 -------- d-----w- c:\documents and settings\Ken\Application Data\Red Kawa
2010-04-24 16:01 . 2010-04-24 16:01 -------- d-----w- c:\program files\Regensoft
2010-04-24 16:01 . 2010-04-24 16:01 -------- d-----w- c:\program files\AviSynth 2.5
2010-04-24 16:01 . 2010-04-24 16:01 -------- d-----w- c:\program files\Red Kawa
2010-04-16 00:33 . 2010-01-26 12:11 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-16 00:33 . 2010-01-26 12:11 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-12 15:18 . 2010-04-12 15:18 12400120 ----a-w- c:\program files\picasa36-setup.exe
2010-04-10 15:40 . 2010-04-10 15:40 18499623 ----a-w- c:\program files\vlc-1.0.5-win32.exe
2010-04-10 14:50 . 2010-04-10 14:50 3189496 ----a-w- c:\program files\MPC-HomeCinema.1.3.1249.0.(x86).exe
2010-04-08 05:20 . 2010-04-08 05:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 05:20 . 2010-04-08 05:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-22 18:38 . 2010-03-22 18:38 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2008-07-06 05:14 . 2008-07-06 05:14 917689 ----a-w- c:\program files\ComicsViewer_eng.zip
2008-03-19 04:35 . 2008-03-19 04:35 0 ----a-w- c:\program files\temp01
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 1961984]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gainward"="c:\program files\VDOTool\TBPanel.exe" [2007-11-27 2169368]
"OODefragTray"="c:\windows\system32\oodtray.exe" [2007-05-10 2512392]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-04 8523776]
"nwiz"="nwiz.exe" [2007-12-04 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-04 81920]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-29 16859648]
"EPSON Stylus C63 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE" [2003-05-27 99840]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"BigDog303"="c:\windows\VM303_STI.EXE" [2005-12-22 61440]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\Ken\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"d:\\Kim\\sysreset\\mirc.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Maxthon2\\Modules\\MxDownloader\\MxDownloadServer.exe"=
"c:\\Program Files\\CAPCOM\\RESIDENT EVIL 5\\RE5DX9.EXE"=
"c:\\Program Files\\CAPCOM\\RESIDENT EVIL 5\\RE5DX10.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/18/2010 2:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/11/2010 2:41 AM 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/8/2009 4:51 PM 108289]
S2 emhboxeezhdtu;\??\c:\docume;\??\c:\docume~1\Ken\LOCALS~1\Temp\ijdmypzdrfxyw.sys --> c:\docume~1\Ken\LOCALS~1\Temp\ijdmypzdrfxyw.sys [?]
S2 fiotktvxp;\??\c:\do;\??\c:\docume~1\Ken\LOCALS~1\Temp\zlnoubjomzu.sys --> c:\docume~1\Ken\LOCALS~1\Temp\zlnoubjomzu.sys [?]
S2 gunsivrolsq;\??\c:\docu;\??\c:\docume~1\Ken\LOCALS~1\Temp\qpmuencuzqmnc.sys --> c:\docume~1\Ken\LOCALS~1\Temp\qpmuencuzqmnc.sys [?]
S2 gvkxwtfhnlksie;\??\c:\docume~;\??\c:\docume~1\Ken\LOCALS~1\Temp\xkjlnuqkb.sys --> c:\docume~1\Ken\LOCALS~1\Temp\xkjlnuqkb.sys [?]
S2 hjaqc;\??\C;\??\c:\docume~1\Ken\LOCALS~1\Temp\ttatsktdndlzj.sys --> c:\docume~1\Ken\LOCALS~1\Temp\ttatsktdndlzj.sys [?]
S2 jlwflus;\??\c:\;\??\c:\docume~1\Ken\LOCALS~1\Temp\btoevtipzuu.sys --> c:\docume~1\Ken\LOCALS~1\Temp\btoevtipzuu.sys [?]
S2 jzviqotoubtugq;\??\c:\docume~;\??\c:\docume~1\Ken\LOCALS~1\Temp\jzbgiloiqfcuegb.sys --> c:\docume~1\Ken\LOCALS~1\Temp\jzbgiloiqfcuegb.sys [?]
S2 leydgudstmmotrw;\??\c:\docume~1;\??\c:\docume~1\Ken\LOCALS~1\Temp\ujjqyzrzajoiu.sys --> c:\docume~1\Ken\LOCALS~1\Temp\ujjqyzrzajoiu.sys [?]
S2 neqqz;\??\C;\??\c:\docume~1\Ken\LOCALS~1\Temp\jzhniemogrriukt.sys --> c:\docume~1\Ken\LOCALS~1\Temp\jzhniemogrriukt.sys [?]
S2 ppepfqextcpu;\??\c:\docum;\??\c:\docume~1\Ken\LOCALS~1\Temp\ilnxthqnpavqlj.sys --> c:\docume~1\Ken\LOCALS~1\Temp\ilnxthqnpavqlj.sys [?]
S2 rdiflkegaehxv;\??\c:\docume;\??\c:\docume~1\Ken\LOCALS~1\Temp\wwruj.sys --> c:\docume~1\Ken\LOCALS~1\Temp\wwruj.sys [?]
S2 sawdbogyoeit;\??\c:\docum;\??\c:\docume~1\Ken\LOCALS~1\Temp\zgvscuu.sys --> c:\docume~1\Ken\LOCALS~1\Temp\zgvscuu.sys [?]
S2 szrclpnekmsejpl;\??\c:\docume~1;\??\c:\docume~1\Ken\LOCALS~1\Temp\akafg.sys --> c:\docume~1\Ken\LOCALS~1\Temp\akafg.sys [?]
S2 wdtfwgqzs;\??\c:\do;\??\c:\docume~1\Ken\LOCALS~1\Temp\nqwpm.sys --> c:\docume~1\Ken\LOCALS~1\Temp\nqwpm.sys [?]
S2 wqcozdbrxvlsnji;\??\c:\docume~1;\??\c:\docume~1\Ken\LOCALS~1\Temp\iznggnbg.sys --> c:\docume~1\Ken\LOCALS~1\Temp\iznggnbg.sys [?]
S2 xkiliyoht;\??\c:\do;\??\c:\docume~1\Ken\LOCALS~1\Temp\bnvnnjbndrhuf.sys --> c:\docume~1\Ken\LOCALS~1\Temp\bnvnnjbndrhuf.sys [?]
S2 zpdediianggzv;\??\c:\docume;\??\c:\docume~1\Ken\LOCALS~1\Temp\xojkhmkk.sys --> c:\docume~1\Ken\LOCALS~1\Temp\xojkhmkk.sys [?]
S3 ckwnwbvd;ckwnwbvd;\??\c:\windows\System32\Drivers\ckwnwbvd.sys --> c:\windows\System32\Drivers\ckwnwbvd.sys [?]
S3 foccyaqc;foccyaqc;\??\c:\windows\System32\Drivers\foccyaqc.sys --> c:\windows\System32\Drivers\foccyaqc.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/2/2008 4:45 PM 716272]
.
Contents of the 'Scheduled Tasks' folder

2010-05-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 03:50]

2010-06-16 c:\windows\Tasks\User_Feed_Synchronization-{B3E918AA-63F1-49D9-8894-AF88B05DA6F2}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {7A218CD9-2A4A-477E-AD0E-4A6975B74B17} = 202.78.97.41,210.4.2.61
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab?1271083908000
FF - ProfilePath - c:\documents and settings\Ken\Application Data\Mozilla\Firefox\Profiles\4zxj8urj.default\
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigDog303 = c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)????????????????0?????????@??????????????

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG10.00.00.01WORKSTATION"="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"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@DACL=(02 0000)
@="Wireless"
"ProcessGroupPolicy"="ProcessWIRELESSPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0E28E245-9368-4853-AD84-6DA3BA35BB75}]
@DACL=(02 0000)
@="Group Policy Environment"
"ProcessGroupPolicy"="ProcessGroupPolicyEnviron"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyEnviron"
"ProcessGroupPolicyEx 0"=""
"EventSources"="(Group Policy Environment,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-1"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{17D89FEC-5C44-4972-B12D-241CAEF74509}]
@DACL=(02 0000)
@="Group Policy Local Users and Groups"
"ProcessGroupPolicy"="ProcessGroupPolicyLocUsAndGroups"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyLocUsAndGroups"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExLocUsAndGroups"
"EventSources"="(Group Policy Local Users and Groups,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-2"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{1A6364EB-776B-4120-ADE1-B63A406A76B5}]
@DACL=(02 0000)
@="Group Policy Device Settings"
"ProcessGroupPolicy"="ProcessGroupPolicyDevices"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyDevices"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExDevices"
"EventSources"="(Group Policy Device Settings,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-3"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@DACL=(02 0000)
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=expand:"fdeploy.dll"
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Folder Redirection,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3A0DBA37-F8B2-4356-83DE-3E90BD5C261F}]
@DACL=(02 0000)
@="Group Policy Network Options"
"ProcessGroupPolicy"="ProcessGroupPolicyNetworkOptions"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyNetworkOptions"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExNetworkOptions"
"EventSources"="(Group Policy Network Options,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-4"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@DACL=(02 0000)
@="QoS Packet Scheduler"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@DACL=(02 0000)
@="Scripts"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=expand:"gptext.dll"
"NoSlowLink"=dword:00000001
"NoGPOListChanges"=dword:00000001
"NotifyLinkTransition"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{5794DAFD-BE60-433f-88A2-1A31939AC01F}]
@DACL=(02 0000)
@="Group Policy Drive Maps"
"ProcessGroupPolicy"="ProcessGroupPolicyDrives"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyDrives"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExDrives"
"EventSources"="(Group Policy Drive Maps,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-5"
"PerUserLocalSettings"=dword:00000001
"NoBackgroundPolicy"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6232C319-91AC-4931-9385-E70C2B099F0E}]
@DACL=(02 0000)
@="Group Policy Folders"
"ProcessGroupPolicy"="ProcessGroupPolicyFolders"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyFolders"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExFolders"
"EventSources"="(Group Policy Folders,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-6"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6A4C88C6-C502-4f74-8F60-2CB23EDC24E2}]
@DACL=(02 0000)
@="Group Policy Network Shares"
"ProcessGroupPolicy"="ProcessGroupPolicyNetShares"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyNetShares"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExNetShares"
"EventSources"="(Group Policy Network Shares,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-7"
"NoUserPolicy"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7150F9BF-48AD-4da4-A49C-29EF4A8369BA}]
@DACL=(02 0000)
@="Group Policy Files"
"ProcessGroupPolicy"="ProcessGroupPolicyFiles"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyFiles"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExFiles"
"EventSources"="(Group Policy Files,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-8"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{728EE579-943C-4519-9EF7-AB56765798ED}]
@DACL=(02 0000)
@="Group Policy Data Sources"
"ProcessGroupPolicy"="ProcessGroupPolicyDataSources"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyDataSources"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExDataSources"
"EventSources"="(Group Policy Data Sources,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-9"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{74EE6C03-5363-4554-B161-627540339CAB}]
@DACL=(02 0000)
@="Group Policy Ini Files"
"ProcessGroupPolicy"="ProcessGroupPolicyIniFile"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyIniFile"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExIniFile"
"EventSources"="(Group Policy Ini Files,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-10"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
@DACL=(02 0000)
@="Internet Explorer User Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{91FBB303-0CD5-4055-BF42-E512A681B325}]
@DACL=(02 0000)
@="Group Policy Services"
"ProcessGroupPolicy"="ProcessGroupPolicyServices"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyServices"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExServices"
"EventSources"="(Group Policy Services,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-11"
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A3F3E39B-5D83-4940-B954-28315B82F0A8}]
@DACL=(02 0000)
@="Group Policy Folder Options"
"ProcessGroupPolicy"="ProcessGroupPolicyFolderOptions"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyFolderOptions"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExFolderOptions"
"EventSources"="(Group Policy Folder Options,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-12"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{AADCED64-746C-4633-A97C-D61349046527}]
@DACL=(02 0000)
@="Group Policy Scheduled Tasks"
"ProcessGroupPolicy"="ProcessGroupPolicySchedTasks"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicySchedTasks"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExSchedTasks"
"EventSources"="(Group Policy Scheduled Tasks,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-13"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B087BE9D-ED37-454f-AF9C-04291E351182}]
@DACL=(02 0000)
@="Group Policy Registry"
"ProcessGroupPolicy"="ProcessGroupPolicyRegistry"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyRegistry"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExRegistry"
"EventSources"="(Group Policy Registry,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-14"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
@DACL=(02 0000)
@="802.3 Group Policy"
"DisplayName"=expand:"@dot3gpclnt.dll,-100"
"ProcessGroupPolicyEx"="ProcessLANPolicyEx"
"GenerateGroupPolicy"="GenerateLANPolicy"
"DllName"=expand:"dot3gpclnt.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D}]
@DACL=(02 0000)
@="Group Policy Printers"
"ProcessGroupPolicy"="ProcessGroupPolicyPrinters"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyPrinters"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExPrinters"
"EventSources"="(Group Policy Printers,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-16"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7}]
@DACL=(02 0000)
@="Group Policy Shortcuts"
"ProcessGroupPolicy"="ProcessGroupPolicyShortcuts"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyShortcuts"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExShortcuts"
"EventSources"="(Group Policy Shortcuts,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-17"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Software Installation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
@DACL=(02 0000)
@="Internet Explorer Machine Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@DACL=(02 0000)
@="IP Security"
"ProcessGroupPolicy"="ProcessIPSECPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E47248BA-94CC-49c4-BBB5-9EB7F05183D0}]
@DACL=(02 0000)
@="Group Policy Internet Settings"
"ProcessGroupPolicy"="ProcessGroupPolicyShortcuts"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyInternet"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExInternet"
"EventSources"="(Group Policy Internet Settings,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-18"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E4F48E54-F38D-4884-BFB9-D4D2E5729C18}]
@DACL=(02 0000)
@="Group Policy Start Menu Settings"
"ProcessGroupPolicy"="ProcessGroupPolicyStartMenu"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyStartMenu"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExStartMenu"
"EventSources"="(Group Policy Start Menu Settings,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-19"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E5094040-C46C-4115-B030-04FB2E545B00}]
@DACL=(02 0000)
@="Group Policy Regional Options"
"ProcessGroupPolicy"="ProcessGroupPolicyRegionOptions"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyRegionOptions"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExRegionOptions"
"EventSources"="(Group Policy Regional Options,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-20"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E62688F0-25FD-4c90-BFF5-F508B9D2E31F}]
@DACL=(02 0000)
@="Group Policy Power Options"
"ProcessGroupPolicy"="ProcessGroupPolicyPowerOptions"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyPowerOptions"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExPowerOptions"
"EventSources"="(Group Policy Power Options,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-21"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{F9C77450-3A41-477E-9310-9ACD617BD9E3}]
@DACL=(02 0000)
@="Group Policy Applications"
"ProcessGroupPolicy"="ProcessGroupPolicyApplications"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyApplications"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExApplications"
"EventSources"="(Group Policy Applications,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-15"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(568)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2010-06-17 01:14:15
ComboFix-quarantined-files.txt 2010-06-16 17:14

Pre-Run: 16,753,111,040 bytes free
Post-Run: 16,760,745,984 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - D7665BDD4B3314F9C34EC4BBEF212763


#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,648 posts
  • Gender:Female
  • Location:Romania
  • Local time:01:48 AM

Posted 16 June 2010 - 02:15 PM

Hello again, still some leftovers to clean.

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
CODE
Driver::
emhboxeezhdtu
fiotktvxp
gunsivrolsq
gvkxwtfhnlksie
hjaqc
jlwflus
jzviqotoubtugq
leydgudstmmotrw
neqqz
ppepfqextcpu
rdiflkegaehxv
sawdbogyoeit
szrclpnekmsejpl
wdtfwgqzs
wqcozdbrxvlsnji
xkiliyoht
zpdediianggzv
ckwnwbvd
foccyaqc

RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions]

RegNull::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#13 eriolclow

eriolclow
  • Topic Starter

  • Members
  • 55 posts
  • Local time:06:48 PM

Posted 17 June 2010 - 08:18 AM

Hi! Here's the second combofix log that was generated:

ComboFix 10-06-15.02 - Ken 06/17/2010 20:55:08.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1616 [GMT 8:00]
Running from: c:\documents and settings\Ken\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ken\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ckwnwbvd
-------\Service_emhboxeezhdtu
-------\Service_fiotktvxp
-------\Service_foccyaqc
-------\Service_gunsivrolsq
-------\Service_gvkxwtfhnlksie
-------\Service_hjaqc
-------\Service_jlwflus
-------\Service_jzviqotoubtugq
-------\Service_leydgudstmmotrw
-------\Service_neqqz
-------\Service_ppepfqextcpu
-------\Service_rdiflkegaehxv
-------\Service_sawdbogyoeit
-------\Service_szrclpnekmsejpl
-------\Service_wdtfwgqzs
-------\Service_wqcozdbrxvlsnji
-------\Service_xkiliyoht
-------\Service_zpdediianggzv


((((((((((((((((((((((((( Files Created from 2010-05-17 to 2010-06-17 )))))))))))))))))))))))))))))))
.

2010-06-16 17:13 . 2008-04-13 21:42 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2010-06-16 17:13 . 2008-04-13 21:42 39424 ----a-w- c:\windows\system32\grpconv.exe
2010-06-09 13:29 . 2010-06-09 13:29 50688 ----a-w- c:\program files\ATF-Cleaner.exe
2010-06-07 15:33 . 2010-06-07 15:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-07 13:31 . 2010-06-07 13:31 63488 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-07 13:31 . 2010-06-07 13:31 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-07 13:31 . 2010-06-07 13:31 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-07 13:30 . 2010-06-07 13:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-06-06 14:37 . 2010-06-06 14:37 388096 ----a-r- c:\documents and settings\Ken\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-06 14:37 . 2010-06-06 14:37 -------- d-----w- c:\program files\Trend Micro
2010-06-06 14:31 . 2010-06-06 14:31 388608 ----a-w- c:\program files\HijackThis.exe
2010-06-06 14:30 . 2010-06-06 14:36 1402880 ----a-w- c:\program files\HiJackThis.msi
2010-06-06 09:03 . 2010-06-09 13:25 63488 ----a-w- c:\documents and settings\Ken\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-06 09:03 . 2010-06-06 09:03 52224 ----a-w- c:\documents and settings\Ken\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-06 09:03 . 2010-06-09 13:25 117760 ----a-w- c:\documents and settings\Ken\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-06 09:00 . 2010-06-06 09:00 -------- d-----w- c:\documents and settings\Ken\Application Data\SUPERAntiSpyware.com
2010-06-06 09:00 . 2010-06-06 09:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-06 09:00 . 2010-06-06 09:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-06 08:59 . 2010-06-06 08:59 8924856 ----a-w- c:\program files\SUPERAntiSpyware.exe
2010-06-06 08:22 . 2010-06-06 08:22 -------- d-----w- c:\documents and settings\Ken\Application Data\Malwarebytes
2010-06-06 08:22 . 2010-04-29 07:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-06 08:22 . 2010-06-06 08:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-06 08:22 . 2010-04-29 07:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-06 08:22 . 2010-06-06 08:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-06 08:19 . 2010-06-06 08:21 6153352 ----a-w- c:\program files\mbam-setup.exe
2010-06-02 15:58 . 2010-06-02 15:58 -------- d-----w- c:\program files\Common Files\Java
2010-06-02 15:57 . 2010-06-02 15:57 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-22 20:14 . 2010-05-22 20:14 503808 ----a-w- c:\documents and settings\Ken\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5396e640-n\msvcp71.dll
2010-05-22 20:14 . 2010-05-22 20:14 499712 ----a-w- c:\documents and settings\Ken\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5396e640-n\jmc.dll
2010-05-22 20:14 . 2010-05-22 20:14 348160 ----a-w- c:\documents and settings\Ken\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-5396e640-n\msvcr71.dll
2010-05-22 20:13 . 2010-05-22 20:13 61440 ----a-w- c:\documents and settings\Ken\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7a29fc34-n\decora-sse.dll
2010-05-22 20:13 . 2010-05-22 20:13 12800 ----a-w- c:\documents and settings\Ken\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7a29fc34-n\decora-d3d.dll
2010-05-22 12:53 . 2010-05-22 12:53 -------- d-----w- c:\windows\system32\NtmsData
2010-05-18 15:19 . 2010-06-03 13:35 -------- d-----w- c:\program files\JDownloader
2010-05-18 15:18 . 2010-05-18 15:18 19241022 ----a-w- c:\program files\JDownloaderSetup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-10 18:41 . 2008-02-02 08:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-08 18:32 . 2009-08-08 09:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-07 13:48 . 2010-06-06 14:32 7163 ----a-w- c:\program files\hijackthis.log
2010-06-07 12:58 . 2008-02-02 11:04 -------- d-----w- c:\documents and settings\Ken\Application Data\uTorrent
2010-06-07 11:45 . 2006-02-28 12:00 1033728 ----a-w- c:\windows\explorer.exe
2010-06-06 14:59 . 2008-02-02 10:48 -------- d-----w- c:\documents and settings\Ken\Application Data\MxBoost
2010-06-05 08:02 . 2008-12-30 09:23 -------- d-----w- c:\documents and settings\Ken\Application Data\mIRC
2010-06-05 08:02 . 2008-12-30 09:23 -------- d-----w- c:\program files\mIRC
2010-05-29 06:02 . 2009-04-21 16:20 48 ----a-w- c:\windows\wpd99.drv
2010-05-18 12:58 . 2010-02-04 14:13 40868 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-18 12:50 . 2010-01-26 12:12 -------- d-----w- c:\program files\iTunes
2010-05-09 12:31 . 2010-05-09 12:30 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-09 12:30 . 2010-05-09 12:30 -------- d-----w- c:\program files\iPod
2010-05-09 12:30 . 2010-01-26 12:11 -------- d-----w- c:\program files\Common Files\Apple
2010-05-09 12:29 . 2009-08-08 09:16 -------- d-----w- c:\program files\QuickTime Alternative
2010-05-09 12:28 . 2010-05-09 12:28 -------- d-----w- c:\program files\Apple Software Update
2010-05-09 12:27 . 2010-05-09 12:27 -------- d-----w- c:\program files\Bonjour
2010-05-07 12:30 . 2008-02-01 17:31 47016 ----a-w- c:\documents and settings\Ken\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-03 04:58 . 2010-05-03 04:58 -------- d-----w- c:\program files\Microsoft Reader
2010-05-03 04:58 . 2008-02-01 17:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-03 04:58 . 2010-05-03 04:58 3759800 ----a-w- c:\program files\MSReaderSetupUSA.exe
2010-04-28 07:45 . 2010-04-28 07:45 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-04-26 15:00 . 2010-04-26 15:00 17829274 ----a-w- c:\program files\FreeYouTubeToMP3Converter.exe
2010-04-24 16:28 . 2010-04-24 15:48 -------- d-----w- c:\program files\123 Video Converter
2010-04-24 16:28 . 2008-03-19 04:42 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-24 16:02 . 2010-04-24 16:02 -------- d-----w- c:\documents and settings\Ken\Application Data\Red Kawa
2010-04-24 16:01 . 2010-04-24 16:01 -------- d-----w- c:\program files\Regensoft
2010-04-24 16:01 . 2010-04-24 16:01 -------- d-----w- c:\program files\AviSynth 2.5
2010-04-24 16:01 . 2010-04-24 16:01 -------- d-----w- c:\program files\Red Kawa
2010-04-16 00:33 . 2010-01-26 12:11 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-16 00:33 . 2010-01-26 12:11 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-12 15:18 . 2010-04-12 15:18 12400120 ----a-w- c:\program files\picasa36-setup.exe
2010-04-10 15:40 . 2010-04-10 15:40 18499623 ----a-w- c:\program files\vlc-1.0.5-win32.exe
2010-04-10 14:50 . 2010-04-10 14:50 3189496 ----a-w- c:\program files\MPC-HomeCinema.1.3.1249.0.(x86).exe
2010-04-08 05:20 . 2010-04-08 05:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 05:20 . 2010-04-08 05:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-22 18:38 . 2010-03-22 18:38 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2008-07-06 05:14 . 2008-07-06 05:14 917689 ----a-w- c:\program files\ComicsViewer_eng.zip
2008-03-19 04:35 . 2008-03-19 04:35 0 ----a-w- c:\program files\temp01
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 1961984]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gainward"="c:\program files\VDOTool\TBPanel.exe" [2007-11-27 2169368]
"OODefragTray"="c:\windows\system32\oodtray.exe" [2007-05-10 2512392]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-04 8523776]
"nwiz"="nwiz.exe" [2007-12-04 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-04 81920]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-29 16859648]
"EPSON Stylus C63 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE" [2003-05-27 99840]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"BigDog303"="c:\windows\VM303_STI.EXE" [2005-12-22 61440]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\Ken\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"d:\\Kim\\sysreset\\mirc.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Maxthon2\\Modules\\MxDownloader\\MxDownloadServer.exe"=
"c:\\Program Files\\CAPCOM\\RESIDENT EVIL 5\\RE5DX9.EXE"=
"c:\\Program Files\\CAPCOM\\RESIDENT EVIL 5\\RE5DX10.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/18/2010 2:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/11/2010 2:41 AM 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/8/2009 4:51 PM 108289]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/2/2008 4:45 PM 716272]
.
Contents of the 'Scheduled Tasks' folder

2010-05-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 03:50]

2010-06-17 c:\windows\Tasks\User_Feed_Synchronization-{B3E918AA-63F1-49D9-8894-AF88B05DA6F2}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {7A218CD9-2A4A-477E-AD0E-4A6975B74B17} = 202.78.97.41,210.4.2.61
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab?1271083908000
FF - ProfilePath - c:\documents and settings\Ken\Application Data\Mozilla\Firefox\Profiles\4zxj8urj.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-17 21:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
BigDog303 = c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)????????????????0?????????@??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@DACL=(02 0000)
@="Wireless"
"ProcessGroupPolicy"="ProcessWIRELESSPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0E28E245-9368-4853-AD84-6DA3BA35BB75}]
@DACL=(02 0000)
@="Group Policy Environment"
"ProcessGroupPolicy"="ProcessGroupPolicyEnviron"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyEnviron"
"ProcessGroupPolicyEx 0"=""
"EventSources"="(Group Policy Environment,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-1"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{17D89FEC-5C44-4972-B12D-241CAEF74509}]
@DACL=(02 0000)
@="Group Policy Local Users and Groups"
"ProcessGroupPolicy"="ProcessGroupPolicyLocUsAndGroups"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyLocUsAndGroups"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExLocUsAndGroups"
"EventSources"="(Group Policy Local Users and Groups,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-2"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{1A6364EB-776B-4120-ADE1-B63A406A76B5}]
@DACL=(02 0000)
@="Group Policy Device Settings"
"ProcessGroupPolicy"="ProcessGroupPolicyDevices"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyDevices"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExDevices"
"EventSources"="(Group Policy Device Settings,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-3"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@DACL=(02 0000)
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=expand:"fdeploy.dll"
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Folder Redirection,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3A0DBA37-F8B2-4356-83DE-3E90BD5C261F}]
@DACL=(02 0000)
@="Group Policy Network Options"
"ProcessGroupPolicy"="ProcessGroupPolicyNetworkOptions"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyNetworkOptions"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExNetworkOptions"
"EventSources"="(Group Policy Network Options,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-4"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@DACL=(02 0000)
@="QoS Packet Scheduler"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@DACL=(02 0000)
@="Scripts"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=expand:"gptext.dll"
"NoSlowLink"=dword:00000001
"NoGPOListChanges"=dword:00000001
"NotifyLinkTransition"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{5794DAFD-BE60-433f-88A2-1A31939AC01F}]
@DACL=(02 0000)
@="Group Policy Drive Maps"
"ProcessGroupPolicy"="ProcessGroupPolicyDrives"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyDrives"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExDrives"
"EventSources"="(Group Policy Drive Maps,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-5"
"PerUserLocalSettings"=dword:00000001
"NoBackgroundPolicy"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6232C319-91AC-4931-9385-E70C2B099F0E}]
@DACL=(02 0000)
@="Group Policy Folders"
"ProcessGroupPolicy"="ProcessGroupPolicyFolders"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyFolders"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExFolders"
"EventSources"="(Group Policy Folders,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-6"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{6A4C88C6-C502-4f74-8F60-2CB23EDC24E2}]
@DACL=(02 0000)
@="Group Policy Network Shares"
"ProcessGroupPolicy"="ProcessGroupPolicyNetShares"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyNetShares"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExNetShares"
"EventSources"="(Group Policy Network Shares,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-7"
"NoUserPolicy"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7150F9BF-48AD-4da4-A49C-29EF4A8369BA}]
@DACL=(02 0000)
@="Group Policy Files"
"ProcessGroupPolicy"="ProcessGroupPolicyFiles"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyFiles"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExFiles"
"EventSources"="(Group Policy Files,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-8"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{728EE579-943C-4519-9EF7-AB56765798ED}]
@DACL=(02 0000)
@="Group Policy Data Sources"
"ProcessGroupPolicy"="ProcessGroupPolicyDataSources"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyDataSources"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExDataSources"
"EventSources"="(Group Policy Data Sources,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-9"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{74EE6C03-5363-4554-B161-627540339CAB}]
@DACL=(02 0000)
@="Group Policy Ini Files"
"ProcessGroupPolicy"="ProcessGroupPolicyIniFile"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyIniFile"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExIniFile"
"EventSources"="(Group Policy Ini Files,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-10"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
@DACL=(02 0000)
@="Internet Explorer User Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{91FBB303-0CD5-4055-BF42-E512A681B325}]
@DACL=(02 0000)
@="Group Policy Services"
"ProcessGroupPolicy"="ProcessGroupPolicyServices"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyServices"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExServices"
"EventSources"="(Group Policy Services,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-11"
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A3F3E39B-5D83-4940-B954-28315B82F0A8}]
@DACL=(02 0000)
@="Group Policy Folder Options"
"ProcessGroupPolicy"="ProcessGroupPolicyFolderOptions"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyFolderOptions"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExFolderOptions"
"EventSources"="(Group Policy Folder Options,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-12"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{AADCED64-746C-4633-A97C-D61349046527}]
@DACL=(02 0000)
@="Group Policy Scheduled Tasks"
"ProcessGroupPolicy"="ProcessGroupPolicySchedTasks"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicySchedTasks"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExSchedTasks"
"EventSources"="(Group Policy Scheduled Tasks,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-13"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B087BE9D-ED37-454f-AF9C-04291E351182}]
@DACL=(02 0000)
@="Group Policy Registry"
"ProcessGroupPolicy"="ProcessGroupPolicyRegistry"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyRegistry"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExRegistry"
"EventSources"="(Group Policy Registry,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-14"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
@DACL=(02 0000)
@="802.3 Group Policy"
"DisplayName"=expand:"@dot3gpclnt.dll,-100"
"ProcessGroupPolicyEx"="ProcessLANPolicyEx"
"GenerateGroupPolicy"="GenerateLANPolicy"
"DllName"=expand:"dot3gpclnt.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D}]
@DACL=(02 0000)
@="Group Policy Printers"
"ProcessGroupPolicy"="ProcessGroupPolicyPrinters"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyPrinters"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExPrinters"
"EventSources"="(Group Policy Printers,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-16"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C418DD9D-0D14-4efb-8FBF-CFE535C8FAC7}]
@DACL=(02 0000)
@="Group Policy Shortcuts"
"ProcessGroupPolicy"="ProcessGroupPolicyShortcuts"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyShortcuts"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExShortcuts"
"EventSources"="(Group Policy Shortcuts,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-17"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Software Installation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
@DACL=(02 0000)
@="Internet Explorer Machine Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@DACL=(02 0000)
@="IP Security"
"ProcessGroupPolicy"="ProcessIPSECPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E47248BA-94CC-49c4-BBB5-9EB7F05183D0}]
@DACL=(02 0000)
@="Group Policy Internet Settings"
"ProcessGroupPolicy"="ProcessGroupPolicyShortcuts"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyInternet"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExInternet"
"EventSources"="(Group Policy Internet Settings,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-18"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E4F48E54-F38D-4884-BFB9-D4D2E5729C18}]
@DACL=(02 0000)
@="Group Policy Start Menu Settings"
"ProcessGroupPolicy"="ProcessGroupPolicyStartMenu"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyStartMenu"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExStartMenu"
"EventSources"="(Group Policy Start Menu Settings,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-19"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E5094040-C46C-4115-B030-04FB2E545B00}]
@DACL=(02 0000)
@="Group Policy Regional Options"
"ProcessGroupPolicy"="ProcessGroupPolicyRegionOptions"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyRegionOptions"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExRegionOptions"
"EventSources"="(Group Policy Regional Options,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-20"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{E62688F0-25FD-4c90-BFF5-F508B9D2E31F}]
@DACL=(02 0000)
@="Group Policy Power Options"
"ProcessGroupPolicy"="ProcessGroupPolicyPowerOptions"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyPowerOptions"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExPowerOptions"
"EventSources"="(Group Policy Power Options,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-21"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{F9C77450-3A41-477E-9310-9ACD617BD9E3}]
@DACL=(02 0000)
@="Group Policy Applications"
"ProcessGroupPolicy"="ProcessGroupPolicyApplications"
"DllName"=expand:"gpprefcl.dll"
"GenerateGroupPolicy"="GenerateGroupPolicyApplications"
"ProcessGroupPolicyEx"="ProcessGroupPolicyExApplications"
"EventSources"="(Group Policy Applications,Application)"
"DisplayName"=expand:"@gpprefcl.dll,-15"
"PerUserLocalSettings"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2148)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\oodag.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
c:\progra~1\MI3AA1~1\wcescomm.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-06-17 21:07:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-17 13:07
ComboFix2.txt 2010-06-16 17:14

Pre-Run: 16,780,816,384 bytes free
Post-Run: 16,648,814,592 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - E40F1C2177994573CE43B6040BEB6714


#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,648 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:48 AM

Posted 17 June 2010 - 08:25 AM

How are things running now?


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please launch MBAM and update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#15 eriolclow

eriolclow
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:06:48 PM

Posted 17 June 2010 - 08:38 AM

Hi! I was running the computer with the LAN turned off. I'll reboot and turn on the LAN to see if I get any more "trojan trying to access" warnings from Avira (they only pop up when I'm connected to the internet). And then I'll update the Malwarebytes definitions and run a scan. The Malwarebytes scan should take a while though, but hopefully I'll be able to reply within two to three hours or so...



