
"Microsoft engineer" rang me on Saturday 17-07-10


  • This topic is locked
43 replies to this topic

#1 Brightraven94


  • Members
  • 23 posts

Posted 17 July 2010 - 09:18 PM

I was awoken with a phone call from an Indian supposed "Microsoft Engineer in the Technical department" telling me that my PC was generating and sending out enormous amounts of files and that I should get onto my PC in order for them to freely provide me with tools to eradicate my supposedly bad files causing this. Going onto my PC, I was "shown" (told how to run it) the Event Viewer (never previously used by myself). It showed 100s of ERROR reports that gave some credence to their statements. I did not realise at the time that these were merely common errors reported by the system. I later deleted them after finding out how to. A security-conscious individual of many years, I am ALWAYS sceptical of such phone calls, but sadly this time I decided that I may indeed be speaking to a Microsoft engineer and must allow them access, or perhaps my PC would indeed be a major problem in a week's time. According to the con man my PC would close down eventually and I would be unable to retrieve any of my files again as the PC would not boot. I felt uneasy and, still being rather sleepy, I was unsure as to his chat. Taken in by his spiel I suspected a scam, especially since it was an Indian speaking and experience of bad business with such warned me off, but I felt that I may indeed be causing a problem to the Internet world and foolishly decided to allow them access to my PC. Once decided, they gained access via a software programme which they downloaded (TeamViewer) and ran on my PC. I was still rather sleepy and trying to remember what was happening. Alarm bells were ringing but I was still unsure. They also downloaded "Advanced Windows Care" ver. 2 and ran it, which appeared very similar to my own Advanced SystemCare programme (IObit). I later discovered that it was a much earlier version of my own software, albeit several versions back. What they did once on my PC I have no idea, as all I could see was the programme checking my PC.
They then said that my "software maintenance" programme had expired after running another programme. It reeled off dozens of files and at the end stated "Software expired". My suspicions were already on edge, but I was foolishly under the impression that it may be genuine and that if I did not allow them access then I would be unable to get my PC up again if it did indeed stop functioning in a week as they stated. Told early on that it was free, I was then told that my PC had a "temporary software manager" that controlled all my programmes, that it had expired and that I had to renew the contract. I felt that this was rubbish and demanded to know why I would be sold an expensive machine with a "temporary" software programme that needed renewing and was never told of it. I did not like his explanations, especially when he said that it would be £65 to renew and then later said that it was ANNUAL and would be payable for 4 years. At this stage I dissed him from my PC and stated that I could not pay and laughed at his suggestion. Sadly I may be the last one to laugh, as he had control of my PC for some time and obviously may have uploaded God knows what onto my PC. I am now on tenterhooks and will be for some time as to just what he may have stolen/downloaded onto my machine. I update and run my AVs and other malware programmes regularly. However, my PC has been doing funny things in the last week or two and this made me think that the call may be genuine. Several times I have been unable to switch the PC off and have had to hold the ON button for 8 seconds to close it down. On reboot, everything appeared to run OK until I could not close it down again. Naturally I have run all my AVs again and also downloaded/run the Malwarebytes Anti-Malware programme. This, unlike my other programmes, showed up a "REG-TOOL" (dozens of them, which I immediately cleaned). I will need to go through my information to change passwords etc. which he has possibly found.
However, all seems OK otherwise, but I need a programme which will check for some sort of malware that may be allowing remote access or may be sending information from my PC. Anything else possibly needed would be appreciated. For many years I have always looked after my own PC, but this has been a first, which goes down badly for me. No excuses, I was fooled. Indians are now persona non grata in my opinion. All tainted for some/many crooks. I shall enclose the DDS text as asked for and attach the other. I suspect that my accounts are now greatly at risk. I have spent the last 12 hours renewing and scanning with AVs and other programmes, Spybot, SUPERAntiSpyware etc. GMER crashed my PC twice (BSoD) so I cannot upload the result. Thank you for your time. Brightraven.

----
DDS (Ver_10-03-17.01) - NTFSx86
Run by PC1 at 0:54:59.01 on 18/07/2010
Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3071.1215 [GMT 1:00]

AV: avast! antivirus 4.8.1229 [VPS 081123-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: avast! antivirus 4.8.1229 [VPS 081123-0] *enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\wininit.exe
C:\WINDOWS\system32\lsm.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k secsvcs
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k GPSvcGroup
C:\WINDOWS\system32\SLsvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\NCH Software\Eyeline\eyeline.exe
C:\Program Files\Firebird\Firebird_2_5\bin\fbguard.exe
c:\hp\HPEZBTN\HPBtnSrv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\SPAMfighter\sfus.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\WINDOWS\System32\svchost.exe -k WerSvcGroup
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Xobni\XobniService.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Firebird\Firebird_2_5\bin\fbserver.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\taskeng.exe
C:\WINDOWS\system32\Dwm.exe
C:\WINDOWS\system32\taskeng.exe
C:\WINDOWS\system32\taskeng.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\WINDOWS\RtHDVCpl.exe
C:\WINDOWS\system32\schtasks.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\WindowsMobile\wmdc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\svchost.exe -k WindowsMobile
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\system32\jusched.exe
C:\Program Files\Portrait Displays\Pivot Software\wpCtrl.exe
C:\Program Files\Portrait Displays\HP My Display\dthtml.exe
C:\WINDOWS\System32\mobsync.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\IObit\IObit Security 360\is360tray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
M:\Downloads\utorrent.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\DAP\DAP.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\ProgramData\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Qlock\qlock.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\WINDOWS\ehome\ehsched.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\ehome\ehRecvr.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\svchost.exe -k SDRSVC
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\sdclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\DllHost.exe
M:\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mirostart.com/?cfg=2-73-0-8HvC
uSearch Page =
uSearch Bar =
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
mSearchAssistant =
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: PriceGongBHO Class: {1631550f-191d-4826-b069-d9439253d926} - c:\program files\pricegong\2.1.0\PriceGongIE.dll
BHO: SBCONVERT Class: {3017fb3e-9a77-4396-88c5-0ec9548fb42f} - c:\program files\speedbit video downloader\tbu4a\tbcore3.dll
BHO: SBCONVERT Class: {31b27f2d-6bc6-451b-b3d2-4eab36b2fc3b} - c:\program files\speedbit video downloader\toolbar\tbcore3.dll
BHO: SearchPredictObj Class: {389943b0-c3a2-4e69-82cb-8596a84cb3dc} - c:\progra~1\search~1\SEARCH~1.DLL
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: FreecycleMemberBHO Class: {c3e5e149-27b7-49d1-8420-b02ac52af663} - c:\program files\freecycle\FreecycleMember.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
BHO: DAPIELoader Class: {ff6c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~1\dap\DAPIEL~1.DLL
BHO: GrabberObj Class: {ff7c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~1\speedb~3\tbu4a\grabber.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: SpeedBit Video Downloader: {0329e7d6-6f54-462d-93f6-f5c3118badf2} - c:\program files\speedbit video downloader\tbu4a\tbcore3.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Google Update] "c:\users\pc1\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [uTorrent] "m:\downloads\utorrent.exe"
uRun: [Free Download Manager] c:\program files\free download manager\fdm.exe -autorun
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [SpeedBitVideoAccelerator] c:\program files\speedbit video accelerator\VideoAccelerator.exe
uRun: [DownloadAccelerator] "c:\program files\dap\DAP.EXE" /STARTUP
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [FinePrint Dispatcher v5] "c:\windows\system32\spool\drivers\w32x86\3\fpdisp5a.exe" /source=HKLM
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [EPSON Stylus DX4200 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiaee.exe /f "c:\windows\temp\E_S8390.tmp" /EF "HKLM"
mRun: [PivotSoftware] "c:\program files\portrait displays\pivot software\wpctrl.exe"
mRun: [DT HPW] c:\program files\portrait displays\hp my display\DTHtml.exe -startup_folder
mRun: [SPAMfighter Agent] "c:\program files\spamfighter\SFAgent.exe" update delay 60
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
StartupFolder: c:\users\pc1\appdata\roaming\micros~1\windows\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
StartupFolder: c:\users\pc1\appdata\roaming\microsoft\windows\start menu\programs\startup\Microsoft Find Fast.lnk.disabled
StartupFolder: c:\users\pc1\appdata\roaming\micros~1\windows\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\users\pc1\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\users\pc1\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\users\pc1\appdata\roaming\micros~1\windows\startm~1\programs\startup\qlock.lnk - c:\program files\qlock\qlock.exe
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\BlueSoleil.lnk.disabled
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\launch~1.lnk - c:\windows\installer\{d8e363a7-88b7-446d-b2c0-e26ce4dc8e54}\_294823.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AOL Toolbar Search
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Add to Evernote - c:\program files\evernote\evernote3\enbar.dll/2000
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send To &Bluetooth
IE: Translate this web page with Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Action.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEE1} - c:\program files\evernote\evernote3\enbar.dll
LSP: c:\progra~1\speedb~1\sblsp.dll
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Bejeweled%202/Images/stg_drm.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Bejeweled%202/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\xobni\Skype4COM.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\pc1\appdata\roaming\mozilla\firefox\profiles\bjf9ahud.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2438922&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://search.speedbit.com
FF - prefs.js: keyword.URL - hxxp://search.speedbit.com/searchresults.asp?src=default&q=
FF - component: c:\program files\dap\dapfirefox\components\DAPFireFox.dll
FF - component: c:\program files\pricegong\2.1.0\ff\components\PriceGongFF.dll
FF - component: c:\program files\speedbit video downloader\spfirefox\components\Engine.dll
FF - component: c:\users\pc1\appdata\roaming\mozilla\firefox\profiles\bjf9ahud.default\extensions\{0fc85f5d-6207-4515-a490-45a549d285c0}\components\FFExternalAlert.dll
FF - component: c:\users\pc1\appdata\roaming\mozilla\firefox\profiles\bjf9ahud.default\extensions\{0fc85f5d-6207-4515-a490-45a549d285c0}\components\RadioWMPCore.dll
FF - component: c:\users\pc1\appdata\roaming\mozilla\firefox\profiles\bjf9ahud.default\extensions\{a0729639-d831-46c9-811b-9b0aa79fb45a}\components\FFExternalAlert.dll
FF - component: c:\users\pc1\appdata\roaming\mozilla\firefox\profiles\bjf9ahud.default\extensions\{a0729639-d831-46c9-811b-9b0aa79fb45a}\components\RadioWMPCore.dll
FF - component: c:\users\pc1\appdata\roaming\mozilla\firefox\profiles\bjf9ahud.default\extensions\{e0b8c461-f8fb-49b4-8373-fe32e9252800}\platform\winnt_x86-msvc\components\enbar3.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\skyhook wireless\loki browser plugin\versions\3.4.2.20\nploki.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\pc1\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: browser.xul.error_pages.enabled - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 8191
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2008-6-15 39472]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-6-28 114768]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-7-7 59240]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-7-7 166632]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-5-13 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-13 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-6-28 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2008-6-28 53328]
R2 DXSOFTIO;DXSOFTIO;c:\windows\system32\drivers\DXSOFTIO.SYS [2009-11-23 3824]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2008-12-3 1426304]
R3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\drivers\netr73.sys [2008-2-26 493568]
S0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-17 64288]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-9-3 54632]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-3-4 16472]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-13 12872]

=============== Created Last 30 ================

2010-07-17 21:18:06 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-17 20:34:29 0 dc-h--w- c:\programdata\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-17 15:03:58 0 d-----w- c:\users\pc1\appdata\roaming\Malwarebytes
2010-07-17 15:03:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-17 15:03:49 0 d-----w- c:\programdata\Malwarebytes
2010-07-17 15:03:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-17 15:03:48 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-17 14:48:13 0 d-----w- c:\users\pc1\appdata\roaming\Trusteer
2010-07-17 14:48:07 0 d-----w- c:\program files\Trusteer
2010-07-17 14:45:21 0 d-----w- c:\programdata\Trusteer
2010-07-17 10:19:37 0 d-----w- c:\program files\QS
2010-07-17 10:19:35 0 d-----w- c:\users\pc1\appdata\roaming\TeamViewer
2010-06-30 16:16:57 81920 ----a-w- c:\windows\system32\drivers\ser2pl.sys
2010-06-25 16:57:11 0 d-----w- c:\program files\iPod
2010-06-25 16:51:13 0 d-----w- c:\program files\Bonjour
2010-06-25 14:04:27 0 d-----w- c:\programdata\McAfee
2010-06-24 02:01:21 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-24 02:01:21 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-24 02:01:21 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-24 02:01:21 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-24 02:01:21 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-23 22:04:15 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-06-23 22:04:14 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

==================== Find3M ====================

2010-07-17 21:18:02 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-04 16:50:27 1718 ----a-w- c:\users\pc1\appdata\roaming\wklnhst.dat
2010-06-30 16:17:33 86016 ----a-w- c:\windows\inf\infpub.dat
2010-06-30 16:17:33 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-06-30 16:17:32 143360 ----a-w- c:\windows\inf\infstor.dat
2010-06-02 03:55:30 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-06-02 03:55:30 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-06-02 03:55:30 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-05-26 17:06:41 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47:41 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-26 10:41:02 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-05-26 10:41:02 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-05-26 10:41:02 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-05-26 10:41:02 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2010-05-26 10:41:02 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-05-21 13:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 15:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 15:35:16 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-05-18 15:35:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 15:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-04 05:59:21 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55:42 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55:42 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 14:13:48 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-04-23 14:13:55 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-18 10:29:11 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-07-02 19:57:50 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-16 10:06:35 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2008-07-28 15:20:54 8 --sha-r- c:\windows\system32\E6AD6C1670.sys
2009-08-12 02:15:37 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\feeds cache\index.dat
2009-07-30 10:07:04 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009072020090727\index.dat
2009-08-06 14:02:33 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009072720090803\index.dat
2009-08-10 00:51:41 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009080320090810\index.dat
2009-08-10 00:51:41 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009081020090811\index.dat
2009-08-12 02:15:37 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009081220090813\index.dat
2009-08-12 03:15:42 16384 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\low\history.ie5\index.dat
2009-08-12 03:15:42 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\index.dat
2009-08-12 03:15:42 16384 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\cookies\low\index.dat
2009-08-12 02:15:37 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\privacie\index.dat
2007-12-12 22:09:07 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 0:57:53.41 ===============
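Added example (not code from the thread, from DDS or from ComboFix): a small Python triage helper that parses DDS "Created Last 30" / "Find3M" file lines like the ones above and picks out the entries a responder would check first, such as files created during the assumed remote-session window or carrying hidden+system attributes. The sample lines and the 10:00 to 14:00 incident window are constructed assumptions, not taken from the thread.

```python
# Added example: triage DDS "Created Last 30" / "Find3M" lines against an
# incident window (here, an assumed remote-support session on 17 July 2010).
import re
from datetime import datetime
from typing import Dict, List, NamedTuple

# One DDS file line: "<created> <size> <attrs> <path>". attrs is an 8-char flag
# field, e.g. ----a-w- (archive, writable), --sha-r- (system, hidden, archive,
# read-only); d marks a directory, c a compressed entry.
_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+([a-z-]{8})\s+(.+)$"
)
# Section banners look like "=========== Created Last 30 ============".
_SECTION = re.compile(r"^=+\s*(.*?)\s*=+$")


class Entry(NamedTuple):
    section: str
    created: datetime
    size: int
    attrs: str
    path: str


def parse_dds(text: str) -> List[Entry]:
    """Parse the file lines of a DDS log, remembering each line's section."""
    entries: List[Entry] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        banner = _SECTION.match(line)
        if banner:
            section = banner.group(1)
            continue
        m = _LINE.match(line)
        if not m:
            continue  # blank lines, pref dumps, service lines, etc.
        ts, size, attrs, path = m.groups()
        entries.append(Entry(section, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                             int(size), attrs, path.lower()))
    return entries


def triage(entries: List[Entry], window_start: datetime,
           window_end: datetime) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for entries a responder should look at first."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons: List[str] = []
        if window_start <= e.created <= window_end:
            reasons.append("created during incident window")
        if "s" in e.attrs and "h" in e.attrs:
            reasons.append("hidden+system attributes")
        # A non-directory .sys that does not live under a drivers folder is unusual.
        if e.path.endswith(".sys") and "\\drivers\\" not in e.path and "d" not in e.attrs:
            reasons.append(".sys outside a drivers directory")
        if reasons:
            findings[e.path] = reasons
    return findings


# Constructed sample in DDS line shape (paths mirror the log posted above).
SAMPLE_DDS = r"""
=============== Created Last 30 ================

2010-07-17 21:18:06 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-17 15:03:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-17 10:19:37 0 d-----w- c:\program files\QS
2010-07-17 10:19:35 0 d-----w- c:\users\pc1\appdata\roaming\TeamViewer
2010-06-30 16:16:57 81920 ----a-w- c:\windows\system32\drivers\ser2pl.sys

==================== Find3M ====================

2010-07-17 21:18:02 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2008-07-28 15:20:54 8 --sha-r- c:\windows\system32\E6AD6C1670.sys
2008-07-02 19:57:50 174 --sha-w- c:\program files\desktop.ini
"""

# Assumed incident window: the morning remote session, opened around the time
# the TeamViewer profile folder appeared (an assumption, not from the thread).
INCIDENT_START = datetime(2010, 7, 17, 10, 0, 0)
INCIDENT_END = datetime(2010, 7, 17, 14, 0, 0)


def triage_sample() -> Dict[str, List[str]]:
    """Run the triage over the constructed sample."""
    return triage(parse_dds(SAMPLE_DDS), INCIDENT_START, INCIDENT_END)


if __name__ == "__main__":
    for path, reasons in triage_sample().items():
        print(f"{path}: {', '.join(reasons)}")
```

The flags are only pointers for a human reviewer; an entry such as the TeamViewer folder is expected after a remote-support session, and the point is to surface everything else that appeared in the same window.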


#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:09:38 AM

Posted 19 July 2010 - 09:29 AM

Hello and welcome to Bleeping Computer.

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.



=================================

Please try to run GMER in safe mode. How to boot in safe mode: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/


Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.
  • Post the contents of that report when you reply.


~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 Brightraven94

Brightraven94
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:02:38 AM

Posted 20 July 2010 - 04:01 PM

Hello Sempai. Thank you for replying to my problem. It is appreciated. Babysitting for my two grandsons rather delays my replies so my apologies in advance.
I HOPE that I have now correctly subscribed to my own thread. I thought that I had but discovered later that you had replied 7 hours previously so I obviously had not.

I have tried unsuccessfully several times to run GMER. I tried several times in normal mode with no success. I then switched to SAFE MODE with similar results. Each time I ran it the programme stopped. Twice with a window saying that it had stopped and twice with a BSOD. I captured a picture of it and hopefully I will be able to enclose it with this mail. I appear not to be able to enclose the scan.

The last file scanned by GMER was noted. The problem causing the stoppage appears to be somewhere in ....Devices\HarddiskVolumeShadowCopy1.

Thank you for your time.


Edited by Brightraven94, 20 July 2010 - 04:09 PM.


#4 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:09:38 AM

Posted 21 July 2010 - 07:58 AM

Hi,

P2P Warning:
Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case uTorrent/Vuze).

These programmes allow users to share files between each other, as the name(s) suggest. In today's world cyber crime has reached an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."




======================================


1. We need to disable Spybot S&D's "TeaTimer"

TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy



2. I do not recommend the use of Iobit, please see here => http://www.spywareinfoforum.com/index.php?showtopic=126267

Please uninstall IObit Security 360.
  • Click Start button > Control Panel> Programs > Programs and Features.
  • Select IObit Security 360 then click uninstall.
Note: If you are prompted for an administrator password or confirmation, type the password or provide confirmation.




3. Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouse-click ComboFix's window while it's running because it may cause it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.







~Semp



#5 Brightraven94

Brightraven94
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:02:38 AM

Posted 21 July 2010 - 03:33 PM

Thank you for your comments. I hope that I have followed your instructions correctly. Sadly, I only found IOBIT products, Advanced System Care, then Security 360 a short time ago and considered the ASC to be a decent programme although it seemed to find some items and NOT clean them up as although it said that it was "Fixed", another immediate scan found the same (Or another) fault again! I appreciate the heads-up about the Chinese copying Malware's OS and have eradicated both the ASC and 360 products. I am now using Malwarebytes Anti-Malware which appears to be a good programme. Is this a comparable programme to replace ASC or can you point to a better (Hopefully free) one?

I had to uninstall my Avast? AV as it kept coming up as installed on running the ComboFix even though it was "DISABLED" in the actual programme. I have now re-installed a fresh copy of it (A completely different version\Front end). The ComboFix log is enclosed. Thank you again for your time and efforts.




#6 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:09:38 AM

Posted 22 July 2010 - 09:09 AM

Hi,

Please do not attach logs.

Malwarebytes' Anti-Malware is a good program and I strongly recommend it.


===================================


We need to execute a ComboFix script. (Tutorials on how to disable your anti-virus and anti-malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
File::
c:\windows\system32\E6AD6C1670.sys

Folder::
c:\users\pc1\appdata\roaming\TeamViewer
c:\programdata\McAfee
c:\programdata\Norton
c:\programdata\Symantec

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-

DDS::
uSearch Page =
uSearch Bar =
mSearchAssistant =
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&28b228d&0&UID256\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&28b228d&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\GSM4A61\5&28b228d&0&UID256\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\GSM4A61\5&28b228d&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&28b228d&0&UID272\Device Parameters\MODES]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&28b228d&0&UID272\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&28b228d&0&UID272\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&28b228d&0&UID273\Device Parameters\MODES]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&28b228d&0&UID273\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&28b228d&0&UID273\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]


4. Save this as CFScript.txt, in the same location as ComboFix.exe




5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


~Semp



#7 Brightraven94

Brightraven94
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:02:38 AM

Posted 23 July 2010 - 08:36 AM

Thank you again. I enclose the log.txt below.

--------------------------

ComboFix 10-07-22.01 - PC1 23/07/2010 14:05:25.2.4 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3071.1385 [GMT 1:00]
Running from: c:\users\PC1\Desktop\ComboFix.exe
Command switches used :: c:\users\PC1\Desktop\CFScript.txt
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\system32\E6AD6C1670.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\McAfee
c:\programdata\McAfee\MCLOGS\Common\McCHSvc\McCHSvc000.log
c:\programdata\McAfee\MCLOGS\McUICnt\McUICnt\McUICnt000.log
c:\programdata\McAfee\MCLOGS\PartnerCustom\McCHSvc\McCHSvc000.log
c:\programdata\McAfee\MCLOGS\PartnerCustom\McUICnt\McUICnt000.log
c:\programdata\McAfee\MCLOGS\PartnerCustom\SecurityScan_Release\SecurityScan_Release000.log
c:\programdata\McAfee\MCLOGS\PartnerCustom\SSScheduler\SSScheduler000.log
c:\programdata\McAfee\MCLOGS\SecurityScanner\McUICnt\McUICnt000.log
c:\programdata\Norton
c:\programdata\Norton\symdata.xml
c:\programdata\Symantec
c:\programdata\Symantec\DSA\V_G\DSASL.xml
c:\programdata\Symantec\LiveUpdate\Settings.LiveUpdate
c:\programdata\Symantec\symdata.xml
c:\users\pc1\appdata\roaming\TeamViewer
c:\users\pc1\appdata\roaming\TeamViewer\TeamViewer5_Logfile.log
c:\windows\system32\E6AD6C1670.sys

.
((((((((((((((((((((((((( Files Created from 2010-06-23 to 2010-07-23 )))))))))))))))))))))))))))))))
.

2010-07-23 13:16 . 2010-07-23 13:16 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-07-23 13:16 . 2010-07-23 13:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-23 13:16 . 2010-07-23 13:16 -------- d-----w- c:\users\1\AppData\Local\temp
2010-07-21 19:57 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-07-21 19:57 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-07-21 19:57 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-07-21 19:57 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-07-21 19:55 . 2010-06-28 20:32 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-07-21 19:54 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-21 19:54 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-07-21 19:54 . 2010-07-21 19:54 -------- d-----w- c:\programdata\Alwil Software
2010-07-21 18:37 . 2010-07-23 13:16 -------- d-----w- c:\users\PC1\AppData\Local\temp
2010-07-18 02:30 . 2010-07-18 02:30 388096 ----a-r- c:\users\PC1\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-17 21:18 . 2010-07-12 08:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-17 21:05 . 2010-07-17 21:05 -------- d-----w- c:\users\PC1\AppData\Local\Sunbelt Software
2010-07-17 20:34 . 2010-07-17 20:34 -------- dc-h--w- c:\programdata\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-17 20:34 . 2010-07-12 08:56 2979280 -c--a-w- c:\programdata\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe
2010-07-17 18:28 . 2010-07-17 18:28 63488 ----a-w- c:\users\PC1\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-17 15:03 . 2010-07-17 15:03 -------- d-----w- c:\users\PC1\AppData\Roaming\Malwarebytes
2010-07-17 15:03 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-17 15:03 . 2010-07-17 15:03 -------- d-----w- c:\programdata\Malwarebytes
2010-07-17 15:03 . 2010-07-17 15:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-17 15:03 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-17 14:48 . 2010-07-17 14:48 -------- d-----w- c:\users\PC1\AppData\Roaming\Trusteer
2010-07-17 14:48 . 2010-07-17 14:48 -------- d-----w- c:\program files\Trusteer
2010-07-17 14:45 . 2010-07-17 14:45 -------- d-----w- c:\programdata\Trusteer
2010-07-17 10:19 . 2010-07-17 10:19 -------- d-----w- c:\program files\QS
2010-07-12 19:34 . 2010-06-22 10:58 241664 ----a-w- c:\users\PC1\AppData\Roaming\Mozilla\Firefox\Profiles\bjf9ahud.default\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}\platform\WINNT_x86-msvc\components\enclip.dll
2010-07-12 19:34 . 2010-06-22 10:58 114688 ----a-w- c:\users\PC1\AppData\Roaming\Mozilla\Firefox\Profiles\bjf9ahud.default\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}\platform\WINNT_x86-msvc\components\ENImaDLL.dll
2010-07-12 19:34 . 2010-06-22 10:58 90112 ----a-w- c:\users\PC1\AppData\Roaming\Mozilla\Firefox\Profiles\bjf9ahud.default\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}\platform\WINNT_x86-msvc\components\entbcompose.dll
2010-07-12 19:34 . 2010-06-22 10:58 167936 ----a-w- c:\users\PC1\AppData\Roaming\Mozilla\Firefox\Profiles\bjf9ahud.default\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}\platform\WINNT_x86-msvc\components\enbar3.dll
2010-07-12 19:22 . 2010-07-12 19:22 56765 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-07-12 19:22 . 2010-07-12 19:22 57715 ----a-w- c:\programdata\DivX\Player\Uninstaller.exe
2010-07-12 19:22 . 2010-07-12 19:22 54153 ----a-w- c:\programdata\DivX\DFXPlugin\Uninstaller.exe
2010-07-09 15:35 . 2007-03-22 10:46 126976 ----a-w- c:\users\PC1\AppData\Roaming\GRETECH\GomPlayer\GrLauncher.exe
2010-07-06 23:33 . 2010-07-06 23:33 434176 ----a-w- c:\programdata\Trusteer\Rapport\store\exts\RapportMS\18481\RapportMS.dll
2010-06-30 16:16 . 2010-03-12 17:22 81920 ----a-w- c:\windows\system32\drivers\ser2pl.sys
2010-06-30 16:08 . 2010-07-02 00:52 -------- d-----w- c:\users\PC1\AppData\Roaming\vlc
2010-06-25 16:57 . 2010-06-25 16:57 -------- d-----w- c:\program files\iPod
2010-06-25 16:51 . 2010-06-25 16:51 -------- d-----w- c:\program files\Bonjour
2010-06-25 16:49 . 2010-06-25 16:49 72504 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-24 02:01 . 2009-11-08 09:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-24 02:01 . 2009-11-08 09:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-24 02:01 . 2009-11-08 09:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-24 02:01 . 2009-11-08 09:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-24 02:01 . 2009-11-08 09:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-23 22:04 . 2010-04-16 16:43 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-06-23 22:04 . 2010-04-16 14:39 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-23 13:15 . 2009-07-15 21:00 -------- d-----w- c:\users\PC1\AppData\Roaming\Free Download Manager
2010-07-23 12:30 . 2008-06-14 18:34 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-07-23 12:16 . 2010-07-21 19:39 31681 ----a-w- c:\programdata\nvModes.dat
2010-07-23 12:07 . 2009-07-08 15:49 -------- d-----w- c:\program files\SPAMfighter
2010-07-23 12:01 . 2008-07-16 21:42 12 ----a-w- c:\windows\bthservsdp.dat
2010-07-23 00:07 . 2008-06-17 14:22 -------- d-----w- c:\programdata\Google Updater
2010-07-21 19:54 . 2008-06-14 23:19 -------- d-----w- c:\program files\Alwil Software
2010-07-21 19:45 . 2008-06-14 20:23 1356 ----a-w- c:\users\PC1\AppData\Local\d3d9caps.dat
2010-07-21 19:45 . 2007-12-12 22:45 -------- d-----w- c:\programdata\NVIDIA
2010-07-19 14:28 . 2009-08-06 16:54 -------- d-----w- c:\program files\Lizardtech
2010-07-19 14:28 . 2007-12-12 22:40 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-19 10:29 . 2007-12-12 22:51 -------- d---a-w- c:\program files\Common Files\LightScribe
2010-07-18 02:57 . 2008-09-13 14:26 -------- d-----w- c:\users\PC1\AppData\Roaming\uTorrent
2010-07-17 21:18 . 2009-10-29 23:04 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-17 18:28 . 2009-05-17 14:19 117760 ----a-w- c:\users\PC1\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-17 16:05 . 2010-05-10 15:25 -------- d-----w- c:\program files\TimeLeft3
2010-07-17 15:38 . 2009-07-15 20:53 -------- d-----w- c:\program files\Free Download Manager
2010-07-15 02:06 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-07-15 02:03 . 2008-08-15 14:55 -------- d-----w- c:\programdata\Microsoft Help
2010-07-12 19:27 . 2010-05-15 16:01 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-07-12 19:27 . 2010-04-15 16:43 -------- d-----w- c:\programdata\DivX
2010-07-12 19:22 . 2008-06-17 19:28 -------- d-----w- c:\program files\DivX
2010-07-12 19:16 . 2010-05-15 15:54 1062184 ----a-w- c:\programdata\DivX\Setup\Resource.dll
2010-07-12 19:16 . 2010-05-15 15:54 895256 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-07-05 22:03 . 2010-01-01 18:22 -------- d-----w- c:\program files\Ask.com
2010-07-04 16:50 . 2008-06-17 11:03 1718 ----a-w- c:\users\PC1\AppData\Roaming\wklnhst.dat
2010-07-01 22:25 . 2008-06-19 20:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-01 20:11 . 2009-11-20 12:20 -------- d-----w- c:\users\PC1\AppData\Roaming\TuneUpMedia
2010-07-01 20:10 . 2008-07-28 15:28 -------- d-----w- c:\users\PC1\AppData\Roaming\Apple Computer
2010-06-30 21:38 . 2009-03-24 21:17 -------- d-----w- c:\program files\Winamp
2010-06-30 16:45 . 2008-06-17 14:22 -------- d-----w- c:\program files\Google
2010-06-30 15:47 . 2010-05-10 14:45 1 ----a-w- c:\users\PC1\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-27 00:52 . 2009-12-26 17:03 -------- d-----w- c:\program files\CCleaner
2010-06-26 02:01 . 2008-08-15 14:59 -------- d-----w- c:\program files\Microsoft.NET
2010-06-25 16:58 . 2009-09-26 08:00 -------- d-----w- c:\program files\iTunes
2010-06-25 16:57 . 2008-07-28 15:27 -------- d-----w- c:\program files\Common Files\Apple
2010-06-25 16:57 . 2008-07-28 15:16 -------- d-----w- c:\programdata\Apple Computer
2010-06-20 21:13 . 2008-08-28 23:49 -------- d-----w- c:\program files\ACD Systems
2010-06-19 00:02 . 2009-12-28 21:52 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-06-18 21:46 . 2009-12-28 21:52 53632 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-06-14 14:26 . 2009-08-12 02:25 95744 ----a-w- c:\programdata\SpeedBit\DAP\SDCondition.dll
2010-06-13 16:12 . 2010-06-13 16:12 -------- d-----w- c:\program files\Skyhook Wireless
2010-06-11 17:35 . 2008-07-28 15:38 -------- d-----w- c:\program files\Safari
2010-06-11 17:33 . 2010-06-11 17:33 71992 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
2010-06-06 13:03 . 2009-06-25 19:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-06 11:58 . 2008-10-21 17:48 119720 ----a-w- c:\users\1\AppData\Local\GDIPFONTCACHEV1.DAT
2010-06-05 14:56 . 2008-09-15 17:49 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-05 14:17 . 2009-05-02 19:28 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-06-05 14:17 . 2010-06-05 14:17 56997 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-06-05 14:17 . 2010-06-05 14:17 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
2010-06-05 14:16 . 2010-06-05 14:16 54128 ----a-w- c:\programdata\DivX\Converter\Uninstaller.exe
2010-06-05 14:16 . 2010-06-05 14:16 54644 ----a-w- c:\programdata\DivX\TranscodeEngine\Uninstaller.exe
2010-06-05 14:16 . 2010-06-05 14:16 54101 ----a-w- c:\programdata\DivX\MPEG2Plugin\Uninstaller.exe
2010-06-04 16:04 . 2010-06-04 16:04 -------- dc----w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-04 15:27 . 2008-12-26 15:36 -------- d-----w- c:\users\PC1\AppData\Roaming\Media Player Classic
2010-06-02 03:55 . 2010-07-01 21:36 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-06-02 03:55 . 2010-07-01 21:36 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-06-02 03:55 . 2010-07-01 21:36 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-06-01 12:58 . 2009-07-21 11:37 -------- d-----w- c:\program files\Lavasoft
2010-06-01 12:58 . 2008-06-19 16:18 -------- d-----w- c:\programdata\Lavasoft
2010-05-26 19:19 . 2009-11-07 22:23 -------- d-----w- c:\programdata\NCH Software
2010-05-26 19:09 . 2009-11-07 22:23 -------- d-----w- c:\program files\NCH Software
2010-05-26 19:09 . 2009-11-07 22:26 -------- d-----w- c:\users\PC1\AppData\Roaming\NCH Software
2010-05-26 19:06 . 2009-09-23 11:18 -------- d-----w- c:\program files\SpeedBit Video Downloader
2010-05-26 17:06 . 2010-06-08 22:01 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 15:14 . 2009-01-25 21:01 -------- d-----w- c:\program files\Microsoft
2010-05-26 14:47 . 2010-06-08 22:01 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-26 10:41 . 2010-07-01 21:36 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-05-26 10:41 . 2010-07-01 21:36 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-05-26 10:41 . 2010-07-01 21:36 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-05-26 10:41 . 2010-07-01 21:36 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2010-05-26 10:41 . 2010-07-01 21:36 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-05-21 13:14 . 2009-10-02 21:30 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 15:35 . 2010-05-18 15:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 15:35 . 2010-05-18 15:35 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-05-18 15:35 . 2010-05-18 15:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 15:35 . 2010-05-18 15:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-15 15:53 . 2010-05-15 15:53 84040 ----a-w- c:\programdata\DivX\TransferWizard\Uninstaller.exe
2010-05-15 15:53 . 2010-05-15 15:53 57054 ----a-w- c:\programdata\DivX\DSDesktopComponents\Uninstaller.exe
2010-05-15 15:53 . 2010-05-15 15:53 54166 ----a-w- c:\programdata\DivX\DSAVCDecoder\Uninstaller.exe
2010-05-15 15:53 . 2010-05-15 15:53 57532 ----a-w- c:\programdata\DivX\DSASPDecoder\Uninstaller.exe
2010-05-15 15:53 . 2010-05-15 15:53 56458 ----a-w- c:\programdata\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-05-15 15:53 . 2010-05-15 15:53 54174 ----a-w- c:\programdata\DivX\DSAACDecoder\Uninstaller.exe
2010-05-15 15:53 . 2010-05-15 15:53 57409 ----a-w- c:\programdata\DivX\ControlPanel\Uninstaller.exe
2010-05-15 15:53 . 2010-05-15 15:53 52963 ----a-w- c:\programdata\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-05-15 15:53 . 2010-05-15 15:53 54073 ----a-w- c:\programdata\DivX\Qt4.5\Uninstaller.exe
2010-05-15 15:52 . 2010-05-15 15:52 56969 ----a-w- c:\programdata\DivX\ASPEncoder\Uninstaller.exe
2010-05-10 13:49 . 2008-06-14 18:18 119720 ----a-w- c:\users\PC1\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-09 21:54 . 2008-07-18 22:24 1 ----a-w- c:\users\PC1\AppData\Roaming\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-05-06 13:58 . 2010-05-06 13:58 257257 ----a-w- c:\users\PC1\AppData\Roaming\OpenCandy\OpenCandy_2131BD7D7184491789B6E5B5CAF1B218\DLMgr3WrapperUniBlue.exe
2010-05-04 05:59 . 2010-06-08 22:01 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-08 22:01 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55 . 2010-06-08 22:01 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31 . 2010-06-08 22:01 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 14:13 . 2010-06-08 22:01 2037248 ----a-w- c:\windows\system32\win32k.sys
2007-12-12 22:09 . 2007-12-12 22:04 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1631550F-191D-4826-B069-D9439253D926}]
2010-03-28 19:47 353656 ----a-w- c:\program files\PriceGong\2.1.0\PriceGongIE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3017FB3E-9A77-4396-88C5-0EC9548FB42F}]
2010-05-26 19:06 2447360 ----a-w- c:\program files\SpeedBit Video Downloader\TBU4A\tbcore3.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31B27F2D-6BC6-451B-B3D2-4EAB36B2FC3B}]
2010-04-08 20:58 2447360 ----a-w- c:\program files\SpeedBit Video Downloader\Toolbar\tbcore3.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{389943B0-C3A2-4E69-82CB-8596A84CB3DC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-10-04 1783136]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-12-12 1840424]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-04-28 2633976]
"Free Download Manager"="c:\program files\Free Download Manager\fdm.exe" [2009-03-02 3399727]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2009-07-16 25604904]
"SpeedBitVideoAccelerator"="c:\program files\SpeedBit Video Accelerator\VideoAccelerator.exe" [2010-02-11 1611368]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2010-05-01 2815488]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-01 2403568]
"L08ZXLRD_3906608"="c:\program files\Microsoft Student\Microsoft Student with Encarta Reference Library 2008 DVD\EDICT.EXE" [2007-05-21 351000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"FinePrint Dispatcher v5"="c:\windows\system32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2008-03-05 516096]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-12-02 2221352]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2008-06-02 178712]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-04-25 280064]
"SPAMfighter Agent"="c:\program files\SPAMfighter\SFAgent.exe" [2009-06-19 333960]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-26 13789728]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

c:\users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\users\PC1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk.disabled [2010-7-18 862]
Microsoft Find Fast.lnk.disabled [2008-8-7 929]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-12-9 51984]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
OpenOffice.org 3.2.lnk.disabled [2010-5-10 1032]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BlueSoleil.lnk.disabled [2009-12-26 2036]
LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2008-9-22 22486]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2010-2-26 2057536]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2010-2-26 9136960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-12 18:15 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\users\PC1\AppData\Local\Google\Update\GoogleUpdate.exe" /c
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:f8,c8,de,21,e3,3a,ca,01

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-07-03 133104]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-07-12 1352832]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2009-09-28 16472]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-25 12872]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2008-02-14 39472]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-07-12 64288]
S1 aswSP;aswSP; [x]
S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-07-06 59240]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-07-06 166632]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-25 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-05-26 67656]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 50256]
S2 DXSOFTIO;DXSOFTIO; [x]
S2 EyelineService;Eyeline Video System;c:\program files\NCH Software\Eyeline\eyeline.exe [2009-11-07 643076]
S2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_2_5\bin\fbguard.exe [2009-12-08 98304]
S2 HPBtnSrv;HP Chasis Button Service;c:\hp\HPEZBTN\HPBtnSrv.exe [2007-05-29 198240]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-07-06 840936]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 SPAMfighter Update Service;SPAMfighter Update Service;c:\program files\SPAMfighter\sfus.exe [2009-06-19 189064]
S2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe [2010-02-11 300656]
S2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2010-02-26 110592]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-06-16 20480]
S2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [2009-11-13 46824]
S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_2_5\bin\fbserver.exe [2009-12-08 3710976]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2009-07-14 1443584]
S3 netr73;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2009-05-24 501248]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2009-02-13 11520]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-07-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-17 21:40]

2010-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-29 15:19]

2010-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-29 15:19]

2010-07-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4102808562-1563517724-2785566093-1000Core.job
- c:\users\PC1\AppData\Local\Google\Update\GoogleUpdate.exe [2008-12-16 16:09]

2010-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4102808562-1563517724-2785566093-1000UA.job
- c:\users\PC1\AppData\Local\Google\Update\GoogleUpdate.exe [2008-12-16 16:09]

2010-07-23 c:\windows\Tasks\User_Feed_Synchronization-{30F22343-5A88-4D2A-B1AE-14E62E9AD1CD}.job
- c:\windows\system32\msfeedssync.exe [2010-06-08 04:30]

2009-07-25 c:\windows\Tasks\User_Feed_Synchronization-{D3A69213-CD0B-46AD-8680-A9589BD43A3B}.job
- c:\windows\system32\msfeedssync.exe [2010-06-08 04:30]

2010-07-23 c:\windows\Tasks\User_Feed_Synchronization-{D945232E-005D-4B80-9291-EF753261C0A8}.job
- c:\windows\system32\msfeedssync.exe [2010-06-08 04:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mirostart.com/?cfg=2-73-0-8HvC
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send To &Bluetooth
IE: Translate this web page with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Action.htm
LSP: c:\progra~1\SPEEDB~1\sblsp.dll
FF - ProfilePath - c:\users\PC1\AppData\Roaming\Mozilla\Firefox\Profiles\bjf9ahud.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2438922&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://search.speedbit.com
FF - prefs.js: keyword.URL - hxxp://search.speedbit.com/searchresults.asp?src=default&q=
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - component: c:\program files\PriceGong\2.1.0\FF\components\PriceGongFF.dll
FF - component: c:\program files\SpeedBit Video Downloader\SPFireFox\components\Engine.dll
FF - component: c:\users\PC1\AppData\Roaming\Mozilla\Firefox\Profiles\bjf9ahud.default\extensions\{0fc85f5d-6207-4515-a490-45a549d285c0}\components\FFExternalAlert.dll
FF - component: c:\users\PC1\AppData\Roaming\Mozilla\Firefox\Profiles\bjf9ahud.default\extensions\{0fc85f5d-6207-4515-a490-45a549d285c0}\components\RadioWMPCore.dll
FF - component: c:\users\PC1\AppData\Roaming\Mozilla\Firefox\Profiles\bjf9ahud.default\extensions\{a0729639-d831-46c9-811b-9b0aa79fb45a}\components\FFExternalAlert.dll
FF - component: c:\users\PC1\AppData\Roaming\Mozilla\Firefox\Profiles\bjf9ahud.default\extensions\{a0729639-d831-46c9-811b-9b0aa79fb45a}\components\RadioWMPCore.dll
FF - component: c:\users\PC1\AppData\Roaming\Mozilla\Firefox\Profiles\bjf9ahud.default\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}\platform\WINNT_x86-msvc\components\enbar3.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Skyhook Wireless\Loki Browser Plugin\versions\3.4.2.20\nploki.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\PC1\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: browser.xul.error_pages.enabled - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 8191
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-23 14:16
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&28b228d&0&UID256\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000003\00000000]
@DACL=(02 0000)
"Type"=hex:12,00,00,00
"Data"=hex:6d,00,6f,00,6e,00,69,00,74,00,6f,00,72,00,2e,00,69,00,6e,00,66,00,
3a,00,47,00,65,00,6e,00,65,00,72,00,69,00,63,00,2e,00,4e,00,54,00,78,00,38,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&28b228d&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\00000002\00000000]
@DACL=(02 0000)
"Type"=hex:10,00,00,00
"Data"=hex:00,80,8c,a3,c5,94,c6,01

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&28b228d&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\00000003\00000000]
@DACL=(02 0000)
"Type"=hex:12,00,00,00
"Data"=hex:36,00,2e,00,30,00,2e,00,36,00,30,00,30,00,31,00,2e,00,31,00,38,00,
30,00,30,00,30,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&28b228d&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\00000004\00000000]
@DACL=(02 0000)
"Type"=hex:12,00,00,00
"Data"=hex:47,00,65,00,6e,00,65,00,72,00,69,00,63,00,20,00,4e,00,6f,00,6e,00,
2d,00,50,00,6e,00,50,00,20,00,4d,00,6f,00,6e,00,69,00,74,00,6f,00,72,00,00,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&28b228d&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\00000005\00000000]
@DACL=(02 0000)
"Type"=hex:12,00,00,00
"Data"=hex:6d,00,6f,00,6e,00,69,00,74,00,6f,00,72,00,2e,00,69,00,6e,00,66,00,
00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&28b228d&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\00000006\00000000]
@DACL=(02 0000)
"Type"=hex:12,00,00,00
"Data"=hex:4e,00,6f,00,6e,00,50,00,6e,00,50,00,4d,00,6f,00,6e,00,69,00,74,00,
6f,00,72,00,2e,00,49,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&28b228d&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\00000008\00000000]
@DACL=(02 0000)
"Type"=hex:12,00,00,00
"Data"=hex:6d,00,6f,00,6e,00,69,00,74,00,6f,00,72,00,5c,00,64,00,65,00,66,00,
61,00,75,00,6c,00,74,00,5f,00,6d,00,6f,00,6e,00,69,00,74,00,6f,00,72,00,00,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&28b228d&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\00000009\00000000]
@DACL=(02 0000)
"Type"=hex:12,00,00,00
"Data"=hex:4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\Default_Monitor\5&28b228d&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0000000E\00000000]
@DACL=(02 0000)
"Type"=hex:07,00,00,00
"Data"=hex:00,00,ff,0d

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\GSM4A61\5&28b228d&0&UID256\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000003\00000000]
@DACL=(02 0000)
"Type"=hex:12,00,00,00
"Data"=hex:6d,00,6f,00,6e,00,69,00,74,00,6f,00,72,00,2e,00,69,00,6e,00,66,00,
3a,00,47,00,65,00,6e,00,65,00,72,00,69,00,63,00,2e,00,4e,00,54,00,78,00,38,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\GSM4A61\5&28b228d&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\00000002\00000000]
@DACL=(02 0000)
"Type"=hex:10,00,00,00
"Data"=hex:00,80,8c,a3,c5,94,c6,01

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\GSM4A61\5&28b228d&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\00000003\00000000]
@DACL=(02 0000)
"Type"=hex:12,00,00,00
"Data"=hex:36,00,2e,00,30,00,2e,00,36,00,30,00,30,00,31,00,2e,00,31,00,38,00,
30,00,30,00,30,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\GSM4A61\5&28b228d&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\00000004\00000000]
@DACL=(02 0000)
"Type"=hex:12,00,00,00
"Data"=hex:47,00,65,00,6e,00,65,00,72,00,69,00,63,00,20,00,50,00,6e,00,50,00,
20,00,4d,00,6f,00,6e,00,69,00,74,00,6f,00,72,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\GSM4A61\5&28b228d&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\00000005\00000000]
@DACL=(02 0000)
"Type"=hex:12,00,00,00
"Data"=hex:6d,00,6f,00,6e,00,69,00,74,00,6f,00,72,00,2e,00,69,00,6e,00,66,00,
00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\GSM4A61\5&28b228d&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\00000006\00000000]
@DACL=(02 0000)
"Type"=hex:12,00,00,00
"Data"=hex:50,00,6e,00,50,00,4d,00,6f,00,6e,00,69,00,74,00,6f,00,72,00,2e,00,
49,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\GSM4A61\5&28b228d&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\00000008\00000000]
@DACL=(02 0000)
"Type"=hex:12,00,00,00
"Data"=hex:2a,00,70,00,6e,00,70,00,30,00,39,00,66,00,66,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\GSM4A61\5&28b228d&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\00000009\00000000]
@DACL=(02 0000)
"Type"=hex:12,00,00,00
"Data"=hex:4d,00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\GSM4A61\5&28b228d&0&UID256\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0000000E\00000000]
@DACL=(02 0000)
"Type"=hex:07,00,00,00
"Data"=hex:00,20,ff,0d

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&28b228d&0&UID272\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000003\00000000]
@DACL=(02 0000)
"Type"=hex:12,00,00,00
"Data"=hex:6f,00,65,00,6d,00,33,00,39,00,2e,00,69,00,6e,00,66,00,3a,00,48,00,
50,00,3a,00,77,00,32,00,34,00,30,00,38,00,5f,00,44,00,2e,00,49,00,6e,00,73,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&28b228d&0&UID272\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\00000002\00000000]
@DACL=(02 0000)
"Type"=hex:10,00,00,00
"Data"=hex:00,c0,f9,26,96,92,c7,01

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&28b228d&0&UID272\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\00000003\00000000]
@DACL=(02 0000)
"Type"=hex:12,00,00,00
"Data"=hex:31,00,2e,00,35,00,30,00,2e,00,30,00,2e,00,30,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&28b228d&0&UID272\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\00000004\00000000]
@DACL=(02 0000)
"Type"=hex:12,00,00,00
"Data"=hex:48,00,50,00,20,00,77,00,32,00,34,00,30,00,38,00,20,00,57,00,69,00,
64,00,65,00,20,00,4c,00,43,00,44,00,20,00,4d,00,6f,00,6e,00,69,00,74,00,6f,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&28b228d&0&UID272\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\00000005\00000000]
@DACL=(02 0000)
"Type"=hex:12,00,00,00
"Data"=hex:6f,00,65,00,6d,00,33,00,39,00,2e,00,69,00,6e,00,66,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&28b228d&0&UID272\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\00000006\00000000]
@DACL=(02 0000)
"Type"=hex:12,00,00,00
"Data"=hex:77,00,32,00,34,00,30,00,38,00,5f,00,44,00,2e,00,49,00,6e,00,73,00,
74,00,61,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&28b228d&0&UID272\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\00000008\00000000]
@DACL=(02 0000)
"Type"=hex:12,00,00,00
"Data"=hex:6d,00,6f,00,6e,00,69,00,74,00,6f,00,72,00,5c,00,68,00,77,00,70,00,
32,00,36,00,63,00,66,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&28b228d&0&UID272\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\00000009\00000000]
@DACL=(02 0000)
"Type"=hex:12,00,00,00
"Data"=hex:48,00,50,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&28b228d&0&UID272\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0000000E\00000000]
@DACL=(02 0000)
"Type"=hex:07,00,00,00
"Data"=hex:00,00,ff,0d

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&28b228d&0&UID273\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000003\00000000]
@DACL=(02 0000)
"Type"=hex:12,00,00,00
"Data"=hex:6f,00,65,00,6d,00,33,00,39,00,2e,00,69,00,6e,00,66,00,3a,00,48,00,
50,00,3a,00,77,00,32,00,34,00,30,00,38,00,5f,00,44,00,2e,00,49,00,6e,00,73,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&28b228d&0&UID273\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\00000002\00000000]
@DACL=(02 0000)
"Type"=hex:10,00,00,00
"Data"=hex:00,c0,f9,26,96,92,c7,01

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&28b228d&0&UID273\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\00000003\00000000]
@DACL=(02 0000)
"Type"=hex:12,00,00,00
"Data"=hex:31,00,2e,00,35,00,30,00,2e,00,30,00,2e,00,30,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&28b228d&0&UID273\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\00000004\00000000]
@DACL=(02 0000)
"Type"=hex:12,00,00,00
"Data"=hex:48,00,50,00,20,00,77,00,32,00,34,00,30,00,38,00,20,00,57,00,69,00,
64,00,65,00,20,00,4c,00,43,00,44,00,20,00,4d,00,6f,00,6e,00,69,00,74,00,6f,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&28b228d&0&UID273\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\00000005\00000000]
@DACL=(02 0000)
"Type"=hex:12,00,00,00
"Data"=hex:6f,00,65,00,6d,00,33,00,39,00,2e,00,69,00,6e,00,66,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&28b228d&0&UID273\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\00000006\00000000]
@DACL=(02 0000)
"Type"=hex:12,00,00,00
"Data"=hex:77,00,32,00,34,00,30,00,38,00,5f,00,44,00,2e,00,49,00,6e,00,73,00,
74,00,61,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&28b228d&0&UID273\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\00000008\00000000]
@DACL=(02 0000)
"Type"=hex:12,00,00,00
"Data"=hex:6d,00,6f,00,6e,00,69,00,74,00,6f,00,72,00,5c,00,68,00,77,00,70,00,
32,00,36,00,63,00,66,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&28b228d&0&UID273\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\00000009\00000000]
@DACL=(02 0000)
"Type"=hex:12,00,00,00
"Data"=hex:48,00,50,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&28b228d&0&UID273\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0000000E\00000000]
@DACL=(02 0000)
"Type"=hex:07,00,00,00
"Data"=hex:00,00,ff,0d

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&28b228d&0&UID83886353\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26CF\5&28b228d&0&UID83886353\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(712)
c:\progra~1\SPEEDB~1\sblsp.dll
c:\program files\SpeedBit Video Accelerator\Accelerator.dll
c:\program files\SpeedBit Video Accelerator\Collector.dll
.
Completion time: 2010-07-23 14:19:29
ComboFix-quarantined-files.txt 2010-07-23 13:19
ComboFix2.txt 2010-07-21 18:37

Pre-Run: 301,340,987,392 bytes free
Post-Run: 301,292,777,472 bytes free

- - End Of File - - FAA4D7BC14AAD32038EC306A1DAF7017

--------------


#8 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:09:38 AM

Posted 23 July 2010 - 09:10 AM

Hi,

How's the computer running now?


======================================


I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators)


#9 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:09:38 AM

Posted 25 July 2010 - 05:37 PM

Are you still with me?

~Semp



#10 Brightraven94
  • Topic Starter
  • Members
  • 23 posts
  • Local time:02:38 AM

Posted 25 July 2010 - 06:05 PM

Yes, definitely, still with you. My apologies for the delay. We have been to a wedding over the weekend (Saturday and Sunday) and have just returned (It is nearly midnight so I must leave the ESET until tomorrow). Before I went I decided to wait until I had ran the ESET programme before responding but had problems with it. Firstly, it ran for some time and several problems began to be listed. I had suspected that there would be problems, hence my contacting you in the first place although everything SEEMED ok after running all of my AVs and Anti-Spyware, etc.. I was pretty certain that some Malware was sitting on my drive. A bit later, my screensaver kicked in (Sadly I had forgotten about that or I would have disbled it). Not knowing whether or not the ESET run had actually finished or not, I did the standard "Hit the space bar" to bring the screen back up and ESET had stopped "Due to user intervention". Hmm. I saved the list and shall enclose it along with the full test which I shall run ASAP tomorrow. Thank you again for your time. Although I am babysitting > 8 AM tomorrow\today, I shall try to get this done as soon as I am able to. Please bear with me. Thank you again.

#11 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:09:38 AM

Posted 26 July 2010 - 07:39 AM

No worries. Just inform me if you will not be able to reply so that I will not think that you have already abandoned this thread.

~Semp



#12 Brightraven94
  • Topic Starter
  • Members
  • 23 posts
  • Local time:02:38 AM

Posted 26 July 2010 - 11:18 AM

At last. I began the scan around 08.30 this morning and it did not finish until 10 minutes or so ago (15:30 hrs). I enclose the two scan results, the first being incomplete although threats were deleted, along with the results of the 2nd full scan. My apologies for the wait, due in the main to circumstances beyond my control.

------------------------
1st incomplete scan (1 hour scanning).

C:\Program Files\ophcrack\pwdump\lsremora.dll Win32/PSWTool.PWDump6 application cleaned by deleting - quarantined
C:\Program Files\ophcrack\pwdump\pwdump6_setup.exe Win32/PSWTool.PWDump6 application cleaned by deleting - quarantined
C:\Program Files\ophcrack\pwdump\servpw.exe Win32/PSWTool.PWDump6 application cleaned by deleting - quarantined
C:\Users\PC1\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\2b46d1a6-5e158bfb a variant of Java/TrojanDownloader.Agent.NAN trojan deleted - quarantined
C:\Users\PC1\Downloads\7zip.uk02.exe a variant of Win32/Adware.DoubleD.AF application deleted - quarantined
C:\Users\PC1\Downloads\FREE Password Cracker ophcrack-win32-installer-3.3.0.exe Win32/PSWTool.PWDump6 application deleted - quarantined
C:\Users\PC1\Downloads\jZipV1c.exe a variant of Win32/Adware.Toolbar.Shopper.AA application deleted - quarantined
C:\Users\PC1\Downloads\Nero-8.3.13.0_all_update (1).exe Win32/Toolbar.AskSBar application deleted - quarantined
C:\Users\PC1\Downloads\Nero-8.3.13.0_all_update.exe Win32/Toolbar.AskSBar application deleted - quarantined

2nd (Full) scan. (Five and a half hours, total of 6.5Hrs scanning).

F:\PC\Backup Set 2010-07-17 222511\Backup Files 2010-07-17 222511\Backup files 38.zip a variant of Java/TrojanDownloader.Agent.NAN trojan deleted - quarantined
L:\Installs\Nero-8.3.13.0_all_update.exe Win32/Toolbar.AskSBar application deleted - quarantined
M:\Downloads\adrmpro2.exe probably a variant of Win32/Adware.Agent application cleaned by deleting - quarantined
M:\Downloads\Nero-8.3.6.0_eng_update.exe Win32/Toolbar.AskSBar application deleted - quarantined
M:\Downloads\Software\7zip.uk02.exe a variant of Win32/Adware.DoubleD.AF application deleted - quarantined
M:\Installs\7zip.uk02.exe a variant of Win32/Adware.DoubleD.AF application deleted - quarantined
----------
END.

Thank you again for your patience.
----
The site is not accepting this reply (15:40) so I assume that it is being serviced. I shall try again until it is accepted. After several more attempts, another one at 17:16.

#13 Brightraven94
  • Topic Starter
  • Members
  • 23 posts
  • Local time:02:38 AM

Posted 26 July 2010 - 11:28 AM

I have just seen this so I am replying somewhat later.

QUOTE(sempai @ Jul 26 2010, 01:39 PM)
No worries. Just inform me if you will not be able to reply so that I will not think that you have already abandoned this thread.


Ok. No problem. I should have told you that I was away to a wedding and would be away for a while but I had a lot to do so I forgot my manners. Please excuse me. Assuming that I am able to, I will inform you if I am away again b4 this is sorted but rest assured, I will not just abandon this thread. I do not work that way. I stick to the end and will finish only when all is sorted. Thank you again for your assistance.

Edited by Brightraven94, 26 July 2010 - 11:28 AM.


#14 sempai

    noypi

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:09:38 AM

Posted 27 July 2010 - 05:09 AM

How's the computer running now?


================================


1. Please run Malwarebytes Anti-Malware. Go to update tab and download all updates and then perform a full scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

2. Please go to Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
Note: Kaspersky online scan may take time to complete, please be patient.

~Semp



#15 Brightraven94
  • Topic Starter
  • Members
  • 23 posts
  • Local time:02:38 AM

Posted 27 July 2010 - 07:01 AM

Hi, Just running Malwarebytes scan now so this will obviously take some time, especially with another scan to run after it with Kaspersky.

As for the computer itself, my PC has run OK since before I contacted you, as I mentioned earlier, but I was certain that some malicious rootkit or malware was still hidden onboard so needed a good check from someone more knowledgeable than I to renew confidence previously known. I did not feel that an on-line scan would necessarily get rid of potential problems even with all my on-board AV and anti-spyware up-to-date.

I was foolish to fall for that scam and I know it but was uncertain so fell for it. Being woken up at the time when my guard was not so acute did not help either. That will not happen again (I hope!). First time in 20 years so chagrin and embarrassment is the order of the day. I have kept malware at bay up until now and did this to myself which is all the more galling. I am well aware that NO AV OR ANTI-SPYWARE etc. is 100% foolproof so even with two AV and other software permanently running I am aware that things can still get past one's security. I note that you\I have used two on-line scanners and I do that now and again. I rarely have a problem as my security is usually good but letting anyone control by remote is an obvious downer when that control is evil.

As I mentioned earlier, I had found many ROOT-GENs (?) on one (MALWAREBYTES) scan after the remote and thought that they were due to the remote. Several of the scan problems brought to light then and since, I suspect, would\might have been captured by normal means but SWP? "DUMPs" look very suspicious. Others were merely dubious "trackers" loaded with unwanted Toolbars which are more often than not discarded. I feel much happier knowing that you are helping to clean my mess up. Thank you again. I shall respond as soon as the two scans are finished. No doubt that will be in several hours time.



