Win32: Yabector, Java: Agent DV, GM, & DM, Orbtray


This topic is locked
14 replies to this topic

#1 Angbblue

  • Members
  • 35 posts
  • Gender:Female
  • Location:Seattle, Washington

Posted 31 May 2011 - 05:53 PM

At first I thought my worst problems were when I downloaded TWC Screensaver. I didn't like it, I did a thorough uninstall with Revo Uninstaller, and found that I could no longer connect to the internet afterward. I used system restore to put things back as they were, internet connection was fixed. Since then, I have tried everything to stop the TWC software from automatically starting with my system. I've used msconfig, I've gone into the Control Panel where I edit my services, tried to stop it in the properties folder. It's not really a nuisance (that I'm aware of) except that it won't behave like the rest of them normally behave. Anyway, I've been noticing new running processes in my task manager. I'm lucky to get two words before the ....of the running file descriptions. I've also noticed strange file names like eBay in my program files. For the past few weeks my computer has been showing mild signs that it might be infected. It's been running sluggish off and on for about three weeks now. It's been doing this weird blinky thing where icon names and drop down menus would blink real fast. My task manager showed my CPU usage was spiked up to like 95 and 100%. The little CPU numbers and meter were moving up and down from 10-100 so fast I could barely see the numbers. I've been running my HijackThis scans a lot the past two weeks. I upload my results to Log file auswertung. They have been all clean. I scanned with Malwarebytes Anti-Malware (after updating) a full scan, then a quick scan a few days ago. Zero infections. About 10 days ago, I ran a quick system scan with Avast after being alerted of files being found and quarantined. I'm sending the screen shot. The scan was fine afterward, zero infection. So, last night I noticed on my uninstall list in Revo Uninstaller the Java files looked strange. The Company name was Orade, and the website was typed with a bunch of periods in between the words.
So, I did a custom scan with Avast choosing files that looked strange and all the Windows files. Actually, I did two scans. I accidentally stopped the scan after it found the first infections, ran it again resulting in more infections found. I'm sending you those log files as well. I started researching the names of the threats Win32: Yabector-B was one of them to try to see how big of trouble I'm actually in. I almost downloaded Microsoft's malware removal tools. I'm so glad I came here first and learned of all the problems caused by those exact tools. Here I found a program called autoruns which I installed, and ran, and found an unbelievable amount of files that didn't have certificates, and that my Google searches were telling me were viruses of some type or another. Usually I don't take the Google search thing too seriously, and it takes a long time to find concrete info on files of that type. The thing that worried me most was all the strange running processes just appearing randomly from nowhere in my task manager, and I wasn't recognizing the names of all these files in my autoruns results either. I didn't attach a copy of the autoruns, but easily can if you need me to. So, that's all. I hope this helped some. I thank you so very much for your help. One last thing, the GMER scan produced an error pop up saying it was unable to get to the PC Doctor snapshot installation directory. I've never used the PC Doctor. Is it a rogue scanner of sorts (it sounds like one)? Anyway, here's your requested log files plus a few of my scan results.







Attached File: Untitled4.png (20.05KB)





#2 SweetTech

    Agent ST

  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 09 June 2011 - 11:24 AM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, has resulted in the delayed response to your thread.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days; failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

Rootkit UnHooker (RkU)
Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth Code, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".



NEXT:


Running OTL

We need to create a FULL OTL Report
  • Please download OTL from here:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList".
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized

NEXT:


Please provide an update on how things are running in your next reply.

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 Angbblue
  • Topic Starter

  • Members
  • 35 posts
  • Gender:Female
  • Location:Seattle, Washington

Posted 09 June 2011 - 12:48 PM

Hi ST. I had a problem with the RkU. I chose link #1 for my download. I noticed right away that I was not prompted by my browser, which is Google Chrome, as to what to do with the file (save or cancel download) as I have always been prompted in the past. Against my better judgement (please kick me now), I ran the file RKUnhookerLE; all it did was reboot my computer and nothing after I logged in. I also scanned the file with Avast and no infection was found there. I will continue on with your instructions, putting this one on hold until I hear from you on what I should do next.

PS. Thank you so much for taking your time to help me. I do appreciate it very much. Have a nice day
Angie

Hi ST. I downloaded the OTL, ran as administrator, and got a pop-up message "OTL has quit working". I went into the properties, clicked unblock program, apply, close. Tried to run again, "OTL has quit working". I added the install file (the one on my desktop) to my data execution prevention list and still got the pop-up message. I figured I best quit at this point as I'll probably end up blowing the machine up one way or the other, haha. I'm patiently awaiting further instructions.

Upon checking my settings in my Chrome Browser, I discovered that I have "selected certain files to open automatically after downloading". I don't remember doing that. Actually the fact that this is an option is outrageous to me as well as very dangerous. I cleared the auto open settings and put it back to ask me each time.

Edited by Angbblue, 09 June 2011 - 01:12 PM.



#4 SweetTech

    Agent ST

  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 09 June 2011 - 01:10 PM

Hi!

Please try downloading OTL from this link here and attempt to run a scan with it.

Edited by SweetTech, 09 June 2011 - 01:10 PM.



#5 Angbblue
  • Topic Starter

  • Members
  • 35 posts
  • Gender:Female
  • Location:Seattle, Washington

Posted 09 June 2011 - 02:45 PM

I downloaded the OTL from the link you provided. I still get "OTL has stopped working". I right clicked it and chose install and got screensaver settings for OTL screensaver underneath the "OTL has stopped working" pop-up.



#6 SweetTech

    Agent ST

  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 09 June 2011 - 02:52 PM

Try this tool:

Scanning with DDS

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.
-----------------------------------------------------

Please include the following logs in your thread:
  • Post the contents of the DDS.txt & Attach.txt reports in your next reply.

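The DDS.txt report that the steps above produce has a "Pseudo HJT Report", a "FIREFOX" and a "SERVICES / DRIVERS" section, and a helper reads a few line types in those sections before anything else: a toolbar or BHO that is still registered but has no DLL behind it, an Image File Execution Options entry that silently redirects a program to another executable, a service whose file DDS cannot find ("[x]"), a Firefox search preference pointing at a third-party URL, and a Run entry that loads a DLL through rundll32. The following triage script is an added example, not code from the thread, from BleepingComputer or from the DDS tool; it assumes only the line formats visible in a DDS.txt report, and the sample lines, the Finding class and the category names are constructed for this example.

```python
"""Triage the DDS.txt line types a malware-removal helper reads first.

Added example, not from the thread or the DDS tool. The regular expressions
follow the line formats visible in a DDS.txt report; the Finding class and
the category names are this example's own.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str  # which indicator type matched
    item: str      # the name, executable or service the line refers to
    detail: str    # what the reviewer should check next


# Constructed sample lines in DDS.txt format (a few lines, not a full report).
# DDS writes "hxxp" for "http" so that pasted URLs are not clickable.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.msn.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} -
mRun: [avast] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [LXDDCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXDDtime.dll,_RunDLLEntry@16
IFEO: mDNSResponder.exe - rundll32.exe
IFEO: PC_Checkup.exe - rundll32.exe
.
================= FIREFOX ===================
.
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1320680&SearchSource=3&q={searchTerms}
.
============= SERVICES / DRIVERS ===============
.
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-12-31 42184]
S3 AppBoosterService;AppBooster Service; [x]
S4 JQC;JQC; [x]
"""

# "TB: <name>: {CLSID} -" / "BHO: <name>: {CLSID} -": registered, but the DLL path is empty.
_ORPHAN_RE = re.compile(r"^(?P<kind>BHO|TB): (?P<name>.+?): \{[0-9a-f-]+\} -$", re.I)
# "IFEO: <program> - <debugger>": an Image File Execution Options Debugger value,
# so starting <program> actually starts <debugger>.
_IFEO_RE = re.compile(r"^IFEO: (?P<target>\S+) - (?P<debugger>\S+)$")
# "<start type> <name>;<display name>; [x]": service registered, image file not found.
_SERVICE_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);[^;]*;\s*\[x\]$")
# Firefox search preferences that point at a URL rather than a built-in engine.
_FF_SEARCH_RE = re.compile(
    r"^FF - prefs\.js: (?P<pref>browser\.search\.defaulturl|keyword\.URL) - (?P<url>hxxps?://\S+)$", re.I)
# Run keys that load a DLL through rundll32 instead of starting an EXE directly.
_RUN_RUNDLL_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]+)\] rundll32(?:\.exe)? (?P<dll>\S+)", re.I)


def defanged_host(url):
    """Return the host part of a DDS-style hxxp:// URL."""
    m = re.match(r"hxxps?://([^/?#]+)", url, re.I)
    return m.group(1) if m else url


def triage_dds(text):
    """Return a Finding for every line in a DDS.txt text worth a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := _ORPHAN_RE.match(line):
            findings.append(Finding("orphaned-browser-extension", m["name"],
                f"{m['kind'].upper()} is registered with no DLL path; a leftover from an uninstall"))
        elif m := _IFEO_RE.match(line):
            findings.append(Finding("ifeo-debugger", m["target"],
                f"starting {m['target']} runs {m['debugger']} instead; confirm which product set this"))
        elif m := _SERVICE_RE.match(line):
            findings.append(Finding("service-missing-file", m["name"],
                f"service (start type {m['start']}) is registered but its image file was not found"))
        elif m := _FF_SEARCH_RE.match(line):
            findings.append(Finding("firefox-search-redirect", m["pref"],
                f"search preference points at {defanged_host(m['url'])}; verify the user chose it"))
        elif m := _RUN_RUNDLL_RE.match(line):
            dll = m["dll"].split(",")[0]  # drop the ",EntryPoint" suffix
            findings.append(Finding("run-via-rundll32", m["name"],
                f"autorun loads {dll} through rundll32; check the DLL's publisher and signature"))
    return findings


def summarize(findings):
    """Count findings per category so a long report reads as a short table."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    results = triage_dds(SAMPLE_DDS)
    for f in results:
        print(f"[{f.category}] {f.item}: {f.detail}")
    print(summarize(results))
```

Paste a real DDS.txt into `triage_dds` and the script lists only the lines that need a decision; a match is a prompt to look, not a verdict, since an IFEO entry or a rundll32 autorun can just as well belong to a legitimately installed product.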


#7 Angbblue
  • Topic Starter

  • Members
  • 35 posts
  • Gender:Female
  • Location:Seattle, Washington

Posted 09 June 2011 - 03:02 PM

DDS.txt


.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Administrator at 12:55:34 on 2011-06-09
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1916.1212 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\lxddcoms.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\System32\tcpsvcs.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\System32\vds.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\jureg.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\schtasks.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\svchost.exe -k wcssvc
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.msn.com
uWindow Title = Angie's Internet Browser
uSearch Bar =
mStart Page = hxxp://www.msn.com
mWindow Title = Microsoft Internet Explorer provided by CenturyTel
mSearchAssistant =
mURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: ShareThis: {6a719530-8443-4898-9bc4-69e76b5f1c89} -
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} -
TB: CommentsBar: {5a0035ab-8f83-4d03-be4e-c8267a3a4a1a} -
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [avast] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [LXDDCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXDDtime.dll,_RunDLLEntry@16
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: ValidateAdminCodeSignatures = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Free YouTube Download - c:\users\administrator\appdata\roaming\dvdvideosoftiehelpers\freeyoutubedownload.htm
IE: Free YouTube to MP3 Converter - c:\users\administrator\appdata\roaming\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: invoke.com\www
DPF: {038E2507-7A48-41E2-94AD-7F23D199AF4E} - hxxp://www.worldwinner.com/games/v54/zengems/zengems.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://aol.worldwinner.com/games/v47/shared/FunGamesLoader.cab
DPF: {1D082E71-DF20-4AAF-863B-596428C49874} - hxxp://www.worldwinner.com/games/v50/tpir/tpir.cab
DPF: {42FDC231-A411-45F8-B8B6-3B5026111DA8} - hxxp://www.worldwinner.com/games/v47/solitairerush/solitairerush.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://fb.familylink.com/we_are_related/stream/core/lib/AurigmaImageUploader/ImageUploader5.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} - hxxp://www.worldwinner.com/games/launcher/ie/v2.23.01.0/iewwload.cab
DPF: {94299420-321F-4FF9-A247-62A23EBB640B} - hxxp://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
DPF: {A7846ED2-9DE6-4E8A-B116-A8ACEBFA7DB1} - hxxp://rms2.invokesolutions.com/events/bin/6.2.0.1452/MILive.cab
DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} - hxxp://www.worldwinner.com/games/v67/swapit/swapit.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47}
DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} - hxxp://www.worldwinner.com/games/v44/golfsol/golfsol.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{7FBB9A19-16B8-49CB-9CB6-192B41849BE8} : DhcpNameServer = 192.168.1.1
IFEO: mDNSResponder.exe - rundll32.exe
IFEO: PC_Checkup.exe - rundll32.exe
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\7vw12ox1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1320680&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmidas.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\administrator\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
.
---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-6 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-12-31 307928]
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\elrawdsk.sys [2008-11-29 20392]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-12-31 19544]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-12-31 53592]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-12-31 42184]
R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2010-2-28 821664]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-4-16 21504]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfslh.sys [2010-4-24 550760]
R3 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2010-4-24 483688]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplaylh.sys [2010-4-24 195944]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirlh.sys [2010-4-24 21864]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvollh.sys [2010-4-24 19304]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2010-4-24 209768]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AppBoosterService;AppBooster Service; [x]
S3 BlackBox;BlackBox SR2;c:\windows\system32\drivers\BlackBox.sys [2011-6-9 35712]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-5-28 1153368]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 GGService;GameGround App Service;c:\program files\gameground\ggapp\GGService.exe [2011-2-16 466256]
S4 JQC;JQC; [x]
S4 KHHC;KHHC; [x]
S4 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\speedb~1\videoacceleratorservice.exe -start -scm --> c:\progra~1\speedb~1\VideoAcceleratorService.exe -start -scm [?]
.
=============== File Associations ===============
.
VBEFile=NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2011-06-09 19:18:31 -------- d-----w- c:\program files\Invoke Solutions
2011-06-09 17:32:26 35712 ----a-w- c:\windows\system32\drivers\BlackBox.sys
2011-06-05 12:58:05 -------- d-----w- c:\users\administrator\appdata\roaming\Playrix Entertainment
2011-06-05 12:50:22 -------- d-----w- c:\users\administrator\appdata\local\Yummy_Interactive_Inc
2011-06-05 12:50:20 -------- d-----w- c:\users\administrator\appdata\local\Yummy
2011-06-05 12:43:39 -------- d-----w- c:\program files\common files\YummyInteractiveInc
2011-06-05 12:42:50 -------- d-----w- c:\users\administrator\appdata\local\YummyInteractiveInc
2011-05-31 10:03:40 -------- d-----w- c:\program files\Cobian Backup 10
2011-05-30 05:24:37 2062504 ----a-w- c:\programdata\SPL27CB.tmp
2011-05-29 00:26:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-05-20 02:50:07 -------- d-----w- c:\users\administrator\appdata\roaming\ChromePlus
2011-05-17 17:07:08 -------- d-----w- c:\program files\Windows Journal Viewer
2011-05-17 02:20:56 -------- d-----w- c:\program files\MozBackup
2011-05-11 04:15:31 -------- d-----w- c:\users\administrator\appdata\roaming\DVDVideoSoftIEHelpers
2011-05-11 04:15:05 -------- d-----w- c:\program files\common files\Plasmoo
2011-05-11 04:14:31 -------- d-----w- c:\users\administrator\appdata\roaming\DVDVideoSoft
2011-05-11 04:14:09 -------- d-----w- c:\program files\common files\DVDVideoSoft
2011-05-11 04:14:04 -------- d-----w- c:\program files\DVDVideoSoft
2011-05-11 02:37:23 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
.
==================== Find3M ====================
.
2011-05-10 12:10:59 40112 ----a-w- c:\windows\avastSS.scr
2011-05-10 12:03:54 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-10 11:59:44 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-03-12 21:55:52 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-12 09:44:37 737280 ----a-w- c:\windows\iun6002.exe
2008-10-27 18:38:54 95056 ----a-w- c:\program files\DSETUP.dll
2008-10-27 18:37:34 1692496 ----a-w- c:\program files\dsetup32.dll
2008-10-27 18:36:58 526160 ----a-w- c:\program files\DXSETUP.exe
.
============= FINISH: 12:56:56.32 ===============


Attach.txt


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-03.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 7/26/2008 8:54:51 PM
System Uptime: 6/9/2011 10:33:18 AM (2 hours ago)
.
Motherboard: FOXCONN | | Napa
Processor: Intel® Pentium® Dual CPU E2180 @ 2.00GHz | Socket 775 | 2000/200mhz
.
==== Disk Partitions =========================
.
B: is FIXED (NTFS) - 122 GiB total, 103.178 GiB free.
C: is FIXED (NTFS) - 335 GiB total, 176.071 GiB free.
D: is FIXED (NTFS) - 9 GiB total, 1.307 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0001
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0001
Service: tunmp
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: WAN Miniport (Network Monitor)
Device ID: ROOT\MS_NDISWANBH\0000
Manufacturer: Microsoft
Name: WAN Miniport (Network Monitor)
PNP Device ID: ROOT\MS_NDISWANBH\0000
Service: NdisWan
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: WAN Miniport (IP)
Device ID: ROOT\MS_NDISWANIP\0000
Manufacturer: Microsoft
Name: WAN Miniport (IP)
PNP Device ID: ROOT\MS_NDISWANIP\0000
Service: NdisWan
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: WAN Miniport (IPv6)
Device ID: ROOT\MS_NDISWANIPV6\0000
Manufacturer: Microsoft
Name: WAN Miniport (IPv6)
PNP Device ID: ROOT\MS_NDISWANIPV6\0000
Service: NdisWan
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: WAN Miniport (PPPOE)
Device ID: ROOT\MS_PPPOEMINIPORT\0000
Manufacturer: Microsoft
Name: WAN Miniport (PPPOE)
PNP Device ID: ROOT\MS_PPPOEMINIPORT\0000
Service: RasPppoe
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: WAN Miniport (PPTP)
Device ID: ROOT\MS_PPTPMINIPORT\0000
Manufacturer: Microsoft
Name: WAN Miniport (PPTP)
PNP Device ID: ROOT\MS_PPTPMINIPORT\0000
Service: PptpMiniport
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: RAS Async Adapter
Device ID: SW\{EEAB7790-C514-11D1-B42B-00805FC1270E}\ASYNCMAC
Manufacturer: Microsoft
Name: RAS Async Adapter
PNP Device ID: SW\{EEAB7790-C514-11D1-B42B-00805FC1270E}\ASYNCMAC
Service: AsyncMac
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Ace Explorer (remove only)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.0.1)
Adobe Shockwave Player 11.5
Advanced SystemCare 4
African Safari
Ala Carte 2008
Amazing Adventures The Caribbean Secret
Auslogics BoostSpeed
avast! Free Antivirus
Bejeweled 2 Deluxe 1.1
Bejeweled Twist 1.0
Big Fish Games: Game Manager
Blackbeard's Revenge
Bonus Mania
BonusMania/Vegas
BufferChm
CameraDrivers
CameraUserGuides
CCleaner
Chainz 2
Choice Guard
ChromePlus
Chuzzle Deluxe 1.0
CodecPatch
coralreef_3133975 Screen Saver
CyberLink DVD Suite Deluxe
Desktop Toilet 4.0
DeviceDiscovery
DeviceManagementQFolder
Dream Wallpaper 1.2
Emoticons
Enhanced Multimedia Keyboard Solution
eSupportQFolder
Eusing Free Registry Cleaner
FastStone Image Viewer 3.9
Free Address Book
Free Alarm Clock 2.1.0
Free Studio version 5.0.9
Free Videos To DVD V 3.2.0
Free YouTube Download version 2.10.35.426
fullmoonoverwater_3142291 Screen Saver
G-Force
Game Booster
GameGround App 3.2.0.222
Ghost Town
GoldRush
Google Chrome
Google Gears
Google Toolbar for Internet Explorer
Hardware Diagnostic Tools
Hewlett-Packard Active Check
Hewlett-Packard Asset Agent for Health Check
Hidden Expedition Titanic (remove only)
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Advisor
HP Customer Feedback
HP Imaging Device Functions 9.0
HP Photosmart Cameras 9.0
HP Picasso Media Center Add-In
HP Product Assistant
HP Solution Center 9.0
HP Update
hpicamDrvQFolder
HPProductAssistant
ieSpell
InstantShareDevicesMFC
Invoke Solutions Participant 6.2.0.1452
IrfanView (remove only)
Java Auto Updater
Java DB 10.5.3.0
Java™ 6 Update 24
Java™ SE Development Kit 6 Update 23
Jenkat Games Arcade
Jewel Quest (remove only)
Jewel Quest 2 (remove only)
Jewel Quest Solitaire (remove only)
Jewel Quest Solitaire II (remove only)
Jewel Quest Solitaire III
Jewel Quest Solitaire III (remove only)
Junk Mail filter update
king.com (remove only)
Koffix Blocker
LabelPrint
Lexmark 2500 Series
Lexmark Fax Solutions
lightningstrikes_3123875 Screen Saver
LightScribe System Software
LightScribe Template Labeler
Lost Treasures of Alexandria
Luxor 3
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office Click-to-Run 2010
Microsoft Office Home and Student 2010 - English
Microsoft Office Home and Student 60 day trial
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Windows Journal Viewer
Millionaires Club
MozBackup 1.5.1
Mozilla Firefox 4.0.1 (x86 en-US)
MP3 Rocket
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Mystery Solitaire: Secret Island (remove only)
MysticForest
Nertz Solitaire (remove only)
Next Generation Visualisations
NVIDIA Drivers
NVIDIA nTune
OGA Notifier 2.0.0048.0
Paint.NET v3.5.8
PanoStandAlone
Pat Sajak's Lucky Letters Deluxe
Patch
Peggle Nights Deluxe 1.0
playfuldolphin_3122094 Screen Saver
PopCap Browser Plugin
PowerDirector
PurePlay Poker
Realtek High Definition Audio Driver
Reel Deal Downloads
Reel Deal Slots Adventure
Revo Uninstaller 1.89
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Smileycons 6.0.1
Soft Data Fax Modem with SmartCP
SolutionCenter
SoundTrax
SpeedBit Video Accelerator
Spider Player 2.5.3
Spybot - Search & Destroy
Status
The Price Is Right 1.1.4
The Weather Channel Screensaver
TheSage
Totem Treasure 2
TrayApp
tropicalreef_3116236 Screen Saver
Uninstall 1.0.0.1
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Vista Services Optimizer
Vivitar Experience Image Manager
VLC media player 1.0.5
WalmartPlugout
WebReg
What's Running 3.0
Wheel of Fortune 2 (remove only)
When Icons ATTACK! v 1.3
WhiteCap
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Player Firefox Plugin
WinPatrol
winterbeauty_3066700 Screen Saver
WinUtilities 10.0 Free Edition
WinUtilities Process Security 2.0
Woodsy Winnings
Yahoo! Browser Services
Yahoo! Software Update
Yahoo! Toolbar
Yahtzee Download Edition
Zamora Personality Test
Zuma's Revenge!
.
==== Event Viewer Messages From Past Week ========
.
6/9/2011 3:09:25 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.47 for the Network Card with network address 001C255185FC has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
6/9/2011 3:08:20 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.15.100 for the Network Card with network address 001C255185FC has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
6/9/2011 10:34:35 AM, Error: Microsoft-Windows-WMPNSS-Service [14344] - A new media server was not initialized because WMCreateDeviceRegistration() encountered error '0xc00d2751'. The Windows Media DRM components on your computer might be corrupted. Verify that protected files play correctly in Windows Media Player, and then restart the WMPNetworkSvc service.
6/9/2011 10:34:15 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl SBRE
6/9/2011 10:34:10 AM, Error: Microsoft-Windows-PrintSpooler [72] - Windows could not initialize printer Journal Note Writer because the print processor JournalPrint could not be found. Please obtain and install a new version of the driver from the manufacturer (if available), or choose an alternate driver that works with this print device.
6/9/2011 10:33:44 AM, Error: EventLog [6008] - The previous system shutdown at 10:32:29 AM on 6/9/2011 was unexpected.
6/9/2011 10:33:38 AM, Error: volmgr [46] - Crash dump initialization failed!
6/8/2011 3:43:41 PM, Error: Service Control Manager [7022] - The Diagnostic Service Host service hung on starting.
6/6/2011 7:46:55 PM, Error: Service Control Manager [7034] - The Yahoo! Updater service terminated unexpectedly. It has done this 1 time(s).
6/6/2011 7:46:40 PM, Error: Service Control Manager [7034] - The lxdd_device service terminated unexpectedly. It has done this 1 time(s).
6/6/2011 7:19:40 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.15.101 for the Network Card with network address 001C255185FC has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
6/2/2011 11:57:09 PM, Error: Service Control Manager [7034] - The Simple TCP/IP Services service terminated unexpectedly. It has done this 1 time(s).
6/2/2011 11:56:39 PM, Error: Service Control Manager [7034] - The SBSD Security Center Service service terminated unexpectedly. It has done this 1 time(s).
.
==== End Of File ===========================



#8 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:02:29 AM

Posted 09 June 2011 - 03:07 PM

Hi!


Disable SpyBot TeaTimer
We need to disable Spybot S&D's "TeaTimer".
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy


NEXT:


Running ComboFix
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.



The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#9 Angbblue

Angbblue
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Seattle, Washington
  • Local time:11:29 PM

Posted 10 June 2011 - 09:55 PM

Hi. I'll start by saying I followed your directions perfectly. I disabled Spybot tea timer and closed Spybot, downloaded Combo Fix & saved it to the desktop. I was prompted to update Combo Fix and said no.
I disabled Avast until next reboot. I set my Vista settings a long time ago so I am the real administrator with elevated privileges. Anyway, now the real fun (not really) begins. I double click CF (Combo Fix) to run, and the first thing I see in the blue box is "Please wait CF preparing to run....Access denied Admin. permissions are needed to use the selected options use an Admin. cmd prompt." So I closed CF, right click run as Admin., same message. So, I opened an Administrator cmd prompt, did the file path thing, pressed enter to run CF. Same message. I know I did the administrator cmd prompt correctly. I opened CF right up in the little black box simple except without desired results. Anyway, CF kept right on going, scanning and creating its #'d list, not appearing to be having problems with denied access until stage 38. Under 38 the "access denied Admin. privileges..." appeared again; it kept right on going though until the end without any more problems that I could see. It visibly deleted 2 Firefox profile files, then finished up with the .txt file. I copied the txt file to send to you, went to open Google Chrome Browser and was given a popup message "Illegal operation attempted on a registry key that has been marked for deletion". I'll make this short by saying that I got that exact same pop up with 3 other browsers and every file on my desktop as well. Soooo, I restarted my PC in recovery mode, accessed system restore, noticed that the restore point that CF allegedly created was not there; I would have chosen the restore point at 10am yesterday morning anyway, just as I did today. Rebooted, everything seems OK except my internet is noticeably slower than normal now. I'm not sure where that leaves us now. The log file should not be any different than if it were created yesterday at 10am, but I'm clueless about these things.
No damage was done that I can notice. I own my recovery disks, and anything I care about is on a thumb drive, so a complete system restore is tedious and inconvenient, but not the worst thing (by far) that could happen to me. A less experienced computer user would not be thinking that right now though, as he or she would still be trying to figure out how to access their not deleted, but marked for deletion files (strange to me). OK, I'll spare you any more chatter, and paste the log file below. Thank you once again for your help. Have a good night.

ComboFix 11-06-10.01 - Administrator 06/10/2011 5:32.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1916.949 [GMT -7:00]
Running from: c:\users\Administrator\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Administrator\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
c:\users\Angie\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
c:\users\Angie\infinst.exe
c:\windows\msvrc20.dll
c:\windows\system32\jusched.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-05-10 to 2011-06-10 )))))))))))))))))))))))))))))))
.
.
2011-06-10 12:46 . 2011-06-10 12:46 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2011-06-10 12:46 . 2011-06-10 12:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-10 12:46 . 2011-06-10 12:46 -------- d-----w- c:\users\Angie\AppData\Local\temp
2011-06-09 19:18 . 2011-06-09 19:18 -------- d-----w- c:\program files\Invoke Solutions
2011-06-09 17:32 . 2011-06-09 17:32 35712 ----a-w- c:\windows\system32\drivers\BlackBox.sys
2011-06-05 12:58 . 2011-06-05 12:58 -------- d-----w- c:\users\Administrator\AppData\Roaming\Playrix Entertainment
2011-06-05 12:50 . 2011-06-05 12:50 -------- d-----w- c:\users\Administrator\AppData\Local\Yummy
2011-06-05 12:43 . 2011-06-05 12:43 -------- d-----w- c:\program files\Common Files\YummyInteractiveInc
2011-05-31 10:03 . 2011-05-31 10:07 -------- d-----w- c:\program files\Cobian Backup 10
2011-05-30 05:24 . 2011-05-30 05:24 2062504 ----a-w- c:\programdata\SPL27CB.tmp
2011-05-29 00:26 . 2011-05-29 00:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-05-26 08:11 . 2011-05-26 08:11 -------- d-----w- c:\users\Administrator\AppData\Roaming\dvdcss
2011-05-20 02:50 . 2011-05-20 03:21 -------- d-----w- c:\users\Administrator\AppData\Roaming\ChromePlus
2011-05-17 17:07 . 2011-05-17 17:07 -------- d-----w- c:\program files\Windows Journal Viewer
2011-05-17 02:20 . 2011-05-17 02:20 -------- d-----w- c:\program files\MozBackup
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-10 12:10 . 2010-12-31 15:52 40112 ----a-w- c:\windows\avastSS.scr
2011-05-10 12:10 . 2010-12-31 15:52 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-10 12:03 . 2011-03-06 23:05 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-10 12:03 . 2010-12-31 15:53 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-10 12:02 . 2010-12-31 15:53 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-10 11:59 . 2010-12-31 15:53 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-10 11:59 . 2010-12-31 15:53 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-05-10 11:59 . 2010-12-31 15:53 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-03-31 09:32 . 2011-03-31 09:32 161792 ----a-w- c:\windows\system32\msls31.dll
2011-03-31 09:32 . 2011-03-31 09:32 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-03-31 09:32 . 2011-03-31 09:32 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-03-31 09:32 . 2011-03-31 09:32 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-03-31 09:32 . 2011-03-31 09:32 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-03-31 09:32 . 2011-03-31 09:32 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-03-31 09:32 . 2011-03-31 09:32 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-03-31 09:32 . 2011-03-31 09:32 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-03-31 09:32 . 2011-03-31 09:32 367104 ----a-w- c:\windows\system32\html.iec
2011-03-31 09:32 . 2011-03-31 09:32 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-03-31 09:32 . 2011-03-31 09:32 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-03-31 09:32 . 2011-03-31 09:32 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-31 09:32 . 2011-03-31 09:32 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-03-31 09:32 . 2011-03-31 09:32 152064 ----a-w- c:\windows\system32\wextract.exe
2011-03-31 09:32 . 2011-03-31 09:32 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-03-31 09:32 . 2011-03-31 09:32 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-03-31 09:32 . 2011-03-31 09:32 11776 ----a-w- c:\windows\system32\mshta.exe
2011-03-31 09:32 . 2011-03-31 09:32 101888 ----a-w- c:\windows\system32\admparse.dll
2011-03-31 09:32 . 2011-03-31 09:32 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-03-31 09:32 . 2011-03-31 09:32 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-03-31 09:32 . 2011-03-31 09:32 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-03-12 21:55 . 2011-04-27 00:46 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2008-10-27 18:38 . 2008-10-27 18:38 95056 ----a-w- c:\program files\DSETUP.dll
2008-10-27 18:37 . 2008-10-27 18:37 1692496 ----a-w- c:\program files\dsetup32.dll
2008-10-27 18:36 . 2008-10-27 18:36 526160 ----a-w- c:\program files\DXSETUP.exe
2011-04-30 05:53 . 2011-04-03 08:00 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2009-07-25 55072]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2011-03-16 325000]
"avast"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-05-10 3459712]
"LXDDCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXDDtime.dll" [2007-01-22 102400]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"PromptOnSecureDesktop"= 0 (0x0)
"ValidateAdminCodeSignatures"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Launchy.lnk]
backup=c:\windows\pss\Launchy.lnk.CommonStartup
backupExtension=.CommonStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 19:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-06-29 17:21 133104 ----atw- c:\users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jenkat Arcade]
2010-10-07 10:31 221184 ----a-w- c:\users\Angie\AppData\Roaming\Jenkat\Jenkat Games Arcade\NotifyApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 22:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 22:49 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WindowsWelcomeCenter"=rundll32.exe oobefldr.dll,ShowWelcomeCenter
"Jenkat Arcade"=c:\users\Angie\AppData\Roaming\Jenkat\Jenkat Games Arcade\notifyapp.exe
"Smileycons"=c:\program files\Smileycons\smileycons.exe
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R1 SBRE;SBRE; [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 sbbotdi;sbbotdi; [x]
R3 AppBoosterService;AppBooster Service; [x]
R3 BlackBox;BlackBox SR2; [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 GGService;GameGround App Service;c:\program files\GameGround\GGApp\GGService.exe GGService [x]
R4 JQC;JQC; [x]
R4 KHHC;KHHC; [x]
R4 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe [2009-07-08 292472]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\elrawdsk.sys [2009-11-12 20392]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-05-10 53592]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe [2007-02-12 537520]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2010-04-24 550760]
S3 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [2010-04-24 483688]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2010-04-24 195944]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2010-04-24 21864]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2010-04-24 19304]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [2010-04-24 209768]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1471742865-771052735-1817507966-500Core.job
- c:\users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2009-08-16 17:21]
.
2011-06-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1471742865-771052735-1817507966-500UA.job
- c:\users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe [2009-08-16 17:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
mWindow Title = Microsoft Internet Explorer provided by CenturyTel
IE: Free YouTube Download - c:\users\Administrator\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
IE: Free YouTube to MP3 Converter - c:\users\Administrator\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
Trusted Zone: invoke.com\www
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
DPF: {A7846ED2-9DE6-4E8A-B116-A8ACEBFA7DB1} - hxxp://rms2.invokesolutions.com/events/bin/6.2.0.1452/MILive.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\7vw12ox1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1320680&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - chrome://browser-region/locale/region.properties
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{6A719530-8443-4898-9BC4-69E76B5F1C89} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-10 05:46
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXDDCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXDDtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (Administrator)
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,3b,1b,0c,17,c9,
06,9b,bc,e8,0d,b1,9b,bd,17,8b,6a,f9,df
"{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}"=hex:51,66,7a,6c,4c,1d,3b,1b,53,c1,7f,
b1,6e,29,53,09,a2,f7,89,26,b2,e9,64,41
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,3b,1b,54,1f,de,
c5,73,f0,30,0c,a8,79,db,65,c6,81,cc,b5
"{21FA44EF-376D-4D53-9B0F-8A89D3229068}"=hex:51,66,7a,6c,4c,1d,3b,1b,ff,5b,ec,
3f,5b,63,38,02,8f,02,cd,c9,d4,66,d4,74
"{36587A54-C21B-4F3B-B31D-847CAB57F333}"=hex:51,66,7a,6c,4c,1d,3b,1b,44,65,4e,
28,2d,96,50,00,a7,10,c3,3c,ac,13,b7,2f
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (Administrator)
"Timestamp"=hex:ca,49,9e,d2,b5,f5,cb,01
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4f,22,d7,16,e1,c1,84,47,9a,e5,81,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4f,22,d7,16,e1,c1,84,47,9a,e5,81,\
"027C9CB72E593A8F02C55092F385DBAC99DF56D067"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b3,b7,26,34,66,3b,19,4c,b4,b4,29,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4f,22,d7,16,e1,c1,84,47,9a,e5,81,\
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aca\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\PaintDotNet.exe"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.acs\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\notepad.exe"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ani\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.ANI"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.apl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\Spider.exe"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arw\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WindowsLive.PhotoGallery.raw.14.0"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.avi"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avr\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\wksss.exe"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.B3D\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.B3D"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WindowsLive.PhotoGallery.bmp.14.0"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.c2r\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\ehshell.exe"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CAM\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.CAM"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.CDA"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WindowsLive.PhotoGallery.raw.14.0"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WindowsLive.PhotoGallery.raw.14.0"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CUR\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.CUR"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DCM\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.DCM"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcr\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WindowsLive.PhotoGallery.raw.14.0"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DCX\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.DCX"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DDS\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.DDS"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WindowsLive.PhotoGallery.bmp.14.0"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DJVU\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.DJVU"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dll\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\notepad.exe"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dng\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WindowsLive.PhotoGallery.raw.14.0"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ECW\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.ECW"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.emf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.EMF"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Microsoft Internet Mail Message"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.EPS\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.EPS"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.erf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WindowsLive.PhotoGallery.raw.14.0"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.EXR\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.EXR"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.FLV\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\Spider.exe"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.FPX\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.FPX"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.FSH\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.FSH"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.G3\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.G3"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WindowsLive.PhotoGallery.gif.14.0"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.HDP\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.HDP"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ICL\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.ICL"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WindowsLive.PhotoGallery.ico.14.0"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.IFF\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.IFF"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.IMG\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.IMG"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WindowsLive.PhotoGallery.jpg.14.0"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.JLS\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.JLS"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.JNG\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.JNG"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jnt\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\jntview.exe"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.JP2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.JP2"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WindowsLive.PhotoGallery.jpg.14.0"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WindowsLive.PhotoGallery.jpg.14.0"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WindowsLive.PhotoGallery.jpg.14.0"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.JPM\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.JPM"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jtp\UserChoice]
@Denied: (2) (Administrator)
"Progid"="jtpfile"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.kdc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WindowsLive.PhotoGallery.raw.14.0"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.LDF\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.LDF"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.LWF\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.LWF"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2V\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M3U"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MED\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.MED"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.MHT"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.MHT"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MNG\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.MNG"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.MOV"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP3"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mrw\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WindowsLive.PhotoGallery.raw.14.0"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nef\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WindowsLive.PhotoGallery.raw.14.0"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.NLM\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.NLM"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.OGG\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.OGG"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.orf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WindowsLive.PhotoGallery.raw.14.0"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.PBM\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.PBM"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.PCD\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.PCD"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.PCX\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.PCX"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdn\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Paint.NET.1"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pef\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WindowsLive.PhotoGallery.raw.14.0"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.PGM\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.PGM"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WindowsLive.PhotoGallery.png.14.0"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.PPM\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.PPM"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.PSD\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.PSD"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.PSP\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.PSP"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ptx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WindowsLive.PhotoGallery.raw.14.0"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.RA\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.RA"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WindowsLive.PhotoGallery.raw.14.0"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.RAS\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.RAS"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.RAW\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.RAW"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rle\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.RLE"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.SFF\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.SFF"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.SFW\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.SFW"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.SGI\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.SGI"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.SID\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.SID"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sr2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WindowsLive.PhotoGallery.raw.14.0"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WindowsLive.PhotoGallery.raw.14.0"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.SWF\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.SWF"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TGA\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.TGA"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WindowsLive.PhotoGallery.tif.14.0"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WindowsLive.PhotoGallery.tif.14.0"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.TTF"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.URL"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAV"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAX"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WBMP\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.WBMP"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wdp\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WindowsLive.PhotoGallery.wdp.14.0"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMA"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMD"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.WMF"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMS"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMV"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMZ"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WPL"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WVX"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.x3f\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WindowsLive.PhotoGallery.raw.14.0"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.XBM\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.XBM"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.XPM\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IrfanView.XPM"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="REMOVED"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-06-10 05:50:03
ComboFix-quarantined-files.txt 2011-06-10 12:50
.
Pre-Run: 189,376,839,680 bytes free
Post-Run: 189,287,342,080 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10
- - End Of File - - 12762BB0D8620F7F2C0E6D998AE75368

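The log above ends with a long run of `FileExts\<ext>\UserChoice` blocks, each carrying an `@Denied` line and a `Progid` value. As an added example (not part of the original thread, and not ComboFix's own code), here is a small Python parser for that registry-dump layout. It extracts the key path, the `@Denied`/`@Allowed` entries and the values of each block, then lists every per-extension UserChoice handler and flags the ones whose `Progid` names a bare executable under `Applications\` rather than a registered ProgID, which is where a reviewer would start when checking which program actually opens a given extension. The sample dump is constructed from a few of the blocks above; the `Applications\` rule is a triage heuristic of this example, not a verdict on the machine in the thread, and the deny entries by themselves are not evidence of tampering, since Windows normally places a deny entry on UserChoice keys itself.

```python
"""Parse the registry-dump section of a ComboFix log and list the per-extension
UserChoice handlers, flagging those that point at a bare executable."""
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the log above (three FileExts\UserChoice
# blocks and the ControlSet block). Assumption: a real run reads ComboFix.txt.
SAMPLE_DUMP = r"""
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.avi"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avr\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\wksss.exe"
.
[HKEY_USERS\S-1-5-21-1471742865-771052735-1817507966-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dll\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\notepad.exe"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                                    # [HKEY_...]
ACL_RE = re.compile(r"^@(Denied|Allowed):\s*\(([^)]*)\)\s*\(([^)]*)\)$")  # @Denied: (2) (Administrator)
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')                              # "Name"=<data>
USERCHOICE_RE = re.compile(r"\\FileExts\\(\.[^\\]+)\\UserChoice$", re.IGNORECASE)


@dataclass
class RegKey:
    path: str
    acl: list = field(default_factory=list)    # (verdict, rights, principal)
    values: dict = field(default_factory=dict)  # value name -> decoded data


def unescape_reg_string(raw):
    """Decode a .reg-style quoted string: \\" -> " and \\\\ -> \\.
    Non-string data (dword:..., hex:...) is returned verbatim."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace('\\\\', '\\')
    return raw


def parse_dump(text):
    """Split the dump into RegKey records; a lone '.' line is only a spacer."""
    keys, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == ".":
            continue
        m = KEY_RE.match(line)
        if m:
            current = RegKey(m.group(1))
            keys.append(current)
            continue
        if current is None:
            continue
        m = ACL_RE.match(line)
        if m:
            current.acl.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = VAL_RE.match(line)
        if m:
            current.values[m.group(1)] = unescape_reg_string(m.group(2))
    return keys


def userchoice_entries(keys):
    """One record per FileExts\\<ext>\\UserChoice key: extension, handler ProgID,
    whether a deny entry names Administrator, and whether the ProgID is a bare
    application reference instead of a registered ProgID."""
    out = []
    for k in keys:
        m = USERCHOICE_RE.search(k.path)
        if not m:
            continue
        progid = k.values.get("Progid", "")
        out.append({
            "ext": m.group(1),
            "progid": progid,
            "admin_denied": any(v == "Denied" and p == "Administrator" for v, _, p in k.acl),
            "raw_app": progid.lower().startswith("applications\\"),
        })
    return out


def flag_for_review(keys):
    """Heuristic (this example's own rule): handlers that name an executable
    directly deserve a look at the file's path, signature and install source."""
    return [e for e in userchoice_entries(keys) if e["raw_app"]]


if __name__ == "__main__":
    import sys
    # Usage: python combofix_userchoice.py [ComboFix.txt]  (file name is hypothetical)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for e in userchoice_entries(parse_dump(text)):
        mark = "REVIEW" if e["raw_app"] else "ok"
        print(f"{mark:6} {e['ext']:8} -> {e['progid']}  (admin deny: {e['admin_denied']})")
```

On the sample, `.avi` maps to the Windows Media Player ProgID and is left alone, while `.avr` and `.dll` are listed for review because their handler is an executable name rather than a registered ProgID; the next step would be to locate each executable on disk and check its publisher, which this offline parser cannot do from the log alone.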


#10 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:02:29 AM

Posted 11 June 2011 - 08:41 AM

Run a new scan with ComboFix. If you get that error message again, reboot your computer, or if something unexpected happens, post back! Don't continue, and please do not do things on your own. It makes it much harder for me.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#11 Angbblue

Angbblue
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Gender:Female
  • Location:Seattle, Washington
  • Local time:11:29 PM

Posted 11 June 2011 - 08:49 PM

Ummm, no thank you. I might not know everything about computers, but this Combo Fix thing had all my browser .dll files, and several more that I tried to access, "marked for deletion", as I described in my last email. I had to go into recovery mode to do a system restore. Even then, the Combo Fix did not create a restore point; I remember waiting for it to make the restore point. So, I'm really glad it didn't actually delete all my .dll files, and I'm not going to run a program again that broke my PC once already. I think I will just continue on my own now. Thank you so much for your help and your time.

Have a good night, Angie

:busy:



#12 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:02:29 AM

Posted 12 June 2011 - 09:13 AM

Ummm, no thank you. I might not know everything about computers, but this Combo Fix thing had all my browser .dll files, and several more that I tried to access, "marked for deletion", as I described in my last email. I had to go into recovery mode to do a system restore. Even then, the Combo Fix did not create a restore point; I remember waiting for it to make the restore point. So, I'm really glad it didn't actually delete all my .dll files, and I'm not going to run a program again that broke my PC once already. I think I will just continue on my own now. Thank you so much for your help and your time.

First of all, it wasn't going to delete all of your browser .dll files. If you had posted back like I asked you to if something unexpected happens, I would have told you to perform a reboot to get rid of that error message.

If you're not comfortable with running ComboFix again, we can still continue cleaning up your computer, we will just use different tools to do so.

Please let me know.

Kindest Regards,
SweetTech



#13 Angbblue

Angbblue
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Gender:Female
  • Location:Seattle, Washington
  • Local time:11:29 PM

Posted 14 June 2011 - 12:05 AM

Ummm, no thank you. I might not know everything about computers, but this Combo Fix thing had all my browser .dll files, and several more that I tried to access, "marked for deletion", as I described in my last email. I had to go into recovery mode to do a system restore. Even then, the Combo Fix did not create a restore point; I remember waiting for it to make the restore point. So, I'm really glad it didn't actually delete all my .dll files, and I'm not going to run a program again that broke my PC once already. I think I will just continue on my own now. Thank you so much for your help and your time.

First of all, it wasn't going to delete all of your browser .dll files. If you had posted back like I asked you to if something unexpected happens, I would have told you to perform a reboot to get rid of that error message.

If you're not comfortable with running ComboFix again, we can still continue cleaning up your computer, we will just use different tools to do so.

Please let me know.

Kindest Regards,
SweetTech


I couldn't. It disabled all of my Browser files.



#14 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:02:29 AM

Posted 14 June 2011 - 12:19 PM

Okay. Well, would you like my assistance still removing the malware from your computer?



#15 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:02:29 AM

Posted 16 June 2011 - 10:35 AM

Due to lack of feedback this thread will now be closed. If you still require assistance, and would like to have your thread re-opened, please feel free to send me a Private Message (PM) being sure to include a link to your topic, and I'd be happy to re-open it.






