
Google Redirect Virus 090820 cliccker.cn klikstats.cn [Solved]



#1 David08052 (New Member, 9 posts)
Hi,
I noticed on Mon that after a Google search, when I clicked on a Google link (either a direct click, or right-click and open in a new window), I would often be sent to a site other than the one with the specified URL. This is in Internet Explorer 8: I do not have a problem in Firefox.

I have been struggling with many posts, but what seemed to help was SpyNoMore. It returned these names:
Agent Rootkit C:\Windows\system32\net.net
HKEY_LOCAL_MACHINE\SOFTWARE\UAC
HKEY_LOCAL_MACHINE\SOFTWARE\UAC\connections
C:\Windows\system32\Drivers\UACrbxmstypye.sys
C:\Windows\system32\UACscwebjrcne.dll

I renamed all of these, after which there was no further problem with right-click and open in a new window. However, the problem persists with a direct click. All now have a suffix of .orig, so in the registry, for example, I have UAC.orig.

The UAC registry shows a "sval" entry for klikstats.cn which worries me because it seems to open my computer for a connection from this site, and since the suffix is for China, it suggests to me that someone in China might both be setting up to connect to my computer, and might be issuing the redirects. The redirects are all shell sites: when I try to contact them, I cannot. None have a phone number or physical location. When I email them, there is no reply.

I just ran RootRepeal "Only Display Hooked Functions" and found this:
C:\Windows\System32\kbiwkmcbrffgvd.dll
C:\Windows\System32\kbiwkmkturrjqs.dat
C:\Windows\System32\kbiwkmvbteufjw.dat
six files with the kbiwkm prefix.
RootRepeal also found a hidden service:
C:\windows\system32\drivers\kbiwkmcvvjiiwk.sys

However, when I go to that directory, there are no kbiwkm files to be found. And I don't see anything like that in startup using msconfig.

I know that China has been invading U.S. computers and wonder if this could be related to those news reports. But mostly I would like to stop this problem and move on. Any help will be appreciated. I can receive mail from other users as well as the moderator.
Thanks
David

#2 Perplexus (Lord of the Geeks, Malware Removal, 1,185 posts)
Hello and welcome to Geeks To Go! :)

My name is Perplexus and I will be helping you fix your computer problem.

I am still in training here, so there might be a delay between my replies as they need to be checked by a resident expert before I can post them. I appreciate your patience.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate, so stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Before we proceed to clean your computer from malware there are some points you should consider that will make the process go smoother:
  • To make sure that you receive an email when this topic is updated, please click here and check that this topic is listed under Malware Removal and Spyware Removal.
  • Before beginning the fix, read this post completely. If there's anything that you do not understand, please ask your questions before proceeding as you may temporarily be disconnected from the internet. No question is considered dumb here. It's better to be safe than sorry!
  • Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.
  • It is IMPORTANT that you do not miss a step & perform everything in the correct order/sequence.
  • Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested, as it can be very dangerous and cause harm to your system.
  • When posting logs, please ensure Word Wrap is turned off in Notepad (to check, open Notepad, click on Format in the menu bar and make sure that Word Wrap is unchecked).
---------------------------------------------------------------------------------------------

Please post the RootRepeal log. In addition, do the following:

  • Download OTL by OldTimer to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them all in.

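As an added illustration (not part of this thread, and not one of the tools Perplexus asks for), here is a small Python script that does a first-pass triage of the kind of OTL "Minimal Output" log requested above. It reads the SRV (service), O4 (Run key) and O6 (policy) lines, and flags three things a helper looks for first: entries that point at a file that no longer exists ("File not found"), entries whose file carries no publisher name (the empty "()" at the end of a line), and EnableLUA = 0, which means User Account Control is switched off. The sample log lines inside the script are constructed to match the OTL line layout and are not a real machine's output; the regular expressions and the category names are the script's own.

```python
import re
from collections import Counter

# Constructed sample in the layout of OTL "Minimal Output" (SRV / O4 / O6 line shapes as
# they appear in an OTL.Txt). The entries are illustrative, not a real machine's log.
SAMPLE_LOG = r"""
========== Win32 Services (SafeList) ==========

SRV - (Eventlog [Auto | Running]) -- C:\Windows\System32\wevtsvc.dll (Microsoft Corporation)
SRV - (CLTNetCnService [Auto | Stopped]) -- File not found
SRV - (WTService [Auto | Running]) -- C:\Windows\System32\atwtusb.exe ()

========== Standard Registry (SafeList) ==========

O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKLM..\Run: [MacrokeyManager] C:\Windows\System32\WTMKM.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
"""

# Line shapes (written for this example, derived from how OTL prints these sections).
SRV_RE = re.compile(r"^SRV - \((?P<name>.+?) \[(?P<start>[^|\]]+) \| (?P<state>[^\]]+)\]\) -- (?P<target>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<target>.+)$")
O6_RE = re.compile(r"^O6 - (?P<key>.+?): (?P<value>\w+) = (?P<data>.+)$")
# "<path> (<publisher>)": the publisher is always the last parenthesised group,
# so a path such as C:\Program Files (x86)\... is not mistaken for it.
TARGET_RE = re.compile(r"^(?P<path>.+?) \((?P<company>[^()]*)\)$")


def parse_target(target):
    """Split 'C:\\dir\\file.exe (Publisher)' into (path, publisher).
    'File not found' gives (None, None); an empty publisher gives ''."""
    target = target.strip()
    if target == "File not found":
        return None, None
    m = TARGET_RE.match(target)
    if not m:
        return target, None
    return m.group("path"), m.group("company").strip()


def _judge(subject, path, company):
    """Turn one parsed entry into zero or one (category, subject, reason) finding."""
    if path is None:
        return [("orphan", subject, "entry points at a file that no longer exists")]
    if not company:
        return [("no-publisher", subject, f"{path} carries no publisher name; identify it before trusting it")]
    return []


def triage(log_text):
    """Walk the log once and return a list of (category, subject, reason) findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SRV_RE.match(line)
        if m:
            path, company = parse_target(m.group("target"))
            findings.extend(_judge(f"service {m.group('name')} [{m.group('start')}]", path, company))
            continue
        m = O4_RE.match(line)
        if m:
            path, company = parse_target(m.group("target"))
            findings.extend(_judge(f"{m.group('hive')} {m.group('key')} [{m.group('name')}]", path, company))
            continue
        m = O6_RE.match(line)
        if m and m.group("value") == "EnableLUA" and m.group("data").strip() == "0":
            findings.append(("uac-disabled", m.group("key"),
                             "EnableLUA = 0: User Account Control is off, so everything the user runs already has admin rights"))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'orphan': 2, 'no-publisher': 2, 'uac-disabled': 1}."""
    return dict(Counter(category for category, _, _ in findings))


if __name__ == "__main__":
    for category, subject, reason in triage(SAMPLE_LOG):
        print(f"[{category}] {subject}: {reason}")
    print(summarize(triage(SAMPLE_LOG)))
```

A "no-publisher" hit is a prompt to look closer, not a verdict: plenty of legitimate software ships unsigned binaries with no version information (cygwin's cygrunsrv.exe shows up as "()" in the log later in this thread, for example). The same goes for "File not found" entries, which are usually leftovers of uninstalled programs but still deserve a glance, since an autostart that points nowhere costs nothing to clean up. The EnableLUA = 0 line is worth raising with the user regardless of the infection, because with UAC off a browser redirect that drops a file has no prompt to get past.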

#3 David08052 (Topic Starter, 9 posts)
Hi, at 8:30pm.
Thank you so much for your attention to my problem. I'm going to add OTL.txt now, and then Extras.txt.

OTL logfile created on: 8/20/2009 7:59:10 PM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\usr\spyware-otl.090820.v.x
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18813)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 0.96 Gb Available Physical Memory | 51.48% Memory free
3.99 Gb Paging File | 2.89 Gb Available in Paging File | 72.35% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 138.97 Gb Total Space | 5.67 Gb Free Space | 4.08% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 6.16 Gb Free Space | 61.65% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: VNOTE1
Current User Name: Admin
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Windows\System32\Ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\Windows\System32\Ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\Windows\System32\WISPTIS.EXE (Microsoft Corporation)
PRC - C:\Windows\System32\WLTRYSVC.EXE ()
PRC - C:\Windows\System32\bcmwltry.exe (Dell Inc.)
PRC - C:\Windows\System32\WISPTIS.EXE (Microsoft Corporation)
PRC - C:\sys\cygwin\bin\cygrunsrv.exe ()
PRC - C:\Program Files\Kodak\printer\center\KodakSvc.exe (Eastman Kodak Company)
PRC - C:\sys\cygwin\usr\sbin\cron.exe ()
PRC - C:\Program Files\AT&T Global Network Client\netcfgsvr.exe (AT&T)
PRC - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
PRC - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
PRC - C:\Windows\System32\WLTRAY.EXE (Dell Inc.)
PRC - C:\Windows\System32\WTMKM.exe ()
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
PRC - C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe (Adobe Systems Inc.)
PRC - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
PRC - C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe (IDT, Inc.)
PRC - C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
PRC - C:\Windows\ehome\ehtray.exe (Microsoft Corporation)
PRC - C:\usr\spybot.0908.v.1.6.2\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation)
PRC - C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
PRC - C:\Windows\ehome\ehmsas.exe (Microsoft Corporation)
PRC - C:\Windows\System32\STacSV.exe (IDT, Inc.)
PRC - C:\Windows\System32\atwtusb.exe ()
PRC - C:\Windows\System32\DRIVERS\xaudio.exe (Conexant Systems, Inc.)
PRC - C:\usr\spybot.0908.v.1.6.2\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\atwtusb.exe ()
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\usr\spyware-otl.090820.v.x\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (Adobe Version Cue CS4 [On_Demand | Stopped]) -- C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe (Adobe Systems Incorporated)
SRV - (AppHostSvc [Auto | Running]) -- C:\Windows\System32\inetsrv\apphostsvc.dll (Microsoft Corporation)
SRV - (Ati External Event Utility [Auto | Running]) -- C:\Windows\System32\Ati2evxx.exe (ATI Technologies Inc.)
SRV - (Bonjour Service [Disabled | Stopped]) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (Boonty Games [Disabled | Stopped]) -- C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe (BOONTY)
SRV - (BrlAPI [On_Demand | Stopped]) -- C:\sys\cygwin\bin\cygrunsrv.exe ()
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (CLTNetCnService [Auto | Stopped]) -- File not found
SRV - (cron [Auto | Running]) -- C:\sys\cygwin\bin\cygrunsrv.exe ()
SRV - (DSBrokerService [On_Demand | Stopped]) -- C:\Program Files\DellSupport\brkrsvc.exe ()
SRV - (ehRecvr [On_Demand | Stopped]) -- C:\Windows\ehome\ehRecvr.exe (Microsoft Corporation)
SRV - (ehSched [On_Demand | Stopped]) -- C:\Windows\ehome\ehsched.exe (Microsoft Corporation)
SRV - (ehstart [Auto | Stopped]) -- C:\Windows\ehome\ehstart.dll (Microsoft Corporation)
SRV - (Eventlog [Auto | Running]) -- C:\Windows\System32\wevtsvc.dll (Microsoft Corporation)
SRV - (FLEXnet Licensing Service [On_Demand | Stopped]) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Acresso Software Inc.)
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (fsssvc [On_Demand | Stopped]) -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe (Microsoft Corporation)
SRV - (GoogleDesktopManager-061008-081103 [On_Demand | Stopped]) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
SRV - (gusvc [On_Demand | Stopped]) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (idsvc [Unknown | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (Kodak AiO Network Discovery Service [Auto | Stopped]) -- C:\Program Files\Kodak\Printer\Center\EKDiscovery.exe (Eastman Kodak Company)
SRV - (KodakSvc [Auto | Running]) -- C:\Program Files\Kodak\printer\center\KodakSvc.exe (Eastman Kodak Company)
SRV - (MSSQL$SQLEXPRESS [On_Demand | Stopped]) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)
SRV - (MSSQLServerADHelper [Disabled | Stopped]) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe (Microsoft Corporation)
SRV - (MySQL [On_Demand | Stopped]) -- C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe ()
SRV - (netcfgsvr [Auto | Running]) -- C:\Program Files\AT&T Global Network Client\netcfgsvr.exe (AT&T)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (RoxMediaDB9 [On_Demand | Stopped]) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe (Sonic Solutions)
SRV - (RoxWatch9 [On_Demand | Stopped]) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe (Sonic Solutions)
SRV - (SBSDWSCService [Auto | Running]) -- C:\usr\spybot.0908.v.1.6.2\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
SRV - (SeaPort [Auto | Running]) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
SRV - (SQLBrowser [Auto | Running]) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (Microsoft Corporation)
SRV - (SQLWriter [Auto | Running]) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation)
SRV - (STacSV [Auto | Running]) -- C:\Windows\System32\STacSV.exe (IDT, Inc.)
SRV - (stllssvr [On_Demand | Stopped]) -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (MicroVision Development, Inc.)
SRV - (W3SVC [On_Demand | Stopped]) -- C:\Windows\System32\inetsrv\iisw3adm.dll (Microsoft Corporation)
SRV - (wampapache [On_Demand | Stopped]) -- File not found
SRV - (wampmysqld [On_Demand | Stopped]) -- File not found
SRV - (WAS [On_Demand | Stopped]) -- C:\Windows\System32\inetsrv\iisw3adm.dll (Microsoft Corporation)
SRV - (WinDefend [Auto | Running]) -- C:\Program Files\Windows Defender\mpsvc.dll (Microsoft Corporation)
SRV - (wltrysvc [Auto | Running]) -- C:\Windows\System32\WLTRYSVC.EXE ()
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
SRV - (WTService [Auto | Running]) -- C:\Windows\System32\atwtusb.exe ()
SRV - (XAudioService [Auto | Running]) -- C:\Windows\System32\DRIVERS\xaudio.exe (Conexant Systems, Inc.)

========== Driver Services (SafeList) ==========

DRV - (adfs [Auto | Running]) -- C:\Windows\System32\drivers\adfs.sys (Adobe Systems, Inc.)
DRV - (adp94xx [Disabled | Stopped]) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (adpahci [Disabled | Stopped]) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (adpu160m [Disabled | Stopped]) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (adpu320 [Disabled | Stopped]) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (agnfilt [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\agnfilt.sys (AT&T)
DRV - (aic78xx [Disabled | Stopped]) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (aliide [Disabled | Stopped]) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (arc [Disabled | Stopped]) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (arcsas [Disabled | Stopped]) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (ASPI32 [Auto | Running]) -- C:\Windows\System32\drivers\aspi32.sys (Adaptec)
DRV - (AtiPcie [Boot | Running]) -- C:\Windows\system32\DRIVERS\AtiPcie.sys (ATI Technologies Inc.)
DRV - (avpnnic [On_Demand | Stopped]) -- C:\Windows\System32\DRIVERS\avpnnic.sys (AT&T)
DRV - (BCM43XX [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\bcmwl6.sys (Broadcom Corporation)
DRV - (bcm4sbxp [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\bcm4sbxp.sys (Broadcom Corporation)
DRV - (BrFiltLo [On_Demand | Stopped]) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrFiltUp [On_Demand | Stopped]) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (Brserid [Disabled | Stopped]) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrSerWdm [Disabled | Stopped]) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm [Disabled | Stopped]) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (BrUsbSer [On_Demand | Stopped]) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (cmdide [Disabled | Stopped]) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (DSproct [On_Demand | Running]) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys (Gteko Ltd.)
DRV - (dsunidrv [Auto | Running]) -- C:\Windows\System32\DRIVERS\dsunidrv.sys (Gteko Ltd.)
DRV - (e1express [On_Demand | Stopped]) -- C:\Windows\System32\DRIVERS\e1e6032.sys (Intel Corporation)
DRV - (E1G60 [On_Demand | Stopped]) -- C:\Windows\System32\DRIVERS\E1G60I32.sys (Intel Corporation)
DRV - (elxstor [Disabled | Stopped]) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (fssfltr [On_Demand | Stopped]) -- C:\Windows\System32\DRIVERS\fssfltr.sys (Microsoft Corporation)
DRV - (HpCISSs [Disabled | Stopped]) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (HSF_DPV [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\HSX_DPV.sys (Conexant Systems, Inc.)
DRV - (HSXHWAZL [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\HSXHWAZL.sys (Conexant Systems, Inc.)
DRV - (iaStorV [Disabled | Stopped]) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (iirsp [Disabled | Stopped]) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (iteatapi [Disabled | Stopped]) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (iteraid [Disabled | Stopped]) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (LSI_FC [Disabled | Stopped]) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (LSI_SAS [Disabled | Stopped]) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (LSI_SCSI [Disabled | Stopped]) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (mdmxsdk [Auto | Running]) -- C:\Windows\System32\DRIVERS\mdmxsdk.sys (Conexant)
DRV - (megasas [Disabled | Stopped]) -- C:\Windows\system32\drivers\megasas.sys (LSI Logic Corporation)
DRV - (Mraid35x [Disabled | Stopped]) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (nfrd960 [Disabled | Stopped]) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (ntrigdigi [Disabled | Stopped]) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (nvraid [Disabled | Stopped]) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nvstor [Disabled | Stopped]) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (PxHelp20 [Boot | Running]) -- C:\Windows\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (ql2300 [Disabled | Stopped]) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (ql40xx [Disabled | Stopped]) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (R300 [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\atikmdag.sys (ATI Technologies Inc.)
DRV - (rimmptsk [Auto | Running]) -- C:\Windows\System32\DRIVERS\rimmptsk.sys (REDC)
DRV - (rimsptsk [Disabled | Stopped]) -- C:\Windows\system32\drivers\rimsptsk.sys (REDC)
DRV - (rismxdp [Disabled | Stopped]) -- C:\Windows\system32\drivers\rixdptsk.sys (REDC)
DRV - (SCDEmu [System | Running]) -- C:\Windows\System32\drivers\scdemu.sys (PowerISO Computing, Inc.)
DRV - (secdrv [Auto | Running]) -- C:\Windows\System32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (SiSRaid2 [Disabled | Stopped]) -- C:\Windows\system32\drivers\sisraid2.sys (Silicon Integrated Systems Corp.)
DRV - (SiSRaid4 [Disabled | Stopped]) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (STHDA [On_Demand | Running]) -- C:\Windows\System32\drivers\stwrt.sys (IDT, Inc.)
DRV - (Symc8xx [Disabled | Stopped]) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (Sym_hi [Disabled | Stopped]) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (Sym_u3 [Disabled | Stopped]) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (SynTP [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\SynTP.sys (Synaptics, Inc.)
DRV - (uliahci [Disabled | Stopped]) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (UlSata [Disabled | Stopped]) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (ulsata2 [Disabled | Stopped]) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (usbaudio [On_Demand | Stopped]) -- C:\Windows\System32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (vhidmini [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\walvhid.sys (Windows ® Codename Longhorn DDK provider)
DRV - (viaide [Disabled | Stopped]) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (vsmraid [Disabled | Stopped]) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (winachsf [On_Demand | Running]) -- C:\Windows\System32\DRIVERS\HSX_CNXT.sys (Conexant Systems, Inc.)
DRV - (XAudio [Auto | Running]) -- C:\Windows\System32\DRIVERS\xaudio.sys (Conexant Systems, Inc.)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co...amp;ibd=4071005
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - URLSearchHook: {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL File not found
IE - URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}:6.0.14
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.2
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/08/18 14:12:33 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/08/20 10:17:42 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/08/20 10:17:41 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.19\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2009/02/10 18:24:24 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.19\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2009/02/20 16:16:54 | 00,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\mozilla\Extensions
[2009/02/20 16:16:54 | 00,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/08/20 10:28:20 | 00,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\mozilla\Firefox\Profiles\hr90q0gr.default\extensions
[2009/08/18 17:03:13 | 00,000,000 | ---D | M] -- C:\Users\Admin\AppData\Roaming\mozilla\Firefox\Profiles\hr90q0gr.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/08/20 10:28:20 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/08/20 10:17:42 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/02/26 12:05:34 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2009/08/18 14:35:25 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
[2009/07/30 07:26:53 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/07/30 07:26:54 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/08/18 14:34:47 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2009/07/30 07:26:55 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2009/02/27 12:13:42 | 00,103,792 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2009/07/30 03:24:20 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/07/30 03:24:20 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/07/30 03:24:20 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/07/30 03:24:20 | 00,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/07/30 03:24:20 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/07/30 03:24:20 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/07/30 03:24:20 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (761 bytes) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Ask Search Assistant BHO) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL File not found
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\usr\spybot.0908.v.1.6.2\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe_ID0ENQBO] C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4Tray.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\Windows\System32\WLTRAY.exe (Dell Inc.)
O4 - HKLM..\Run: [dscactivate] c:\dell\dsca.exe ( )
O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\Windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKLM..\Run: [MacrokeyManager] C:\Windows\System32\WTMKM.exe ()
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [SNM] C:\Users\Admin\spynomore.0908.v.x\SpyNoMore\SNM.exe (Illysoft LLC)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [AdobeBridge] File not found
O4 - HKCU..\Run: [DellSupport] C:\Program Files\DellSupport\DSAgnt.exe (Gteko Ltd.)
O4 - HKCU..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (Microsoft Corporation)
O4 - HKCU..\Run: [NetSP - restore settings on power failure] C:\Program Files\AT&T Global Network Client\NetSP.exe (AT&T)
O4 - HKCU..\Run: [PxDotNetLoader] C:\usr\fidelityatp\Fidelity Active Trader\System\ATPStartupAssistant.exe (Fidelity Investments)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\usr\spybot.0908.v.1.6.2\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKLM..\RunOnceEx: [] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm ()
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll (Apple Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\usr\spybot.0908.v.1.6.2\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm ()
O9 - Extra 'Tools' menuitem : Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.micros...tes/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\yinsthelper.dll (YInstStarter Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} http://tools.ebayimg...l_v1-0-27-0.cab (EPUImageControl Class)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\x-atng {7e8717b0-d862-11d5-8c9e-00010304f989} - C:\usr\fidelityatp\Fidelity Active Trader\System\atngprot.dll (Fidelity Investments)
O18 - Protocol\Filter: - x-sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll (Google Inc.)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\Windows\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (/p) - File not found
O34 - HKLM BootExecute: (\??\C:) - File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\Windows\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/08/20 19:33:59 | 00,004,149 | ---- | C] () -- C:\vpers-090820-show-hidden-files.html
[2009/08/20 19:17:18 | 00,000,837 | ---- | C] () -- C:\Users\Admin\Desktop\ZZ.RootRepeal.exe.lnk
[2009/08/20 14:32:57 | 00,000,000 | ---- | C] () -- C:\Windows\System32\settings.dat
[2009/08/20 13:45:26 | 00,001,078 | ---- | C] () -- C:\Users\Admin\Desktop\ZZ.History Killer Pro.lnk
[2009/08/20 13:45:25 | 00,000,000 | ---D | C] -- C:\Users\Admin\AppData\Roaming\Emergency Soft
[2009/08/20 13:35:29 | 00,000,983 | ---- | C] () -- C:\Users\Admin\Desktop\ZZZ.Internet Explorer.lnk
[2009/08/20 11:17:55 | 00,001,628 | ---- | C] () -- C:\Users\Admin\Desktop\ZZ.HijackThis.lnk
[2009/08/20 10:38:43 | 00,000,000 | ---D | C] -- C:\Avenger
[2009/08/20 10:17:44 | 00,001,758 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2009/08/19 20:21:16 | 54,918,170 | ---- | C] () -- C:\zz.perl_dir.out.090819
[2009/08/19 16:27:48 | 14,875,0620 | ---- | C] () -- C:\zz.perl_reg.ascii
[2009/08/19 15:54:06 | 30,213,5528 | R--- | C] () -- C:\zz.perl_reg.out.090819
[2009/08/19 15:53:44 | 30,213,5528 | ---- | C] () -- C:\zz.perl_reg.out
[2009/08/19 15:51:45 | 30,261,0604 | R--- | C] () -- C:\zz.regedit.corporate.090819-155123
[2009/08/19 15:46:36 | 00,000,423 | ---- | C] () -- C:\zz.perl_reg.pl
[2009/08/19 09:14:28 | 30,251,9012 | ---- | C] () -- C:\regedit.export.090819.all
[2009/08/18 17:35:10 | 00,001,152 | ---- | C] () -- C:\Windows\System32\windrv.sys
[2009/08/18 17:34:56 | 00,000,846 | ---- | C] () -- C:\Users\Admin\Desktop\ZZ.SpyNoMore.lnk
[2009/08/18 17:01:03 | 00,000,000 | ---D | C] -- C:\zz.web.pix
[2009/08/18 16:14:24 | 00,040,282 | ---- | C] () -- C:\cross-slide-app.html
[2009/08/18 16:12:23 | 00,010,889 | ---- | C] () -- C:\cross-slide-index.html
[2009/08/18 14:41:58 | 00,000,000 | ---D | C] -- C:\Users\Admin\Documents\My Received Files
[2009/08/18 14:35:15 | 00,410,984 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\deploytk.dll
[2009/08/18 14:35:15 | 00,148,888 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2009/08/18 14:35:15 | 00,144,792 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2009/08/18 14:35:15 | 00,144,792 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2009/08/18 14:01:03 | 00,055,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\fssfltr.sys
[2009/08/18 13:59:58 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Sync Framework
[2009/08/18 13:59:08 | 03,426,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx9_32.dll
[2009/08/18 13:57:59 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2009/08/18 13:57:48 | 00,000,000 | ---D | C] -- C:\Users\Public\Documents\microsoft
[2009/08/18 13:57:39 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live SkyDrive
[2009/08/18 13:57:17 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live
[2009/08/18 13:52:28 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Windows Live
[2009/08/18 13:46:35 | 01,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2009/08/18 13:46:35 | 00,206,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\occache.dll
[2009/08/18 13:46:34 | 00,594,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2009/08/18 13:46:34 | 00,184,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2009/08/18 13:46:34 | 00,164,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2009/08/18 13:46:34 | 00,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2009/08/18 13:46:34 | 00,055,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedsbs.dll
[2009/08/18 13:46:34 | 00,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2009/08/18 13:46:33 | 01,985,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iertutil.dll
[2009/08/18 13:46:33 | 00,915,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wininet.dll
[2009/08/18 13:46:33 | 00,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2009/08/18 13:46:33 | 00,057,667 | ---- | C] () -- C:\Windows\System32\ieuinit.inf
[2009/08/18 13:46:33 | 00,055,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2009/08/18 13:46:33 | 00,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeedssync.exe
[2009/08/18 13:46:32 | 01,208,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\urlmon.dll
[2009/08/18 13:46:32 | 00,386,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2009/08/18 13:46:32 | 00,133,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2009/08/18 13:46:32 | 00,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesysprep.dll
[2009/08/18 13:46:31 | 01,469,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2009/08/18 13:46:30 | 11,067,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieframe.dll
[2009/08/18 13:46:30 | 05,937,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.dll
[2009/08/18 13:45:28 | 00,066,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtmled.dll
[2009/08/18 13:45:27 | 00,156,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msls31.dll
[2009/08/18 13:45:27 | 00,072,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\admparse.dll
[2009/08/18 13:45:27 | 00,066,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tdc.ocx
[2009/08/18 13:45:27 | 00,059,904 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\icardie.dll
[2009/08/18 13:45:27 | 00,048,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtmler.dll
[2009/08/18 13:45:27 | 00,018,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\corpol.dll
[2009/08/18 13:45:26 | 00,348,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxtmsft.dll
[2009/08/18 13:45:26 | 00,216,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxtrans.dll
[2009/08/18 13:45:26 | 00,125,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieakeng.dll
[2009/08/18 13:45:26 | 00,094,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inseng.dll
[2009/08/18 13:45:26 | 00,043,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\licmgr10.dll
[2009/08/18 13:45:26 | 00,034,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\imgutil.dll
[2009/08/18 13:45:25 | 00,611,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2009/08/18 13:45:25 | 00,236,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\webcheck.dll
[2009/08/18 13:45:25 | 00,229,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll
[2009/08/18 13:45:25 | 00,208,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WinFXDocObj.exe
[2009/08/18 13:45:25 | 00,193,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msrating.dll
[2009/08/18 13:45:25 | 00,163,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieakui.dll
[2009/08/18 13:45:25 | 00,066,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wextract.exe
[2009/08/18 13:45:24 | 00,726,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2009/08/18 13:45:24 | 00,445,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dll
[2009/08/18 13:45:24 | 00,420,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll
[2009/08/18 13:45:24 | 00,128,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\advpack.dll
[2009/08/18 13:45:24 | 00,105,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2009/08/18 13:45:24 | 00,046,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\pngfilt.dll
[2009/08/18 13:45:23 | 00,385,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2009/08/18 13:45:22 | 03,698,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dat
[2009/08/18 13:45:22 | 00,169,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iexpress.exe
[2009/08/18 13:45:22 | 00,109,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PDMSetup.exe
[2009/08/18 13:45:22 | 00,107,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\RegisterIEPKEYs.exe
[2009/08/18 13:45:22 | 00,107,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\SetIEInstalledDate.exe
[2009/08/18 13:45:22 | 00,103,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\SetDepNx.exe
[2009/08/18 13:45:22 | 00,045,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshta.exe
[2009/08/18 13:39:41 | 00,562,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msdtcprx.dll
[2009/08/18 13:39:41 | 00,038,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xolehlp.dll
[2009/08/18 13:39:37 | 00,784,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\rpcrt4.dll
[2009/08/18 13:39:35 | 00,160,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wkssvc.dll
[2009/08/18 13:39:32 | 00,636,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\localspl.dll
[2009/08/18 13:39:06 | 00,428,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\EncDec.dll
[2009/08/18 13:39:05 | 00,293,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\psisdecd.dll
[2009/08/18 13:39:05 | 00,217,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\psisrndr.ax
[2009/08/18 13:39:05 | 00,177,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mpg2splt.ax
[2009/08/18 13:39:05 | 00,080,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSNP.ax
[2009/08/18 13:39:00 | 03,599,328 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2009/08/18 13:39:00 | 03,547,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2009/08/18 13:39:00 | 00,551,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\rpcss.dll
[2009/08/18 13:38:58 | 00,666,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\printfilterpipelinesvc.exe
[2009/08/18 13:38:58 | 00,183,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\sdohlp.dll
[2009/08/18 13:38:58 | 00,098,304 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iasrecst.dll
[2009/08/18 13:38:58 | 00,054,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iasads.dll
[2009/08/18 13:38:58 | 00,044,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iasdatastore.dll
[2009/08/18 13:38:58 | 00,026,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\printfilterpipelineprxy.dll
[2009/08/18 13:38:58 | 00,017,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iashost.exe
[2009/08/18 13:38:53 | 01,256,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\lsasrv.dll
[2009/08/18 13:38:53 | 00,499,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\kerberos.dll
[2009/08/18 13:38:53 | 00,270,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\schannel.dll
[2009/08/18 13:38:53 | 00,213,504 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msv1_0.dll
[2009/08/18 13:38:53 | 00,175,104 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wdigest.dll
[2009/08/18 13:38:52 | 00,439,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\ksecdd.sys
[2009/08/18 13:38:52 | 00,072,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\secur32.dll
[2009/08/18 13:38:52 | 00,009,728 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\lsass.exe
[2009/08/18 13:38:49 | 00,289,792 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\System32\atmfd.dll
[2009/08/18 13:38:49 | 00,156,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\t2embed.dll
[2009/08/18 13:38:49 | 00,072,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\fontsub.dll
[2009/08/18 13:38:49 | 00,010,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dciman32.dll
[2009/08/18 13:38:46 | 02,033,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2009/08/18 13:38:42 | 02,066,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstscax.dll
[2009/08/18 13:38:40 | 00,376,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winhttp.dll
[2009/08/18 13:38:38 | 00,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\atl.dll
[2009/08/18 13:38:34 | 00,091,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\avifil32.dll
[2009/08/18 13:37:17 | 00,888,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\kernel32.dll
[2009/08/18 13:37:15 | 00,024,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\amxread.dll
[2009/08/18 13:37:15 | 00,013,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\apilogen.dll
[2009/08/18 13:37:09 | 10,626,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmp.dll
[2009/08/18 13:37:08 | 00,313,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmpdxm.dll
[2009/08/18 13:37:08 | 00,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\spwmp.dll
[2009/08/18 13:37:07 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msdxm.ocx
[2009/08/18 13:37:07 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxmasf.dll
[2009/08/18 13:37:06 | 08,147,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmploc.DLL
[2009/08/18 13:37:06 | 00,043,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msdxm.tlb
[2009/08/18 13:37:06 | 00,018,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\amcompat.tlb
[2009/08/18 13:01:10 | 00,000,598 | ---- | C] () -- C:\Windows\wininit.ini
[2009/08/18 12:11:13 | 00,001,135 | ---- | C] () -- C:\Users\Admin\Desktop\ZZ.Spybot - Search & Destroy.lnk
[2009/08/18 12:11:07 | 00,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2009/08/18 09:46:07 | 00,000,000 | ---- | C] () -- C:\Windows\System32\cygrunsrv.exe.stackdump
[2009/08/18 09:40:24 | 14,387,563 | ---- | C] () -- C:\diff.out
[2009/08/18 09:11:28 | 57,653,496 | ---- | C] () -- C:\zz.perl_dir.out.090818
[2009/08/17 18:26:48 | 00,000,000 | ---D | C] -- C:\cvt
[2009/08/17 15:39:31 | 00,212,010 | ---- | C] () -- C:\philly-skyline.jpg
[2009/08/17 14:04:48 | 00,030,208 | ---- | C] () -- C:\Windows\System32\uacrem.dll.orig
[2009/08/17 14:04:47 | 01,110,399 | ---- | C] () -- C:\Windows\System32\uacmal.db.orig
[2009/08/17 14:04:45 | 00,074,240 | ---- | C] () -- C:\Windows\System32\uacbbr.dll.orig
[2009/08/17 14:04:44 | 00,054,784 | ---- | C] () -- C:\Windows\System32\drivers\UACrbsmstypye.sys.orig
[2009/08/17 14:04:44 | 00,026,624 | ---- | C] () -- C:\Windows\System32\UACscwebjrcne.dll.orig
[2009/08/17 14:04:13 | 00,164,800 | ---- | C] (Privat) -- C:\Windows\System32\net.net.orig
[2009/08/15 09:16:29 | 00,006,461 | ---- | C] () -- C:\imageiio.pe4
[2009/08/15 09:16:29 | 00,000,615 | ---- | C] () -- C:\imaginfo.pe4
[2009/08/15 09:15:25 | 00,021,194 | ---- | C] () -- C:\DSC00016.coffeetable.jpg
[2009/08/14 15:50:37 | 00,004,214 | ---- | C] () -- C:\mail.jeffnchris.090814.FallingWater.eml
[2009/08/14 15:32:45 | 00,000,000 | ---D | C] -- C:\zz.augustgold
[2009/08/14 08:24:01 | 00,000,786 | ---- | C] () -- C:\Users\Admin\Desktop\Z.giftedmot.lnk
[2009/08/13 19:24:38 | 00,000,750 | ---- | C] () -- C:\Users\Admin\Desktop\Z.AVIedit.lnk
[2009/08/13 19:10:41 | 00,000,000 | ---D | C] -- C:\Users\Admin\AppData\Roaming\ASkySoft
[2009/08/13 15:24:40 | 00,002,529 | ---- | C] () -- C:\Users\Admin\Desktop\Z.Jasc Animation Shop 3.lnk
[2009/08/13 15:08:39 | 00,000,000 | ---D | C] -- C:\Users\Admin\AppData\Roaming\Jasc
[2009/08/13 15:07:10 | 00,000,000 | ---D | C] -- C:\Program Files\Jasc Software Inc
[2009/08/13 10:02:18 | 00,000,000 | ---D | C] -- C:\zz.web
[2009/08/11 10:35:04 | 00,000,000 | ---D | C] -- C:\Program Files\William O'Neil + Co. Inc
[2009/08/11 10:34:47 | 00,000,000 | ---D | C] -- C:\Users\Admin\AppData\Roaming\InstallShield
[2009/08/10 17:53:56 | 53,880,881 | ---- | C] () -- C:\zz.perl_dir.out.090810
[2009/08/10 17:44:32 | 00,004,781 | -H-- | C] () -- C:\.flashProjectProperties
[2009/08/10 14:00:34 | 00,000,000 | ---D | C] -- C:\zz.dev.flash
[2009/08/06 13:11:45 | 57,430,289 | ---- | C] () -- C:\zz.perl_dir.out.090806
[2009/08/06 10:33:09 | 00,004,769 | ---- | C] () -- C:\Users\Admin\Documents\mail.090806.read-for-blind.eml
[2009/08/02 14:45:28 | 00,000,000 | ---D | C] -- C:\zz.flash
[2009/07/31 19:33:04 | 00,000,990 | ---- | C] () -- C:\Users\Admin\Desktop\Y.Adobe Flash CS4 Professional.lnk
[2009/07/31 17:35:41 | 00,000,000 | ---D | C] -- C:\Users\Admin\AppData\Local\SourceTec
[2009/07/31 17:35:40 | 00,000,023 | ---- | C] () -- C:\Windows\SWFDecompiler.INI
[2009/07/31 17:35:34 | 00,000,890 | ---- | C] () -- C:\Users\Admin\Desktop\Y.Sothink SWF Decompiler.lnk
[2009/07/31 17:35:34 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\SourceTec
[2009/07/27 15:07:32 | 00,000,000 | ---D | C] -- C:\ProgramData\GoldWave
[2009/07/27 15:06:48 | 00,000,583 | ---- | C] () -- C:\Users\Admin\Desktop\MP3 GoldWave.lnk
[2009/07/24 16:11:13 | 00,000,000 | ---D | C] -- C:\Users\Public\Desktop\A.Users Public
[2009/07/23 14:37:16 | 00,000,000 | ---D | C] -- C:\Thirteenth Floor.xlisoft.iso
[2009/07/23 12:35:30 | 18,879,28320 | ---- | C] () -- C:\ThirteenthFloor.xlisoft.iso
[2009/07/22 13:39:18 | 93,587,5558 | ---- | C] () -- C:\Thirteenth Floor 1080P_X264_NLSUBBED Just4FunTeam.avi
[2009/07/22 13:27:49 | 00,001,121 | ---- | C] () -- C:\Users\Admin\Desktop\X.cvt Xilisoft.lnk
[2009/07/22 10:38:30 | 00,000,000 | ---D | C] -- C:\zz.dweaver.class
[2009/07/22 09:48:15 | 04,193,439 | ---- | C] () -- C:\du.srt
[2009/07/22 09:24:26 | 04,193,391 | ---- | C] () -- C:\du.out
[2009/04/24 16:42:29 | 00,815,104 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2009/04/24 16:42:29 | 00,180,224 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2009/04/23 09:28:27 | 00,057,344 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2009/04/23 09:28:27 | 00,000,547 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll.manifest
[2009/04/13 12:54:48 | 00,011,270 | -HS- | C] () -- C:\Windows\System32\KGyGaAvL.sys
[2009/02/10 18:25:18 | 00,012,800 | ---- | C] () -- C:\Windows\System32\EKDeviceServices.dll
[2009/02/10 13:30:50 | 00,285,216 | ---- | C] () -- C:\Windows\System32\drivers\Onsio.sys
[2009/02/10 13:30:50 | 00,007,680 | ---- | C] () -- C:\Windows\System32\drivers\Onsreged.sys
[2009/02/03 14:31:34 | 00,000,000 | ---- | C] () -- C:\Windows\uesviewer.INI
[2009/01/28 16:09:17 | 00,087,552 | ---- | C] () -- C:\Windows\System32\cpwmon2k.dll
[2009/01/28 14:47:48 | 00,000,071 | ---- | C] () -- C:\Windows\pex.INI
[2009/01/16 20:13:58 | 00,180,224 | ---- | C] () -- C:\Windows\System32\ATWTINK.DLL
[2009/01/16 20:13:57 | 00,014,545 | R--- | C] () -- C:\Windows\System32\Photoshop Elements.ini
[2009/01/16 20:13:57 | 00,010,922 | ---- | C] () -- C:\Windows\System32\Vista.ini
[2009/01/16 20:13:57 | 00,010,616 | ---- | C] () -- C:\Windows\System32\XP_2000.ini
[2009/01/16 20:13:57 | 00,010,361 | R--- | C] () -- C:\Windows\System32\PhotoImpact XL SE.ini
[2009/01/16 20:13:57 | 00,006,991 | ---- | C] () -- C:\Windows\aiptbl.ini
[2009/01/16 20:13:57 | 00,000,574 | ---- | C] () -- C:\Windows\System32\MKProfile.ini
[2007/12/31 10:54:41 | 00,002,068 | ---- | C] () -- C:\Windows\mp3tunes2.ini
[2007/10/28 20:07:53 | 00,000,965 | ---- | C] () -- C:\Windows\ULead32.ini
[2007/10/20 21:15:26 | 00,157,696 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2007/10/20 21:15:24 | 00,019,968 | ---- | C] () -- C:\Windows\System32\cpuinf32.dll
[2007/10/05 18:56:37 | 00,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2007/10/05 18:56:36 | 00,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2007/10/05 18:56:26 | 01,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2007/10/05 11:16:34 | 00,065,536 | ---- | C] () -- C:\Windows\System32\bcmwlrmt.dll
[2006/11/07 15:25:58 | 00,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
[2006/11/02 08:35:32 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 06:23:31 | 00,000,259 | ---- | C] () -- C:\Windows\win.ini
[2006/11/02 06:23:31 | 00,000,219 | ---- | C] () -- C:\Windows\system.ini
[2006/11/02 03:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/09/17 00:36:50 | 00,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2006/09/17 00:36:50 | 00,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
[2004/09/01 11:49:17 | 03,375,104 | ---- | C] () -- C:\Windows\System32\qt-mt331.dll
[2002/03/16 20:00:00 | 00,007,420 | ---- | C] () -- C:\Windows\UA000059.DLL

========== Files - Modified Within 30 Days ==========

[2009/08/20 19:58:08 | 00,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/08/20 19:58:07 | 00,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/08/20 19:34:00 | 00,004,149 | ---- | M] () -- C:\vpers-090820-show-hidden-files.html
[2009/08/20 19:18:13 | 00,000,837 | ---- | M] () -- C:\Users\Admin\Desktop\ZZ.RootRepeal.exe.lnk
[2009/08/20 17:25:05 | 00,000,356 | ---- | M] () -- C:\Windows\tasks\Kodak AiO Scheduled Maintenance.job
[2009/08/20 14:32:57 | 00,000,000 | ---- | M] () -- C:\Windows\System32\settings.dat
[2009/08/20 14:00:29 | 00,000,259 | ---- | M] () -- C:\Windows\win.ini
[2009/08/20 13:58:10 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/08/20 13:57:50 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/08/20 13:57:45 | 20,091,45344 | -HS- | M] () -- C:\hiberfil.sys
[2009/08/20 13:56:39 | 05,065,684 | -H-- | M] () -- C:\Users\Admin\AppData\Local\IconCache.db
[2009/08/20 13:45:26 | 00,001,078 | ---- | M] () -- C:\Users\Admin\Desktop\ZZ.History Killer Pro.lnk
[2009/08/20 11:17:55 | 00,001,628 | ---- | M] () -- C:\Users\Admin\Desktop\ZZ.HijackThis.lnk
[2009/08/20 10:17:44 | 00,001,758 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2009/08/20 09:24:35 | 00,004,214 | ---- | M] () -- C:\mail.jeffnchris.090814.FallingWater.eml
[2009/08/19 20:44:57 | 54,918,170 | ---- | M] () -- C:\zz.perl_dir.out.090819
[2009/08/19 20:44:39 | 14,875,0620 | ---- | M] () -- C:\zz.perl_reg.ascii
[2009/08/19 20:41:48 | 30,213,5528 | R--- | M] () -- C:\zz.perl_reg.out.090819
[2009/08/19 20:41:16 | 30,213,5528 | ---- | M] () -- C:\zz.perl_reg.out
[2009/08/19 20:21:10 | 00,001,976 | ---- | M] () -- C:\zz.perl_dir.pl
[2009/08/19 20:09:32 | 00,000,423 | ---- | M] () -- C:\zz.perl_reg.pl
[2009/08/19 15:51:52 | 30,261,0604 | R--- | M] () -- C:\zz.regedit.corporate.090819-155123
[2009/08/19 09:17:00 | 30,251,9012 | ---- | M] () -- C:\regedit.export.090819.all
[2009/08/18 17:35:10 | 00,001,152 | ---- | M] () -- C:\Windows\System32\windrv.sys
[2009/08/18 17:34:56 | 00,000,846 | ---- | M] () -- C:\Users\Admin\Desktop\ZZ.SpyNoMore.lnk
[2009/08/18 16:14:25 | 00,040,282 | ---- | M] () -- C:\cross-slide-app.html
[2009/08/18 16:12:24 | 00,010,889 | ---- | M] () -- C:\cross-slide-index.html
[2009/08/18 14:34:44 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2009/08/18 14:34:44 | 00,144,792 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2009/08/18 14:34:44 | 00,144,792 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2009/08/18 14:34:43 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deploytk.dll
[2009/08/18 14:27:08 | 00,000,983 | ---- | M] () -- C:\Users\Admin\Desktop\ZZZ.Internet Explorer.lnk
[2009/08/18 14:24:13 | 02,270,320 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/08/18 14:05:59 | 00,745,446 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/08/18 14:05:59 | 00,670,452 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/08/18 14:05:59 | 00,126,354 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/08/18 13:01:11 | 00,000,598 | ---- | M] () -- C:\Windows\wininit.ini
[2009/08/18 12:11:13 | 00,001,135 | ---- | M] () -- C:\Users\Admin\Desktop\ZZ.Spybot - Search & Destroy.lnk
[2009/08/18 10:35:43 | 20,556,8303 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2009/08/18 09:59:02 | 00,000,000 | ---- | M] () -- C:\Windows\System32\cygrunsrv.exe.stackdump
[2009/08/18 09:40:26 | 14,387,563 | ---- | M] () -- C:\diff.out
[2009/08/18 09:30:34 | 57,653,496 | ---- | M] () -- C:\zz.perl_dir.out.090818
[2009/08/17 16:07:47 | 00,000,965 | ---- | M] () -- C:\Windows\ULead32.ini
[2009/08/17 16:05:52 | 00,006,461 | ---- | M] () -- C:\imageiio.pe4
[2009/08/17 16:05:52 | 00,000,615 | ---- | M] () -- C:\imaginfo.pe4
[2009/08/17 15:39:04 | 00,212,010 | ---- | M] () -- C:\philly-skyline.jpg
[2009/08/17 14:04:48 | 01,110,399 | ---- | M] () -- C:\Windows\System32\uacmal.db.orig
[2009/08/17 14:04:48 | 00,030,208 | ---- | M] () -- C:\Windows\System32\uacrem.dll.orig
[2009/08/17 14:04:45 | 00,074,240 | ---- | M] () -- C:\Windows\System32\uacbbr.dll.orig
[2009/08/17 14:04:44 | 00,054,784 | ---- | M] () -- C:\Windows\System32\drivers\UACrbsmstypye.sys.orig
[2009/08/17 14:04:44 | 00,026,624 | ---- | M] () -- C:\Windows\System32\UACscwebjrcne.dll.orig
[2009/08/17 14:04:14 | 00,164,800 | ---- | M] (Privat) -- C:\Windows\System32\net.net.orig
[2009/08/15 09:19:48 | 00,021,194 | ---- | M] () -- C:\DSC00016.coffeetable.jpg
[2009/08/14 08:36:23 | 00,002,529 | ---- | M] () -- C:\Users\Admin\Desktop\Z.Jasc Animation Shop 3.lnk
[2009/08/14 08:28:24 | 00,000,786 | ---- | M] () -- C:\Users\Admin\Desktop\Z.giftedmot.lnk
[2009/08/13 19:24:38 | 00,000,750 | ---- | M] () -- C:\Users\Admin\Desktop\Z.AVIedit.lnk
[2009/08/10 18:11:04 | 53,880,881 | ---- | M] () -- C:\zz.perl_dir.out.090810
[2009/08/10 17:44:32 | 00,004,781 | -H-- | M] () -- C:\.flashProjectProperties
[2009/08/06 13:49:05 | 57,430,289 | ---- | M] () -- C:\zz.perl_dir.out.090806
[2009/08/06 10:33:09 | 00,004,769 | ---- | M] () -- C:\Users\Admin\Documents\mail.090806.read-for-blind.eml
[2009/07/31 17:35:40 | 00,000,023 | ---- | M] () -- C:\Windows\SWFDecompiler.INI
[2009/07/31 17:35:34 | 00,000,890 | ---- | M] () -- C:\Users\Admin\Desktop\Y.Sothink SWF Decompiler.lnk
[2009/07/29 17:49:16 | 24,281,536 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mrt.exe
[2009/07/27 17:44:53 | 00,002,068 | ---- | M] () -- C:\Windows\mp3tunes2.ini
[2009/07/27 15:06:48 | 00,000,583 | ---- | M] () -- C:\Users\Admin\Desktop\MP3 GoldWave.lnk
[2009/07/23 14:33:02 | 18,879,28320 | ---- | M] () -- C:\ThirteenthFloor.xlisoft.iso
[2009/07/22 13:45:43 | 93,587,5558 | ---- | M] () -- C:\Thirteenth Floor 1080P_X264_NLSUBBED Just4FunTeam.avi
[2009/07/22 13:43:18 | 00,001,121 | ---- | M] () -- C:\Users\Admin\Desktop\X.cvt Xilisoft.lnk
[2009/07/22 09:56:21 | 04,193,439 | ---- | M] () -- C:\du.srt
[2009/07/22 09:34:56 | 04,193,391 | ---- | M] () -- C:\du.out

========== Alternate Data Streams ==========

@Alternate Data Stream - 190 bytes -> C:\ProgramData\TEMP:40B19B5E
@Alternate Data Stream - 119 bytes -> C:\ProgramData\TEMP:0C1EFF69
@Alternate Data Stream - 1093 bytes -> C:\mail.jeffnchris.090814.FallingWater.eml:OECustomProperty
< End of report >


==================================================================
Extras.txt
==================================================================

OTL Extras logfile created on: 8/20/2009 7:59:10 PM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\usr\spyware-otl.090820.v.x
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18813)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 0.96 Gb Available Physical Memory | 51.48% Memory free
3.99 Gb Paging File | 2.89 Gb Available in Paging File | 72.35% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 138.97 Gb Total Space | 5.67 Gb Free Space | 4.08% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 6.16 Gb Free Space | 61.65% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: VNOTE1
Current User Name: Admin
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"UacDisableNotify" = 0
"InternetSettingsDisableNotify" = 0
"AutoUpdateDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1766564128-518351188-3516307728-1000]
"EnableNotifications" = 0
"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\usr\anim-gif-river\Animated GIF Converter and Booster Pack\VideoCleaner.exe" = C:\usr\anim-gif-river\Animated GIF Converter and Booster Pack\VideoCleaner.exe:*:Enabled:River Past Animated GIF Converter -- File not found


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{19270C9D-EAEB-4308-A3B8-024D7AD7BC37}" = lport=2869 | protocol=6 | dir=in | app=system |
"{36121F3F-B6D8-404E-9FA4-19F3D35CB1C8}" = lport=9322 | protocol=6 | dir=in | name=ekdiscovery |
"{60251FDA-AC14-4E83-980F-72FBB3B74F1E}" = lport=9323 | protocol=6 | dir=in | name=ekdiscovery |
"{77E61D8D-658C-4410-8DE2-95F164988DCE}" = lport=3703 | protocol=6 | dir=in | name=adobe version cue cs4 server |
"{9CBB7F13-EA7D-4F51-A289-56D96BEF9BB4}" = lport=5353 | protocol=6 | dir=in | name=adobe csi cs4 |
"{A7E8BC0C-81A8-4422-A8BD-12A8485E0DD8}" = lport=3303 | protocol=6 | dir=in | name=mysql server |
"{B895073E-CD49-479E-BC2C-EAD345DCE9D1}" = lport=3704 | protocol=6 | dir=in | name=adobe version cue cs4 server |
"{BA068AAD-72FD-45F3-912B-7F8EE7EBA0F8}" = lport=51000 | protocol=6 | dir=in | name=adobe version cue cs4 server |
"{BD77C896-0CDE-478D-9DAF-FDF5A65EBA6C}" = lport=51001 | protocol=6 | dir=in | name=adobe version cue cs4 server |
"{C5782C46-E527-4CDF-BA18-F340FAF88C1D}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{10E0F801-6B54-4816-8955-E79CD38AEFDF}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{40C1ACA2-FAF4-441D-B7DC-8842E4F6A1F0}" = protocol=17 | dir=in | app=c:\program files\common files\adobe\cs4servicemanager\cs4servicemanager.exe |
"{46687B35-E175-4AEB-BF40-38F2685CB95F}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe |
"{4D695F4A-513D-4F1D-9DA2-489ADAA7914A}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{78D7D76C-5FDB-477C-A7D5-F1A31827EFC7}" = protocol=6 | dir=in | app=c:\usr\nb553\nbpro.exe |
"{BD62C096-6803-4C73-A019-D867A66BE8AC}" = protocol=6 | dir=in | app=c:\program files\common files\adobe\cs4servicemanager\cs4servicemanager.exe |
"{D457ED17-4B2F-468C-A808-E6CD3503B52B}" = protocol=6 | dir=in | app=c:\program files\common files\adobe\adobe version cue cs4\server\bin\versioncuecs4.exe |
"{D5E8C7DA-FE83-47B3-9BA9-8D49FBB16FC2}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe |
"{DB1F7870-D525-47C4-84FB-55EB06DFCECD}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{FB43DE28-9561-4978-BD22-9C9212B4529A}" = protocol=17 | dir=in | app=c:\program files\common files\adobe\adobe version cue cs4\server\bin\versioncuecs4.exe |
"{FD7029C7-B666-475D-A908-1A1187B58E63}" = protocol=17 | dir=in | app=c:\usr\nb553\nbpro.exe |
"TCP Query User{0A771EC0-0138-46FD-B625-C28597D5DD34}C:\sys\cygwin\usr\x11r6\bin\xwin.exe" = protocol=6 | dir=in | app=c:\sys\cygwin\usr\x11r6\bin\xwin.exe |
"TCP Query User{0A8B0BCE-D091-4ECD-9489-CF5577B433F5}C:\sys\cygwin\usr\x11r6\bin\xwin.exe" = protocol=6 | dir=in | app=c:\sys\cygwin\usr\x11r6\bin\xwin.exe |
"TCP Query User{37009C4B-3C87-4CF1-A927-2425E4C6CD60}C:\windows\system32\ftp.exe" = protocol=6 | dir=in | app=c:\windows\system32\ftp.exe |
"TCP Query User{974F211C-BF33-4F22-9CDD-3933F65497D2}C:\sys\cygwin\bin\ftp.exe" = protocol=6 | dir=in | app=c:\sys\cygwin\bin\ftp.exe |
"TCP Query User{A2A4402F-64F2-4814-AA9B-B547B0441B90}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{AA2925A0-52AD-4E6F-8C2A-25AFE6048D15}C:\program files\adobe\adobe dreamweaver cs4\dreamweaver.exe" = protocol=6 | dir=in | app=c:\program files\adobe\adobe dreamweaver cs4\dreamweaver.exe |
"TCP Query User{C0449049-F796-46B9-9011-76C22C309EAF}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{C3D0B382-7832-4A15-B9B7-B68489A8FF92}C:\windows\system32\ftp.exe" = protocol=6 | dir=in | app=c:\windows\system32\ftp.exe |
"UDP Query User{1A7B3026-47ED-4670-AD23-76ABD8761D66}C:\program files\adobe\adobe dreamweaver cs4\dreamweaver.exe" = protocol=17 | dir=in | app=c:\program files\adobe\adobe dreamweaver cs4\dreamweaver.exe |
"UDP Query User{46E1C47E-9F80-4DE9-ABAB-D4A82EDF8B52}C:\sys\cygwin\usr\x11r6\bin\xwin.exe" = protocol=17 | dir=in | app=c:\sys\cygwin\usr\x11r6\bin\xwin.exe |
"UDP Query User{4A42A393-62E4-43DB-B522-4FB44145AC2B}C:\windows\system32\ftp.exe" = protocol=17 | dir=in | app=c:\windows\system32\ftp.exe |
"UDP Query User{727D8221-F194-4527-909A-0C02373757C0}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{7514420F-1798-407E-BDD4-8FB883C5DB00}C:\sys\cygwin\usr\x11r6\bin\xwin.exe" = protocol=17 | dir=in | app=c:\sys\cygwin\usr\x11r6\bin\xwin.exe |
"UDP Query User{8B126F57-92F2-4C4F-B799-434A0E2225E4}C:\windows\system32\ftp.exe" = protocol=17 | dir=in | app=c:\windows\system32\ftp.exe |
"UDP Query User{96536986-E2E6-4FC6-96D4-A77C2882A4F5}C:\sys\cygwin\bin\ftp.exe" = protocol=17 | dir=in | app=c:\sys\cygwin\bin\ftp.exe |
"UDP Query User{BDBC338F-0BF3-49B4-B26D-43292C91B6DB}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{03DEEAD2-F3B7-45BF-9006-A25D015F00D2}" = Adobe Flash Player 10 Plugin
"{03EDED24-8375-407D-A721-4643D9768BE1}" = kgchlwn
"{044F9133-B8D7-4d11-BF39-803FA20F5C8B}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{0996C331-6DCB-4E38-A3EC-0A77ABAE1361}" = Help_CTR
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{0C19D563-5F25-4621-BF10-01F741BD283F}" = Microsoft SQL Server Compact 3.5 SP1 Design Tools English
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{11F3F858-4131-4FFA-A560-3FE282933B6E}" = kgchday
"{13BA7B44-B712-4DEE-A7B8-1DD564F37AE5}" = Dell System Customization Wizard
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{15BF7AAF-846C-4A6D-80E1-5D1FC7FB461B}" = Adobe SGM CS4
"{15EFEBF6-E414-33EB-8710-A04AD1302BF8}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Web - enu
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E16F01-2E2D-4248-A42F-76261C147B6C}" = Adobe Drive CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1B7C06E1-4888-47A6-992A-0990B9683486}" = Adobe Version Cue CS4 Server
"{1DCA3EAA-6EB5-4563-A970-EA14D75037BA}" = Adobe InDesign CS4
"{1E04CB54-AF4E-4AC3-B4B7-C0A160BE57F1}" = Adobe InDesign CS4 Icon Handler
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{2168245A-B5AD-40D8-A641-48E3E070B5B6}" = Adobe Flash CS4 STI-en
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2349E6AA-CFCA-4D17-B633-3ECDA92E38CD}" = Internet Information Services (IIS) 7.0 Manager
"{2357B8BC-88C9-4A72-818C-050CC4EB0778}" = AOL Install
"{256430AF-D83C-4F55-A6BD-565A94C1C5F9}" = MSDN Library for Visual Studio 2008 Express Editions SP1
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java™ 6 Update 14
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{2A97D5B3-A989-47E1-B207-1CA9E3635655}" = aioprnt
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
"{2BAF2B96-7560-48B4-87D4-10178DDBE217}" = Adobe InDesign CS4 Application Feature Set Files (Roman)
"{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{30C8AA56-4088-426F-91D1-0EDFD3A25678}" = Adobe Dreamweaver CS4
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java™ SE Runtime Environment 6
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{342D4AD7-EC4C-4EC8-AEA6-E70F5905A490}" = SQL Server System CLR Types
"{352310C3-E46B-42D3-8F32-54721FDD72D9}" = NetZeroInstallers
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3BED0238-3A25-41AE-BC23-316914B5B048}" = aioocr
"{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{3C52E7DA-C431-4239-B66B-1BF703D5B194}" = Windows Live Photo Gallery
"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{3E25E350-949F-4DB7-8288-2A60E018B4C1}" = Games, Music, & Photos Launcher
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{428FDF9F-E010-4C4C-A8BB-156960AFCA1C}" = Adobe Fireworks CS4
"{42938595-0D83-404D-9F73-F8177FDD531A}" = ESScore
"{43509E18-076E-40FE-AF38-CA5ED400A5A9}" = Pixel Bender Toolkit
"{43602F34-1AA3-44FB-AEB2-D08C2C73743F}" = Paint.NET v3.36
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4537EA4B-F603-4181-89FB-2953FC695AB1}" = netbrdg
"{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}" = Bonjour
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{4A52555C-032A-4083-BDD9-6A85ABFB39A8}" = Adobe SING CS4
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{4DE3E3D9-AE81-45DE-9195-3015F7B1DBF3}" = Junk Mail filter update
"{5316DFC9-CE99-4458-9AB3-E8726EDE0210}" = skin0001
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer
"{5BE1E709-30E4-3D6D-A708-96CE8D5E5E8D}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
"{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}" = User's Guides
"{5E68BB65-4059-4FE5-AAC4-0CD1D79BBDE2}" = EarthLink Setup Files
"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
"{608D2A3C-6889-4C11-9B54-A42F45ACBFDB}" = fflink
"{60DB5894-B5A1-4B62-B0F3-669A22C0EE5D}" = Adobe Dynamiclink Support
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{63C1109E-D977-49ED-BCE3-D00D0BF187D6}" = Windows Live Mail
"{63C24A08-70F3-4C8E-B9FB-9F21A903801D}" = Adobe Color Video Profiles CS CS4
"{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}" = Adobe Photoshop CS4 Support
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{67F0E67A-8E93-4C2C-B29D-47C48262738A}" = Adobe Device Central CS4
"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
"{693C08A7-9E76-43FF-B11E-9A58175474C4}" = kgckids
"{6A92E5C5-0578-443D-91F3-92ECE5F2CAE2}" = Windows Live Writer
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{73F1681F-ADE1-461F-9F18-B7640507D395}" = ksdip
"{76CD2979-09C0-493A-84B3-8FD97EF4BCEA}" = Windows Live Family Safety
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{779A19AC-A302-425D-B295-F12116C2D731}" = DGOControls
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{791E3D44-33D3-4446-82AD-5CD4B0169083}" = aiofw
"{793D1D88-6141-43DE-BE58-59BCE31B4090}" = Adobe Flash CS4 Extension - Flash Lite STI en
"{79E41D91-BA1C-44B9-9358-48E598263ECF}" = center
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{7C4196CA-CA41-4F34-9C08-7724E7705D52}" = Jasc Animation Shop 3
"{7CC7BDD5-6F10-4724-96A1-EAC7D9F2831C}" = Adobe InDesign CS4 Common Base Files
"{7D95B533-4BA1-4EED-8096-EFCB6DD6B95F}" = AdventureWorksDB
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{7F0C4457-8E64-491B-8D7B-991504365D1E}" = QuickSet
"{8186FF34-D389-4B7E-9A2F-C197585BCFBD}" = Adobe Media Encoder CS4 Importer
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{842FAF7C-50EF-4463-9B8F-6222E1384D7D}" = Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
"{843081BD-351F-46FC-8A17-517A0D9117A3}" = helptut
"{87532CAB-7932-4F84-8937-823337622807}" = Adobe Illustrator CS4
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
"{89CEAE14-DD0F-448E-9554-15781EC9DB24}" = Product Documentation Launcher
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8A8664E1-84C8-4936-891C-BC1F07797549}" = kgcvday
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8AF3E926-ED59-11D4-A44B-0000E86D2305}" = Ulead GIF Animator 5 Trial
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{8EAFF2AD-3DBF-46CD-9CBF-43F60C584477}_is1" = Photoful 0.93
"{8F5E3B9E-ABBD-4B35-BB68-626CB9BE98D6}" = MySQL Server 5.1
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-0021-0000-0000-0000000FF1CE}" = Microsoft Office Visual Web Developer 2007
"{90120000-0021-0409-0000-0000000FF1CE}" = Microsoft Office Visual Web Developer MUI (English) 2007
"{90120000-0021-0409-0000-0000000FF1CE}_VisualWebDeveloper_{E1044ED2-E4AD-4B39-B500-31109750F6B4}" = Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_VisualWebDeveloper_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_VisualWebDeveloper_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{993A1CF7-311D-4990-B41E-77F1A04BADDE}" = AT&T Global Network Client Managed VPN Edition
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{9A33B83D-FFC4-44CF-BEEF-632DECEF2FCD}" = Microsoft SQL Server Database Publishing Wizard 1.3
"{9BD54685-1496-46A5-AB62-357CD140ED8B}" = kgcinvt
"{9CF7DA3A-0BB8-4925-8445-36F14482CB2E}" = DirectX for Managed Code Update (February 2005)
"{A128921B-D03F-4BFB-8141-C365AA48D660}" = Adobe Setup
"{A1588373-1D86-4D44-86C9-78ABD190F9CC}" = kgcmove
"{A1BF9950-8CDB-468E-83FA-EACFB00EA7D5}" = Windows Live Sync
"{A2881E09-38DB-4F79-9135-00FDA01768A7}" = Adobe Creative Suite 4 Design Premium
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A4418082-E601-3954-805B-D56A2B50EC8B}" = Microsoft Visual C# 2008 Express Edition with SP1 - ENU
"{A4512736-8D63-4298-9271-5329931FA46B}" = Microsoft SQL Server Management Studio Express
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{AC76BA86-1033-F400-7760-000000000004}" = Adobe Acrobat 9 Pro - English, Français, Deutsch
"{AC76BA86-1033-F400-7760-000000000004}_912" = Adobe Acrobat 9.1.2 - CPSID_49166
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.2
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{B08D262E-D902-11D5-9C28-0080C85A0C2D}" = ScanWizard 5
"{B09E10DE-75C6-4793-8CA2-927617860200}" = TrackingTime-CS
"{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B30F1434-AB40-458E-B497-8A69DBEAC9E0}_is1" = LittleRGB Color Picker 3.0
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}" = Adobe Photoshop CS4
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{B8C54AB1-7E1A-40E8-B794-EDB6E8921F3A}" = Dell Support Center
"{B9F4561A-924D-4510-A85A-BB0960C338CB}" = Adobe Asset Services CS4
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{BCDB856C-D247-4DEE-9132-89C02F4D6B8C}_is1" = Sothink SWF Decompiler
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{BDE71D53-E30B-44AE-BD6A-368680D6CFF0}" = Microsoft DirectX 9.0 SDK Update (February 2005)
"{BFD96B89-B769-4CD6-B11E-E79FFD46F067}" = QuickTime
"{C0251585-1BE8-4278-B3CB-964B6E01C59D}" = aioscnnr
"{C23587D9-1415-4042-9B3D-43118A4334C7}_is1" = BoontyBox 2.1
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
"{C6DB11F1-EBD1-3AA4-A44D-55630E1E6FDA}" = Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU
"{C6E9540C-4B66-4367-A8CF-570DCFD9F030}" = IIS Manager Admin Pack for IIS 7.0
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CCFF1E13-77A2-4032-8B12-7566982A27DF}" = Internet Service Offers Launcher
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = KODAK All-in-One Printer Software
"{D639085F-4B6E-4105-9F37-A0DBB023E2FB}" = Roxio MyDVD DE
"{D8087907-E255-3A41-A46D-D0F798709C71}" = Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{DB675427-7BE2-4CFC-B0D0-11E601A020E3}" = Microsoft Report Viewer Add-on for Visual Web Developer 2008 Express Edition
"{DC626A21-EDF1-40C7-8F2F-D2BA7535529F}" = helpug
"{DD622B1D-A78E-3FE8-9C8C-246F5764B0D0}" = Microsoft Visual Basic 2008 Express Edition with SP1 - ENU
"{DDF6E319-BCD9-4FE3-9D69-26B2F47BEF7C}" = Microsoft SQL Server 2005 Samples
"{DEB90B8E-0DCB-48CE-B90E-8842A2BD643E}" = Adobe Media Encoder CS4
"{E18B549C-5D15-45DA-8D8F-8FD2BD946344}" = kgcbaby
"{E31BF0CC-B6BC-4570-B9A3-729F2CC73D3B}" = Fidelity Active Trader Pro®
"{E356CBF5-8A06-4D13-B9FB-5254A2FDD205}" = PHP 5.3.0beta1
"{E59113EB-0285-4BFD-A37A-B79EAC6B8F4B}" = Microsoft SQL Server Compact 3.5 SP1 English
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E713653C-8312-4BC6-AFC9-ADE1F2F04AB9}" = ATI PCI Express (3GIO) Filter Driver
"{E721072F-AF17-4E39-8CC4-9811626E2867}" = Clever Island Free Edition
"{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}" = tooltips
"{EAB9C426-6626-7B76-64F3-569FDCA9852D}" = ATI Catalyst Control Center Ex
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F44DA61E-720D-4E79-871F-F6E628B33242}" = OpenOffice.org 3.0
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
"{F5E87B12-3C27-452F-8E78-21D42164FD83}" = Microsoft SQL Server 2008 Management Objects
"{F63A3748-B93D-4360-9AD4-B064481A5C7B}" = Modem Diagnostic Tool
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F6E99614-F042-4459-82B7-8B38B2601356}" = Adobe Flash CS4
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
"{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player
"Adobe_55230b0b70661df0f212e88f0b655f7" = Adobe Creative Suite 4 Design Premium
"Animated GIF Banner Maker" = Animated GIF Banner Maker
"Animated GIF Converter and Booster Pack" = River Past Animated GIF Converter and Booster Pack
"Any Video Converter_is1" = Any Video Converter 2.7.2
"AVI to DVD Converter" = AVI to DVD Converter
"AVI to GIF SWF Converter" = AVI to GIF SWF Converter
"AVIedit 3.38" = AVIedit 3.38
"AVS Update Manager_is1" = AVS Update Manager 1.0
"AVS4YOU Software Navigator_is1" = AVS4YOU Software Navigator 1.3
"AVS4YOU Video Converter 6_is1" = AVS Video Converter 6
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"CutePDF Writer Installation" = CutePDF Writer 2.7
"Deejaysystem Video VJ2_is1" = Deejaysystem Video VJ2 3.3
"Doggie Dash_is1" = Doggie Dash en
"Forex Monitor-Calculator_is1" = Forex Monitor-Calculator 1.45
"Free Create-Burn ISO Image_is1" = Free Create-Burn ISO Image v2.0
"Free ISO Creator (by minidvdsoft)_is1" = Free ISO Creator version 2.8
"Free YouTube Uploader_is1" = Free YouTube Uploader version 2.2
"GIF Animator" = Microsoft GIF Animator
"GoldWave v5.52" = GoldWave v5.52
"Google Desktop" = Google Desktop
"HijackThis" = HijackThis 2.0.2
"ImgBurn" = ImgBurn
"ImTOO DVD Creator" = ImTOO DVD Creator
"Karaoke-DX" = Karaoke for DirectX (remove only)
"KLiteCodecPack_is1" = K-Lite Codec Pack 2.72 Full
"Magic Morph_is1" = Magic Morph 1.95b
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Microsoft Visual Basic 2008 Express Edition with SP1 - ENU" = Microsoft Visual Basic 2008 Express Edition with SP1 - ENU
"Microsoft Visual C# 2008 Express Edition with SP1 - ENU" = Microsoft Visual C# 2008 Express Edition with SP1 - ENU
"Microsoft Visual C++ 2008 Express Edition with SP1 - ENU" = Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
"Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU" = Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU
"Mozilla Firefox (3.5.2)" = Mozilla Firefox (3.5.2)
"Mozilla Thunderbird (2.0.0.19)" = Mozilla Thunderbird (2.0.0.19)
"MP3Tunes v2" = MP3 Tunes v2
"MSDN Library for Visual Studio 2008 Express Editions SP1" = MSDN Library for Visual Studio 2008 Express Editions SP1
"net" = Advertisement Service
"NewsBin5" = NewsBin Pro
"NewzToolz_is1" = NewzToolz v2.0.0
"Picasa 3" = Picasa 3
"PowerISO" = PowerISO
"QuicktimeAlt_is1" = QuickTime Alternative 1.67
"Rmtablet" = Pen Pad Driver with Macro Key Manager
"SpyNoMore" = SpyNoMore 2.93
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Uninstall_is1" = Uninstall 1.0.0.1
"Virtual Magnifying Glass_is1" = Virtual Magnifying Glass v3.3.2
"VisualWebDeveloper" = Microsoft Visual Studio Web Authoring Component
"WampServer 2_is1" = WampServer 2.0
"WinGimp-2.0_is1" = GIMP 2.6.4
"WinLiveSuite_Wave3" = Windows Live Essentials
"Wisdom-soft ScreenHunter 5.1 Free" = Wisdom-soft ScreenHunter 5.1 Free
"Xvid_is1" = Xvid 1.2.1 final uninstall
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Toolbar" = Yahoo! Toolbar
"YInstHelper" = Yahoo! Install Manager

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"History Killer Pro" = History Killer Pro 5.0.1

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

#4 Perplexus (Lord of the Geeks, Malware Removal, 1,185 posts)
Hi David08052,

I need you to post the RootRepeal log as well. If you don't have it, then run it again.

Also, I see you have a topic open at Bleeping Computer as well:

http://www.bleepingc...opic251093.html

Opening topics at different sites is a waste of time for all involved as efforts are duplicated and each site is trying to fix a moving machine state. :)

I will be more than happy to help you, but you need to let them know you are already receiving help here :)
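Since the helper is asking for the RootRepeal log, here is an added example (written for this thread, not RootRepeal's own code or anything from the posts) of a small triage script for that log's Hidden/Locked Files section: it separates entries hidden from the Windows API, which is how a kernel-mode rootkit conceals its files and why they never show up in Explorer, from merely locked entries, which are normally benign, and derives the random name prefix the hidden family shares. The embedded log excerpt is constructed; its kbiwkm paths are the ones quoted later in this thread.

```python
"""Triage the Hidden/Locked Files section of a RootRepeal log.

Added example for this thread, not RootRepeal's code and not from the posts.
"Invisible to the Windows API!" marks a file present on disk but missing from
normal directory listing, which is how a kernel-mode rootkit hides its files;
"Locked" entries merely could not be opened and are usually benign.
"""
import os
from collections import Counter

INVISIBLE = "Invisible to the Windows API!"
SECTION = "Hidden/Locked Files"

# Constructed excerpt in RootRepeal's report layout: the kbiwkm* paths are the
# ones quoted in this thread, the other lines are illustrative filler.
SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2009
Scan Start Time: 2009/08/21 08:46
Windows Version: Windows Vista SP1

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Windows\System32\kbiwkmcbrffgvd.dll
Status: Invisible to the Windows API!

Path: C:\Windows\System32\kbiwkmkturrjqs.dat
Status: Invisible to the Windows API!

Path: C:\Windows\Temp\kbiwkmmcsraoixxb.tmp
Status: Invisible to the Windows API!

Path: C:\Windows\System32\drivers\kbiwkmcvvjiiwk.sys
Status: Invisible to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8.cat
Status: Locked to the Windows API!

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!
"""


def parse_hidden_files(text):
    """Return [(path, status), ...] from the Hidden/Locked Files section.

    Any other non-empty, non-dashed line ends the section: RootRepeal opens
    the next section (e.g. "Processes") with a bare heading.
    """
    entries, in_section, path = [], False, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == SECTION:
            in_section = True
        elif not in_section or not line or line.startswith("-"):
            continue
        elif line.startswith("Path: "):
            path = line[len("Path: "):]
        elif line.startswith("Status: ") and path is not None:
            entries.append((path, line[len("Status: "):]))
            path = None
        else:
            in_section = False
    return entries


def basename(path):
    """Last component of a Windows path, independent of the host OS."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def common_prefix(names, min_len=4):
    """Case-insensitive prefix shared by all names, or '' if shorter than min_len."""
    prefix = os.path.commonprefix([n.lower() for n in names])
    return prefix if len(prefix) >= min_len else ""


def triage(text):
    """Split invisible from locked entries and summarise the hidden family."""
    entries = parse_hidden_files(text)
    invisible = [p for p, s in entries if s == INVISIBLE]
    names = [basename(p) for p in invisible]
    return {
        "invisible": invisible,
        "locked": [p for p, s in entries if s != INVISIBLE],
        "prefix": common_prefix(names),
        "extensions": Counter(n.rsplit(".", 1)[-1].lower() for n in names),
    }


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"{len(r['locked'])} locked (normally benign), {len(r['invisible'])} invisible")
    print(f"hidden family prefix: {r['prefix']!r}, components: {dict(r['extensions'])}")
```

Run against a real RootRepeal report, the prefix and the component types (driver, DLLs, data files) are what a helper looks at first; the locked list is usually long and safe to skim.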

#5 Perplexus (Lord of the Geeks, Malware Removal, 1,185 posts)
Hi David08052,

From here on out, please do no more cleaning or running of tools that I don't ask for. That way I can tell what each tool has accomplished and to better plan the next step. :)

Let's see what we can do to get your machine clean. :)

------------------
Step 1:
------------------

Download Combofix from any of the links below and save it to your desktop. You must rename it to Combo-Fix.exe before saving it.

Link 1
Link 2

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using FireFox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to Always ask me where to Save the files
  • During the download, rename it to Combo-Fix.exe as follows:

    [screenshot]

    [screenshot]
  • It is important to rename it during the download and not after.
  • Please do not rename it to something other than what was indicated.
  • Make sure to do the following:
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • Warning: ComboFix will disconnect your machine from the internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt log so we can continue cleaning the system.
**Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall**

------------------
Step 2:
------------------

Please post back with the following:
  • How your machine is running
  • C:\ComboFix.txt log


#6 David08052 (Topic Starter, New Member, 9 posts)
Hi,
1. Please excuse the duplicate post on my part. My topic has been closed on BleepingComputer. The Microsoft board recommended that I contact five sites. That poster could have mentioned one at a time. In any event, you were the first to respond and I'm happy you did so. Please excuse this. I wonder if you are connected with Best Buy?

2. I haven't done any cleaning since my first post here. I have run RootRepeal a couple of times in report mode. I have just completed running it again and am posting the log here.

RootRepeal identifies objects with the prefix c:\Windows\System32\kbiwkm which I can't find on my computer, even though I have set hidden files and hidden system files to show. So, I can't find c:\Windows\system32\kbiwkmcbrffgvd.dll etc. Do you know if these files actually exist or whether they might be something that is referenced in a registry entry?

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/21 08:46
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\Windows\System32\Drivers\dump_atapi.sys
Address: 0x8C4B1000 Size: 32768 File Visible: No Signed: -
Status: -

Name: dump_dumpata.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys
Address: 0x8C4A6000 Size: 45056 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0x9DDB3000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\System Volume Information\{13249a3e-8d97-11de-bb06-001c23a7e026}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{13249a5b-8d97-11de-bb06-001c23a7e026}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{5b36c332-8d7d-11de-ad8f-001c23a7e026}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{74f00d3b-8e46-11de-9637-001c23a7e026}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{98368338-8cb3-11de-8976-001c23a7e026}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{ee3bbde5-8db2-11de-8fb4-001c23a7e026}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\Windows\System32\kbiwkmcbrffgvd.dll
Status: Invisible to the Windows API!

Path: C:\Windows\System32\kbiwkmkturrjqs.dat
Status: Invisible to the Windows API!

Path: C:\Windows\System32\kbiwkmvbteufjw.dat
Status: Invisible to the Windows API!

Path: C:\Windows\System32\kbiwkmyitmvvwx.dll
Status: Invisible to the Windows API!

Path: C:\Windows\Temp\kbiwkmmcsraoixxb.tmp
Status: Invisible to the Windows API!

Path: C:\Windows\Microsoft.NET\Framework\NETFXS~1.HKF
Status: Locked to the Windows API!

Path: C:\Windows\System32\drivers\kbiwkmcvvjiiwk.sys
Status: Invisible to the Windows API!

Path: C:\Windows\inf\.NET CLR Data\_DATAP~1.H
Status: Locked to the Windows API!

Path: C:\Windows\inf\.NET CLR Networking\_NETWO~1.H
Status: Locked to the Windows API!

Path: C:\Windows\inf\.NET Data Provider for SqlServer\_DATAP~2.H
Status: Locked to the Windows API!

Path: C:\Windows\inf\.NETFramework\CORPER~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9849.0_none_a6e7a8e20e9863b4.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_4ddfc6cd11929a02.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_8550c6b5d18a9128.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9818.0_none_b7e811947b297f6d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_dcc7eae99ad0d9cf.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.debugcrt_1fc8b3b9a1e18e3b_9.0.30729.1_none_bb1f6aa1308c35eb.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_54c11df268b7c6d9.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_58843c41d2730d3f.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_365945b9da656e4d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.21022.8_none_b81d038aaf540e86.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_a6dea5dc0ea08098.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\amd64_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.30729.1_none_57b67ceb7de564e6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.0.0_none_3658456fda6654f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_58b19c2866332652.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_81c25f21d3d46d84.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9848.0_none_b7e811287b298060.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.1_none_7dd1e0ebd6590e0b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8dd7dea5d5a7a18a.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\amd64_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.30729.1_none_c9dd3cb0e555217c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edeada.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_5c4003bc63e949f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.4148_none_f0efb442f8a0f46c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.805_none_9196a9bc671b2587.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.30729.1_none_9f63b3c292618dec.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a620671dde41.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.1801_none_d088a2ec442ef17b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d1c738ec43578ea1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c0566bec5b24.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_818f59bf601aa775.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_e29d1181971ae11e.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.4148_none_51ca66a2bbe76806.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_60a5df56e60dc5df.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.1801_none_516953ad0f4d16c4.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_abac38a907ee8801.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.30729.1_none_118a7387f9d14a82.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_d6c3e7af9bae13a2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.21022.8_none_bdf22a22ab9e15d5.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053e8c6967ba9d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9849.0_none_b7e911727b2899b7.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.21022.8_none_5d1777c2e857a23b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.21022.8_none_b59bae9d65014b98.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.1_none_da4695fc507e16e1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_ecdf8c290e547f39.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_7ab8cc63a6e4c2a3.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.1.microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_8b7b15c031cda6db.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.805_none_10b5f8fb9bfd003e.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_dc990e4797f81af1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_b7e00e6c7b30b69b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.21022.8_none_5926f98ceadc42c2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_0e9c2a8d74fd3ce6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.21022.8_none_5ce47260749ddc2c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.debugcrt_1fc8b3b9a1e18e3b_9.0.30729.1_none_61305e07e4f1bc01.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d218504d2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9848.0_none_a6e6a8980e994a5d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16789_none_09360999522be962\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16885_none_09320a57522f812d\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.20976_none_09c777586b441e5d\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.21083_none_09b97eb06b4f218b\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18000_none_0b69c31f4f19b995\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18185_none_0b1847174f5614f7\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regsql_cfg_b03f5f7f11d50a3a_6.0.6000.16720_none_7c654fdc62654993\ASPNET~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regsql_cfg_b03f5f7f11d50a3a_6.0.6000.20883_none_659d66807c078e86\ASPNET~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regsql_cfg_b03f5f7f11d50a3a_6.0.6001.18111_none_7c40349262b75634\ASPNET~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_regsql_cfg_b03f5f7f11d50a3a_6.0.6001.22230_none_6574a52e7c5ccf47\ASPNET~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_uninstallsqlstatetem_b03f5f7f11d50a3a_6.0.6000.16720_none_04c87b54ba4ac535\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_uninstallsqlstatetem_b03f5f7f11d50a3a_6.0.6000.20883_none_ee0091f8d3ed0a28\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_uninstallsqlstatetem_b03f5f7f11d50a3a_6.0.6001.18111_none_04a3600aba9cd1d6\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_uninstallsqlstatetem_b03f5f7f11d50a3a_6.0.6001.22230_none_edd7d0a6d4424ae9\UNINST~1.SQL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\APPCON~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\APPSET~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\DEBUGA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\DEFINE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\EDITAP~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4f196f15369ae496\SMTPSE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\APPCON~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\APPSET~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\DEBUGA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\DEFINE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\EDITAP~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6000.20883_none_385185b9503d2989\SMTPSE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\APPCON~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\APPSET~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\DEBUGA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\DEFINE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\EDITAP~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4ef453cb36ecf137\SMTPSE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\APPCON~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\APPSET~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\DEBUGA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\DEFINE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\EDITAP~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appcfg_res_b03f5f7f11d50a3a_6.0.6001.22230_none_3828c46750926a4a\SMTPSE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.16720_none_4ef4fbb8699d6b09\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.16720_none_4ef4fbb8699d6b09\DEFINE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.16720_none_4ef4fbb8699d6b09\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.20883_none_382d125c833faffc\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.20883_none_382d125c833faffc\DEFINE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6000.20883_none_382d125c833faffc\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6001.18111_none_4ecfe06e69ef77aa\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6001.18111_none_4ecfe06e69ef77aa\DEFINE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_appconfig_b03f5f7f11d50a3a_6.0.6001.18111_none_4ecfe06e69ef77aa\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6000.16720_none_950a4e2fda3ee0ba\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6000.16720_none_950a4e2fda3ee0ba\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6000.20883_none_7e4264d3f3e125ad\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6000.20883_none_7e4264d3f3e125ad\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6001.18111_none_94e532e5da90ed5b\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6001.18111_none_94e532e5da90ed5b\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6001.22230_none_7e19a381f436666e\CREATE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_permissions_b03f5f7f11d50a3a_6.0.6001.22230_none_7e19a381f436666e\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4cb2b120b7498755\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6000.16720_none_4cb2b120b7498755\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6000.20883_none_35eac7c4d0ebcc48\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6000.20883_none_35eac7c4d0ebcc48\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4c8d95d6b79b93f6\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6001.18111_none_4c8d95d6b79b93f6\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6001.22230_none_35c20672d1410d09\CREATE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_perm_res_b03f5f7f11d50a3a_6.0.6001.22230_none_35c20672d1410d09\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.16720_none_7325c867d7281910\CHOOSE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.16720_none_7325c867d7281910\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.16720_none_7325c867d7281910\MANAGE~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.20883_none_5c5ddf0bf0ca5e03\CHOOSE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.20883_none_5c5ddf0bf0ca5e03\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6000.20883_none_5c5ddf0bf0ca5e03\MANAGE~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.18111_none_7300ad1dd77a25b1\CHOOSE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.18111_none_7300ad1dd77a25b1\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.18111_none_7300ad1dd77a25b1\MANAGE~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_secur_res_b03f5f7f11d50a3a_6.0.6000.16720_none_c39efe8a3f927437\SETUPA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_secur_res_b03f5f7f11d50a3a_6.0.6000.20883_none_acd7152e5934b92a\SETUPA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_secur_res_b03f5f7f11d50a3a_6.0.6001.18111_none_c379e3403fe480d8\SETUPA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_secur_res_b03f5f7f11d50a3a_6.0.6001.22230_none_acae53dc5989f9eb\SETUPA~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_users_res_b03f5f7f11d50a3a_6.0.6000.16720_none_b103fb905f6db0d9\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_users_res_b03f5f7f11d50a3a_6.0.6000.20883_none_9a3c1234790ff5cc\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_users_res_b03f5f7f11d50a3a_6.0.6001.18111_none_b0dee0465fbfbd7a\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_web_config_b03f5f7f11d50a3a_6.0.6000.16720_none_9e3e9a071d8dacdd\WEBCON~1.DEF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_web_config_b03f5f7f11d50a3a_6.0.6000.20883_none_8776b0ab372ff1d0\WEBCON~1.DEF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_core_schema__b03f5f7f11d50a3a_6.0.6000.16720_none_b462fc0cbe880bcb\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_core_schema__b03f5f7f11d50a3a_6.0.6000.20883_none_9d9b12b0d82a50be\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_core_schema__b03f5f7f11d50a3a_6.0.6001.18111_none_b43de0c2beda186c\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-msbuild_core_schema__b03f5f7f11d50a3a_6.0.6001.22230_none_9d72515ed87f917f\MICROS~1.XSD
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.22230_none_5c351db9f11f9ec4\CHOOSE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.22230_none_5c351db9f11f9ec4\MANAGE~1.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_6.0.6001.22230_none_5c351db9f11f9ec4\MANAGE~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_roles_b03f5f7f11d50a3a_6.0.6001.18111_none_75c874a9a137a5f0\MANAGE~2.ASP
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webadmin_users_res_b03f5f7f11d50a3a_6.0.6001.22230_none_9a1350e27965368d\MANAGE~1.RES
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_web_config_b03f5f7f11d50a3a_6.0.6001.18000_none_9e18955f1de08635\WEBCON~1.DEF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-redist_config_files_b03f5f7f11d50a3a_6.0.6000.16720_none_7b4eba45cecd6936\IEEXEC~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-redist_config_files_b03f5f7f11d50a3a_6.0.6000.20883_none_6486d0e9e86fae29\IEEXEC~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-redist_config_files_b03f5f7f11d50a3a_6.0.6001.18111_none_7b299efbcf1f75d7\IEEXEC~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-redist_config_files_b03f5f7f11d50a3a_6.0.6001.22230_none_645e0f97e8c4eeea\IEEXEC~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.16386_none_ea83414c2e75b887\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_regasm_b03f5f7f11d50a3a_6.0.6000.16720_none_173a294b153205b9\REGASM~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_regasm_b03f5f7f11d50a3a_6.0.6000.20883_none_00723fef2ed44aac\REGASM~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_regasm_b03f5f7f11d50a3a_6.0.6001.18000_none_171424a31584df11\REGASM~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_regasm_b03f5f7f11d50a3a_6.0.6001.18111_no

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1252 Status: Locked to the Windows API!

SSDT
-------------------
SYSENTER/INT2E Hooked [0x3da73da6]!

ServiceTable Hooked [0x3da93da8]!

Stealth Objects
-------------------
Object: Hidden Module [Name: kbiwkmcbrffgvd.dll]
Process: svchost.exe (PID: 820) Address: 0x10000000 Size: 53248

Object: Hidden Module [Name: kbiwkmyitmvvwx.dll]
Process: sqlbrowser.exe (PID: 2900) Address: 0x10000000 Size: 28672

Hidden Services
-------------------
Service Name: kbiwkmxyiexont
Image Path: C:\Windows\system32\drivers\kbiwkmcvvjiiwk.sys

==EOF==

3. Thank you for showing me how to do "save as" in Firefox. I have been wanting to know that.

4. ComboFix

ComboFix 09-08-20.07 - Admin 08/21/2009 10:01.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1917.1277 [GMT -4:00]
Running from: c:\usr\spyware-combofix.090821.v.x\Combo-Fix.exe
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500
c:\$recycle.bin\S-1-5-21-1766564128-518351188-3516307728-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\progra~2\MICROS~1\Windows\STARTM~1\Internet Explorer.lnk
c:\windows\system32\drivers\kbiwkmcvvjiiwk.sys
c:\windows\system32\kbiwkmcbrffgvd.dll
c:\windows\system32\kbiwkmkturrjqs.dat
c:\windows\system32\kbiwkmvbteufjw.dat
c:\windows\system32\kbiwkmyitmvvwx.dll
c:\windows\system32\sgswejl.dll
c:\windows\UA000059.DLL

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Boonty Games
-------\Service_kbiwkmxyiexont


((((((((((((((((((((((((( Files Created from 2009-07-21 to 2009-08-21 )))))))))))))))))))))))))))))))
.

2009-08-20 18:32 . 2009-08-20 18:32 0 ----a-w- c:\windows\system32\settings.dat
2009-08-20 17:45 . 2009-08-20 17:45 -------- d-----w- c:\users\Admin\AppData\Roaming\Emergency Soft
2009-08-18 21:35 . 2009-08-18 21:35 1152 ----a-w- c:\windows\system32\windrv.sys
2009-08-18 21:34 . 2009-08-18 21:34 -------- d-----w- c:\users\Admin\spynomore.0908.v.x
2009-08-18 21:01 . 2009-08-19 20:57 -------- d-----w- C:\zz.web.pix
2009-08-18 18:35 . 2009-08-18 18:34 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-08-18 18:01 . 2009-08-18 18:40 -------- d-----w- c:\users\Admin\Tracing
2009-08-18 18:01 . 2009-02-06 22:08 55280 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2009-08-18 17:59 . 2009-08-18 17:59 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-08-18 17:59 . 2006-11-29 17:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-08-18 17:57 . 2009-08-18 17:57 -------- d-----w- c:\program files\Microsoft
2009-08-18 17:57 . 2009-08-18 17:57 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-08-18 17:57 . 2009-08-18 18:01 -------- d-----w- c:\program files\Windows Live
2009-08-18 17:52 . 2009-08-18 17:52 -------- d-----w- c:\program files\Common Files\Windows Live
2009-08-18 17:39 . 2008-06-06 03:27 38912 ----a-w- c:\windows\system32\xolehlp.dll
2009-08-18 17:39 . 2008-06-06 03:27 562176 ----a-w- c:\windows\system32\msdtcprx.dll
2009-08-18 17:39 . 2009-04-23 12:43 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-08-18 17:39 . 2009-06-10 12:12 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-18 17:39 . 2009-04-23 12:42 636928 ----a-w- c:\windows\system32\localspl.dll
2009-08-18 17:39 . 2009-04-30 12:37 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-08-18 17:39 . 2009-04-30 12:37 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-18 17:39 . 2009-03-03 04:46 3599328 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-18 17:39 . 2009-03-03 04:46 3547632 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-18 17:39 . 2009-03-03 04:40 499200 ----a-w- c:\windows\system32\wbem\WmiPrvSD.dll
2009-08-18 17:39 . 2009-03-03 04:39 551424 ----a-w- c:\windows\system32\rpcss.dll
2009-08-18 17:39 . 2009-03-03 04:36 615424 ----a-w- c:\windows\system32\wbem\fastprox.dll
2009-08-18 17:39 . 2009-03-03 02:16 247296 ----a-w- c:\windows\system32\wbem\WmiPrvSE.exe
2009-08-18 17:37 . 2009-03-17 03:38 13824 ----a-w- c:\windows\system32\apilogen.dll
2009-08-18 17:37 . 2009-03-17 03:38 24064 ----a-w- c:\windows\system32\amxread.dll
2009-08-18 17:37 . 2009-07-14 13:00 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-08-18 17:37 . 2009-07-14 12:58 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-08-18 17:37 . 2009-07-14 12:59 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-08-18 17:37 . 2009-07-14 10:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-08-18 16:11 . 2009-08-18 17:01 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2009-08-17 22:26 . 2009-08-20 13:22 -------- d-----w- C:\cvt
2009-08-14 19:32 . 2009-08-14 19:44 -------- d-----w- C:\zz.augustgold
2009-08-13 23:10 . 2009-08-13 23:10 -------- d-----w- c:\users\Admin\AppData\Roaming\ASkySoft
2009-08-13 19:08 . 2009-08-13 19:08 -------- d-----w- c:\users\Admin\AppData\Roaming\Jasc
2009-08-13 19:07 . 2009-08-13 19:07 -------- d-----w- c:\program files\Jasc Software Inc
2009-08-13 14:02 . 2009-08-14 15:07 -------- d-----w- C:\zz.web
2009-08-11 14:35 . 2009-08-11 14:35 -------- d-----w- c:\program files\William O'Neil + Co. Inc
2009-08-11 14:34 . 2009-08-11 14:34 -------- d-----w- c:\users\Admin\AppData\Roaming\InstallShield
2009-08-10 18:00 . 2009-08-10 18:53 -------- d-----w- C:\zz.dev.flash
2009-08-02 18:45 . 2009-08-19 13:59 -------- d-----w- C:\zz.flash
2009-07-31 21:35 . 2009-07-31 21:35 -------- d-----w- c:\users\Admin\AppData\Local\SourceTec
2009-07-31 21:35 . 2009-07-31 21:35 -------- d-----w- c:\program files\Common Files\SourceTec
2009-07-27 19:07 . 2009-07-27 19:07 -------- d-----w- c:\progra~2\GoldWave
2009-07-23 18:37 . 2009-07-23 18:37 -------- d-----w- C:\Thirteenth Floor.xlisoft.iso
2009-07-22 14:38 . 2009-08-17 13:46 -------- d-----w- C:\zz.dweaver.class

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-20 17:45 . 2009-03-23 12:02 333236 ----a-w- c:\users\Admin\AppData\Roaming\Emergency Soft\History Killer Pro\Uninst.exe
2009-08-20 17:45 . 2009-03-23 12:02 315723 ----a-w- c:\users\Admin\AppData\Roaming\Emergency Soft\History Killer Pro\Updater.exe
2009-08-20 17:45 . 2009-03-23 12:02 1419264 ----a-w- c:\users\Admin\AppData\Roaming\Emergency Soft\History Killer Pro\HistoryKillerPro.exe
2009-08-18 18:34 . 2007-10-05 15:13 -------- d-----w- c:\program files\Java
2009-08-18 18:22 . 2009-01-07 17:52 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-18 18:20 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-18 18:14 . 2008-02-19 20:45 -------- d-----w- c:\progra~2\Microsoft Help
2009-08-18 18:13 . 2007-10-05 15:36 -------- d-----w- c:\program files\Microsoft Works
2009-08-18 18:09 . 2008-02-19 20:14 -------- d-----w- c:\program files\Microsoft SQL Server
2009-08-18 17:59 . 2009-01-07 18:31 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-08-17 18:04 . 2009-08-17 18:04 54784 ----a-w- c:\windows\system32\drivers\UACrbsmstypye.sys.orig
2009-08-13 23:38 . 2009-02-09 15:50 -------- d-----w- c:\users\Admin\AppData\Roaming\gtk-2.0
2009-08-11 14:35 . 2007-10-05 15:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-31 21:53 . 2009-01-17 00:22 -------- d-----w- c:\progra~2\NOS
2009-07-31 21:53 . 2009-01-17 00:22 -------- d-----w- c:\program files\NOS
2009-07-21 21:52 . 2009-08-18 17:46 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-08-18 17:46 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-08-18 17:46 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-08-18 17:46 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-21 01:13 . 2009-04-23 12:46 -------- d-----w- c:\program files\AVS4YOU
2009-07-21 01:13 . 2009-04-23 12:46 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-07-17 14:35 . 2009-08-18 17:38 71680 ----a-w- c:\windows\system32\atl.dll
2009-06-25 14:18 . 2009-06-25 14:16 -------- d-----w- c:\users\Admin\AppData\Roaming\NewzToolz
2009-06-18 16:14 . 2007-10-21 19:59 1958880 ----a-w- c:\users\Admin\AppData\Roaming\oarnett.zip
2009-06-15 18:20 . 2009-08-18 17:38 439896 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-15 15:24 . 2009-08-18 17:38 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-06-15 15:24 . 2009-08-18 17:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 15:24 . 2009-08-18 17:38 72704 ----a-w- c:\windows\system32\secur32.dll
2009-06-15 15:24 . 2009-08-18 17:38 270848 ----a-w- c:\windows\system32\schannel.dll
2009-06-15 15:23 . 2009-08-18 17:38 1256448 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-15 15:22 . 2009-08-18 17:38 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-15 15:21 . 2009-08-18 17:38 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-06-15 15:20 . 2009-08-18 17:38 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 15:20 . 2009-08-18 17:38 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:57 . 2009-08-18 17:38 9728 ----a-w- c:\windows\system32\lsass.exe
2009-06-15 12:52 . 2009-08-18 17:38 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-06-10 12:07 . 2009-08-18 17:38 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-06-08 13:32 . 2009-06-08 13:32 261 ----a-w- C:\rename3.bat
2009-06-04 12:34 . 2009-08-18 17:38 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-01 18:28 . 2009-04-13 16:54 11270 --sha-w- c:\windows\system32\KGyGaAvL.sys
2007-10-05 22:56 . 2007-10-05 22:48 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"NetSP - restore settings on power failure"="c:\program files\AT&T Global Network Client\NetSP.exe" [2007-06-27 42264]
"PxDotNetLoader"="c:\usr\fidelityatp\Fidelity Active Trader\System\ATPStartupAssistant.exe" [2009-03-25 42336]
"SpybotSD TeaTimer"="c:\usr\spybot.0908.v.1.6.2\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-20 815104]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1540096]
"dscactivate"="c:\dell\dsca.exe" [2007-07-30 16384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-18 148888]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-13 405504]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-04-08 1511424]
"SNM"="c:\users\Admin\spynomore.0908.v.x\SpyNoMore\SNM.exe" [2009-05-22 1068496]
"MacrokeyManager"="WTMKM.exe" - c:\windows\System32\WTMKM.exe [2008-01-22 1969824]

c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-10-5 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1766564128-518351188-3516307728-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{0A771EC0-0138-46FD-B625-C28597D5DD34}c:\\sys\\cygwin\\usr\\x11r6\\bin\\xwin.exe"= UDP:c:\sys\cygwin\usr\x11r6\bin\xwin.exe:XWin
"UDP Query User{7514420F-1798-407E-BDD4-8FB883C5DB00}c:\\sys\\cygwin\\usr\\x11r6\\bin\\xwin.exe"= TCP:c:\sys\cygwin\usr\x11r6\bin\xwin.exe:XWin
"TCP Query User{0A8B0BCE-D091-4ECD-9489-CF5577B433F5}c:\\sys\\cygwin\\usr\\x11r6\\bin\\xwin.exe"= UDP:c:\sys\cygwin\usr\x11r6\bin\xwin.exe:XWin
"UDP Query User{46E1C47E-9F80-4DE9-ABAB-D4A82EDF8B52}c:\\sys\\cygwin\\usr\\x11r6\\bin\\xwin.exe"= TCP:c:\sys\cygwin\usr\x11r6\bin\xwin.exe:XWin
"TCP Query User{C0449049-F796-46B9-9011-76C22C309EAF}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{727D8221-F194-4527-909A-0C02373757C0}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{C3D0B382-7832-4A15-B9B7-B68489A8FF92}c:\\windows\\system32\\ftp.exe"= UDP:c:\windows\system32\ftp.exe:File Transfer Program
"UDP Query User{8B126F57-92F2-4C4F-B799-434A0E2225E4}c:\\windows\\system32\\ftp.exe"= TCP:c:\windows\system32\ftp.exe:File Transfer Program
"{A7E8BC0C-81A8-4422-A8BD-12A8485E0DD8}"= UDP:3303:MySQL Server
"{4D695F4A-513D-4F1D-9DA2-489ADAA7914A}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{10E0F801-6B54-4816-8955-E79CD38AEFDF}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{36121F3F-B6D8-404E-9FA4-19F3D35CB1C8}"= UDP:9322:EKDiscovery
"{60251FDA-AC14-4E83-980F-72FBB3B74F1E}"= UDP:9323:EKDiscovery
"{9CBB7F13-EA7D-4F51-A289-56D96BEF9BB4}"= UDP:5353:Adobe CSI CS4
"{BD62C096-6803-4C73-A019-D867A66BE8AC}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{40C1ACA2-FAF4-441D-B7DC-8842E4F6A1F0}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{77E61D8D-658C-4410-8DE2-95F164988DCE}"= UDP:3703:Adobe Version Cue CS4 Server
"{B895073E-CD49-479E-BC2C-EAD345DCE9D1}"= UDP:3704:Adobe Version Cue CS4 Server
"{BA068AAD-72FD-45F3-912B-7F8EE7EBA0F8}"= UDP:51000:Adobe Version Cue CS4 Server
"{BD77C896-0CDE-478D-9DAF-FDF5A65EBA6C}"= UDP:51001:Adobe Version Cue CS4 Server
"{D457ED17-4B2F-468C-A808-E6CD3503B52B}"= UDP:c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe:Adobe Version Cue CS4 Server
"{FB43DE28-9561-4978-BD22-9C9212B4529A}"= TCP:c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe:Adobe Version Cue CS4 Server
"{78D7D76C-5FDB-477C-A7D5-F1A31827EFC7}"= UDP:c:\usr\nb553\nbpro.exe:NewsBin Pro
"{FD7029C7-B666-475D-A908-1A1187B58E63}"= TCP:c:\usr\nb553\nbpro.exe:NewsBin Pro
"TCP Query User{AA2925A0-52AD-4E6F-8C2A-25AFE6048D15}c:\\program files\\adobe\\adobe dreamweaver cs4\\dreamweaver.exe"= UDP:c:\program files\adobe\adobe dreamweaver cs4\dreamweaver.exe:Adobe Dreamweaver CS4
"UDP Query User{1A7B3026-47ED-4670-AD23-76ABD8761D66}c:\\program files\\adobe\\adobe dreamweaver cs4\\dreamweaver.exe"= TCP:c:\program files\adobe\adobe dreamweaver cs4\dreamweaver.exe:Adobe Dreamweaver CS4
"{D5E8C7DA-FE83-47B3-9BA9-8D49FBB16FC2}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\usr\\anim-gif-river\\Animated GIF Converter and Booster Pack\\VideoCleaner.exe"= c:\usr\anim-gif-river\Animated GIF Converter and Booster Pack\VideoCleaner.exe:*:Enabled:River Past Animated GIF Converter

R2 cron;Cron daemon;c:\sys\cygwin\bin\cygrunsrv.exe [12/19/2008 2:54 PM 68096]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [10/30/2008 11:58 AM 28672]
R2 SBSDWSCService;SBSD Security Center Service;c:\usr\spybot.0908.v.1.6.2\Spybot - Search & Destroy\SDWinSec.exe [8/18/2009 12:11 PM 1153368]
R2 WTService;WTService;c:\windows\system32\atwtusb.exe -s --> c:\windows\system32\atwtusb.exe -s [?]
R3 agnfilt;AGN Filter Interface;c:\windows\System32\drivers\agnfilt.sys [8/19/2008 7:49 PM 218368]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\Printer\Center\EKDiscovery.exe [10/10/2008 1:33 PM 274432]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
S3 avpnnic;AGN Virtual Network Adapter;c:\windows\System32\drivers\avpnnic.sys [8/19/2008 7:49 PM 11264]
S3 BrlAPI;BrlAPI;c:\sys\cygwin\bin\cygrunsrv.exe [12/19/2008 2:54 PM 68096]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [8/18/2009 2:01 PM 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [10/5/2007 11:36 AM 29744]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
BHO-{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
HKCU-Run-AdobeBridge - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
TCP: {D5FE327B-93AF-4D52-9563-162C97363844} = 192.193.215.65,192.193.215.69
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hr90q0gr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\kbiwkmxyiexont]
"imagepath"="\systemroot\system32\drivers\kbiwkmcvvjiiwk.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\kbiwkmxyiexont]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\kbiwkmcvvjiiwk.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(716)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'Explorer.exe'(3872)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\wisptis.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\BCMWLTRY.EXE
c:\sys\cygwin\usr\sbin\cron.exe
c:\windows\System32\wisptis.exe
c:\program files\AT&T Global Network Client\netcfgsvr.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\System32\stacsv.exe
c:\windows\System32\atwtusb.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\ehome\ehmsas.exe
c:\windows\System32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2009-08-21 10:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-21 14:30

Pre-Run: 5,416,562,688 bytes free
Post-Run: 5,012,086,784 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,5
365 --- E O F --- 2009-08-20 15:29

ComboFix deleted the kbi stuff. I think that's it.

BTW, what is a rootkit? I'm guessing it's the files in C:\

David
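The two reports in this post can be checked against each other mechanically: RootRepeal names the hidden modules, the hidden service and its driver, and ComboFix lists what it deleted. The script below is an added example for this thread, not something the poster or the helper ran. It parses the sections shown above (embedded as a constructed sample trimmed from the logs on this page), derives the random prefix the rootkit's files share, lists every deleted file carrying that prefix (including the two .dat companions RootRepeal never surfaced), and reports any RootRepeal indicator the ComboFix run did not account for. The banner format, field names and file names come from the logs; the five-character minimum for trusting a common prefix is an assumption.

```python
import ntpath
import os
import re

# Constructed sample: the RootRepeal and ComboFix sections from this thread, trimmed.
ROOTREPEAL_SAMPLE = r"""
SSDT
-------------------
SYSENTER/INT2E Hooked [0x3da73da6]!
ServiceTable Hooked [0x3da93da8]!
Stealth Objects
-------------------
Object: Hidden Module [Name: kbiwkmcbrffgvd.dll]
Process: svchost.exe (PID: 820) Address: 0x10000000 Size: 53248
Object: Hidden Module [Name: kbiwkmyitmvvwx.dll]
Process: sqlbrowser.exe (PID: 2900) Address: 0x10000000 Size: 28672
Hidden Services
-------------------
Service Name: kbiwkmxyiexont
Image Path: C:\Windows\system32\drivers\kbiwkmcvvjiiwk.sys
"""

COMBOFIX_SAMPLE = r"""
((((((((((((((((((( Other Deletions )))))))))))))))))))
c:\windows\system32\drivers\kbiwkmcvvjiiwk.sys
c:\windows\system32\kbiwkmcbrffgvd.dll
c:\windows\system32\kbiwkmkturrjqs.dat
c:\windows\system32\kbiwkmvbteufjw.dat
c:\windows\system32\kbiwkmyitmvvwx.dll
c:\windows\system32\sgswejl.dll
c:\windows\UA000059.DLL
((((((((((((((((((( Drivers/Services )))))))))))))))))))
-------\Service_Boonty Games
-------\Service_kbiwkmxyiexont
"""

SSDT_HOOK_RE = re.compile(r"^(?P<what>\S+) Hooked \[(?P<addr>0x[0-9a-f]+)\]!", re.M | re.I)
HIDDEN_MODULE_RE = re.compile(
    r"Object: Hidden Module \[Name: (?P<name>[^\]]+)\]\s*Process: (?P<proc>\S+) \(PID: (?P<pid>\d+)\)")
HIDDEN_SERVICE_RE = re.compile(r"Service Name: (?P<name>\S+)\s*Image Path: (?P<path>.+)")
SECTION_RE = re.compile(r"^\(+\s*(?P<title>.+?)\s*\)+\s*$", re.M)   # ComboFix "((( Title )))" banner
WIN_PATH_RE = re.compile(r"^[a-z]:\\", re.I)


def parse_rootrepeal(text):
    """Kernel hooks, hidden in-process modules and hidden services from a RootRepeal report."""
    return {
        "ssdt_hooks": SSDT_HOOK_RE.findall(text),
        "hidden_modules": [(m["name"], m["proc"], int(m["pid"]))
                           for m in HIDDEN_MODULE_RE.finditer(text)],
        "hidden_services": [(m["name"], m["path"].strip())
                            for m in HIDDEN_SERVICE_RE.finditer(text)],
    }


def parse_combofix(text):
    """Split a ComboFix log on its banners and read the deletions and removed services."""
    banners = list(SECTION_RE.finditer(text))
    sections = {}
    for i, m in enumerate(banners):
        end = banners[i + 1].start() if i + 1 < len(banners) else len(text)
        sections[m["title"]] = text[m.end():end]
    deleted = {ln.strip().lower() for ln in sections.get("Other Deletions", "").splitlines()
               if WIN_PATH_RE.match(ln.strip())}
    services = set(re.findall(r"^-+\\Service_(.+)$", sections.get("Drivers/Services", ""), re.M))
    return {"deleted_files": deleted, "removed_services": services}


def rootkit_prefix(rr):
    """Common stem of the hidden module and driver names (TDSS-style droppers share one)."""
    names = [n.lower() for n, _, _ in rr["hidden_modules"]]
    names += [ntpath.basename(p).lower() for _, p in rr["hidden_services"]]
    stem = os.path.commonprefix(names)
    return stem if len(stem) >= 5 else ""   # assumption: shorter overlaps are coincidence


def related_files(prefix, cf):
    """Every deleted file carrying the prefix, including companions RootRepeal never listed."""
    if not prefix:
        return []
    return sorted(p for p in cf["deleted_files"] if ntpath.basename(p).startswith(prefix))


def outstanding(rr, cf):
    """Indicators RootRepeal reported that the ComboFix run did not report removing."""
    deleted_names = {ntpath.basename(p) for p in cf["deleted_files"]}
    issues = []
    for name, proc, pid in rr["hidden_modules"]:
        if name.lower() not in deleted_names:
            issues.append(f"hidden module {name} (in {proc}, PID {pid}) not deleted")
    for svc, path in rr["hidden_services"]:
        if svc not in cf["removed_services"]:
            issues.append(f"hidden service {svc} not removed")
        if ntpath.basename(path).lower() not in deleted_names:
            issues.append(f"service driver {path} not deleted")
    return issues
```

With the full logs, read each into the matching SAMPLE string (or from files) and look at `outstanding()` before deciding the machine is clean. An empty list only means the indicators RootRepeal surfaced were covered by the deletions; it says nothing about the service's registry key, the hooked SSDT entries after reboot, or anything the rootkit may have installed that neither tool listed, which is why a helper's follow-up scan is still needed.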

#7 David08052 (New Member, Topic Starter, 9 posts)
Hi,
The cliccker.cn virus is gone.

My check for the virus was to search for "my home" - this seems to always return at least one bad link that goes to cliccker.cn or some other misdirected sites.

What do you think the consequences might be for data on my computer? Do you think I should change my credit card numbers even though I haven't used them on this computer since the virus showed up?

What about the UAC entry in the registry. It's gone now, but did that provide a back door for a stranger to change the "User Account Control" on my machine?

Any guidance on this would be appreciated.

The virus seems to have shown up about 1pm on Monday. I can't associate that with any files I downloaded. I did several downloads last week but the time stamp on them is not from Mon.

I am suspicious that the virus might have come in through Windows Mail. I get phishing notices from it, but phishing requires that I click on a link in the email, as I understand it. If there is something I can do to make Windows Mail more secure, I would appreciate suggestions about that. Also, is there a safer mail reader?

Thanks again for your help. I hope something like this doesn't happen again for a while.

By the way, how are you organized and where are you physically located? I am in the Philadelphia area. Is there some way I can help others through your site? Do you take donations?

David

#8 Perplexus (Lord of the Geeks, Malware Removal, 1,185 posts)
Hi David08052,

I wonder if you are connected with Best Buy?


:) Why would I be connected to Best Buy? This site is run by volunteers, it's all free. :)

ComboFix deleted the kbi stuff. I think that's it.


Not quite. Still more to do. :)

BTW, what is a rootkit?


http://en.wikipedia.org/wiki/Rootkit

What do you think the consequences might be for data on my computer?


Considering you did a lot of cleaning on your own and I have no idea what all was on here, that may be a good idea.

What about the UAC entry in the registry.


It's a rootkit variant of TDSS.

If there is something I can do to make Windows Mail more secure, I would appreciate suggestions about that. Also, is there a safer mail reader?


One thing to do is not click on stuff sent to you from people you don't know. I'm not familiar with specifics of email clients, but I know a lot of people use Thunderbird. You might give that a look.

By the way, how are you organized and where are you physically located? I am in the Philadelphia area. Is there some way I can help others through your site? Do you take donations?


We are a group of volunteers from all over the world. If you want to help others, you can apply for GeekU HERE

As far as donations, since I'm still in training, I cannot accept personal donations. It is simply my pleasure to help :) However, if you want, you can donate to the site HERE

------------------
Step 1:
------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
c:\windows\system32\drivers\UACrbsmstypye.sys.orig
c:\windows\system32\drivers\kbiwkmcvvjiiwk.sys

RegLockDel::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\kbiwkmxyiexont]

Driver::
kbiwkmxyiexont

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


------------------
Step 2:
------------------

Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

------------------
Step 3:
------------------

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

------------------
Step 4:
------------------

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

------------------
Step 5:
------------------

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.

    Posted Image

  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply

------------------
Step 6:
------------------

Please post back with the following:
  • How your machine is running
  • Win32kDiag.txt
  • C:\ComboFix.txt
  • MBAM log
  • KasReport.txt

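Perplexus reads the ComboFix log by eye; the points a helper looks for in its "Reg Loading Points" section are defences switched off (UAC via EnableLUA=0, a firewall profile via EnableFirewall=0, Security Center monitoring via DisableMonitoring=1) and services or drivers with the random-looking UAC*/kbiwkm* names that the TDSS rootkit used on this machine. The following triage script is an added example, not part of this thread or of ComboFix; the log text it parses is a constructed sample modelled on the format of the log posted below, and the name pattern is an assumption drawn from the file names quoted in this thread.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of a ComboFix "Reg Loading Points" section.
# It is NOT the real log from this thread; values were chosen to exercise
# both a flagged and an unflagged firewall profile.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 1 (0x1)

R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [10/30/2008 11:58 AM 28672]
S3 kbiwkmxyiexont;kbiwkmxyiexont;c:\windows\system32\drivers\kbiwkmcvvjiiwk.sys [?]
R1 UACd.sys;UACd.sys;c:\windows\system32\drivers\UACrbxmstypye.sys [?]
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# ComboFix service/driver lines: "R2 name;display name;path [date size]"
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.*)$")
# Assumed pattern for the random-looking names seen in this thread
# (UACrbxmstypye.sys, kbiwkmcvvjiiwk.sys): a fixed prefix + a run of letters.
TDSS_NAME_RE = re.compile(r"^(UAC|kbiwkm)[a-z]{6,}")

# (registry key suffix, value name, normalised value) -> why it weakens defences
WEAK_SETTINGS = {
    (r"policies\system", "EnableLUA", 0): "User Account Control (UAC) is turned off",
    (r"security center\Monitoring", "DisableMonitoring", 1): "Security Center monitoring is turned off",
    (r"firewallpolicy\PublicProfile", "EnableFirewall", 0): "Windows Firewall is off for the Public profile",
    (r"firewallpolicy\StandardProfile", "EnableFirewall", 0): "Windows Firewall is off for the Standard profile",
}


def normalise_value(raw: str):
    """Map ComboFix value renderings to an int where possible:
    '0 (0x0)' -> 0, 'dword:00000001' -> 1; anything else is returned unchanged."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    first = raw.split()[0] if raw else raw
    try:
        return int(first)
    except ValueError:
        return raw


def parse_reg_sections(text: str) -> Dict[str, Dict[str, object]]:
    """Collect [key] headers and the "name"=value lines beneath them."""
    sections: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            sections[current][value.group(1)] = normalise_value(value.group(2))
    return sections


def find_weak_settings(sections: Dict[str, Dict[str, object]]) -> List[str]:
    """Report every known defence-weakening value that is actually set."""
    findings = []
    for key, values in sections.items():
        for (suffix, name, bad), why in WEAK_SETTINGS.items():
            if key.lower().endswith(suffix.lower()) and values.get(name) == bad:
                findings.append(f"{why} ({key} {name}={bad})")
    return findings


def find_suspicious_services(text: str) -> List[str]:
    """Flag service lines whose service name or image file name matches the pattern."""
    findings = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        name, _display, rest = m.groups()
        path = rest.split(" [")[0]                      # drop "[date size]" suffix
        basename = path.replace("/", "\\").rsplit("\\", 1)[-1]
        if TDSS_NAME_RE.match(name) or TDSS_NAME_RE.match(basename):
            findings.append(f"{name} -> {path}")
    return findings


def triage(log_text: str) -> Dict[str, List[str]]:
    sections = parse_reg_sections(log_text)
    return {
        "weak_settings": find_weak_settings(sections),
        "suspicious_services": find_suspicious_services(log_text),
    }


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("  -", item)
```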

#9 David08052 (New Member, Topic Starter, 9 posts)
Notes.
I put ComboFix.exe in directory c:\Combo-Fix
While shutting down, I got a popup that said failed to reboot because of a problem with catch.cxffe like that
I clicked "OK"
It then rebooted, and after startup when I clicked on a desktop icon, I got a message that said illegal operation on registry key that had been marked for deletion.
I shut down the laptop and did a startup and didn't get that message any more.

I then started step 2 - Win32kDiag - on startup, its box said, "WARNING: Could not get backup previleges!"
but it continued to run.

Here is the ComboFix Log

ComboFix 09-08-23.01 - Admin 08/24/2009 9:41.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1917.1007 [GMT -4:00]
Running from: c:\combo-fix\ComboFix.exe
Command switches used :: c:\combo-fix\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\system32\drivers\kbiwkmcvvjiiwk.sys"
"c:\windows\system32\drivers\UACrbsmstypye.sys.orig"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\UACrbsmstypye.sys.orig

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_kbiwkmxyiexont
-------\Service_kbiwkmxyiexont


((((((((((((((((((((((((( Files Created from 2009-07-24 to 2009-08-24 )))))))))))))))))))))))))))))))
.

2009-08-24 13:47 . 2009-08-24 13:50 -------- d-----w- c:\users\Admin\AppData\Local\temp
2009-08-24 13:47 . 2009-08-24 13:47 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-08-24 13:47 . 2009-08-24 13:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-24 13:35 . 2009-08-24 13:41 -------- d-----w- C:\Combo-Fix
2009-08-20 18:32 . 2009-08-20 18:32 0 ----a-w- c:\windows\system32\settings.dat
2009-08-20 17:45 . 2009-08-20 17:45 -------- d-----w- c:\users\Admin\AppData\Roaming\Emergency Soft
2009-08-18 21:35 . 2009-08-18 21:35 1152 ----a-w- c:\windows\system32\windrv.sys
2009-08-18 21:34 . 2009-08-18 21:34 -------- d-----w- c:\users\Admin\spynomore.0908.v.x
2009-08-18 21:01 . 2009-08-19 20:57 -------- d-----w- C:\zz.web.pix
2009-08-18 18:35 . 2009-08-18 18:34 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-08-18 18:01 . 2009-08-18 18:40 -------- d-----w- c:\users\Admin\Tracing
2009-08-18 18:01 . 2009-02-06 22:08 55280 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2009-08-18 17:59 . 2009-08-18 17:59 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-08-18 17:59 . 2006-11-29 17:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-08-18 17:57 . 2009-08-18 17:57 -------- d-----w- c:\program files\Microsoft
2009-08-18 17:57 . 2009-08-18 17:57 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-08-18 17:57 . 2009-08-18 18:01 -------- d-----w- c:\program files\Windows Live
2009-08-18 17:52 . 2009-08-18 17:52 -------- d-----w- c:\program files\Common Files\Windows Live
2009-08-18 17:39 . 2008-06-06 03:27 38912 ----a-w- c:\windows\system32\xolehlp.dll
2009-08-18 17:39 . 2008-06-06 03:27 562176 ----a-w- c:\windows\system32\msdtcprx.dll
2009-08-18 17:39 . 2009-04-23 12:43 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-08-18 17:39 . 2009-06-10 12:12 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-18 17:39 . 2009-04-23 12:42 636928 ----a-w- c:\windows\system32\localspl.dll
2009-08-18 17:39 . 2009-04-30 12:37 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-08-18 17:39 . 2009-04-30 12:37 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-18 17:39 . 2009-03-03 04:46 3599328 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-18 17:39 . 2009-03-03 04:46 3547632 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-18 17:39 . 2009-03-03 04:40 499200 ----a-w- c:\windows\system32\wbem\WmiPrvSD.dll
2009-08-18 17:39 . 2009-03-03 04:39 551424 ----a-w- c:\windows\system32\rpcss.dll
2009-08-18 17:39 . 2009-03-03 04:36 615424 ----a-w- c:\windows\system32\wbem\fastprox.dll
2009-08-18 17:39 . 2009-03-03 02:16 247296 ----a-w- c:\windows\system32\wbem\WmiPrvSE.exe
2009-08-18 17:37 . 2009-03-17 03:38 13824 ----a-w- c:\windows\system32\apilogen.dll
2009-08-18 17:37 . 2009-03-17 03:38 24064 ----a-w- c:\windows\system32\amxread.dll
2009-08-18 17:37 . 2009-07-14 13:00 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-08-18 17:37 . 2009-07-14 12:58 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-08-18 17:37 . 2009-07-14 12:59 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-08-18 17:37 . 2009-07-14 10:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-08-18 16:11 . 2009-08-18 17:01 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-08-17 22:26 . 2009-08-20 13:22 -------- d-----w- C:\cvt
2009-08-14 19:32 . 2009-08-14 19:44 -------- d-----w- C:\zz.augustgold
2009-08-13 23:10 . 2009-08-13 23:10 -------- d-----w- c:\users\Admin\AppData\Roaming\ASkySoft
2009-08-13 19:08 . 2009-08-13 19:08 -------- d-----w- c:\users\Admin\AppData\Roaming\Jasc
2009-08-13 19:07 . 2009-08-13 19:07 -------- d-----w- c:\program files\Jasc Software Inc
2009-08-13 14:02 . 2009-08-14 15:07 -------- d-----w- C:\zz.web
2009-08-11 14:35 . 2009-08-11 14:35 -------- d-----w- c:\program files\William O'Neil + Co. Inc
2009-08-11 14:34 . 2009-08-11 14:34 -------- d-----w- c:\users\Admin\AppData\Roaming\InstallShield
2009-08-10 18:00 . 2009-08-10 18:53 -------- d-----w- C:\zz.dev.flash
2009-08-02 18:45 . 2009-08-19 13:59 -------- d-----w- C:\zz.flash
2009-07-31 21:35 . 2009-07-31 21:35 -------- d-----w- c:\users\Admin\AppData\Local\SourceTec
2009-07-31 21:35 . 2009-07-31 21:35 -------- d-----w- c:\program files\Common Files\SourceTec
2009-07-27 19:07 . 2009-07-27 19:07 -------- d-----w- c:\programdata\GoldWave
2009-07-27 19:07 . 2008-09-25 01:33 484352 ----a-w- c:\programdata\GoldWave\lame_enc.dll
2009-07-26 20:32 . 2009-07-26 20:32 713992 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-20 17:45 . 2009-03-23 12:02 333236 ----a-w- c:\users\Admin\AppData\Roaming\Emergency Soft\History Killer Pro\Uninst.exe
2009-08-20 17:45 . 2009-03-23 12:02 315723 ----a-w- c:\users\Admin\AppData\Roaming\Emergency Soft\History Killer Pro\Updater.exe
2009-08-20 17:45 . 2009-03-23 12:02 1419264 ----a-w- c:\users\Admin\AppData\Roaming\Emergency Soft\History Killer Pro\HistoryKillerPro.exe
2009-08-18 18:34 . 2007-10-05 15:13 -------- d-----w- c:\program files\Java
2009-08-18 18:22 . 2009-01-07 17:52 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-18 18:20 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-18 18:14 . 2008-02-19 20:45 -------- d-----w- c:\programdata\Microsoft Help
2009-08-18 18:13 . 2007-10-05 15:36 -------- d-----w- c:\program files\Microsoft Works
2009-08-18 18:09 . 2008-02-19 20:14 -------- d-----w- c:\program files\Microsoft SQL Server
2009-08-18 17:59 . 2009-01-07 18:31 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-08-13 23:38 . 2009-02-09 15:50 -------- d-----w- c:\users\Admin\AppData\Roaming\gtk-2.0
2009-08-11 14:35 . 2007-10-05 15:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-31 21:53 . 2009-01-17 00:22 -------- d-----w- c:\programdata\NOS
2009-07-31 21:53 . 2009-01-17 00:22 -------- d-----w- c:\program files\NOS
2009-07-21 21:52 . 2009-08-18 17:46 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-08-18 17:46 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-08-18 17:46 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-08-18 17:46 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-21 01:13 . 2009-04-23 12:46 -------- d-----w- c:\program files\AVS4YOU
2009-07-21 01:13 . 2009-04-23 12:46 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-07-17 14:35 . 2009-08-18 17:38 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-09 15:22 . 2009-07-09 15:22 193824 ----a-w- c:\programdata\Microsoft\VBExpress\9.0\1033\ResourceCache.dll
2009-07-09 15:21 . 2009-01-07 18:29 416 ----a-w- c:\programdata\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2009-06-25 14:18 . 2009-06-25 14:16 -------- d-----w- c:\users\Admin\AppData\Roaming\NewzToolz
2009-06-18 16:14 . 2007-10-21 19:59 1958880 ----a-w- c:\users\Admin\AppData\Roaming\oarnett.zip
2009-06-15 18:20 . 2009-08-18 17:38 439896 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-15 15:24 . 2009-08-18 17:38 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-06-15 15:24 . 2009-08-18 17:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 15:24 . 2009-08-18 17:38 72704 ----a-w- c:\windows\system32\secur32.dll
2009-06-15 15:24 . 2009-08-18 17:38 270848 ----a-w- c:\windows\system32\schannel.dll
2009-06-15 15:23 . 2009-08-18 17:38 1256448 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-15 15:22 . 2009-08-18 17:38 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-15 15:21 . 2009-08-18 17:38 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-06-15 15:20 . 2009-08-18 17:38 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 15:20 . 2009-08-18 17:38 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:57 . 2009-08-18 17:38 9728 ----a-w- c:\windows\system32\lsass.exe
2009-06-15 12:52 . 2009-08-18 17:38 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-06-10 12:07 . 2009-08-18 17:38 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-06-08 13:32 . 2009-06-08 13:32 261 ----a-w- C:\rename3.bat
2009-06-04 12:34 . 2009-08-18 17:38 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-01 18:28 . 2009-04-13 16:54 11270 --sha-w- c:\windows\system32\KGyGaAvL.sys
2007-10-05 22:56 . 2007-10-05 22:48 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-08-21_14.16.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-05 15:45 . 2009-08-22 11:56 49728 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-08-24 13:51 80426 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-10-20 19:17 . 2009-08-24 13:51 19018 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1766564128-518351188-3516307728-1000_UserData.bin
+ 2006-11-02 13:02 . 2009-08-24 13:38 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-11-02 13:02 . 2009-08-21 11:33 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-11-02 13:02 . 2009-08-24 13:38 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-02 13:02 . 2009-08-21 11:33 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-02 13:02 . 2009-08-21 11:33 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2006-11-02 13:02 . 2009-08-24 13:38 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-08-24 13:49 . 2009-08-24 13:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-08-24 13:49 . 2009-08-24 13:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2009-08-21 14:54 670452 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-08-18 18:05 670452 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-08-18 18:05 126354 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-08-21 14:54 126354 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"NetSP - restore settings on power failure"="c:\program files\AT&T Global Network Client\NetSP.exe" [2007-06-27 42264]
"PxDotNetLoader"="c:\usr\fidelityatp\Fidelity Active Trader\System\ATPStartupAssistant.exe" [2009-03-25 42336]
"SpybotSD TeaTimer"="c:\usr\spybot.0908.v.1.6.2\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-20 815104]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1540096]
"dscactivate"="c:\dell\dsca.exe" [2007-07-30 16384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-18 148888]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-13 405504]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-04-08 1511424]
"SNM"="c:\users\Admin\spynomore.0908.v.x\SpyNoMore\SNM.exe" [2009-05-22 1068496]
"MacrokeyManager"="WTMKM.exe" - c:\windows\System32\WTMKM.exe [2008-01-22 1969824]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-10-5 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1766564128-518351188-3516307728-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{0A771EC0-0138-46FD-B625-C28597D5DD34}c:\\sys\\cygwin\\usr\\x11r6\\bin\\xwin.exe"= UDP:c:\sys\cygwin\usr\x11r6\bin\xwin.exe:XWin
"UDP Query User{7514420F-1798-407E-BDD4-8FB883C5DB00}c:\\sys\\cygwin\\usr\\x11r6\\bin\\xwin.exe"= TCP:c:\sys\cygwin\usr\x11r6\bin\xwin.exe:XWin
"TCP Query User{0A8B0BCE-D091-4ECD-9489-CF5577B433F5}c:\\sys\\cygwin\\usr\\x11r6\\bin\\xwin.exe"= UDP:c:\sys\cygwin\usr\x11r6\bin\xwin.exe:XWin
"UDP Query User{46E1C47E-9F80-4DE9-ABAB-D4A82EDF8B52}c:\\sys\\cygwin\\usr\\x11r6\\bin\\xwin.exe"= TCP:c:\sys\cygwin\usr\x11r6\bin\xwin.exe:XWin
"TCP Query User{C0449049-F796-46B9-9011-76C22C309EAF}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{727D8221-F194-4527-909A-0C02373757C0}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{C3D0B382-7832-4A15-B9B7-B68489A8FF92}c:\\windows\\system32\\ftp.exe"= UDP:c:\windows\system32\ftp.exe:File Transfer Program
"UDP Query User{8B126F57-92F2-4C4F-B799-434A0E2225E4}c:\\windows\\system32\\ftp.exe"= TCP:c:\windows\system32\ftp.exe:File Transfer Program
"{A7E8BC0C-81A8-4422-A8BD-12A8485E0DD8}"= UDP:3303:MySQL Server
"{4D695F4A-513D-4F1D-9DA2-489ADAA7914A}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{10E0F801-6B54-4816-8955-E79CD38AEFDF}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{36121F3F-B6D8-404E-9FA4-19F3D35CB1C8}"= UDP:9322:EKDiscovery
"{60251FDA-AC14-4E83-980F-72FBB3B74F1E}"= UDP:9323:EKDiscovery
"{9CBB7F13-EA7D-4F51-A289-56D96BEF9BB4}"= UDP:5353:Adobe CSI CS4
"{BD62C096-6803-4C73-A019-D867A66BE8AC}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{40C1ACA2-FAF4-441D-B7DC-8842E4F6A1F0}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{77E61D8D-658C-4410-8DE2-95F164988DCE}"= UDP:3703:Adobe Version Cue CS4 Server
"{B895073E-CD49-479E-BC2C-EAD345DCE9D1}"= UDP:3704:Adobe Version Cue CS4 Server
"{BA068AAD-72FD-45F3-912B-7F8EE7EBA0F8}"= UDP:51000:Adobe Version Cue CS4 Server
"{BD77C896-0CDE-478D-9DAF-FDF5A65EBA6C}"= UDP:51001:Adobe Version Cue CS4 Server
"{D457ED17-4B2F-468C-A808-E6CD3503B52B}"= UDP:c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe:Adobe Version Cue CS4 Server
"{FB43DE28-9561-4978-BD22-9C9212B4529A}"= TCP:c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe:Adobe Version Cue CS4 Server
"{78D7D76C-5FDB-477C-A7D5-F1A31827EFC7}"= UDP:c:\usr\nb553\nbpro.exe:NewsBin Pro
"{FD7029C7-B666-475D-A908-1A1187B58E63}"= TCP:c:\usr\nb553\nbpro.exe:NewsBin Pro
"TCP Query User{AA2925A0-52AD-4E6F-8C2A-25AFE6048D15}c:\\program files\\adobe\\adobe dreamweaver cs4\\dreamweaver.exe"= UDP:c:\program files\adobe\adobe dreamweaver cs4\dreamweaver.exe:Adobe Dreamweaver CS4
"UDP Query User{1A7B3026-47ED-4670-AD23-76ABD8761D66}c:\\program files\\adobe\\adobe dreamweaver cs4\\dreamweaver.exe"= TCP:c:\program files\adobe\adobe dreamweaver cs4\dreamweaver.exe:Adobe Dreamweaver CS4
"{D5E8C7DA-FE83-47B3-9BA9-8D49FBB16FC2}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\usr\\anim-gif-river\\Animated GIF Converter and Booster Pack\\VideoCleaner.exe"= c:\usr\anim-gif-river\Animated GIF Converter and Booster Pack\VideoCleaner.exe:*:Enabled:River Past Animated GIF Converter

R2 cron;Cron daemon;c:\sys\cygwin\bin\cygrunsrv.exe [12/19/2008 2:54 PM 68096]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [10/30/2008 11:58 AM 28672]
R2 SBSDWSCService;SBSD Security Center Service;c:\usr\spybot.0908.v.1.6.2\Spybot - Search & Destroy\SDWinSec.exe [8/18/2009 12:11 PM 1153368]
R2 WTService;WTService;c:\windows\system32\atwtusb.exe -s --> c:\windows\system32\atwtusb.exe -s [?]
R3 agnfilt;AGN Filter Interface;c:\windows\System32\drivers\agnfilt.sys [8/19/2008 7:49 PM 218368]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\Printer\Center\EKDiscovery.exe [10/10/2008 1:33 PM 274432]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 284016]
S3 avpnnic;AGN Virtual Network Adapter;c:\windows\System32\drivers\avpnnic.sys [8/19/2008 7:49 PM 11264]
S3 BrlAPI;BrlAPI;c:\sys\cygwin\bin\cygrunsrv.exe [12/19/2008 2:54 PM 68096]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [8/18/2009 2:01 PM 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [10/5/2007 11:36 AM 29744]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-20 c:\windows\Tasks\Kodak AiO Scheduled Maintenance.job
- c:\program files\Kodak\Printer\Center\Kodak.Statistics.exe [2008-10-30 15:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
TCP: {D5FE327B-93AF-4D52-9563-162C97363844} = 192.193.215.65,192.193.215.69
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hr90q0gr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-24 09:50
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(680)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'Explorer.exe'(3628)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\wisptis.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\BCMWLTRY.EXE
c:\sys\cygwin\usr\sbin\cron.exe
c:\program files\AT&T Global Network Client\netcfgsvr.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\System32\wisptis.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\System32\stacsv.exe
c:\windows\System32\atwtusb.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-08-24 10:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-24 14:06
ComboFix2.txt 2009-08-21 14:31

Pre-Run: 5,741,891,584 bytes free
Post-Run: 5,328,162,816 bytes free

378 --- E O F --- 2009-08-20 15:29



------------
step 2
------------

Here is the win32kdiag log

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

[1] 2009-08-24 10:19:21 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

[1] 2009-08-24 10:19:07 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

[1] 2009-08-24 10:19:07 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

[1] 2009-08-24 10:19:07 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

[1] 2009-08-24 10:20:14 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl ()





Finished!





------------------
Step 3
------------------

This is very nice. One by one these checks are finding the files I renamed to .orig.

Malwarebytes' Anti-Malware 1.40
Database version: 2687
Windows 6.0.6001 Service Pack 1

8/24/2009 10:43:44 AM
mbam-log-2009-08-24 (10-43-44).txt

Scan type: Quick Scan
Objects scanned: 88543
Time elapsed: 4 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\gamevance.linker.1 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Illysoft (Rogue.SpyNoMore) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Illysoft (Rogue.SpyNoMore) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SNM.exe (Rogue.SpyNoMore) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyNoMore (Rogue.SpyNoMore) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpyNoMore (Rogue.SpyNoMore) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\net.net.orig (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\uacbbr.dll.orig (Rogue.Agent) -> Quarantined and deleted successfully.


---------------------
Step 4
---------------------



Here is the JavaRa log


JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Mon Aug 24 10:54:40 2009

Found and removed: C:\Program Files\Java\jre1.6.0

Found and removed: C:\Program Files\Java\jre1.6.0_07

Found and removed: C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.6.0_07

Found and removed: C:\Users\Admin\AppData\LocalLow\Sun\Java\jre1.6.0_14

Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D610000

Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610000

Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610000

Found and removed: SOFTWARE\Classes\JavaPlugin.160

Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610000

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D610000

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610000

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160000}

Found and removed: Software\Classes\JavaPlugin.160

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0

Found and removed: Software\JavaSoft\Java2D\1.6.0

Found and removed: Software\JavaSoft\Java Runtime Environment\1.6.0

Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_07

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_07

Found and removed: SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D610007

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610007

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160070}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0\bin\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_07\bin\

------------------------------------

Finished reporting.

-------------------------
Step 5
-------------------------


I am running the Kaspersky online scanner, so I don't have the settings panel to set. I do see a configure link, but that is greyed out now that the scan is running.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, August 24, 2009
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, August 24, 2009 16:57:44
Records in database: 2684030
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 442776
Threats found: 4
Infected objects found: 5
Suspicious objects found: 0
Scan duration: 09:30:36


File name / Threat / Threats count
C:\Program Files\Gamevance.archive\gamevance32.exe Infected: Trojan.Win32.Patched.cp 1
C:\Qoobox\Quarantine\C\Windows\System32\drivers\UACrbsmstypye.sys.orig.vir Infected: Rootkit.Win32.Agent.oxr 1
C:\usr\mp3freerip\freeripmp3.exe Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ak 1
C:\usr\mp3freerip2994\freeripmp3.exe Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ak 1
C:\usr\spyware-stop.0908.v.x\setup.exe Infected: Trojan-Downloader.Win32.FraudLoad.wolo 1

Selected area has been scanned.

OK, I think that's it. I wish I could have found more convincingly where the virus came from.

Maybe it's that spyware-stop.0908.v.x - the .0908. means it came during Aug 09, but according to the file timestamp it came on Aug 18th at 2:58 pm, whereas the UAC files have a timestamp of 2:04 pm on the 17th. Close enough, do you think?

Anyway, I can delete all these files.

Next time, I think I would run this first: is that a good idea?

Thanks again for your help.

David

#10
Perplexus

    Lord of the Geeks

  • Malware Removal
  • 1,185 posts
Hi David,

It's hard to say when exactly it came, but the UAC timestamp is probably pretty close.

The Kaspersky online scanner is always available to you to run, and it would be a good idea to run it every now and then. While it will identify threats, it will not delete them. Hence, we have one more removal to do. Of course your Gamevance and mp3freerip need to go. Spynomore was once considered a rogue application, and at best it just isn't very good.

I have some recommendations below to help secure your machine.

------------------
Final Removal Step
------------------

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    
    :Files
    C:\Program Files\Gamevance.archive
    C:\usr\mp3freerip
    C:\usr\mp3freerip2994
    C:\usr\spyware-stop.0908.v.x
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

------------------
Cleanup
------------------

Once you've completed the above then good news.

Well done! Your log appears clean! :)

------------------
Step 1:
------------------

We're almost done. We need to do some clean up and get you on your way.

Follow these steps to uninstall Combofix
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.
(This will remove all restore points to rid your machine of saved infected files and create a new restore point)

------------------
Step 2:
------------------

We need to remove all the tools that you have used. This is so that should you ever be re-infected, you will download updated versions.

  • Run OTL.exe
  • Click the Clean Up button in top right corner.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
Now delete any logs that you have left over on your desktop.


------------------
Step 3:
------------------

Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
Note: It is a good idea to run TFC to clear out all your temp files every now and again. This helps to keep your computer running more efficiently. It also can assist in getting rid of files that may contain malicious code that could re-infect your computer.


------------------
Step 4:
------------------

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Windows Updates are constantly being revised to combat the newest hacks and threats. Microsoft releases security updates that help keep your computer from becoming vulnerable.

Please go to Microsoft's Windows Update and download all the critical updates to help prevent possible re-infection.

It is best if you have these set to download automatically.

Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the internet.
  • Click Apply then OK.

---------------------------------------------------------------------------------------------

This is a good time to set up protection against further attacks. Read our How Did I Get Infected In The First Place? You need an antivirus that is continually updated, a good firewall, a spyware blocker, and a real time spyware program to prevent malware intrusions. Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

---------------------------------------------------------------------------------------------

Anti Virus Programs

One AntiVirus is a must have! But never more than one, as this can and will cause conflicts and false readings. It is imperative that you have an antivirus program installed on your computer to browse safely in the world of today's internet. Antivirus programs will find and delete any malicious files on your computer as well as protecting your computer from such files in the first place. The best of your antivirus program options are these:

---------------------------------------------------------------------------------------------

Personal Firewalls

Firewalls help to prevent unauthorised access both to and from the internet or your local network. A firewall is considered a first line of defense in protecting private information. Below are some free firewalls to choose from, if you do not already have one. Note: You only need one firewall on your system.

---------------------------------------------------------------------------------------------

Anti Spyware

Anti Spyware helps to eliminate certain types of infections. I would recommend getting these and running the scans at least twice a month. Also a real-time protector is beneficial to stop infections before they start. SpywareGuard is an excellent choice here.
  • SUPERAntiSpyware is a powerful tool that can eliminate nasties that make it onto your machine.
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.

---------------------------------------------------------------------------------------------

Safer Web Browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are some good free alternatives:
All are faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these.

If you choose FireFox, here are a couple of addons that I recommend:
  • NoScript - for blocking ads and other potential website attacks
  • McAfee SiteAdvisor - this tells you whether the sites you are about to visit are safe or not. A must-have if you do a lot of Google searches.

---------------------------------------------------------------------------------------------

Other Recommendations

FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. It's important to keep programs up to date so that malware doesn't exploit any old security flaws.

Take Care and Happy Surfing! :)


#11
David08052

    New Member

  • Topic Starter
  • Member
  • 9 posts
Hi,
Thanks again so much for your help.

When I click on Start | Settings | Control Panel | Backup and Restore Center | Restore files, it still says "There are no backups available on this computer."

I thought I read something in your latest reply about this but on rereading, I can't find it.

When I do this: right click my computer, and click Properties | System Protection | system protection, it says the most recent restore point was 8/24/2009 10:52:42 am.

Am I ok with these settings? Should I create another restore point?

---

Now, I have an authorized copy of Norton 7 (the latest): do you think I should install that or go with your recommendations for free software? BTW, I'm not going to sign up for Netflix to get Avira, so at best I would have the second level there.

---

And, my primary goal is to reduce the number of jobs running, which is why I'm trying to resist adding much in the way of software jobs, even for security. I got hit here because I knowingly downloaded some free software to create slideshows. It looks as if, when I use Firefox for downloading, there will be a virus check built in. Anyway, I would like a virus check to be part of any download.

---

And, again, thank you so much for your help. I know taking the time to learn all you had to discover to be helpful was a lot of work for you, and thank you for that, not to mention the additional effort in walking me through the steps you did here. Thank you again.

This computer came with some temporarily free firewall software and I tried to uninstall that, and I have my firewall set this way:

Firewall: Off
Automatic Updating: No automatic (I think that's right for me)
Malware protection: Check Settings
Virus protection: not found
Spyware protection: On
Other Security Settings: Check Settings.
Internet security settings: OK
User Account Control: Off

If I install the free firewall, will it fix these settings? I would prefer not to get a daily popup when I reboot telling me that there is a problem with my security settings. Do you think I'll be OK if I go that way?

I don't mean to be ungrateful, but I do want to understand the steps I am going to take to protect my computer in the future.

Thanks again so much for your work and your patience and understanding. I think you would make a good teacher.

David

#12
Perplexus

    Lord of the Geeks

  • Malware Removal
  • 1,185 posts
Hi David,

No problem. Glad we could help :)

When I do this: right click my computer, and click Properties | System Protection | system protection, it says the most recent restore point was 8/24/2009 10:52:42 am.


Have you uninstalled combofix as mentioned? When you do, it will clean out the restore points (because they may contain infected files) and create a new restore point.

Now, I have an authorized copy of Norton 7 ( the latest ) : do you think I should install that or go with your recommendations for free software. BTW, I'm not going to sign up for netflix to get avira so at best I would have the second level there.


If you have purchased a copy of Norton, then you might as well use it since you paid for it. I personally do not use Norton or McAfee as they tend to slow things down. I use Avira, just the free version; however, since it's free, you will have to deal with a nag screen every day. Avira gives you the premium version if you sign up for other stuff. That's just another type of marketing campaign; I never fall for that :)

And, my primary goal is to reduce the number of jobs running which is why I'm trying to resist adding much in the way of software jobs even for security. I got hit here because I knowingly downloaded some free software to create slideshows. It looks as if I use Firefox for downloading, there will be a virus check built in. Anyway, I would like a virus check to be part of any download.


I don't believe there is any type of "built-in" virus check for FireFox. There is an add-on by Dr. Web HERE that you can use, but it isn't automatic. The best thing is to have an antivirus app running.

This computer came with some temporarily free firewall software and I tried to uninstall that, and I have my firewall set this way:

Firewall: Off
Automatic Updating: No automatic (I think that's right for me)
Malware protection: Check Settings
Virus protection: not found
Spyware protection: On
Other Security Settings: Check Settings.
Internet security settings: OK
User Account Control: Off


If you have no firewall installed, I recommend putting one on. For Automatic Updating, I would at least choose "Download updates for me, but let me choose when to install them."

I also recommend SpywareGuard and SpywareBlaster.

If I install the free firewall, will it fix these settings. I would prefer not to get a daily popup when I reboot telling me that there is a problem with my security settings. Do you think I'll be ok if I go that way?


It will fix the Firewall message.

If you have any further questions, let me know. If all of your questions are answered, let me know as well so that I may close this topic.

Cheers!

#13
David08052

    New Member

  • Topic Starter
  • Member
  • 9 posts
I can't install Norton till next week: it's part of a package for 3 computers and my partner is using them for the first 2 computers for the rest of this week. Would you rather close this topic and then I can open a new topic next week?

Also, I reran ComboFix and can see that it created a system restore point. However, when I go into Start | Control Panel | Backup and Restore Center | Restore files, it still says "There are no backups available on this computer." I guess I will have to live with that.

Please help me with firefox or internet explorer. You say there is no way to check for a virus as part of a file download. so,
1. what virus check do you recommend? I just added DrWeb - thanks, that's a nice recommendation.
2. In the task manager, I see "SDWinSec.exe" SpyBot S&D Security Center integration. Do I try to find and kill this in msconfig? Or should I start it up and try to find the turn it off settings?

As for firewalls, I have the cable modem between me and the internet, which means no one can "see" my computer's URL. And, I have a router on this side of the cable modem which provides an additional level of anonymity. So, I feel safe about the threat of someone trying to hack into my computer. As I see it, my only exposure is bringing some file into my computer via the download process or an email. What do you think about this?

Thanks,

David

#14
Perplexus

    Lord of the Geeks

  • Malware Removal
  • 1,185 posts
David,

However, when I go into start system control panel backup and restore center restore files, It still says "There are no backups available on this computer." I guess I will have to live with that.


I believe that only personal files can be backed up from this feature for Vista Home Premium. I found some info HERE. If you have not created any backups then you won't see any there :)

Please help me with firefox or internet explorer. You say there is no way to check for a virus as part of a file download. so,
1. what virus check do you recommend? I just added DrWeb - thanks, that's a nice recommendation.
2. In the task manager, I see "SDWinSec.exe" SpyBot S&D Security Center integration. Do I try to find and kill this in msconfig? Or should I start it up and try to find the turn it off settings?


1. Other than that add-on, you have to depend on your antivirus application to do its job. You can also scan it with other tools once it's downloaded, like MalwareBytes.

2. I personally quit using Spybot S&D in favor of SpywareBlaster and SpywareGuard. TeaTimer will conflict with SpywareGuard, so you only want one or the other. If you are going to keep Spybot, then there is no reason to kill that process.

As for firewalls, I have the cable modem between me and the internet which means no one can "see" my computer's url. And, I have a router on this side of the cable modem which provides an additional level of anonymity. So, I feel save about the threat of someone trying to hack into my computer. As I see it, my only exposure is bringing some file into my computer via the download process or an email. What do you think about this?


Firewalls are not only to keep bad data from entering your system but to also keep good data from exiting your system without your permission. Why is that? Suppose a keylogger or backdoor does somehow slip through and get installed. What's to stop those programs from sending data "out" to the bad guy? The firewall, unless you've given it permission.

Nothing is perfect. You can only do the best you can. The best way to stay safe, is to stay away from dubious places. That's why I've also recommended the McAfee SiteAdvisor above. It aids in identifying bad sites.

At this point, you are clean of malware. If you have problems with installing Norton next week, you would probably open a thread HERE. I doubt you will have a problem. But until you get an antivirus installed, I would recommend disconnecting from the network.
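The outbound-filtering point in the reply above, written out as an added example (editor's addition, not part of the original thread or of any tool it names): the state David reported ("Firewall: Off", with the router's NAT as the only barrier) beside a default-deny configuration of the Windows firewall that already ships with Vista, set from an elevated command prompt with netsh advfirewall. The program path and service name in the allow rules are assumptions for illustration; substitute whatever is actually installed.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell or cmd prompt
# on Vista or later. Paths/service names below are assumptions; check your own install.

# 1. Inspect the current state. Security Center's "Firewall: Off" shows up here as
#    "State OFF" for each profile, and NAT on the router does nothing about traffic
#    that malware on the PC itself initiates outward.
netsh advfirewall show allprofiles

# 2. Turn the built-in firewall on for every profile (domain, private, public).
netsh advfirewall set allprofiles state on

# 3. Default policy: block unsolicited inbound AND block outbound unless an explicit
#    rule allows it. This is what stops a keylogger or backdoor from phoning home
#    "without your permission", as the reply puts it.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 4. Log dropped connections so a blocked phone-home attempt leaves a trace
#    (default log: %systemroot%\system32\LogFiles\Firewall\pfirewall.log).
netsh advfirewall set allprofiles logging droppedconnections enable

# 5. Allow only the programs that legitimately need the network. Assumed paths.
netsh advfirewall firewall add rule name="Allow Firefox (out)" dir=out action=allow program="C:\Program Files\Mozilla Firefox\firefox.exe" enable=yes
netsh advfirewall firewall add rule name="Allow Windows Update (out)" dir=out action=allow service=wuauserv enable=yes

# 6. Review the outbound allow list and delete anything you do not recognise;
#    an unexpected entry here is exactly the kind of thing a dropper adds for itself.
netsh advfirewall firewall show rule name=all dir=out
# netsh advfirewall firewall delete rule name="<name of the unrecognised rule>"
```

With blockoutbound in place, a program that was never given a rule simply fails to connect, and the drop shows up in the log, which is the behaviour the reply describes; the cost is that each new legitimate program needs its own allow rule.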

#15
David08052

    New Member

  • Topic Starter
  • Member
  • 9 posts
OK,
Please close the thread. Thank you so much again.
David