Dr Guard


  • Please log in to reply

#1 mightysparks
I have Dr Guard on my computer and I finally managed to run ComboFix, and I can now run my computer in normal mode. Before I ran CF, I couldn't run any programs unless I was in safe mode. I also couldn't get onto it normally for more than a few seconds, because it said Windows has encountered a critical error and it resets after 10 seconds. I still can't run Task Manager or anything, though; it now says it's marked for deletion or something. I also took out my LAN cord because it was worse when I was connected to the internet.

Anyway, here's my log from ComboFix. It's 1am here and I have to go to bed, but I will be back on at 9.30am (my time).


ComboFix 10-03-14.06 - Lauren 16/03/2010 0:45.1.8 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.3062.2485 [GMT 8:00]
Running from: O:\Gotcha.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\_VOIDmainqt.dll
c:\users\Lauren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk
c:\windows\system32\_VOIDbmsohwpftb.dll
c:\windows\system32\_VOIDcieqbryyos.dat
c:\windows\system32\_VOIDmfeklnmal.dll
c:\windows\system32\_VOIDqplfxmxcct.dll
c:\windows\system32\_VOIDwvsvxptiss.dll
c:\windows\system32\h3xeb0r6j3.dll
c:\windows\system32\lsprst7.dll

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy__VOIDd.sys
-------\Legacy__VOIDXTBAUKWOXD
-------\Service__VOIDd.sys
-------\Service__VOIDxtbaukwoxd


((((((((((((((((((((((((( Files Created from 2010-02-15 to 2010-03-15 )))))))))))))))))))))))))))))))
.

2010-03-15 16:39 . 2010-03-15 16:40 -------- d-----w- C:\32788R22FWJFW
2010-03-15 14:40 . 2010-03-15 14:40 -------- d-----w- c:\users\Lauren\AppData\Roaming\Malwarebytes
2010-03-15 14:40 . 2009-12-30 06:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-15 14:40 . 2010-03-15 14:40 -------- d-----w- c:\programdata\Malwarebytes
2010-03-15 14:40 . 2009-12-30 06:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-15 14:40 . 2010-03-15 14:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-15 14:21 . 2010-03-15 14:21 -------- d-----w- c:\windows\_VOIDxtbaukwoxd
2010-03-15 14:21 . 2010-03-15 16:54 823296 ----a-w- c:\windows\system32\drivers\urmbuvwu.sys
2010-03-15 14:20 . 2010-03-15 14:20 -------- d-----w- c:\users\Lauren\AppData\Local\Windows Server
2010-03-15 12:10 . 2010-03-15 12:10 -------- d-----w- c:\users\Lauren\AppData\Roaming\Braintonik
2010-03-15 12:10 . 2010-03-15 12:10 -------- d-----w- c:\programdata\Braintonik
2010-03-14 12:44 . 2010-03-14 12:48 -------- d-----w- c:\users\Lauren\{e073c4df-7f59-4eb5-a354-21c607091ecb}
2010-03-14 12:32 . 2010-03-15 05:14 -------- d-----w- c:\programdata\avg8
2010-03-14 11:08 . 2010-03-15 16:01 -------- d-----w- c:\users\Lauren\AppData\Roaming\LimeWire
2010-03-14 11:03 . 2010-03-14 11:03 -------- d-----w- c:\program files\LimeWire
2010-03-13 11:12 . 2010-03-13 11:12 -------- d-----w- c:\programdata\NCH Swift Sound
2010-03-13 11:12 . 2010-03-13 11:12 -------- d-----w- c:\program files\NCH Swift Sound
2010-03-13 11:12 . 2010-03-15 14:46 -------- d-----w- c:\users\Lauren\AppData\Local\ntd3dDirect
2010-03-13 11:12 . 2010-03-13 11:12 -------- d-----w- c:\users\Lauren\AppData\Roaming\NCH Swift Sound
2010-03-04 12:49 . 2010-03-05 02:09 -------- d-----w- c:\program files\ Brain Games - Chess
2010-03-03 16:52 . 2010-03-03 16:52 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-03-03 07:05 . 2006-10-26 11:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2010-03-03 07:05 . 2006-10-26 11:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2010-03-03 07:03 . 2010-03-03 07:03 -------- d-----w- c:\program files\Microsoft Works
2010-03-03 07:02 . 2010-03-03 07:02 -------- d-----w- c:\program files\Microsoft.NET
2010-03-03 06:59 . 2010-03-03 07:07 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-03-03 06:58 . 2010-03-03 06:58 -------- d-----w- c:\users\Lauren\AppData\Local\Microsoft Help
2010-03-03 06:58 . 2010-03-03 07:08 -------- d-----w- c:\programdata\Microsoft Help
2010-02-28 13:59 . 2010-02-28 13:59 -------- d-----w- c:\program files\CDisplay
2010-02-25 02:00 . 2010-02-25 02:00 -------- d-----w- c:\windows\.jagex_cache_32
2010-02-24 03:51 . 2004-03-29 08:23 90112 ----a-w- c:\windows\unvise32.exe
2010-02-22 11:10 . 2010-02-22 11:10 -------- d-----w- c:\users\Lauren\.spss
2010-02-22 10:54 . 2010-02-22 10:54 -------- d-----w- c:\programdata\SafeNet Sentinel
2010-02-22 10:54 . 2010-02-22 10:54 -------- d-----w- c:\programdata\SPSS
2010-02-22 10:54 . 2010-02-22 10:54 -------- d-----w- c:\program files\Common Files\SPSS
2010-02-22 10:53 . 2010-02-22 10:53 -------- d-----w- c:\program files\SPSSInc
2010-02-22 10:53 . 2010-02-22 10:53 1025 ----a-w- c:\windows\system32\sysprs7.dll
2010-02-20 10:30 . 2010-02-20 10:30 -------- d-----w- c:\program files\MSECache
2010-02-18 06:08 . 2010-02-18 06:08 -------- d-----w- c:\program files\DjVuZone
2010-02-15 13:22 . 2010-02-15 13:22 -------- d-----w- c:\program files\Adobe Media Player
2010-02-15 12:54 . 2010-02-15 12:54 -------- d-----w- c:\users\Lauren\AppData\Local\Geckofx
2010-02-15 12:52 . 2010-02-15 12:52 -------- d-----w- c:\program files\Regensoft
2010-02-15 12:52 . 2010-02-15 12:52 -------- d-----w- c:\program files\AviSynth 2.5
2010-02-15 12:52 . 2010-02-15 12:52 -------- d-----w- c:\program files\Red Kawa
2010-02-15 12:37 . 2010-02-15 12:37 -------- dc----w- c:\windows\system32\DRVSTORE
2010-02-15 12:37 . 2009-05-18 06:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-02-15 12:37 . 2008-04-17 05:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-02-15 12:37 . 2010-02-15 12:37 -------- d-----w- c:\program files\iPod
2010-02-15 12:37 . 2010-02-15 12:37 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-15 12:37 . 2010-02-15 12:37 -------- d-----w- c:\program files\iTunes
2010-02-15 12:35 . 2010-02-15 12:35 -------- d-----w- c:\program files\Apple Software Update
2010-02-15 12:34 . 2010-02-15 12:37 -------- d-----w- c:\program files\Common Files\Apple
2010-02-15 12:34 . 2010-02-15 12:34 -------- d-----w- c:\programdata\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-15 16:54 . 2010-02-10 18:38 31966 ----a-w- c:\programdata\nvModes.dat
2010-03-15 16:54 . 2010-02-10 18:34 -------- d-----w- c:\programdata\NVIDIA
2010-03-15 14:25 . 2010-02-10 18:30 -------- d-----w- c:\users\Lauren\AppData\Roaming\vlc
2010-03-15 14:20 . 2010-02-10 17:33 -------- d-----w- c:\users\Lauren\AppData\Roaming\uTorrent
2010-03-14 12:48 . 2009-11-06 09:22 -------- d-----w- c:\program files\AVG
2010-03-14 12:32 . 2010-03-14 21:32 1033496 ----a-w- c:\programdata\avg8\update\backup\avgssff.dll
2010-03-14 12:32 . 2010-03-14 21:32 730392 ----a-w- c:\programdata\avg8\update\backup\avgcfgex.exe
2010-03-14 12:32 . 2010-03-14 21:32 681240 ----a-w- c:\programdata\avg8\update\backup\avgsrmx.dll
2010-03-14 12:32 . 2010-03-14 21:32 512280 ----a-w- c:\programdata\avg8\update\backup\avgvvx.dll
2010-03-14 12:32 . 2010-03-14 21:32 341272 ----a-w- c:\programdata\avg8\update\backup\avgsrmax.exe
2010-03-14 12:32 . 2010-03-14 21:32 298776 ----a-w- c:\programdata\avg8\update\backup\avgwdsvc.exe
2010-03-14 12:32 . 2010-03-14 21:32 1261344 ----a-w- c:\programdata\avg8\update\backup\avgwd.dll
2010-03-14 12:32 . 2010-03-14 21:32 100120 ----a-w- c:\programdata\avg8\update\backup\avgdumpx.exe
2010-03-14 12:32 . 2010-03-14 21:32 829208 ----a-w- c:\programdata\avg8\update\backup\avgcfgx.dll
2010-03-14 12:32 . 2010-03-14 21:32 760600 ----a-w- c:\programdata\avg8\update\backup\avgscanx.exe
2010-03-14 12:32 . 2010-03-14 21:32 531736 ----a-w- c:\programdata\avg8\update\backup\avgsched.dll
2010-03-14 12:32 . 2010-03-14 21:32 338712 ----a-w- c:\programdata\avg8\update\backup\avgscanx.dll
2010-03-14 12:32 . 2010-03-14 21:32 310528 ----a-w- c:\programdata\avg8\update\backup\avglngx.dll
2010-03-14 08:14 . 2010-03-14 08:14 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-03-04 11:53 . 2009-10-30 13:52 69 ----a-w- c:\users\Lauren\jagex_runescape_preferences2.dat
2010-03-04 11:49 . 2009-10-30 13:51 41 ----a-w- c:\users\Lauren\jagex_runescape_preferences.dat
2010-03-04 05:05 . 2010-02-10 17:33 -------- d-----w- c:\program files\uTorrent
2010-03-03 09:10 . 2010-02-10 16:46 142800 ----a-w- c:\users\Lauren\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-03 07:03 . 2006-11-02 12:37 -------- d-----w- c:\program files\MSBuild
2010-02-22 11:10 . 2010-02-22 10:54 148 ----a-w- c:\programdata\SafeNet Sentinel\Sentinel RMS Development Kit\System\prsgrc.dll
2010-02-15 13:22 . 2010-02-11 06:00 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-15 12:38 . 2010-02-11 05:36 -------- d-----w- c:\users\Lauren\AppData\Roaming\Apple Computer
2010-02-15 12:37 . 2010-02-11 05:34 -------- d-----w- c:\programdata\Apple Computer
2010-02-15 12:36 . 2010-02-11 06:06 -------- d-----w- c:\program files\Bonjour
2010-02-15 12:36 . 2010-02-11 05:35 -------- d-----w- c:\program files\QuickTime
2010-02-15 10:32 . 2010-02-12 02:35 -------- d-----w- c:\programdata\NOS
2010-02-13 12:17 . 2010-02-13 12:17 -------- d-----w- c:\program files\Common Files\Java
2010-02-13 12:16 . 2010-02-13 12:16 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-13 12:16 . 2010-02-13 12:16 -------- d-----w- c:\program files\Java
2010-02-12 16:06 . 2010-02-12 16:04 -------- d-----w- c:\users\Lauren\AppData\Roaming\The Journal
2010-02-12 16:04 . 2010-02-12 15:54 -------- d-----w- c:\programdata\The Journal
2010-02-12 16:04 . 2010-02-12 15:54 -------- d-----w- c:\program files\DavidRM Software
2010-02-12 15:59 . 2010-02-12 15:54 -------- d-----w- c:\users\Lauren\AppData\Roaming\The Journal 5
2010-02-12 15:55 . 2010-02-12 15:51 -------- d-----w- c:\program files\LifeJournal2
2010-02-12 02:37 . 2010-02-12 02:37 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-12 02:36 . 2010-02-12 02:37 38784 ----a-w- c:\users\Lauren\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-12 02:36 . 2010-02-12 02:37 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-12 02:35 . 2010-02-12 02:35 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2010-02-11 08:46 . 2010-02-11 08:46 -------- d-----w- c:\users\Lauren\AppData\Roaming\FileZilla
2010-02-11 08:46 . 2010-02-11 08:46 -------- d-----w- c:\program files\FileZilla FTP Client
2010-02-11 08:40 . 2010-02-10 17:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-11 08:39 . 2010-02-11 05:34 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-11 08:39 . 2010-02-11 08:39 -------- d-----w- c:\program files\GlobalSCAPE
2010-02-11 08:37 . 2010-02-11 08:37 -------- d-----w- c:\users\Lauren\AppData\Roaming\GlobalSCAPE
2010-02-11 08:37 . 2010-02-11 08:37 -------- d-----w- c:\programdata\GlobalSCAPE
2010-02-11 08:09 . 2010-02-11 08:09 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-02-11 07:29 . 2010-02-11 07:25 -------- d-----w- c:\programdata\FLEXnet
2010-02-11 06:01 . 2010-02-11 06:01 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2010-02-11 05:58 . 2010-02-11 05:43 -------- d-----w- c:\users\Lauren\AppData\Roaming\DAEMON Tools Lite
2010-02-11 05:45 . 2010-02-11 05:45 -------- d-----w- c:\program files\PowerISO
2010-02-11 05:44 . 2010-02-11 05:43 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-02-11 05:44 . 2010-02-11 05:44 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-02-11 05:43 . 2010-02-11 05:43 -------- d-----w- c:\programdata\DAEMON Tools Lite
2010-02-11 05:43 . 2010-02-11 05:43 -------- d-----w- c:\program files\Tunatic
2010-02-11 05:42 . 2010-02-11 05:42 -------- d-----w- c:\program files\[bleep] NFO Viewer
2010-02-11 05:40 . 2010-02-11 05:40 -------- d-----w- c:\program files\MagicDisc
2010-02-11 05:25 . 2010-02-11 05:25 -------- d-----w- c:\users\Lauren\AppData\Roaming\ACD Systems
2010-02-11 05:24 . 2010-02-11 05:24 -------- d-----w- c:\program files\Common Files\ACD Systems
2010-02-11 05:24 . 2010-02-11 05:24 -------- d-----w- c:\programdata\ACD Systems
2010-02-11 05:24 . 2010-02-11 05:24 -------- d-----w- c:\program files\ACD Systems
2010-02-11 05:23 . 2010-02-11 05:23 -------- d-----w- c:\users\Lauren\AppData\Roaming\Corel
2010-02-11 05:23 . 2010-02-11 05:23 -------- d-----w- c:\programdata\Corel
2010-02-11 05:20 . 2010-02-11 05:19 -------- d-----w- c:\program files\Common Files\Corel
2010-02-11 05:19 . 2010-02-11 05:19 -------- d-----w- c:\program files\Corel
2010-02-11 05:17 . 2010-02-11 05:14 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-02-11 04:44 . 2010-02-11 04:44 -------- d-----w- c:\program files\CodeGazer
2010-02-11 04:43 . 2010-02-11 04:43 -------- d-----w- c:\program files\Microsoft ATS
2010-02-10 18:29 . 2010-02-10 18:29 -------- d-----w- c:\program files\VideoLAN
2010-02-10 18:27 . 2010-02-10 16:46 680 ----a-w- c:\users\Lauren\AppData\Local\d3d9caps.dat
2010-02-10 18:24 . 2010-02-10 18:24 -------- d-----w- c:\programdata\Blizzard
2010-02-10 18:01 . 2010-02-10 18:01 -------- d-----w- c:\programdata\Messenger Plus!
2010-02-10 18:00 . 2010-02-10 18:00 683801 ----a-w- c:\programdata\Last.fm\Client\UninstWMP\unins000.exe
2010-02-10 18:00 . 2010-02-10 18:00 54 ----a-w- c:\programdata\Last.fm\Client\uninst2.bat
2010-02-10 18:00 . 2010-02-10 18:00 -------- d-----w- c:\programdata\Last.fm
2010-02-10 17:59 . 2010-02-10 17:59 -------- d-----w- c:\program files\Last.fm
2010-02-10 17:45 . 2010-02-10 17:45 -------- d-----w- c:\program files\Messenger Plus! Live
2010-02-10 17:36 . 2010-02-10 17:36 -------- d-----w- c:\program files\Microsoft
2010-02-10 17:36 . 2010-02-10 17:35 -------- d-----w- c:\program files\Windows Live
2010-02-10 17:36 . 2010-02-10 17:36 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-02-10 17:32 . 2010-02-10 17:32 -------- d-----w- c:\program files\Common Files\Windows Live
2010-02-10 17:28 . 2010-02-10 17:28 552 ----a-w- c:\users\Lauren\AppData\Local\d3d8caps.dat
2010-02-10 17:14 . 2010-02-10 17:14 -------- d-----w- c:\program files\Realtek
2010-02-10 17:14 . 2010-02-10 17:14 -------- d-----w- c:\users\Lauren\AppData\Roaming\InstallShield
2010-02-01 13:00 . 2009-11-05 04:30 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-01-27 13:45 . 2009-11-07 05:07 -------- d-----w- c:\program files\Steam
2010-01-22 11:51 . 2010-01-22 11:51 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13785632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-22 141608]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-13 611712]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 531272]

c:\users\Lauren\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-3-11 503808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
AppSecDll REG_SZ c:\users\Lauren\AppData\Local\Windows Server\gftqnn.dll

R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2010-02-11 691696]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\windows\System32\nvSCPAPISvr.exe [2009-06-09 232960]


--- Other Services/Drivers In Memory ---

*Deregistered* - urmbuvwu
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Lauren\AppData\Roaming\Mozilla\Firefox\Profiles\no5ymwls.default\
FF - prefs.js: browser.search.selectedEngine - isoHunt › BT Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

BHO-{A3BA40A2-74F1-52BD-F434-00B15A2C8953} - c:\windows\system32\h3xeb0r6j3.dll
HKCU-Run-Remote System Protection - c:\windows\system32\h3xeb0r6j3.dll
SharedTaskScheduler-{A3BA40A2-74F1-52BD-F434-00B15A2C8953} - c:\windows\system32\h3xeb0r6j3.dll
SafeBoot-dmboot.sys
SafeBoot-dmio.sys
SafeBoot-dmload.sys
SafeBoot-dmadmin
SafeBoot-dmserver
SafeBoot-SRService



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\urmbuvwu]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.032\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.032"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ani\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ani"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.arw"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bay\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.bay"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.bmp"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.bw"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.cr2"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.crw"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cs1\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.cs1"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cur\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.cur"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.dcr"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.dcx"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.dib"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djv\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.djv"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dng\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.dng"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.emf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.emf"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eps\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.eps"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.erf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.erf"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.fff"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fpx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.fpx"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.gif"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hdr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.hdr"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icl\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.icl"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icn\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.icn"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ico"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.iff"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ilbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ilbm"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.int\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.int"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.inta\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.inta"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iw4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.iw4"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2c\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.j2c"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2k\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.j2k"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jfif"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jif"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jp2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jp2"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jpc"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jpe"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jpeg"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice]
@Denied: (2) (S-1-5-21-3678164263-3746749041-4074714776-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jpg"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpk\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jpk"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.jpx"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.lbm"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.mef"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mos\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.mos"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mrw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.mrw"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.nef"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.orf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.orf"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pbm"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pcd"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pct\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pct"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pcx"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pef"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pgm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pgm"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pic\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pic"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pict\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pict"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pix\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.pix"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.png"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ppm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ppm"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.psd"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.psp"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.raf"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ras\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ras"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.raw"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgb\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.rgb"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgba\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.rgba"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rle\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.rle"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rsb\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.rsb"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sgi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.sgi"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sr2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.sr2"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.srf"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tga\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.tga"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.thm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.thm"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.tif"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.tiff"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ttc"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.ttf"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v10o\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.v10o"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v10p\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.v10p"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v10pf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.v10pf"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.wbm"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.wbmp"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.wmf"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.xbm"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.xif"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.xmp"

[HKEY_USERS\S-1-5-21-3678164263-3746749041-4074714776-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xpm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.xpm"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2364)
c:\windows\System32\NLSData0009.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\WUDFHost.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2010-03-16 00:58:57 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-15 16:58

Pre-Run: 74,816,651,264 bytes free
Post-Run: 74,836,459,520 bytes free

- - End Of File - - 64914780E46EA0C01600969F8B42A425

#2
RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
Not sure this will work with Vista, but let's try it.

Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

KillAll::

File::
c:\windows\system32\drivers\urmbuvwu.sys
c:\users\Lauren\AppData\Local\Windows Server\gftqnn.dll

Driver::
urmbuvwu

Folder::
c:\windows\_VOIDxtbaukwoxd
c:\users\Lauren\AppData\Local\Windows Server
c:\users\Lauren\{e073c4df-7f59-4eb5-a354-21c607091ecb}

RootKit::
c:\windows\system32\drivers\urmbuvwu.sys
c:\users\Lauren\AppData\Local\Windows Server\gftqnn.dll

Registry::
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\urmbuvwu]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000


******************************************

Now open Notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all, then File, Save As (to your Desktop), CFScript, OK. Close Notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Drag it over to Combofix and let it start as before.

Post the new log.

Ron

Edited by RKinner, 16 March 2010 - 10:58 PM.

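The script above deletes a driver, a DLL, three folders and two registry keys, and resets the Task Manager policy. The one that matters most is the AppCertDlls key: any DLL listed under it is loaded into every process that calls CreateProcess, which is how the infection kept landing in freshly started programs, so the key has to be gone rather than emptied. Below is an added post-remediation check for this thread, written for Windows PowerShell; it is not part of ComboFix and not from the original post. It assumes the paths and names exactly as they appear in the CFScript, takes the profile name "Lauren" from the ComboFix log, and is run from an elevated prompt after the reboot ComboFix forces.

```powershell
# Post-remediation check for the items the CFScript above targets.
# Added example for this thread; not part of ComboFix or the original post.
# Paths, driver name and registry keys come from the script; the profile
# name "Lauren" comes from the ComboFix log. Run elevated, after the reboot.

function Test-CfScriptRemediation {
    $ErrorActionPreference = 'SilentlyContinue'
    $findings = @()

    # Files and folders the script deletes; a survivor means the rootkit
    # still protected it or the delete is waiting for another reboot.
    $paths = @(
        'C:\Windows\System32\drivers\urmbuvwu.sys',
        'C:\Users\Lauren\AppData\Local\Windows Server\gftqnn.dll',
        'C:\Windows\_VOIDxtbaukwoxd',
        'C:\Users\Lauren\AppData\Local\Windows Server',
        'C:\Users\Lauren\{e073c4df-7f59-4eb5-a354-21c607091ecb}'
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) { $findings += "still on disk: $p" }
    }

    # Registry keys the script removes. AppCertDlls is the persistence point:
    # every DLL listed there is loaded into each process that calls
    # CreateProcess, so the key itself must be absent.
    $keys = @(
        'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls',
        'HKLM:\SYSTEM\ControlSet001\Services\urmbuvwu',
        'HKLM:\SYSTEM\CurrentControlSet\Services\urmbuvwu'
    )
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { $findings += "registry key still present: $k" }
    }

    # Kernel drivers are not listed by Get-Service; ask WMI instead.
    $drv = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='urmbuvwu'"
    if ($drv) { $findings += "driver urmbuvwu still registered (state: $($drv.State))" }

    # Task Manager policy. The script resets the HKCU value; the HKLM
    # counterpart would block it for every user, so check both hives.
    foreach ($hive in 'HKCU', 'HKLM') {
        $pol = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        $val = (Get-ItemProperty -LiteralPath $pol -Name DisableTaskMgr).DisableTaskMgr
        if ($null -ne $val -and [int]$val -ne 0) {
            $findings += "$hive DisableTaskMgr = $val (Task Manager still blocked by policy)"
        }
    }

    # Deletes and renames deferred to the next boot are queued here. Listing
    # them shows whether anything still targets a system binary.
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pending = (Get-ItemProperty -LiteralPath $sm -Name PendingFileRenameOperations).PendingFileRenameOperations
    foreach ($entry in $pending) {
        if ($entry) { $findings += "queued for next boot: $entry" }
    }

    return $findings
}

$result = @(Test-CfScriptRemediation)
if ($result.Count -eq 0) {
    Write-Output 'All CFScript targets are gone and Task Manager is not policy-disabled.'
} else {
    $result | ForEach-Object { Write-Output "[!] $_" }
}
```

An empty result is the expected outcome after a successful run; anything reported, in particular a surviving AppCertDlls key or the driver still registered with the service control manager, means the infection is still active and the CFScript needs to be run again.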

#3
mightysparks

    Member

  • Topic Starter
  • Member
  • 18 posts
I forgot about this... I ended up reinstalling Vista, so don't worry about it, sorry!