
[Active] Google time limit redirect

Discussion in 'Spyware, Adware, Viruses and Malware Removal' started by Teebs, Jan 26, 2010.

  1. Teebs

    Teebs Techie7 New Member

    Hi, just today I noticed that any external link to a website from Google takes me to a blank page and holds me there for 10 seconds before redirecting me to the correct page.

    It has only just started... I ran Spybot Search and Destroy and removed several threats, and now when I run it, it doesn't find any; however, this symptom persists.

    I'm using Windows 7 Ultimate

    Here is my Hijack This log file:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:10:03, on 26/01/2010
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskhost.exe
    C:\Windows\System32\M-AudioTaskBarIcon.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Mediafour\MacDrive 8\MacDrive.exe
    C:\Program Files\AVG\AVG9\avgtray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\DAEMON Tools Lite\DTLite.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Users\Cormac\Downloads\HijackThis.exe
    C:\Windows\system32\SearchFilterHost.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
    O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
    O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\Windows\system32\M-AudioTaskBarIcon.exe
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [MacDrive 8 application] "C:\Program Files\Mediafour\MacDrive 8\MacDrive.exe"
    O4 - HKLM\..\Run: [Getting started with MacDrive 8] "C:\Program Files\Mediafour\MacDrive 8\MDGetStarted.exe" /auto
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\Windows\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
    O4 - HKCU\..\Run: [Device Detector] DevDetect.exe -autorun
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: MacDrive service (MacDriveService) - Mediafour Corporation - C:\Program Files\Mediafour\MacDrive 8\MacDriveService.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

    --
    End of file - 8423 bytes

    Thanks in advance.
     
    Last edited: Jan 26, 2010
  2. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe.

    ***VERY IMPORTANT! Make sure you update SUPERAntiSpyware and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: SUPERAntiSpyware.com - Database Definition Information.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

    * Open SUPERAntiSpyware.
    * Click Scan your Computer... button.
    * Click Scanning Preferences/Control Center... button.
    * Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):

    • Close browsers before scanning.
    • Terminate memory threats before quarantining.

    * Click the Close button to leave the control center screen.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.

    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.

    * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: Malwarebytes.org to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 3. Download GMER: GMER - Rootkit Detector and Remover, by clicking on Download EXE button.
    Alternative downloads:
    - |MG| GMER 1.0.15.15281 Download
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    When the scan is completed, click the Save button and save the results as gmer.log.
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    RESTART COMPUTER

    STEP 4.
    Post fresh HijackThis log.
    NOTE. If you're using Vista or 7, right-click on HijackThis and click Run as Administrator.
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  3. Teebs

    Teebs Techie7 New Member

    Hi, here are all the requested log files... By the way, it may be worth noting that my computer, when booted in normal mode, restarts after a certain amount of time, and also AVG has now detected Trojan horse Rootkit-Pakes.U.

    Do you think that it's best to just backup and do a clean OS install, or do you think that I can get the system clean again?

    Thanks again.


    SUPERAntiSpyware Scan Log
    SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

    Generated 01/26/2010 at 07:46 PM

    Application Version : 4.33.1000

    Core Rules Database Version : 4518
    Trace Rules Database Version: 2330

    Scan type : Complete Scan
    Total Scan Time : 01:17:41

    Memory items scanned : 377
    Memory threats detected : 0
    Registry items scanned : 7376
    Registry threats detected : 0
    File items scanned : 159654
    File threats detected : 1

    Trojan.Agent/Gen-FSG
    C:\USERS\CORMAC\DOWNLOADS\MACDRIVE 8 PACKAGE\3645JJKL\3645JJKL\MACDRIVE8\MD7\MEDIAFOUR_MACDRIVE_V7.2.8_INCL_KEYGEN-PARADOX\KEYGEN\KEYGEN.EXE

    Malwarebytes' Anti-Malware 1.44
    Database version: 3641
    Windows 6.1.7600 (Safe Mode)
    Internet Explorer 8.0.7600.16385

    26/01/2010 23:32:50
    mbam-log-2010-01-26 (23-32-50).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 275216
    Time elapsed: 26 minute(s), 47 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\BMIMZMHMFM (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\WS9E3IQBKY (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Windows\System32\spool\prtprocs\w32x86\00003c6c.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    GMER 1.0.15.15281 - GMER - Rootkit Detector and Remover
    Rootkit scan 2010-01-26 23:49:20
    Windows 6.1.7600
    Running: dn06xmk2.exe; Driver: C:\Users\Cormac\AppData\Local\Temp\kfryrpoc.sys


    ---- System - GMER 1.0.15 ----

    INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A31AF8
    INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A31104
    INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A313F4
    INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1A2D8
    INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A311DC
    INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A31958
    INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A316F8
    INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A31F2C
    INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A321A8

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A91579 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AB5F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    ? System32\drivers\sjnjxa.sys The system cannot find the path specified. !
    ? System32\Drivers\spku.sys The system cannot find the path specified. !
    .text USBPORT.SYS!DllUnload 8F04FCA0 5 Bytes JMP 85BE14E0
    .text aj8lkli3.SYS 8F179000 12 Bytes [44, C8, A1, 82, EE, C6, A1, ...]
    .text aj8lkli3.SYS 8F17900D 9 Bytes [A7, A1, 82, 48, CB, A1, 82, ...] {CMPSD ; MOV EAX, [0xa1cb4882]; ADD BYTE [EAX], 0x0}
    .text aj8lkli3.SYS 8F179017 170 Bytes [00, DE, 07, D8, 88, E6, 05, ...]
    .text aj8lkli3.SYS 8F1790C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
    .text aj8lkli3.SYS 8F1790CE 4 Bytes [00, 00, 00, 00] {ADD [EAX], AL; ADD [EAX], AL}
    .text ...
    .text peauth.sys 9B228C9D 28 Bytes [9E, BD, 53, B8, 30, 62, 2A, ...]
    .text peauth.sys 9B228CC1 28 Bytes [9E, BD, 53, B8, 30, 62, 2A, ...]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Mozilla Firefox\firefox.exe[3092] ntdll.dll!LdrLoadDll 776EF585 5 Bytes JMP 000313F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [88C84042] \SystemRoot\System32\Drivers\spku.sys
    IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [88C846D6] \SystemRoot\System32\Drivers\spku.sys
    IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [88C84800] \SystemRoot\System32\Drivers\spku.sys
    IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [88C8413E] \SystemRoot\System32\Drivers\spku.sys
    IAT \SystemRoot\System32\Drivers\aj8lkli3.SYS[ataport.SYS!AtaPortNotification] 00147880
    IAT \SystemRoot\System32\Drivers\aj8lkli3.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75
    IAT \SystemRoot\System32\Drivers\aj8lkli3.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015
    IAT \SystemRoot\System32\Drivers\aj8lkli3.SYS[ataport.SYS!AtaPortStallExecution] C25DC033
    IAT \SystemRoot\System32\Drivers\aj8lkli3.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008
    IAT \SystemRoot\System32\Drivers\aj8lkli3.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08
    IAT \SystemRoot\System32\Drivers\aj8lkli3.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24
    IAT \SystemRoot\System32\Drivers\aj8lkli3.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8
    IAT \SystemRoot\System32\Drivers\aj8lkli3.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800
    IAT \SystemRoot\System32\Drivers\aj8lkli3.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000
    IAT \SystemRoot\System32\Drivers\aj8lkli3.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008
    IAT \SystemRoot\System32\Drivers\aj8lkli3.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC
    IAT \SystemRoot\System32\Drivers\aj8lkli3.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC
    IAT \SystemRoot\System32\Drivers\aj8lkli3.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC
    IAT \SystemRoot\System32\Drivers\aj8lkli3.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55
    IAT \SystemRoot\System32\Drivers\aj8lkli3.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B
    IAT \SystemRoot\System32\Drivers\aj8lkli3.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B
    IAT \SystemRoot\System32\Drivers\aj8lkli3.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A
    IAT \SystemRoot\System32\Drivers\aj8lkli3.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500
    IAT \SystemRoot\System32\Drivers\aj8lkli3.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B
    IAT \SystemRoot\System32\Drivers\aj8lkli3.SYS[ataport.SYS!AtaPortInitialize] 157B805E
    IAT \SystemRoot\System32\Drivers\aj8lkli3.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500
    IAT \SystemRoot\System32\Drivers\aj8lkli3.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 84C7A1F8
    Device \FileSystem\Ntfs \Ntfs MDFSYSNT.sys (MacDrive file system driver/Mediafour Corporation)
    Device \FileSystem\fastfat \FatCdrom 869B1500
    Device \Driver\volmgr \Device\VolMgrControl 84C751F8
    Device \Driver\usbuhci \Device\USBPDO-0 85E6A1F8
    Device \Driver\usbuhci \Device\USBPDO-1 85E6A1F8
    Device \Driver\usbehci \Device\USBPDO-2 85E63500
    Device \Driver\usbuhci \Device\USBPDO-3 85E6A1F8
    Device \Driver\PCI_PNP2890 \Device\00000054 spku.sys
    Device \Driver\usbuhci \Device\USBPDO-4 85E6A1F8

    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\usbuhci \Device\USBPDO-5 85E6A1F8
    Device \Driver\USBSTOR \Device\00000070 864AD1F8
    Device \Driver\usbehci \Device\USBPDO-6 85E63500
    Device \Driver\volmgr \Device\HarddiskVolume1 84C751F8

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

    Device \Driver\USBSTOR \Device\00000071 864AD1F8
    Device \Driver\volmgr \Device\HarddiskVolume2 84C751F8

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

    Device \Driver\cdrom \Device\CdRom0 85CE01F8
    Device \Driver\USBSTOR \Device\00000072 864AD1F8
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-2 [88EBA472] \SystemRoot\system32\DRIVERS\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
    Device \Driver\atapi \Device\Ide\IdePort0 [88EBA472] \SystemRoot\system32\DRIVERS\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
    Device \Driver\atapi \Device\Ide\IdePort1 [88EBA472] \SystemRoot\system32\DRIVERS\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
    Device \Driver\atapi \Device\Ide\IdePort2 [88EBA472] \SystemRoot\system32\DRIVERS\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
    Device \Driver\atapi \Device\Ide\IdePort3 [88EBA472] \SystemRoot\system32\DRIVERS\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
    Device \Driver\atapi \Device\Ide\IdePort4 [88EBA472] \SystemRoot\system32\DRIVERS\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
    Device \Driver\atapi \Device\Ide\IdePort5 [88EBA472] \SystemRoot\system32\DRIVERS\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
    Device \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-0 [88EBA472] \SystemRoot\system32\DRIVERS\atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
    Device \Driver\cdrom \Device\CdRom1 85CE01F8
    Device \Driver\USBSTOR \Device\00000073 864AD1F8
    Device \Driver\volmgr \Device\HarddiskVolume3 84C751F8

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

    Device \Driver\volmgr \Device\HarddiskVolume4 84C751F8

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

    Device \Driver\volmgr \Device\HarddiskVolume5 84C751F8

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

    Device \Driver\volmgr \Device\HarddiskVolume6 84C751F8

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

    Device \Driver\volmgr \Device\HarddiskVolume7 84C751F8

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

    Device \Driver\adfs \Device\ADVirtualDisk\Volume MDFSYSNT.sys (MacDrive file system driver/Mediafour Corporation)
    Device \Driver\adfs \Device\ADVirtualDisk\Control MDFSYSNT.sys (MacDrive file system driver/Mediafour Corporation)
    Device \Driver\NetBT \Device\NetBt_Wins_Export 85D991F8
    Device \Driver\volmgr \Device\HarddiskVolume8 84C751F8

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

    Device \Driver\ACPI_HAL \Device\0000004b halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
    Device \Driver\volmgr \Device\HarddiskVolume9 84C751F8

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume9 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

    Device \Driver\sptd \Device\595094140 spku.sys
    Device \Driver\NetBT \Device\NetBT_Tcpip_{79266487-8B7A-4713-A8CE-370E75EB45E1} 85D991F8
    Device \FileSystem\Mup \Device\Mup MDFSYSNT.sys (MacDrive file system driver/Mediafour Corporation)

    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\MDPMGRNT \Device\MacDrivePartitionDriver 84C791F8
    Device \Driver\usbuhci \Device\USBFDO-0 85E6A1F8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{90327790-CD49-48E9-9ABB-16C0EB1AB818} 85D991F8
    Device \Driver\USBSTOR \Device\0000006d 864AD1F8
    Device \Driver\usbuhci \Device\USBFDO-1 85E6A1F8
    Device \Driver\USBSTOR \Device\0000006e 864AD1F8
    Device \Driver\usbehci \Device\USBFDO-2 85E63500
    Device \Driver\USBSTOR \Device\0000006f 864AD1F8
    Device \Driver\usbuhci \Device\USBFDO-3 85E6A1F8
    Device \Driver\usbuhci \Device\USBFDO-4 85E6A1F8
    Device \Driver\usbuhci \Device\USBFDO-5 85E6A1F8
    Device \Driver\usbehci \Device\USBFDO-6 85E63500
    Device \Driver\aj8lkli3 \Device\Scsi\aj8lkli31 8601B500
    Device \Driver\aj8lkli3 \Device\Scsi\aj8lkli31Port6Path0Target0Lun0 8601B500
    Device \FileSystem\fastfat \Fat 869B1500

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Fs_Rec \FileSystem\ExFatRecognizer MDFSYSNT.sys (MacDrive file system driver/Mediafour Corporation)
    Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer MDFSYSNT.sys (MacDrive file system driver/Mediafour Corporation)
    Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer MDFSYSNT.sys (MacDrive file system driver/Mediafour Corporation)
    Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer MDFSYSNT.sys (MacDrive file system driver/Mediafour Corporation)
    Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer MDFSYSNT.sys (MacDrive file system driver/Mediafour Corporation)
    Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer MDFSYSNT.sys (MacDrive file system driver/Mediafour Corporation)

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:336] 9B30FF2E

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xFB 0xA1 0xD8 0x66 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x7E 0x61 0x71 0xD0 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xDB 0x9D 0x4C 0xBE ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xFB 0xA1 0xD8 0x66 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x7E 0x61 0x71 0xD0 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xDB 0x9D 0x4C 0xBE ...

    ---- Files - GMER 1.0.15 ----

    File C:\Windows\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:52:46, on 26/01/2010
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\M-AudioTaskBarIcon.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Mediafour\MacDrive 8\MacDrive.exe
    C:\Program Files\AVG\AVG9\avgtray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\DAEMON Tools Lite\DTLite.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\Cormac\Downloads\HijackThis.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
    O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
    O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\Windows\system32\M-AudioTaskBarIcon.exe
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [MacDrive 8 application] "C:\Program Files\Mediafour\MacDrive 8\MacDrive.exe"
    O4 - HKLM\..\Run: [Getting started with MacDrive 8] "C:\Program Files\Mediafour\MacDrive 8\MDGetStarted.exe" /auto
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
    O4 - HKCU\..\Run: [Device Detector] DevDetect.exe -autorun
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: MacDrive service (MacDriveService) - Mediafour Corporation - C:\Program Files\Mediafour\MacDrive 8\MacDriveService.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

    --
    End of file - 8362 bytes
  4. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    No, no, you'll always have time to reinstall if we fail :)

    Please download ComboFix from Here or Here to your Desktop.


    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.


    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  5. Teebs

    Teebs Techie7 New Member

    Here you go; it deleted a font file, which I find slightly odd:

    Also, I couldn't find SuperAntispyware in the process list. Should I uninstall it and run ComboFix in safe mode again, or have you got all the information you require out of these 2 logs?

    Thanks.

    ComboFix 10-01-26.02 - Cormac 27/01/2010 1:02.1.2 - x86 MINIMAL
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.2048.1218 [GMT 0:00]
    Running from: c:\users\Cormac\Downloads\ComboFix.exe
    SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Fonts\MyriadPro-Regular.otf

    .
    ((((((((((((((((((((((((( Files Created from 2009-12-27 to 2010-01-27 )))))))))))))))))))))))))))))))
    .

    2010-01-27 00:58 . 2010-01-27 01:01 -------- d-----w- C:\32788R22FWJFW
    2010-01-26 19:56 . 2010-01-26 19:56 -------- d-----w- c:\users\Cormac\AppData\Roaming\Malwarebytes
    2010-01-26 19:56 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-26 19:56 . 2010-01-26 19:56 -------- d-----w- c:\programdata\Malwarebytes
    2010-01-26 19:56 . 2010-01-26 19:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-26 19:56 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-26 18:15 . 2010-01-26 18:15 52224 ----a-w- c:\users\Cormac\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-01-26 18:15 . 2010-01-26 18:15 117760 ----a-w- c:\users\Cormac\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-01-26 18:14 . 2010-01-26 18:14 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-01-26 18:14 . 2010-01-26 18:14 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-01-26 18:14 . 2010-01-26 18:14 -------- d-----w- c:\users\Cormac\AppData\Roaming\SUPERAntiSpyware.com
    2010-01-26 18:13 . 2010-01-26 18:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-01-26 09:27 . 2010-01-26 09:27 -------- d-----w- c:\users\Cormac\AppData\Roaming\Safer Networking
    2010-01-26 09:11 . 2010-01-26 10:18 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2010-01-26 09:11 . 2010-01-26 09:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-01-26 09:10 . 2010-01-26 09:10 -------- d-----w- c:\program files\Safer Networking
    2010-01-26 09:01 . 2009-12-02 13:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-01-25 18:09 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-01-25 17:53 . 2010-01-25 17:53 -------- dc-h--w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
    2010-01-25 17:53 . 2009-12-07 14:10 2953352 -c--a-w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
    2010-01-25 17:52 . 2010-01-25 17:52 -------- d-----w- c:\program files\Lavasoft
    2010-01-25 17:52 . 2010-01-25 18:09 -------- d-----w- c:\programdata\Lavasoft
    2010-01-24 15:35 . 2010-01-24 15:35 -------- d-----w- c:\program files\Winamp Detect
    2010-01-21 23:11 . 2009-12-19 09:02 977920 ----a-w- c:\windows\system32\wininet.dll
    2010-01-21 03:05 . 2010-01-21 03:05 -------- d-----w- c:\program files\MSXML 4.0
    2010-01-20 08:18 . 2010-01-20 08:19 -------- d-----w- c:\users\Cormac\AppData\Local\Ahead
    2010-01-20 08:17 . 2010-01-20 08:20 -------- d-----w- c:\users\Cormac\AppData\Roaming\Ahead
    2010-01-20 08:17 . 2010-01-20 08:17 -------- d-----w- c:\programdata\Ahead
    2010-01-20 08:16 . 2010-01-20 08:16 -------- d-----w- c:\program files\Common Files\Ahead
    2010-01-20 08:16 . 2010-01-20 08:16 -------- d-----w- c:\programdata\Nero
    2010-01-20 08:16 . 2010-01-20 08:16 -------- d-----w- c:\program files\Nero
    2010-01-15 00:55 . 2010-01-15 00:55 2165 ----a-w- c:\users\Cormac\AppData\Roaming\.purple\certificates\x509\tls_peers\rsi.hotmail.com
    2010-01-15 00:54 . 2010-01-15 00:54 2157 ----a-w- c:\users\Cormac\AppData\Roaming\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
    2010-01-15 00:54 . 2010-01-15 00:54 2095 ----a-w- c:\users\Cormac\AppData\Roaming\.purple\certificates\x509\tls_peers\login.live.com
    2010-01-13 11:10 . 2009-10-19 14:10 108544 ----a-w- c:\windows\system32\t2embed.dll
    2010-01-13 11:10 . 2009-10-19 14:10 70656 ----a-w- c:\windows\system32\fontsub.dll
    2010-01-13 03:45 . 2010-01-21 03:22 -------- d-----w- c:\users\Cormac\AppData\Roaming\Spotify
    2010-01-13 03:45 . 2010-01-13 03:46 -------- d-----w- c:\users\Cormac\AppData\Local\Spotify
    2010-01-13 03:45 . 2010-01-13 03:45 -------- d-----w- c:\program files\Spotify
    2010-01-13 01:04 . 2010-01-15 01:22 -------- d-----w- c:\users\Cormac\AppData\Roaming\.purple
    2010-01-13 01:02 . 2010-01-13 01:03 -------- d-----w- c:\program files\Pidgin
    2010-01-13 01:02 . 2010-01-13 01:02 -------- d-----w- c:\program files\Common Files\GTK
    2010-01-13 00:11 . 2010-01-13 00:12 -------- d-----w- c:\program files\Imagenomic
    2010-01-12 03:52 . 2010-01-12 03:52 -------- d-----w- c:\users\Cormac\AppData\Roaming\dvdcss
    2010-01-12 00:56 . 2010-01-23 16:32 -------- d-----w- c:\users\Cormac\AppData\Roaming\Ableton
    2010-01-12 00:56 . 2010-01-23 16:10 -------- d-----w- c:\program files\Ableton
    2010-01-12 00:56 . 2007-12-05 01:40 368640 ----a-w- c:\windows\system32\rewire.dll
    2010-01-12 00:56 . 2007-12-05 01:40 233472 ----a-w- c:\windows\system32\rex shared library.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-26 18:19 . 2009-11-28 19:14 -------- d-----w- c:\program files\Rockstar Games
    2010-01-26 13:53 . 2009-11-25 22:54 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-01-26 09:02 . 2009-11-28 18:45 -------- d-----w- c:\users\Cormac\AppData\Roaming\FileZilla
    2010-01-25 09:57 . 2009-11-27 13:11 1 ----a-w- c:\users\Cormac\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-01-24 15:35 . 2009-11-26 01:44 -------- d-----w- c:\program files\Winamp
    2010-01-24 14:34 . 2009-11-26 01:34 -------- d-----w- c:\users\Cormac\AppData\Roaming\uTorrent
    2010-01-21 05:20 . 2009-11-30 20:37 -------- d-----w- c:\users\Cormac\AppData\Roaming\vlc
    2010-01-13 00:14 . 2009-11-30 15:31 -------- d-----w- c:\users\Cormac\AppData\Roaming\Imagenomic
    2010-01-12 17:00 . 2009-11-30 06:51 -------- d-----w- c:\users\Cormac\AppData\Roaming\Apple Computer
    2010-01-12 01:01 . 2009-11-26 01:44 -------- d-----w- c:\users\Cormac\AppData\Roaming\Winamp
    2010-01-11 15:27 . 2009-11-28 18:44 -------- d-----w- c:\program files\FileZilla FTP Client
    2009-12-15 13:42 . 2009-11-26 01:42 -------- d-----w- c:\programdata\FLEXnet
    2009-12-13 01:21 . 2009-12-13 01:21 -------- d-----w- c:\program files\DivX
    2009-12-13 01:21 . 2009-12-13 01:21 -------- d-----w- c:\program files\Common Files\DivX Shared
    2009-12-09 18:52 . 2009-11-25 22:40 -------- d-----w- c:\program files\Belkin
    2009-12-07 12:47 . 2009-11-26 00:34 -------- d-----w- c:\program files\Common Files\Adobe
    2009-12-04 20:01 . 2009-11-25 23:00 64992 ----a-w- c:\users\Cormac\AppData\Local\GDIPFONTCACHEV1.DAT
    2009-12-02 00:40 . 2009-12-02 00:40 -------- d-----w- c:\programdata\Soulseek
    2009-12-01 22:56 . 2009-11-30 06:50 -------- d-----w- c:\programdata\Apple Computer
    2009-12-01 21:31 . 2009-11-27 13:09 -------- d-----w- c:\program files\Java
    2009-12-01 08:46 . 2009-12-01 08:46 -------- d-----w- c:\program files\iTunes
    2009-12-01 08:46 . 2009-12-01 08:46 -------- d-----w- c:\program files\iPod
    2009-12-01 08:46 . 2009-11-30 06:48 -------- d-----w- c:\program files\Common Files\Apple
    2009-12-01 08:32 . 2009-12-01 08:32 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
    2009-12-01 08:32 . 2009-11-30 06:49 -------- d-----w- c:\programdata\Apple
    2009-12-01 02:13 . 2009-12-01 02:13 -------- d-----w- c:\program files\MPC HomeCinema
    2009-12-01 02:12 . 2009-12-01 02:12 -------- d-----w- c:\program files\K-Lite Codec Pack
    2009-12-01 01:09 . 2009-12-01 01:09 -------- d-----w- c:\users\Cormac\AppData\Roaming\Media Player Classic
    2009-11-30 16:35 . 2009-11-30 16:35 -------- d-----w- c:\users\Cormac\AppData\Roaming\ACD Systems
    2009-11-30 16:29 . 2009-11-30 16:29 -------- d-----w- c:\program files\Common Files\ACD Systems
    2009-11-30 16:29 . 2009-11-30 16:29 -------- d-----w- c:\programdata\ACD Systems
    2009-11-30 16:29 . 2009-11-30 16:29 -------- d-----w- c:\program files\ACD Systems
    2009-11-30 15:29 . 2009-11-30 15:29 -------- d-----w- c:\program files\VideoLAN
    2009-11-30 12:58 . 2009-11-30 12:58 -------- d-----w- c:\program files\CCleaner
    2009-11-30 12:51 . 2009-11-30 12:51 -------- d-----w- c:\users\Cormac\AppData\Roaming\com.adobe.ExMan
    2009-11-30 12:45 . 2009-11-26 00:51 -------- d-----w- c:\program files\Common Files\PX Storage Engine
    2009-11-30 06:55 . 2009-11-30 06:55 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-11-30 06:55 . 2009-11-30 06:55 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2009-11-30 06:55 . 2009-11-30 06:55 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-11-30 06:55 . 2009-11-30 06:55 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-11-30 06:55 . 2009-11-30 06:55 -------- d-----w- c:\program files\AVG
    2009-11-30 06:55 . 2009-11-30 06:55 -------- d-----w- c:\programdata\avg9
    2009-11-30 06:51 . 2009-11-30 06:50 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    2009-11-30 06:50 . 2009-11-30 06:50 -------- d-----w- c:\program files\Bonjour
    2009-11-30 06:50 . 2009-11-30 06:50 -------- d-----w- c:\program files\QuickTime
    2009-11-30 06:49 . 2009-11-30 06:49 -------- d-----w- c:\program files\Apple Software Update
    2009-11-28 19:45 . 2009-11-28 19:33 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
    2009-11-28 19:41 . 2009-11-28 19:41 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
    2009-11-28 19:11 . 2009-11-28 18:43 -------- d-----w- c:\users\Cormac\AppData\Roaming\DAEMON Tools Lite
    2009-11-28 18:44 . 2009-11-28 18:44 -------- d-----w- c:\program files\DAEMON Tools Lite
    2009-11-28 18:44 . 2009-11-28 18:44 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
    2009-11-28 18:43 . 2009-11-28 18:43 -------- d-----w- c:\programdata\DAEMON Tools Lite
    2009-11-25 22:56 . 2009-11-25 22:56 0 ----a-w- c:\windows\nsreg.dat
    2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
    2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx07.dll
    2009-11-14 00:47 . 2009-11-14 00:47 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
    2009-11-14 00:47 . 2009-11-14 00:47 843776 ----a-w- c:\windows\system32\divx_xx16.dll
    2009-11-14 00:47 . 2009-11-14 00:47 839680 ----a-w- c:\windows\system32\divx_xx11.dll
    2009-11-14 00:47 . 2009-11-14 00:47 696320 ----a-w- c:\windows\system32\DivX.dll
    2009-11-12 17:07 . 2009-11-12 17:07 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
    2009-11-09 18:00 . 2009-12-01 02:12 85504 ----a-w- c:\windows\system32\ff_vfw.dll
    2009-11-09 13:56 . 2009-11-09 13:56 643592 ----a-w- c:\windows\system32\M-AudioTaskBarIcon.exe
    2009-11-09 13:56 . 2009-11-09 13:56 32776 ----a-w- c:\windows\system32\mausbasio.dll
    2009-11-09 13:56 . 2009-11-09 13:56 158600 ----a-w- c:\windows\system32\drivers\MAudioFastTrackPro.sys
    2009-11-09 13:56 . 2009-11-09 13:56 2526185 ----a-w- c:\windows\system32\madiousb.dll
    2009-11-06 10:59 . 2009-11-06 10:59 15406728 ----a-w- c:\windows\system32\xlive.dll
    2009-11-06 10:59 . 2009-11-06 10:59 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
    2009-11-02 20:42 . 2009-11-25 23:09 195456 ------w- c:\windows\system32\MpSigStub.exe
    2009-11-02 18:05 . 2009-11-02 18:05 167064 ----a-w- c:\windows\system32\xliveinstall.dll
    2009-11-02 18:05 . 2009-11-02 18:05 71832 ----a-w- c:\windows\system32\xliveinstallhost.exe
    2009-10-29 07:22 . 2009-11-27 04:46 2048 ----a-w- c:\windows\system32\tzres.dll
    2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
    2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2009-09-02 14:56 1175944 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-02 1175944]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-02 1175944]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Device Detector"="DevDetect.exe -autorun" [X]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "M-Audio Taskbar Icon"="c:\windows\system32\M-AudioTaskBarIcon.exe" [2009-11-09 643592]
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-01-13 37888]
    "MacDrive 8 application"="c:\program files\Mediafour\MacDrive 8\MacDrive.exe" [2009-06-15 202328]
    "Getting started with MacDrive 8"="c:\program files\Mediafour\MacDrive 8\MDGetStarted.exe" [2009-03-31 141312]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-02 2033432]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "GrpConv"="grpconv -o" [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer1"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [25/01/2010 18:09 64288]
    S0 MDFSYSNT;MacDrive file system driver;c:\windows\System32\drivers\MDFSYSNT.SYS [22/06/2009 15:53 262144]
    S0 MDPMGRNT;MacDrive partition driver;c:\windows\System32\drivers\MDPMGRNT.SYS [28/05/2009 11:48 20992]
    S0 sptd;sptd;c:\windows\System32\drivers\sptd.sys [28/11/2009 18:44 691696]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [30/11/2009 06:55 333192]
    S1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\drivers\avgtdix.sys [30/11/2009 06:55 360584]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 07:56 9968]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 07:56 74480]
    S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [30/11/2009 06:55 285392]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [02/12/2009 13:19 1181328]
    S2 MacDriveService;MacDrive service;c:\program files\Mediafour\MacDrive 8\MacDriveService.exe [21/05/2009 11:43 150528]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [26/01/2010 09:11 1153368]
    S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [15/08/2008 05:46 284016]
    S3 MAUSBFASTTRACKPRO;Service for M-Audio FastTrack Pro;c:\windows\System32\drivers\MAudioFastTrackPro.sys [09/11/2009 13:56 158600]
    S3 netr73;Belkin Wireless G Plus MIMO USB Network Adapter Driver for Vista;c:\windows\System32\drivers\netr73.sys [12/11/2007 10:03 468480]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 07:56 7408]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\System32\drivers\yk62x86.sys [13/07/2009 22:02 311296]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-01-27 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 18:08]

    2010-01-27 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 18:08]

    2010-01-27 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 18:08]

    2010-01-27 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 18:08]

    2010-01-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 18:08]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    FF - ProfilePath - c:\users\Cormac\AppData\Roaming\Mozilla\Firefox\Profiles\94gcgz7s.default\
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .
    - - - - ORPHANS REMOVED - - - -

    ShellIconOverlayIdentifiers-MacDrive volume icons - (no file)
    HKCU-Run-AdobeBridge - (no file)
    HKLM-Run-F5D9050 - c:\program files\Belkin\F5D9050\Belkinwcui.exe
    HKLM-RunOnce-<NO NAME> - (no file)



    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll atapi.sys >>UNKNOWN [0x853B98C8]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
    SecurityProcedure -> 0x83ceadc0
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.032\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.032"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.abr\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.abr"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ani\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.ani"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arw\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.arw"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bay\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.bay"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.bmp"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bw\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.bw"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.cr2"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.crw"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cs1\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.cs1"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cur\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.cur"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcr\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.dcr"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcx\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.dcx"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.dib"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djv\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.djv"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djvu\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.djvu"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dng\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.dng"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.emf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.emf"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eps\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.eps"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.erf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.erf"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fff\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.fff"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fpx\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.fpx"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.gif"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hdr\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.hdr"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icl\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.icl"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icn\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.icn"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iff\UserChoice]
    @Denied: (2) (S-1-5-21-264600023-1634068068-576696168-1000)
    @Denied: (2) (LocalSystem)
    "Progid"="Winamp.File.iff"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ilbm\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.ilbm"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.int\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.int"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.inta\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.inta"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iw4\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.iw4"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2c\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.j2c"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2k\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.j2k"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jbr\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.jbr"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.jfif"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jif\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.jif"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jp2\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.jp2"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpc\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.jpc"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.jpe"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.jpeg"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.jpg"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpk\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.jpk"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpx\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.jpx"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.kdc\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.kdc"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lbm\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.lbm"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mef\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.mef"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mos\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.mos"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mrw\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.mrw"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nef\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.nef"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.orf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.orf"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pbm\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.pbm"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pbr\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.pbr"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcd\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.pcd"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pct\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.pct"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcx\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.pcx"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pef\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.pef"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pgm\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.pgm"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pic\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.pic"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pict\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.pict"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pix\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.pix"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.png"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ppm\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.ppm"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psd\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.psd"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psp\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.psp"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pspbrush\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.pspbrush"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pspimage\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.pspimage"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.raf"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ras\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.ras"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\UserChoice]
    @Denied: (2) (S-1-5-21-264600023-1634068068-576696168-1000)
    @Denied: (2) (LocalSystem)
    "Progid"="Winamp.File.raw"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgb\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.rgb"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgba\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.rgba"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rle\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.rle"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rsb\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.rsb"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sgi\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.sgi"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sr2\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.sr2"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.srf"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tga\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.tga"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.thm\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.thm"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.tif"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.tiff"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttc\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.ttc"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.ttf"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v11o\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.v11o"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v11p\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.v11p"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v11pf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.v11pf"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbm\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.wbm"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbmp\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.wbmp"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.wmf"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xbm\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.xbm"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xif\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.xif"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xmp\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.xmp"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xpm\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.xpm"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2010-01-27 01:12:28
    ComboFix-quarantined-files.txt 2010-01-27 01:12

    Pre-Run: 24,640,974,848 bytes free
    Post-Run: 24,707,399,680 bytes free

    - - End Of File - - E085C7AE913EF1FD69B091F21FE8C70D











    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 01:16:26, on 27/01/2010
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\M-AudioTaskBarIcon.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Mediafour\MacDrive 8\MacDrive.exe
    C:\Program Files\AVG\AVG9\avgtray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\DAEMON Tools Lite\DTLite.exe
    C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\Cormac\Downloads\HijackThis.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Mozilla Firefox\firefox.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
    O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\Windows\system32\M-AudioTaskBarIcon.exe
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [MacDrive 8 application] "C:\Program Files\Mediafour\MacDrive 8\MacDrive.exe"
    O4 - HKLM\..\Run: [Getting started with MacDrive 8] "C:\Program Files\Mediafour\MacDrive 8\MDGetStarted.exe" /auto
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
    O4 - HKCU\..\Run: [Device Detector] DevDetect.exe -autorun
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: MacDrive service (MacDriveService) - Mediafour Corporation - C:\Program Files\Mediafour\MacDrive 8\MacDriveService.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

    --
    End of file - 7595 bytes
  6. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    You're fine with Superantispyware.
    Did you run Combofix in Safe Mode?
    In what browser is that Google issue present?
  7. Teebs

    Teebs Techie7 New Member

    I did run it in safe mode. Should I run it in normal mode?

    It's in Firefox.

    Like I say though, more worryingly my computer seems to now restart itself after about 1 hour, consistently... this is definitely not due to CPU temperature or anything like that.
  8. Teebs

    Teebs Techie7 New Member

    Actually scratch what I said about the computer restarting itself... it seems to have stopped doing that now.

    The browser time limit redirect is still present though.
  9. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Yes, please.
    Also, I'd like to know if the redirection is present in IE.
  10. Teebs

    Teebs Techie7 New Member

    It is also happening in Internet Explorer (just checked now). I'll run combofix in normal mode and get back to you.
  11. broni

    broni Malware Annihilator Techie7 Moderator Head Security

  12. Teebs

    Teebs Techie7 New Member

    ComboFix 10-01-26.02 - Cormac 28/01/2010 9:24.2.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.2048.1053 [GMT 0:00]
    Running from: c:\users\Cormac\Downloads\ComboFix.exe
    SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    .

    ((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-28 )))))))))))))))))))))))))))))))
    .

    2010-01-28 09:32 . 2010-01-28 09:32 -------- d-----w- c:\users\Cormac\AppData\Local\temp
    2010-01-28 09:32 . 2010-01-28 09:32 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-01-28 09:32 . 2010-01-28 09:32 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-01-28 09:18 . 2010-01-28 09:21 -------- d-----w- C:\32788R22FWJFW
    2010-01-27 12:39 . 2010-01-27 12:39 15880 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lsdelete.exe
    2010-01-27 12:39 . 2010-01-27 12:39 163728 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\ShellExt.dll
    2010-01-27 12:39 . 2010-01-27 12:39 327000 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\RPAPI.dll
    2010-01-27 12:39 . 2010-01-27 12:39 87496 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
    2010-01-27 09:45 . 2010-01-18 09:32 1260800 ----a-w- c:\programdata\avg9\update\backup\avgfrw.exe
    2010-01-27 09:45 . 2010-01-18 09:32 3777280 ----a-w- c:\programdata\avg9\update\backup\setup.exe
    2010-01-27 00:30 . 2009-10-31 05:45 2614272 ----a-w- c:\windows\explorer.exe
    2010-01-27 00:30 . 2009-10-28 06:17 285696 ----a-w- c:\windows\system32\winlogon.exe
    2010-01-26 19:56 . 2010-01-26 19:56 -------- d-----w- c:\users\Cormac\AppData\Roaming\Malwarebytes
    2010-01-26 19:56 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-26 19:56 . 2010-01-26 19:56 -------- d-----w- c:\programdata\Malwarebytes
    2010-01-26 19:56 . 2010-01-26 19:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-26 19:56 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-26 18:15 . 2010-01-26 18:15 52224 ----a-w- c:\users\Cormac\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-01-26 18:15 . 2010-01-26 18:15 117760 ----a-w- c:\users\Cormac\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-01-26 18:14 . 2010-01-26 18:14 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2010-01-26 18:14 . 2010-01-26 18:14 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-01-26 18:14 . 2010-01-26 18:14 -------- d-----w- c:\users\Cormac\AppData\Roaming\SUPERAntiSpyware.com
    2010-01-26 18:13 . 2010-01-26 18:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-01-26 09:27 . 2010-01-26 09:27 -------- d-----w- c:\users\Cormac\AppData\Roaming\Safer Networking
    2010-01-26 09:11 . 2010-01-26 10:18 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2010-01-26 09:11 . 2010-01-26 09:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-01-26 09:10 . 2010-01-26 09:10 -------- d-----w- c:\program files\Safer Networking
    2010-01-26 09:01 . 2009-12-02 13:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-01-25 18:09 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-01-25 17:53 . 2010-01-25 17:53 -------- dc-h--w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
    2010-01-25 17:53 . 2009-12-07 14:10 2953352 -c--a-w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
    2010-01-25 17:52 . 2010-01-25 17:52 -------- d-----w- c:\program files\Lavasoft
    2010-01-25 17:52 . 2010-01-25 18:09 -------- d-----w- c:\programdata\Lavasoft
    2010-01-24 15:35 . 2010-01-24 15:35 -------- d-----w- c:\program files\Winamp Detect
    2010-01-21 23:11 . 2009-12-19 09:02 977920 ----a-w- c:\windows\system32\wininet.dll
    2010-01-21 03:05 . 2010-01-21 03:05 -------- d-----w- c:\program files\MSXML 4.0
    2010-01-20 08:18 . 2010-01-20 08:19 -------- d-----w- c:\users\Cormac\AppData\Local\Ahead
    2010-01-20 08:17 . 2010-01-20 08:20 -------- d-----w- c:\users\Cormac\AppData\Roaming\Ahead
    2010-01-20 08:17 . 2010-01-20 08:17 -------- d-----w- c:\programdata\Ahead
    2010-01-20 08:16 . 2010-01-20 08:16 -------- d-----w- c:\program files\Common Files\Ahead
    2010-01-20 08:16 . 2010-01-20 08:16 -------- d-----w- c:\programdata\Nero
    2010-01-20 08:16 . 2010-01-20 08:16 -------- d-----w- c:\program files\Nero
    2010-01-15 00:55 . 2010-01-15 00:55 2165 ----a-w- c:\users\Cormac\AppData\Roaming\.purple\certificates\x509\tls_peers\rsi.hotmail.com
    2010-01-15 00:54 . 2010-01-15 00:54 2157 ----a-w- c:\users\Cormac\AppData\Roaming\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
    2010-01-15 00:54 . 2010-01-15 00:54 2095 ----a-w- c:\users\Cormac\AppData\Roaming\.purple\certificates\x509\tls_peers\login.live.com
    2010-01-13 11:10 . 2009-10-19 14:10 108544 ----a-w- c:\windows\system32\t2embed.dll
    2010-01-13 11:10 . 2009-10-19 14:10 70656 ----a-w- c:\windows\system32\fontsub.dll
    2010-01-13 03:45 . 2010-01-21 03:22 -------- d-----w- c:\users\Cormac\AppData\Roaming\Spotify
    2010-01-13 03:45 . 2010-01-13 03:46 -------- d-----w- c:\users\Cormac\AppData\Local\Spotify
    2010-01-13 03:45 . 2010-01-13 03:45 -------- d-----w- c:\program files\Spotify
    2010-01-13 01:04 . 2010-01-15 01:22 -------- d-----w- c:\users\Cormac\AppData\Roaming\.purple
    2010-01-13 01:02 . 2010-01-13 01:03 -------- d-----w- c:\program files\Pidgin
    2010-01-13 01:02 . 2010-01-13 01:02 -------- d-----w- c:\program files\Common Files\GTK
    2010-01-13 00:11 . 2010-01-13 00:12 -------- d-----w- c:\program files\Imagenomic
    2010-01-12 03:52 . 2010-01-12 03:52 -------- d-----w- c:\users\Cormac\AppData\Roaming\dvdcss
    2010-01-12 00:56 . 2010-01-23 16:32 -------- d-----w- c:\users\Cormac\AppData\Roaming\Ableton
    2010-01-12 00:56 . 2010-01-23 16:10 -------- d-----w- c:\program files\Ableton
    2010-01-12 00:56 . 2007-12-05 01:40 368640 ----a-w- c:\windows\system32\rewire.dll
    2010-01-12 00:56 . 2007-12-05 01:40 233472 ----a-w- c:\windows\system32\rex shared library.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-27 10:50 . 2009-11-30 20:37 -------- d-----w- c:\users\Cormac\AppData\Roaming\vlc
    2010-01-26 18:19 . 2009-11-28 19:14 -------- d-----w- c:\program files\Rockstar Games
    2010-01-26 13:53 . 2009-11-25 22:54 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-01-26 09:02 . 2009-11-28 18:45 -------- d-----w- c:\users\Cormac\AppData\Roaming\FileZilla
    2010-01-25 09:57 . 2009-11-27 13:11 1 ----a-w- c:\users\Cormac\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-01-24 15:35 . 2009-11-26 01:44 -------- d-----w- c:\program files\Winamp
    2010-01-24 14:34 . 2009-11-26 01:34 -------- d-----w- c:\users\Cormac\AppData\Roaming\uTorrent
    2010-01-13 00:14 . 2009-11-30 15:31 -------- d-----w- c:\users\Cormac\AppData\Roaming\Imagenomic
    2010-01-12 17:00 . 2009-11-30 06:51 -------- d-----w- c:\users\Cormac\AppData\Roaming\Apple Computer
    2010-01-12 01:01 . 2009-11-26 01:44 -------- d-----w- c:\users\Cormac\AppData\Roaming\Winamp
    2010-01-11 15:27 . 2009-11-28 18:44 -------- d-----w- c:\program files\FileZilla FTP Client
    2009-12-15 13:42 . 2009-11-26 01:42 -------- d-----w- c:\programdata\FLEXnet
    2009-12-13 01:21 . 2009-12-13 01:21 -------- d-----w- c:\program files\DivX
    2009-12-13 01:21 . 2009-12-13 01:21 -------- d-----w- c:\program files\Common Files\DivX Shared
    2009-12-09 18:52 . 2009-11-25 22:40 -------- d-----w- c:\program files\Belkin
    2009-12-07 12:47 . 2009-11-26 00:34 -------- d-----w- c:\program files\Common Files\Adobe
    2009-12-04 20:01 . 2009-11-25 23:00 64992 ----a-w- c:\users\Cormac\AppData\Local\GDIPFONTCACHEV1.DAT
    2009-12-02 00:40 . 2009-12-02 00:40 -------- d-----w- c:\programdata\Soulseek
    2009-12-01 22:56 . 2009-11-30 06:50 -------- d-----w- c:\programdata\Apple Computer
    2009-12-01 21:31 . 2009-11-27 13:09 -------- d-----w- c:\program files\Java
    2009-12-01 08:46 . 2009-12-01 08:46 -------- d-----w- c:\program files\iTunes
    2009-12-01 08:46 . 2009-12-01 08:46 -------- d-----w- c:\program files\iPod
    2009-12-01 08:46 . 2009-11-30 06:48 -------- d-----w- c:\program files\Common Files\Apple
    2009-12-01 08:32 . 2009-12-01 08:32 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
    2009-12-01 08:32 . 2009-11-30 06:49 -------- d-----w- c:\programdata\Apple
    2009-12-01 02:13 . 2009-12-01 02:13 -------- d-----w- c:\program files\MPC HomeCinema
    2009-12-01 02:12 . 2009-12-01 02:12 -------- d-----w- c:\program files\K-Lite Codec Pack
    2009-12-01 01:09 . 2009-12-01 01:09 -------- d-----w- c:\users\Cormac\AppData\Roaming\Media Player Classic
    2009-11-30 16:35 . 2009-11-30 16:35 -------- d-----w- c:\users\Cormac\AppData\Roaming\ACD Systems
    2009-11-30 16:29 . 2009-11-30 16:29 -------- d-----w- c:\program files\Common Files\ACD Systems
    2009-11-30 16:29 . 2009-11-30 16:29 -------- d-----w- c:\programdata\ACD Systems
    2009-11-30 16:29 . 2009-11-30 16:29 -------- d-----w- c:\program files\ACD Systems
    2009-11-30 15:29 . 2009-11-30 15:29 -------- d-----w- c:\program files\VideoLAN
    2009-11-30 12:58 . 2009-11-30 12:58 -------- d-----w- c:\program files\CCleaner
    2009-11-30 12:51 . 2009-11-30 12:51 -------- d-----w- c:\users\Cormac\AppData\Roaming\com.adobe.ExMan
    2009-11-30 12:45 . 2009-11-26 00:51 -------- d-----w- c:\program files\Common Files\PX Storage Engine
    2009-11-30 06:55 . 2009-11-30 06:55 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-11-30 06:55 . 2009-11-30 06:55 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2009-11-30 06:55 . 2009-11-30 06:55 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-11-30 06:55 . 2009-11-30 06:55 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-11-30 06:55 . 2009-11-30 06:55 -------- d-----w- c:\program files\AVG
    2009-11-30 06:55 . 2009-11-30 06:55 -------- d-----w- c:\programdata\avg9
    2009-11-30 06:51 . 2009-11-30 06:50 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    2009-11-30 06:50 . 2009-11-30 06:50 -------- d-----w- c:\program files\Bonjour
    2009-11-30 06:50 . 2009-11-30 06:50 -------- d-----w- c:\program files\QuickTime
    2009-11-30 06:49 . 2009-11-30 06:49 -------- d-----w- c:\program files\Apple Software Update
    2009-11-28 19:41 . 2009-11-28 19:41 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
    2009-11-28 18:44 . 2009-11-28 18:44 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
    2009-11-25 22:56 . 2009-11-25 22:56 0 ----a-w- c:\windows\nsreg.dat
    2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
    2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx07.dll
    2009-11-14 00:47 . 2009-11-14 00:47 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
    2009-11-14 00:47 . 2009-11-14 00:47 843776 ----a-w- c:\windows\system32\divx_xx16.dll
    2009-11-14 00:47 . 2009-11-14 00:47 839680 ----a-w- c:\windows\system32\divx_xx11.dll
    2009-11-14 00:47 . 2009-11-14 00:47 696320 ----a-w- c:\windows\system32\DivX.dll
    2009-11-12 17:07 . 2009-11-12 17:07 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
    2009-11-09 18:00 . 2009-12-01 02:12 85504 ----a-w- c:\windows\system32\ff_vfw.dll
    2009-11-09 13:56 . 2009-11-09 13:56 643592 ----a-w- c:\windows\system32\M-AudioTaskBarIcon.exe
    2009-11-09 13:56 . 2009-11-09 13:56 32776 ----a-w- c:\windows\system32\mausbasio.dll
    2009-11-09 13:56 . 2009-11-09 13:56 158600 ----a-w- c:\windows\system32\drivers\MAudioFastTrackPro.sys
    2009-11-09 13:56 . 2009-11-09 13:56 2526185 ----a-w- c:\windows\system32\madiousb.dll
    2009-11-06 10:59 . 2009-11-06 10:59 15406728 ----a-w- c:\windows\system32\xlive.dll
    2009-11-06 10:59 . 2009-11-06 10:59 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
    2009-11-02 20:42 . 2009-11-25 23:09 195456 ------w- c:\windows\system32\MpSigStub.exe
    2009-11-02 18:05 . 2009-11-02 18:05 167064 ----a-w- c:\windows\system32\xliveinstall.dll
    2009-11-02 18:05 . 2009-11-02 18:05 71832 ----a-w- c:\windows\system32\xliveinstallhost.exe
    2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
    2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-01-27_01.09.40 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-11-25 22:35 . 2010-01-27 01:16 26046 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 04:55 . 2010-01-28 09:24 40866 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2009-11-25 21:28 . 2010-01-28 09:15 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-11-25 21:28 . 2010-01-26 23:51 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-11-25 21:28 . 2010-01-26 23:51 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-11-25 21:28 . 2010-01-28 09:15 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:41 . 2010-01-26 23:51 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:41 . 2010-01-28 09:15 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-11-25 22:55 . 2010-01-26 23:51 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-11-25 22:55 . 2010-01-28 09:25 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-07-14 04:34 . 2010-01-27 07:56 71944 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
    - 2009-11-25 22:55 . 2010-01-26 23:51 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-11-25 22:55 . 2010-01-28 09:25 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-11-25 22:55 . 2010-01-28 09:25 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-11-25 22:55 . 2010-01-26 23:51 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-11-25 22:55 . 2010-01-26 23:51 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-11-25 22:55 . 2010-01-28 09:25 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-11-26 22:13 . 2010-01-27 00:12 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
    + 2009-11-26 22:13 . 2010-01-28 09:16 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
    + 2009-11-26 22:13 . 2010-01-28 09:16 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
    - 2009-11-26 22:13 . 2010-01-27 00:12 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
    + 2009-11-26 22:13 . 2010-01-28 09:16 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
    - 2009-11-26 22:13 . 2010-01-27 00:12 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
    - 2009-11-25 22:55 . 2010-01-27 00:12 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-11-25 22:55 . 2010-01-28 09:25 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-11-25 22:55 . 2010-01-28 09:25 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-11-25 22:55 . 2010-01-26 23:51 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-11-28 21:46 . 2010-01-28 09:21 6190 c:\windows\System32\wdi\ERCQueuedResolutions.dat
    + 2009-12-06 17:36 . 2010-01-28 09:14 2330 c:\windows\System32\wdi\{88d4896f-f553-446a-9c75-9dec124ff8b7}.bin
    - 2009-12-06 17:36 . 2009-12-18 21:31 2330 c:\windows\System32\wdi\{88d4896f-f553-446a-9c75-9dec124ff8b7}.bin
    + 2009-11-25 22:19 . 2010-01-28 09:24 7408 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-264600023-1634068068-576696168-1000_UserData.bin
    + 2010-01-28 09:22 . 2010-01-28 09:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2010-01-27 00:57 . 2010-01-27 00:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2010-01-27 00:57 . 2010-01-27 00:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2010-01-28 09:22 . 2010-01-28 09:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2010-01-27 00:30 . 2009-10-28 05:52 285696 c:\windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_703394514f56f7c2\winlogon.exe
    + 2010-01-27 00:30 . 2009-10-28 06:17 285696 c:\windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_6fc699643622d177\winlogon.exe
    + 2009-11-26 09:22 . 2010-01-28 09:14 169476 c:\windows\System32\wdi\SuspendPerformanceDiagnostics_SystemData_S4.bin
    - 2009-07-14 02:05 . 2010-01-27 01:05 619206 c:\windows\System32\perfh009.dat
    + 2009-07-14 02:05 . 2010-01-28 09:29 619206 c:\windows\System32\perfh009.dat
    - 2009-07-14 02:05 . 2010-01-27 01:05 107388 c:\windows\System32\perfc009.dat
    + 2009-07-14 02:05 . 2010-01-28 09:29 107388 c:\windows\System32\perfc009.dat
    + 2009-11-25 21:31 . 2010-01-28 09:15 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    - 2009-11-25 21:31 . 2010-01-26 23:51 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    + 2010-01-27 00:30 . 2009-10-31 06:00 2614272 c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe
    + 2010-01-27 00:30 . 2009-10-31 05:45 2614272 c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_51a66d6ddafc2ed1\explorer.exe
    + 2009-07-14 02:03 . 2010-01-28 03:00 6815744 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
    - 2009-07-14 02:03 . 2010-01-27 00:30 6815744 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
    - 2009-07-14 04:34 . 2010-01-24 14:36 3607895 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
    + 2009-07-14 04:34 . 2010-01-27 07:55 3607895 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2009-09-02 14:56 1175944 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-02 1175944]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-02 1175944]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Device Detector"="DevDetect.exe -autorun" [X]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "M-Audio Taskbar Icon"="c:\windows\system32\M-AudioTaskBarIcon.exe" [2009-11-09 643592]
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
    "WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-01-13 37888]
    "MacDrive 8 application"="c:\program files\Mediafour\MacDrive 8\MacDrive.exe" [2009-06-15 202328]
    "Getting started with MacDrive 8"="c:\program files\Mediafour\MacDrive 8\MDGetStarted.exe" [2009-03-31 141312]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-02 2033432]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer1"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [25/01/2010 18:09 64288]
    R0 MDFSYSNT;MacDrive file system driver;c:\windows\System32\drivers\MDFSYSNT.SYS [22/06/2009 15:53 262144]
    R0 MDPMGRNT;MacDrive partition driver;c:\windows\System32\drivers\MDPMGRNT.SYS [28/05/2009 11:48 20992]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [30/11/2009 06:55 333192]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\drivers\avgtdix.sys [30/11/2009 06:55 360584]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 07:56 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 07:56 74480]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [30/11/2009 06:55 285392]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [02/12/2009 13:19 1181328]
    R2 MacDriveService;MacDrive service;c:\program files\Mediafour\MacDrive 8\MacDriveService.exe [21/05/2009 11:43 150528]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [26/01/2010 09:11 1153368]
    R3 MAUSBFASTTRACKPRO;Service for M-Audio FastTrack Pro;c:\windows\System32\drivers\MAudioFastTrackPro.sys [09/11/2009 13:56 158600]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\System32\drivers\yk62x86.sys [13/07/2009 22:02 311296]
    S0 sptd;sptd;c:\windows\System32\drivers\sptd.sys [28/11/2009 18:44 691696]
    S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [15/08/2008 05:46 284016]
    S3 netr73;Belkin Wireless G Plus MIMO USB Network Adapter Driver for Vista;c:\windows\System32\drivers\netr73.sys [12/11/2007 10:03 468480]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 07:56 7408]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    FF - ProfilePath - c:\users\Cormac\AppData\Roaming\Mozilla\Firefox\Profiles\94gcgz7s.default\
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll atapi.sys >>UNKNOWN [0x869B38C8]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    IoDeviceObjectType -> DumpProcedure -> 0x7866744e
    SecurityProcedure -> 0x40001
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.032\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.032"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.abr\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.abr"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ani\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.ani"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arw\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.arw"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bay\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.bay"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.bmp"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bw\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.bw"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.cr2"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.crw"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cs1\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.cs1"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cur\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.cur"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcr\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.dcr"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcx\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.dcx"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.dib"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djv\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.djv"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djvu\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.djvu"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dng\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.dng"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.emf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.emf"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eps\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.eps"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.erf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.erf"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fff\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.fff"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fpx\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.fpx"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.gif"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hdr\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.hdr"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icl\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.icl"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icn\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.icn"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iff\UserChoice]
    @Denied: (2) (S-1-5-21-264600023-1634068068-576696168-1000)
    @Denied: (2) (LocalSystem)
    "Progid"="Winamp.File.iff"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ilbm\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.ilbm"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.int\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.int"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.inta\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.inta"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iw4\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.iw4"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2c\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.j2c"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2k\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.j2k"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jbr\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.jbr"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.jfif"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jif\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.jif"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jp2\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.jp2"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpc\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.jpc"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.jpe"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.jpeg"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.jpg"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpk\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.jpk"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpx\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.jpx"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.kdc\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.kdc"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lbm\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.lbm"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mef\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.mef"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mos\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.mos"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mrw\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.mrw"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nef\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.nef"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.orf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.orf"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pbm\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.pbm"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pbr\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.pbr"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcd\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.pcd"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pct\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.pct"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcx\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.pcx"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pef\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.pef"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pgm\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.pgm"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pic\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.pic"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pict\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.pict"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pix\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.pix"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.png"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ppm\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.ppm"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psd\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.psd"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psp\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.psp"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pspbrush\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.pspbrush"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pspimage\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.pspimage"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.raf"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ras\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.ras"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\UserChoice]
    @Denied: (2) (S-1-5-21-264600023-1634068068-576696168-1000)
    @Denied: (2) (LocalSystem)
    "Progid"="Winamp.File.raw"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgb\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.rgb"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgba\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.rgba"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rle\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.rle"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rsb\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.rsb"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sgi\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.sgi"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sr2\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.sr2"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.srf"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tga\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.tga"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.thm\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.thm"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.tif"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.tiff"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttc\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.ttc"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ttf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.ttf"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v11o\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.v11o"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v11p\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.v11p"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v11pf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.v11pf"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbm\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.wbm"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbmp\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.wbmp"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmf\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.wmf"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xbm\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.xbm"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xif\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.xif"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xmp\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.xmp"

    [HKEY_USERS\S-1-5-21-264600023-1634068068-576696168-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xpm\UserChoice]
    @Denied: (2) (LocalSystem)
    "Progid"="ACDSee Photo Manager 2009.xpm"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2010-01-28 09:36:12
    ComboFix-quarantined-files.txt 2010-01-28 09:36
    ComboFix2.txt 2010-01-27 01:12

    Pre-Run: 23,735,668,736 bytes free
    Post-Run: 23,532,961,792 bytes free

    - - End Of File - - DA87E3061478FEC0C79B2D4B79B01B37

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 09:38:03, on 28/01/2010
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Windows\system32\notepad.exe
    C:\Windows\explorer.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Users\Cormac\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
    O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\Windows\system32\M-AudioTaskBarIcon.exe
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [MacDrive 8 application] "C:\Program Files\Mediafour\MacDrive 8\MacDrive.exe"
    O4 - HKLM\..\Run: [Getting started with MacDrive 8] "C:\Program Files\Mediafour\MacDrive 8\MDGetStarted.exe" /auto
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
    O4 - HKCU\..\Run: [Device Detector] DevDetect.exe -autorun
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: MacDrive service (MacDriveService) - Mediafour Corporation - C:\Program Files\Mediafour\MacDrive 8\MacDriveService.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

    --
    End of file - 7016 bytes
     
  13. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Please download The Avenger by Swandog46 to your Desktop.
    - Right click on the Avenger.zip folder and select Extract All...
    - Follow the prompts and extract the avenger folder to your desktop

    Double click on avenger.exe.
    Click OK in pop-up window.

    Avenger window will open.

    Click on Execute button.
    Click OK in two consecutive pop-up windows.

    Your computer will re-boot now.

    Upon re-boot, Notepad window will open.
    Select all text, copy it, and paste it into next reply.

    NOTE. If the log doesn't open on reboot, open Avenger again, and go File>Open Log File.
     
  14. Teebs

    Teebs Techie7 New Member

    Nothing found it seems.


    Logfile of The Avenger Version 2.0, (c) by Swandog46
    Swandog46's Public Anti-Malware Tools

    Platform: Windows Vista

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!


    Completed script processing.

    *******************

    Finished! Terminate.
     
  15. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Download the MBR Rootkit Detector: http://www2.gmer.net/mbr/mbr.exe to your desktop.

    * Double-click mbr.exe and follow prompts.
    * A black DOS window will quickly appear then disappear.
    * When mbr.exe is finished it will create a log on your desktop.
    * Copy and paste contents of that log (mbr.log) file to your next reply.
     
  16. Teebs

    Teebs Techie7 New Member

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK
     
  17. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Download Kenco.exe to your desktop

    • Close all windows and run the program.
    • It won't take long to run.
    • Kenco will reboot the system if it finds anything.
    • Post the log it gives you (it will be saved in the same place as Kenco.exe).
     
  18. Teebs

    Teebs Techie7 New Member

    Kenco by jpshortstuff (31.12.09.1)
    Log created at 23:43 on 30/01/2010 (Cormac)

    ========== Task Unlocker ==========

    ========== KencoScan ==========
    C:\Windows\system32\shacct.dll -> Error setting security information [5]!

    ========== C:\Windows\Tasks ==========

    -=E.O.F=-
     
  19. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2


    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      atapi.sys
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  20. Teebs

    Teebs Techie7 New Member

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 20:01 on 31/01/2010 by Cormac (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "atapi.sys"
    C:\Windows\ERDNT\cache\atapi.sys --a--- 21584 bytes [01:10 27/01/2010] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
    C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
    C:\Windows\System32\drivers\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
    C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E

    -=End Of File=-
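A filefind on a driver is useful because the live copy under System32\drivers can be compared with the reference copies Windows keeps in DriverStore and winsxs; identical hashes, as in this log, mean the loaded driver has not been altered on disk. As an added example (not from the thread and not SystemLook's own code), a Python checker that parses SystemLook filefind lines and makes that comparison, run over the log above and over a constructed variant in which only the live driver's hash differs:

```python
"""Check a SystemLook ':filefind' result for a driver whose live copy differs
from Windows' own reference copies (added example, not SystemLook's code)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# One file entry as SystemLook prints it in a filefind section:
#   <path> <attrs> <size> bytes [<modified>] [<created>] <MD5>
FILEFIND_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-A-Za-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"')


@dataclass
class FoundFile:
    name: str   # file name the search asked for
    path: str
    size: int
    md5: str

    @property
    def is_live(self) -> bool:
        """The copy under System32\\drivers is the one the kernel loads."""
        return "\\system32\\drivers\\" in self.path.lower()

    @property
    def is_reference(self) -> bool:
        """DriverStore and winsxs hold the pristine copies Windows installs from."""
        low = self.path.lower()
        return "\\driverstore\\" in low or "\\winsxs\\" in low


def parse_filefind(log_text: str) -> List[FoundFile]:
    """Collect every file entry from the filefind section of a SystemLook log."""
    found: List[FoundFile] = []
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name")
            continue
        m = FILEFIND_RE.match(line)
        if m and current:
            found.append(FoundFile(current, m.group("path"),
                                   int(m.group("size")), m.group("md5").upper()))
    return found


def check_driver(log_text: str, name: str = "atapi.sys") -> Dict[str, object]:
    """Compare the live driver's MD5 with the reference copies.

    Verdicts: 'ok' when every live copy matches a reference copy (winsxs may
    legitimately hold more than one serviced version, so any match counts),
    'mismatch' when a live copy matches none of them (what a driver patched on
    disk looks like), 'incomplete' when a copy needed for the comparison is
    missing from the log.
    """
    entries = [f for f in parse_filefind(log_text) if f.name.lower() == name.lower()]
    live = [f.md5 for f in entries if f.is_live]
    refs = sorted({f.md5 for f in entries if f.is_reference})
    if not live or not refs:
        verdict = "incomplete"
    elif all(h in refs for h in live):
        verdict = "ok"
    else:
        verdict = "mismatch"
    return {"file": name, "live": live, "reference": refs, "verdict": verdict}


# Copied from the SystemLook log posted above: all four copies share one hash.
CLEAN_LOG = r"""SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 20:01 on 31/01/2010 by Cormac (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\Windows\ERDNT\cache\atapi.sys --a--- 21584 bytes [01:10 27/01/2010] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\System32\drivers\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] 338C86357871C167A96AB976519BF59E

-=End Of File=-
"""

# Constructed variant (not from the thread): only the live driver's hash is
# changed, to a placeholder value, so the checker has a mismatch to report.
PATCHED_LOG = CLEAN_LOG.replace(
    "drivers\\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] "
    "338C86357871C167A96AB976519BF59E",
    "drivers\\atapi.sys --a--- 21584 bytes [23:11 13/07/2009] [01:26 14/07/2009] "
    "00000000000000000000000000000000",
)

if __name__ == "__main__":
    for label, log in (("posted log", CLEAN_LOG), ("constructed variant", PATCHED_LOG)):
        print(label, check_driver(log))
```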