TechSpot

Not sure if I am infected

Solved
By cheesehead9099
Jul 25, 2012
  1. Today I found some suspicious folders in the C: drive - they are both random numbers and letters, and one has the files $shtdwn$.req, mrt.exe._p, and mrtstub.exe in it. When I try to open the files, it says "you do not have permission to open these files. contact the administrator or owner for permission." The other has spinstall.exe as well as another folder with a long name of numbers and letters, which opens up to reveal 20-25 folders with the name pt-br, pt-pt, ro-ro, etc. All of these folders have the same 4 files in them: acres.dll.mui, spcmsg.dll.mui, sperror.dll.mui, and spwizui.dll.mui. I need to know whether these files are viruses or not. I've run all the required scans and have pasted the logs below. The computer has had virus problems in the past and I have found and removed some trojans and adware programs with MBAM, MSE, and more. Computer is running win 7 x32 and is sometimes glitchy (i.e. cursor jumps around, random programs 'not responding').

    Please help me in determining whether or not this computer is infected

    DDS log:
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 9.0.8112.16421
    Run by jatbai at 21:13:03 on 2012-07-25
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.2.1033.18.3033.2041 [GMT -4:00]
    .
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    c:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\WLANExt.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\Program Files\Microsoft\BingDesktop\BingDesktopUpdater.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Lenovo\ReadyComm\common\IGRS.exe
    C:\Windows\System32\IgrsSvcs.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Lenovo\Energy Management\utility.exe
    C:\Program Files\Lenovo\Energy Management\Energy Management.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Apoint2K\ApMsgFwd.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\svchost.exe -k SDRSVC
    C:\Windows\system32\StikyNot.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\conhost.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.ca/
    uDefault_Page_URL = hxxp://www.lenovo.com
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [GameXN GO] "c:\programdata\gamexn\GameXNGO.exe" /startup
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
    mRun: [EnergyUtility] c:\program files\lenovo\energy management\utility.exe
    mRun: [Energy Management] c:\program files\lenovo\energy management\Energy Management.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [UpdateP2GShortCut] "c:\program files\lenovo\power2go\muitransfer\muistartmenu.exe" "c:\program files\lenovo\power2go" updatewithcreateonce "software\cyberlink\power2go\5.0"
    mRun: [VeriFaceManager] c:\program files\lenovo\veriface\PManage.exe
    mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
    mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
    mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [BingDesktop] c:\program files\microsoft\bingdesktop\BingDesktop.exe /fromkey
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-in.cab
    TCP: DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{4CC6A505-9C22-4EF0-9789-F170B0606A81} : DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{4CC6A505-9C22-4EF0-9789-F170B0606A81}\2454C4C4731393 : DhcpNameServer = 192.168.2.1
    TCP: Interfaces\{4CC6A505-9C22-4EF0-9789-F170B0606A81}\64255454023554C4543445023514E44475943484027594D26494 : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{4CC6A505-9C22-4EF0-9789-F170B0606A81}\75C414E4 : DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{4CC6A505-9C22-4EF0-9789-F170B0606A81}\845627F6 : DhcpNameServer = 192.168.0.1
    Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2011\HelpAsyncPluggableProtocol.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 171064]
    R1 funfrm;funfrm;c:\windows\system32\drivers\funfrm.sys [2009-12-12 54800]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
    R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
    R2 BingDesktopUpdate;Bing Desktop Update service;c:\program files\microsoft\bingdesktop\BingDesktopUpdater.exe [2012-3-30 151656]
    R2 IGRS;IGRS;c:\program files\lenovo\readycomm\common\IGRS.exe [2009-7-14 38152]
    R2 ReadyComm.DirectRouter;ReadyComm.DirectRouter;c:\windows\system32\igrssvcs.exe -k igrssvcs --> c:\windows\system32\IgrsSvcs.exe -k IgrsSvcs [?]
    R2 Viewpoint Service;Viewpoint Service;c:\program files\viewpoint\common\ViewpointService.exe [2010-8-11 30152]
    R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [2010-1-20 23136]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2012-6-19 374648]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
    R3 wdmirror;wdmirror;c:\windows\system32\drivers\WDMirror.sys [2009-12-12 11792]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-5 135664]
    S3 Bridge0;Bridge0;c:\windows\system32\drivers\wdbridge.sys [2009-12-12 63240]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-8-5 135664]
    S3 Lenovo ReadyComm AppSvc;Lenovo ReadyComm AppSvc;c:\program files\lenovo\readycomm\AppSvc.exe [2009-12-12 414984]
    S3 Lenovo ReadyComm ConnSvc;Lenovo ReadyComm ConnSvc;c:\program files\lenovo\readycomm\ConnSvc.exe [2009-12-12 472328]
    S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 74112]
    S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
    S3 PS_MDP;ReadyComm Presentation Space Helper Service;c:\windows\system32\igrssvcs.exe -k igrssvcs --> c:\windows\system32\IgrsSvcs.exe -k IgrsSvcs [?]
    S3 QuickBooksDB20;QuickBooksDB20;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb20 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB20 [?]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-7-21 52224]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-13 1343400]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
    S3 wsvd;wsvd;c:\windows\system32\drivers\wsvd.sys [2009-7-22 81704]
    .
    =============== Created Last 30 ================
    .
    2012-07-25 18:45:12 6891424 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{fd054265-0189-42c1-aea2-17db5d9e967c}\mpengine.dll
    2012-07-25 18:40:59 766976 ----a-w- c:\program files\common files\microsoft shared\vgx\VGX.dll
    2012-07-25 18:36:40 -------- d-----w- c:\users\jatbai\appdata\local\{AC1AED8E-2441-438F-95B8-A4376366CFC1}
    2012-07-25 18:35:42 -------- d-----w- c:\users\jatbai\appdata\local\{E72604DC-7FC1-4B47-8660-B3ABFF61CE9D}
    2012-07-23 02:12:22 -------- d-----w- c:\users\jatbai\appdata\roaming\SUPERAntiSpyware.com
    2012-07-23 02:12:11 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-07-23 02:12:11 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-07-22 22:39:23 6891424 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2012-07-22 22:19:04 -------- d-----w- c:\program files\Microsoft
    2012-07-22 22:18:23 6891424 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{3da8dcec-e03a-4f6c-ab90-ecceb8dbdadd}\mpengine.dll
    2012-07-22 22:15:53 514560 ----a-w- c:\windows\system32\qdvd.dll
    2012-07-22 22:15:39 478720 ----a-w- c:\windows\system32\timedate.cpl
    2012-07-22 22:15:03 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2012-07-22 22:14:43 442880 ----a-w- c:\windows\system32\ntshrui.dll
    2012-07-22 22:14:40 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
    2012-07-22 16:13:42 -------- d-----w- c:\program files\ESET
    2012-07-22 16:10:53 1549312 ----a-w- c:\windows\system32\tquery.dll
    2012-07-22 16:07:23 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
    2012-07-22 16:03:34 -------- d-----w- c:\users\jatbai\appdata\local\{48D5729A-2169-4CB6-91CF-90C03861011A}
    2012-07-22 16:03:22 -------- d-----w- c:\users\jatbai\appdata\local\{948E9AE0-FE1A-46F6-9AB8-4ABA0535D399}
    2012-07-21 21:31:37 -------- d-----w- c:\windows\system32\SPReview
    2012-07-21 21:28:59 744448 ----a-w- c:\windows\system32\ActionCenter.dll
    2012-07-21 21:03:12 -------- d-----w- c:\users\jatbai\appdata\local\{485FBE4F-AEA4-4604-907E-8AEE3C29F09F}
    2012-07-21 21:03:01 -------- d-----w- c:\users\jatbai\appdata\local\{5879D6F2-0CC1-4B19-91C7-51F5D04A4A49}
    2012-07-21 20:41:30 6260088 ----a-w- c:\program files\common files\windows live\.cache\342afc661cd678109\Silverlight.4.0.exe
    2012-07-21 20:41:15 -------- d-----w- c:\users\jatbai\appdata\local\Windows Live
    2012-07-21 19:53:55 -------- d-----w- c:\program files\CCleaner
    2012-07-21 19:00:33 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-07-21 18:39:37 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-07-12 04:42:48 2345984 ----a-w- c:\windows\system32\win32k.sys
    2012-07-11 13:49:50 1158656 ----a-w- c:\windows\system32\crypt32.dll
    2012-07-11 13:49:49 140288 ----a-w- c:\windows\system32\cryptsvc.dll
    2012-07-11 13:49:49 103936 ----a-w- c:\windows\system32\cryptnet.dll
    2012-07-03 23:59:41 713784 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{42dea5b7-d546-4254-a630-fc4acb26b3f7}\gapaengine.dll
    .
    ==================== Find3M ====================
    .
    2012-07-25 18:40:59 420864 ----a-w- c:\windows\system32\vbscript.dll
    2012-07-25 18:40:59 35840 ----a-w- c:\windows\system32\imgutil.dll
    2012-07-25 18:40:59 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2012-07-25 18:40:59 1800192 ----a-w- c:\windows\system32\jscript9.dll
    2012-07-25 18:40:59 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-07-25 18:40:59 11776 ----a-w- c:\windows\system32\mshta.exe
    2012-07-25 18:40:59 101888 ----a-w- c:\windows\system32\admparse.dll
    2012-07-21 21:39:05 152576 ----a-w- c:\windows\system32\msclmd.dll
    2012-06-19 04:32:12 374648 ----a-w- c:\windows\system32\drivers\b57nd60x.sys
    2012-06-06 05:05:52 1390080 ----a-w- c:\windows\system32\msxml6.dll
    2012-06-06 05:05:52 1236992 ----a-w- c:\windows\system32\msxml3.dll
    2012-06-06 05:03:06 805376 ----a-w- c:\windows\system32\cdosys.dll
    2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 19:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 19:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-02 04:45:04 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-06-02 04:45:03 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
    2012-06-02 04:40:59 369336 ----a-w- c:\windows\system32\drivers\cng.sys
    2012-06-02 04:40:39 225280 ----a-w- c:\windows\system32\schannel.dll
    2012-06-02 04:39:10 219136 ----a-w- c:\windows\system32\ncrypt.dll
    2012-05-01 04:44:12 164352 ----a-w- c:\windows\system32\profsvc.dll
    2012-04-28 03:17:07 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    .
    ============= FINISH: 21:13:42.41 ===============
    Attach.txt:
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 09/01/2010 12:45:45 AM
    System Uptime: 25/07/2012 7:57:18 PM (2 hours ago)
    .
    Motherboard: LENOVO | | NITU1
    Processor: Pentium(R) Dual-Core CPU T4300 @ 2.10GHz | U2E1 | 1197/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 189 GiB total, 152.731 GiB free.
    D: is FIXED (NTFS) - 29 GiB total, 0.001 GiB free.
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    32 Bit HP CIO Components Installer
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.0.1
    ALPS Touch Pad Driver
    Bing Desktop
    Broadcom 802.11 Wireless Driver
    Broadcom Gigabit Integrated Controller
    Canon MF Toolbox 4.9.1.1.mf03
    Canon MF4100 Series
    CCleaner
    Conexant HD Audio
    D3DX10
    EasyCapture
    Energy Management
    ESET Online Scanner v3
    Facebook Video Calling 1.2.0.159
    Google Chrome
    Google Talk Plugin
    Google Toolbar for Internet Explorer
    Google Update Helper
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) TV Wizard
    Intel® Matrix Storage Manager
    Lenovo EasyCamera
    Lenovo OneKey Recovery
    Lenovo ReadyComm 5
    Lenovo ReadyComm 5.0 Service
    Malwarebytes Anti-Malware version 1.62.0.1300
    Microsoft Application Error Reporting
    Microsoft Office 2003 Primary Interop Assemblies
    Microsoft Office File Validation Add-In
    Microsoft Office Professional Edition 2003
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual Studio 2005 Tools for Office Runtime
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    Power2Go
    QuickBooks
    QuickBooks Premier: Accountant Edition 2011
    Realtek USB 2.0 Card Reader
    ScanSoft OmniPage SE 4.0
    Security Update for CAPICOM (KB931906)
    Skype Toolbars
    Skype™ 4.2
    SUPERAntiSpyware
    SupportSoft Assisted Service
    VeriFace
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player
    Visual Studio 2005 Tools for Office Second Edition Runtime
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Messenger
    Windows Live Photo Common
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    .
    ==== Event Viewer Messages From Past Week ========
    .
    21/07/2012 5:38:29 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800706be: Windows 7 Service Pack 1 (KB976932).
    21/07/2012 4:59:57 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    21/07/2012 4:59:57 PM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error %%-1073473535.
    21/07/2012 4:51:43 PM, Error: Service Control Manager [7043] - The Windows Update service did not shut down properly after receiving a preshutdown control.
    21/07/2012 4:45:49 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80246007: Windows 7 Service Pack 1 (KB976932).
    .
    ==== End Of File ===========================
    Malwarebytes Log:
    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org
    Database version: v2012.07.21.09
    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 9.0.8112.16421
    jatbai :: JATBAI-PC [administrator]
    25/07/2012 8:59:29 PM
    mbam-log-2012-07-25 (20-59-29).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 219713
    Time elapsed: 9 minute(s), 43 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)
    And finally, the GMER log:
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-07-25 21:54:10
    Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.11.0
    Running: rcjoy6of.exe; Driver: C:\Users\jatbai\AppData\Local\Temp\uxdiqpog.sys
    ---- Kernel code sections - GMER 1.0.15 ----
    .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82C753C9 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CAED52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    .text peauth.sys 9983FC9D 28 Bytes CALL CF083232
    .text peauth.sys 9983FCC1 28 Bytes CALL CF083256
    ? C:\Users\jatbai\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !
    ---- User IAT/EAT - GMER 1.0.15 ----
    IAT C:\Windows\Explorer.EXE[3484] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [72C124CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3484] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [72BF562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3484] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [72BF56EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3484] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [72C12546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3484] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [72C085AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3484] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [72C04D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3484] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [72C05105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3484] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [72C051DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3484] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [72C06707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3484] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [72C08301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3484] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [72C08850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3484] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [72C090B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3484] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [72C0E254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[3484] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [72C04C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    ---- Devices - GMER 1.0.15 ----
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    Device \Driver\ACPI_HAL \Device\0000004d halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
    ---- EOF - GMER 1.0.15 ----
    Thanks for your help :)
  2. Broni

    Broni Malware Annihilator Posts: 46,748   +254

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ==========================================

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista users: Right-click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box and paste it into the main textfield:
      Code:
      :dir
      c:\
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
  3. cheesehead9099

    cheesehead9099 TS Rookie Topic Starter

    Hi, thanks for the reply. Here is my systemlook log:
    SystemLook 30.07.11 by jpshortstuff
    Log created at 12:17 on 26/07/2012 by jatbai
    Administrator - Elevation successful

    ========== dir ==========

    c: - Parameters: "(none)"

    ---Files---
    AtmApInit.txt  --a---- 89 bytes  [07:33 12/12/2009]  [07:50 12/12/2009]
    autoexec.bat  --a---- 24 bytes  [02:04 14/07/2009]  [21:42 10/06/2009]
    bootmgr  -rahs-- 383786 bytes  [07:03 12/12/2009]  [12:40 20/11/2010]
    BOOTSECT.BAK  -rahs-- 8192 bytes  [07:03 12/12/2009]  [07:03 12/12/2009]
    config.sys  --a---- 10 bytes  [02:04 14/07/2009]  [21:42 10/06/2009]
    EasyCapture.log  --a---- 32 bytes  [07:37 12/12/2009]  [07:37 12/12/2009]
    FaceProv.log  --a---- 13042370 bytes  [07:46 12/12/2009]  [16:13 26/07/2012]
    hiberfil.sys  --ahs-- -1910034432 bytes  [21:37 09/01/2010]  [16:05 26/07/2012]
    pagefile.sys  --ahs-- -1115054080 bytes  [21:37 09/01/2010]  [16:05 26/07/2012]
    TDSSKiller.2.7.46.0_21.07.2012_14.59.21_log.txt  --a---- 125650 bytes  [18:59 21/07/2012]  [19:00 21/07/2012]
    TDSSKiller.2.7.46.0_22.07.2012_23.38.25_log.txt  --a---- 121742 bytes  [03:38 23/07/2012]  [03:39 23/07/2012]

    ---Folders---
    $RECYCLE.BIN  d--hs--  [05:46 09/01/2010]
    9109402f765c3bfd51c6  d------  [02:41 14/05/2010]
    a6a0cc020b5c6777ed453e44976ec2  d------  [19:30 17/11/2011]
    Boot  d--hs--  [07:03 12/12/2009]
    CanonMF  d--h---  [03:37 13/05/2010]
    Documents and Settings  d--hs--  [04:53 14/07/2009]
    Drivers  d------  [07:19 12/12/2009]
    found.000  d--hs--  [04:30 18/06/2011]
    HP Universal Print Driver  d------  [13:17 02/04/2012]
    Intel  d------  [07:21 12/12/2009]
    MSOCache  dr-h---  [15:47 28/02/2010]
    PerfLogs  d------  [02:37 14/07/2009]
    Program Files  dr-----  [02:37 14/07/2009]
    ProgramData  d--h---  [02:37 14/07/2009]
    Recovery  d--hs--  [05:44 09/01/2010]
    System Volume Information  d--hs--  [18:56 15/12/2009]
    TDSSKiller_Quarantine  d------  [19:00 21/07/2012]
    Users  dr-----  [02:37 14/07/2009]
    Windows  d------  [02:37 14/07/2009]

    -= EOF =-

    The computer has not gotten any worse, but there is still the periodic freezing in different programs. Also, I'd like to note that when I checked the properties of the mrtstub.exe file, there was NO 'digital signatures' tab - is this troubling? Also, when I tried to upload the file to virustotal, it said that I did not have permission to do so.
  4. Broni

    Are you talking about these folders?
    a6a0cc020b5c6777ed453e44976ec2d
    9109402f765c3bfd51c6d

    Re-run System Look with this code:

    Code:
    :dir
    c:\9109402f765c3bfd51c6d /s
    c:\a6a0cc020b5c6777ed453e44976ec2d /s
    
  5. cheesehead9099

    cheesehead9099 TS Rookie Topic Starter

    It's not working..it says that it was unable to find the folder.

    SystemLook 30.07.11 by jpshortstuff
    Log created at 19:20 on 26/07/2012 by jatbai
    Administrator - Elevation successful

    ========== dir ==========

    9109402f765c3bfd51c6d - Unable to find folder.

    a6a0cc020b5c6777ed453e44976ec2d - Unable to find folder.

    -= EOF =-

    Should I try and delete these folders? I'd also like to add that I found a file called _rglp in my documents, and I deleted that along with a folder from a leftover game that my kid installed - EscapetheMuseum.

    By the way, is there anything that seems wrong with the computer, or does it seem fine other than the folders I mentioned? I'd also like to ask if it is ok for me to download Windows updates
  6. Broni

    Broni Malware Annihilator Posts: 46,748   +254

    Ooops...my fault.
    I just edited my script.
    Try again.
  7. cheesehead9099

    cheesehead9099 TS Rookie Topic Starter

    Same thing:

    SystemLook 30.07.11 by jpshortstuff
    Log created at 19:53 on 26/07/2012 by jatbai
    Administrator - Elevation successful

    ========== dir ==========

    c:\9109402f765c3bfd51c6d - Unable to find folder.

    c:\a6a0cc020b5c6777ed453e44976ec2d - Unable to find folder.

    -= EOF =-

    Also wanted to let you know that I went ahead and installed the Windows updates - they were important security updates so I didn't want to take a chance. Is that ok or did I just screw up big time?
  8. cheesehead9099

    cheesehead9099 TS Rookie Topic Starter

    Hello, I ran systemlook again, but I took away the 'd' at the end of the file names that you added - the files on my computer do not have a d there (they end as c6 and c2)
    This is what it gave me:

    SystemLook 30.07.11 by jpshortstuff
    Log created at 19:57 on 26/07/2012 by jatbai
    Administrator - Elevation successful

    ========== dir ==========

    c:\9109402f765c3bfd51c6 - Parameters: "/s"

    ---Files---
    $shtdwn$.req--ah--- 788 bytes[02:41 14/05/2010][02:41 14/05/2010]
    mrt.exe._p--a---- 1198499 bytes[16:09 30/04/2010][16:09 30/04/2010]
    mrtstub.exe--a---- 58312 bytes[15:51 30/04/2010][15:51 30/04/2010]

    No folders found.

    c:\a6a0cc020b5c6777ed453e44976ec2 - Parameters: "/s"

    ---Files---
    spinstall.exe--a---- 463120 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8fd------[19:30 17/11/2011]
    acres.dll--a---- 2560 bytes[19:30 17/11/2011][19:30 17/11/2011]
    drvmain.sdb--a---- 151630 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sdbapiu.dll--a---- 103424 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spc.cat--a---- 10052 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spc.xml--a---- 3721 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcinstrumentation.man--a---- 8280 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll--a---- 12288 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll--a---- 190464 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spreview.exe--a---- 280576 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll--a---- 253952 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sysmain.sdb--a---- 4075336 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\ar-sad------[19:30 17/11/2011]
    acres.dll.mui--a---- 271360 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 4096 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 4608 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 126464 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\bg-bgd------[19:30 17/11/2011]
    acres.dll.mui--a---- 292352 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 4096 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 5120 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 22016 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\cs-czd------[19:30 17/11/2011]
    acres.dll.mui--a---- 314368 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 4096 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 5120 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 20992 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\da-dkd------[19:30 17/11/2011]
    acres.dll.mui--a---- 306688 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 4096 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 5120 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 20992 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\de-ded------[19:30 17/11/2011]
    acres.dll.mui--a---- 343040 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 4608 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 5632 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 23040 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\el-grd------[19:30 17/11/2011]
    acres.dll.mui--a---- 359424 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 4608 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 5632 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 23552 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\en-usd------[19:30 17/11/2011]
    acres.dll.mui--a---- 292352 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 4096 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 4608 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 19968 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\es-esd------[19:30 17/11/2011]
    acres.dll.mui--a---- 338432 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 4608 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 5120 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 22016 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\et-eed------[19:30 17/11/2011]
    acres.dll.mui--a---- 292352 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 4096 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 5120 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 20992 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eulad------[19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\ar-sad------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 34885 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\bg-bgd------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 2479 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\cs-czd------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 1399 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\da-dkd------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 1136 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\de-ded------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 1380 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\el-grd------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 2771 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\en-usd------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 1055 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\es-esd------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 1322 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\et-eed------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 1199 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\fi-fid------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 1315 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\fr-frd------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 1398 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\he-ild------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 35066 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\hr-hrd------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 1357 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\hu-hud------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 1285 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\it-itd------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 1383 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\ja-jpd------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 3349 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\ko-krd------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 4164 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\lt-ltd------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 1604 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\lv-lvd------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 1696 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\nb-nod------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 1124 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\nl-nld------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 1235 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\pl-pld------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 1499 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\pt-brd------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 1286 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\pt-ptd------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 1261 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\ro-rod------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 1512 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\ru-rud------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 3441 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\sk-skd------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 1338 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\sl-sid------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 1211 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\sr-latn-csd------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 1277 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\sv-sed------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 1285 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\th-thd------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 3025 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\tr-trd------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 1367 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\uk-uad------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 2999 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\zh-cnd------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 2234 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\zh-hkd------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 2089 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\eula\zh-twd------[19:30 17/11/2011]
    server_license_addendum_1.rtf--a---- 2089 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\fi-fid------[19:30 17/11/2011]
    acres.dll.mui--a---- 309248 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 4096 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 5120 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 20992 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\fr-frd------[19:30 17/11/2011]
    acres.dll.mui--a---- 340992 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 4608 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 5120 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 22528 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\he-ild------[19:30 17/11/2011]
    acres.dll.mui--a---- 258560 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 3584 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 4608 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 18432 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\hr-hrd------[19:30 17/11/2011]
    acres.dll.mui--a---- 292352 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 4096 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 5120 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 22016 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\hu-hud------[19:30 17/11/2011]
    acres.dll.mui--a---- 335872 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 4096 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 5120 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 22016 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\it-itd------[19:30 17/11/2011]
    acres.dll.mui--a---- 342528 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 4096 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 5120 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 22016 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\ja-jpd------[19:30 17/11/2011]
    acres.dll.mui--a---- 210944 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 3584 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 4096 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 15360 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\ko-krd------[19:30 17/11/2011]
    acres.dll.mui--a---- 199680 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 3584 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 3584 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 14336 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\lt-ltd------[19:30 17/11/2011]
    acres.dll.mui--a---- 292352 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 4096 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 5120 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 20992 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\lv-lvd------[19:30 17/11/2011]
    acres.dll.mui--a---- 292352 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 4096 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 5120 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 21504 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\nb-nod------[19:30 17/11/2011]
    acres.dll.mui--a---- 307712 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 4096 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 5120 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 20992 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\nl-nld------[19:30 17/11/2011]
    acres.dll.mui--a---- 347648 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 4096 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 5120 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 22016 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\pl-pld------[19:30 17/11/2011]
    acres.dll.mui--a---- 348160 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 4096 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 5120 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 22528 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\pt-brd------[19:30 17/11/2011]
    acres.dll.mui--a---- 323584 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 4096 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 5120 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 21504 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\pt-ptd------[19:30 17/11/2011]
    acres.dll.mui--a---- 326144 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 4096 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 5120 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 22016 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\ro-rod------[19:30 17/11/2011]
    acres.dll.mui--a---- 292352 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 4096 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 5632 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 21504 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\ru-rud------[19:30 17/11/2011]
    acres.dll.mui--a---- 321536 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 4096 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 5120 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 21504 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\sk-skd------[19:30 17/11/2011]
    acres.dll.mui--a---- 292352 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 4096 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 5120 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 21504 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\sl-sid------[19:30 17/11/2011]
    acres.dll.mui--a---- 292352 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 4096 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 5120 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 22016 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\sr-latn-csd------[19:30 17/11/2011]
    acres.dll.mui--a---- 292352 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 4096 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 5120 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 21504 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\sv-sed------[19:30 17/11/2011]
    acres.dll.mui--a---- 316928 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 4096 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 5120 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 20992 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\th-thd------[19:30 17/11/2011]
    acres.dll.mui--a---- 292352 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 4096 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 4608 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 19968 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\tr-trd------[19:30 17/11/2011]
    acres.dll.mui--a---- 303616 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 4096 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 5120 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 20480 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\uk-uad------[19:30 17/11/2011]
    acres.dll.mui--a---- 292352 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 4096 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 5120 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 21504 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\zh-cnd------[19:30 17/11/2011]
    acres.dll.mui--a---- 161280 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 3072 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 3584 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 12288 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\zh-hkd------[19:30 17/11/2011]
    acres.dll.mui--a---- 160256 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 3072 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 3584 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 12800 bytes[19:30 17/11/2011][19:30 17/11/2011]

    c:\a6a0cc020b5c6777ed453e44976ec2\2649b0be4342043f7dbf5fd2ecfb8f\zh-twd------[19:30 17/11/2011]
    acres.dll.mui--a---- 160256 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spcmsg.dll.mui--a---- 3072 bytes[19:30 17/11/2011][19:30 17/11/2011]
    sperror.dll.mui--a---- 3584 bytes[19:30 17/11/2011][19:30 17/11/2011]
    spwizui.dll.mui--a---- 12800 bytes[19:30 17/11/2011][19:30 17/11/2011]

    -= EOF =-

    I thought this might be helpful.
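The stray 'd' described in the post above comes from the way SystemLook prints a listing: the name is followed, with no separator, by a seven-character attribute field, so a folder line ends in `d------`. The parser below is an added example, not part of the original thread or of SystemLook. Its function names are hypothetical, the field layout is inferred only from the log lines on this page, and reading a negative size as a wrapped 32-bit value is likewise an assumption.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Layout inferred from the log lines on this page (an assumption, not taken
# from SystemLook documentation):
#   <name><7 attribute flags>[ <size> bytes][HH:MM DD/MM/YYYY] (one or two stamps)
# Flags seen in the log, by position: d, r, a, h, s, then two slots always '-'.
ENTRY_RE = re.compile(
    r"^(?P<name>.+?)"
    r"(?P<attrs>[d-][r-][a-][h-][s-][-a-z]{2})"
    r"(?: (?P<size>-?\d+) bytes)?"
    r"(?P<stamps>(?:\[\d{2}:\d{2} \d{2}/\d{2}/\d{4}\]){1,2})$"
)
STAMP_RE = re.compile(r"\[(\d{2}:\d{2} \d{2}/\d{2}/\d{4})\]")
# Installer scratch folders on this page have long lowercase-hex names.
HEX_NAME_RE = re.compile(r"[0-9a-f]{16,}")


@dataclass
class Entry:
    name: str            # name with the attribute field split off
    attrs: str           # the 7-character flag field, e.g. "d--hs--"
    is_dir: bool
    size: Optional[int]  # None for folders
    size_wrapped: bool   # True if the log showed a negative byte count
    stamps: List[datetime]


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one listing line; return None for headers, blanks and EOF markers."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    size, wrapped = None, False
    if m.group("size") is not None:
        size = int(m.group("size"))
        if size < 0:
            # Assumption: the tool printed the size as a signed 32-bit number,
            # so sizes between 2 GiB and 4 GiB show up negative.
            size += 2 ** 32
            wrapped = True
    stamps = [datetime.strptime(s, "%H:%M %d/%m/%Y")
              for s in STAMP_RE.findall(m.group("stamps"))]
    attrs = m.group("attrs")
    return Entry(m.group("name"), attrs, attrs[0] == "d", size, wrapped, stamps)


def parse_listing(text: str) -> List[Entry]:
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def dir_script(entries: List[Entry], drive: str = "c:") -> str:
    """Build a :dir script for the hex-named folders, using the real names."""
    lines = [":dir"]
    for e in entries:
        if e.is_dir and HEX_NAME_RE.fullmatch(e.name):
            lines.append(f"{drive}\\{e.name} /s")
    return "\n".join(lines)


# Lines copied from the SystemLook log earlier in this thread.
SAMPLE = """
hiberfil.sys--ahs-- -1910034432 bytes[21:37 09/01/2010][16:05 26/07/2012]
pagefile.sys--ahs-- -1115054080 bytes[21:37 09/01/2010][16:05 26/07/2012]
---Folders---
$RECYCLE.BINd--hs--[05:46 09/01/2010]
9109402f765c3bfd51c6d------[02:41 14/05/2010]
a6a0cc020b5c6777ed453e44976ec2d------[19:30 17/11/2011]
Documents and Settingsd--hs--[04:53 14/07/2009]
TDSSKiller_Quarantined------[19:00 21/07/2012]
Usersdr-----[02:37 14/07/2009]
-= EOF =-
"""

if __name__ == "__main__":
    entries = parse_listing(SAMPLE)
    for e in entries:
        kind = "dir " if e.is_dir else "file"
        print(f"{kind} {e.attrs} {e.name!r} size={e.size} wrapped={e.size_wrapped}")
    print(dir_script(entries))
```
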
  9. Broni

    Broni Malware Annihilator Posts: 46,748   +254

    Those are temporary folders (leftovers) from various MS updates.
    You can safely delete those folders.
  10. cheesehead9099

    cheesehead9099 TS Rookie Topic Starter

    I deleted the folders, thanks! :)

    I just wanted to ask: Is there anything else wrong with the computer that you found in the logs? Or am I clean?
  11. Broni

    Broni Malware Annihilator Posts: 46,748   +254

    I don't see anything suspicious.
     
  12. cheesehead9099

    cheesehead9099 TS Rookie Topic Starter

    Hi, thanks for all your help. I know I seem really paranoid but I just ran a scan with aswMBR and this file was highlighted in yellow:

    21:28:07.217 Service MpKslfd9daf5a c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B47B4F54-803B-4438-8991-368FB18A8121}\MpKslfd9daf5a.sys **LOCKED** 32

    Here is the log:

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-07-26 21:23:25
    -----------------------------
    21:23:25.627 OS Version: Windows 6.1.7601 Service Pack 1
    21:23:25.627 Number of processors: 2 586 0x170A
    21:23:25.627 ComputerName: JATBAI-PC UserName: jatbai
    21:24:00.590 Initialize success
    21:25:51.946 AVAST engine defs: 12072602
    21:27:21.949 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    21:27:21.954 Disk 0 Vendor: WDC_WD25 11.0 Size: 238475MB BusType: 3
    21:27:21.986 Disk 0 MBR read successfully
    21:27:21.991 Disk 0 MBR scan
    21:27:22.004 Disk 0 Windows 7 default MBR code
    21:27:22.022 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 193468 MB offset 2048
    21:27:22.093 Disk 0 Partition - 00 0F Extended LBA 30150 MB offset 396224512
    21:27:22.135 Disk 0 Partition 2 00 12 Compaq diag NTFS 14856 MB offset 457971712
    21:27:22.187 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 30149 MB offset 396226560
    21:27:22.216 Disk 0 scanning sectors +488397168
    21:27:22.665 Disk 0 scanning C:\Windows\system32\drivers
    21:27:49.043 Service scanning
    21:28:07.217 Service MpKslfd9daf5a c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B47B4F54-803B-4438-8991-368FB18A8121}\MpKslfd9daf5a.sys **LOCKED** 32
    21:28:34.180 Modules scanning
    21:28:45.436 Disk 0 trace - called modules:
    21:28:45.451 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys halmacpi.dll
    21:28:45.482 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86ca2948]
    21:28:45.482 3 CLASSPNP.SYS[8b77759e] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x85e65028]
    21:28:46.871 AVAST engine scan C:\Windows
    21:28:50.896 AVAST engine scan C:\Windows\system32
    21:33:58.720 AVAST engine scan C:\Windows\system32\drivers
    21:34:12.261 AVAST engine scan C:\Users\jatbai
    21:34:51.245 Disk 0 MBR has been saved successfully to "C:\Users\jatbai\Desktop\MBR.dat"
    21:34:51.245 The log file has been saved successfully to "C:\Users\jatbai\Desktop\aswMBR.txt"
    21:35:40.212 AVAST engine scan C:\ProgramData
    21:36:47.339 Scan finished successfully
    21:37:18.607 Disk 0 MBR has been saved successfully to "C:\Users\jatbai\Desktop\MBR.dat"
    21:37:18.623 The log file has been saved successfully to "C:\Users\jatbai\Desktop\aswMBR.txt"

    Is this something to be worried about? I know I seem really really paranoid but I just want to be completely sure because I have one other computer that will need to be formatted completely with a reinstall of Windows due to viruses.

    Thank you so much for all your help :)
  13. Broni

    Broni Malware Annihilator Posts: 46,748   +254

    There is nothing to worry about.
  14. cheesehead9099

    cheesehead9099 TS Rookie Topic Starter

    Okay, thank you so much :)
  15. Broni

    Broni Malware Annihilator Posts: 46,748   +254

    Any time :)
  16. cheesehead9099

    cheesehead9099 TS Rookie Topic Starter

    Hi, I'm back. I'm just wondering - what does the yellow line on the aswMBR scan mean if it's nothing to worry about? Why would the program highlight that file in yellow if it's safe?

    I'm just wondering because the computer is still sort of slow, and I'm worried that I could have an MBR rootkit.

    Thanks for any clarification you can provide :)
  17. Broni

    Broni Malware Annihilator Posts: 46,748   +254

  18. cheesehead9099

    cheesehead9099 TS Rookie Topic Starter

    Hello,
    I understand that it is nothing, but I was just looking for some clarification as to what it actually is..I realize that you guys are really busy here but I'm just looking for some peace of mind :)
  19. Broni

    Broni Malware Annihilator Posts: 46,748   +254

    It's a safe file belonging to Microsoft Antimalware\Definition Updates.
  20. cheesehead9099

    cheesehead9099 TS Rookie Topic Starter

    Okay, so it's locked because MS tries to ensure that the files aren't tampered with?

    Thank you so much, I love this site :D
  21. Broni

    Broni Malware Annihilator Posts: 46,748   +254

    Most likely.
  22. cheesehead9099

    cheesehead9099 TS Rookie Topic Starter

    Hello Broni,

    I am really not contented with this file; I tried to find it in the specified folder and it is not there. Can we please do some more investigative work to see if this file is really as safe as it seems..?
  23. Broni

    Broni Malware Annihilator Posts: 46,748   +254

    Well, I told you three times already it's a safe file so I'm saying this for the fourth time....and last.

