
Yahoo/Google/Firefox Search Redirects + web pages taking very long to load



#16 kkallstar


Posted 25 November 2010 - 06:57 AM

Hi, got my laptop back this morning quicker than I expected! Followed the instructions and here is the report:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Home Basic Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: Acer
BIOS Manufacturer: Phoenix Technologies LTD
System Manufacturer: Acer
System Product Name: Aspire 5735
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 153):

Processes (total 101):
0 System Idle Process
4 System
548 C:\Windows\System32\smss.exe
668 csrss.exe
712 C:\Windows\System32\wininit.exe
724 csrss.exe
772 C:\Windows\System32\winlogon.exe
796 C:\Windows\System32\services.exe
812 C:\Windows\System32\lsass.exe
820 C:\Windows\System32\lsm.exe
976 C:\Windows\System32\svchost.exe
1044 C:\Windows\System32\svchost.exe
1140 C:\Windows\System32\svchost.exe
1216 C:\Windows\System32\svchost.exe
1264 C:\Windows\System32\svchost.exe
1364 C:\Windows\System32\audiodg.exe
1388 C:\Windows\System32\svchost.exe
1468 C:\Windows\System32\SLsvc.exe
1492 C:\Windows\System32\svchost.exe
1656 C:\Windows\System32\svchost.exe
1848 C:\Windows\System32\spoolsv.exe
1948 C:\Windows\System32\svchost.exe
604 C:\Windows\System32\taskeng.exe
832 C:\Windows\System32\agrsmsvc.exe
960 C:\Windows\System32\dwm.exe
884 C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
1616 C:\Windows\explorer.exe
1760 C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
676 C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
2156 C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
2204 C:\Windows\System32\igfxsrvc.exe
2292 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
2312 C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
2324 C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
2360 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
2416 C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe
2424 C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe
2432 C:\Windows\RtHDVCpl.exe
2448 C:\Windows\PLFSetI.exe
2516 C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
2544 C:\Program Files\Common Files\Mcafee\SystemCore\mfevtps.exe
2572 C:\Windows\System32\rundll32.exe
2608 C:\Acer\Mobility Center\MobilityService.exe
2644 C:\Program Files\McAfee Online Backup\MOBKbackup.exe
2712 C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
2776 C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
2804 C:\Program Files\McAfee Online Backup\MOBKbackup.exe
2856 C:\Windows\System32\svchost.exe
2880 C:\Program Files\Cyberlink\Shared files\RichVideo.exe
2940 C:\Windows\System32\svchost.exe
2988 C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
3056 C:\ProgramData\AUDIOKSE32.exe
3104 C:\Windows\System32\svchost.exe
3128 C:\Windows\System32\SearchIndexer.exe
3192 C:\ProgramData\hbaapi32.exe
3292 C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
3448 C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
3588 C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
1956 C:\Windows\System32\VSSVC.exe
1256 unsecapp.exe
1908 WmiPrvSE.exe
3500 C:\Program Files\Launch Manager\LManager.exe
3492 C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
3528 C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
1416 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
2500 C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe
3084 C:\Program Files\McAfee.com\Agent\mcagent.exe
3420 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3924 C:\Program Files\DivX\DivX Update\DivXUpdate.exe
4076 C:\Windows\lsass.exe
1120 C:\Windows\System32\igfxtray.exe
1088 C:\Windows\System32\hkcmd.exe
1084 C:\Windows\System32\igfxpers.exe
2308 C:\Windows\bcdsrvwow.exe
608 C:\Windows\propdefswow.exe
4084 C:\Windows\ctl3dv2wow.exe
2124 C:\Windows\ssdpsrvwow.exe
3540 C:\Windows\CompatUIwow.exe
2116 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
3668 C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
1420 C:\Program Files\Windows Media Player\wmpnscfg.exe
3716 C:\Windows\propdefswow.exe
3724 C:\Windows\bcdsrvwow.exe
3764 C:\Windows\ctl3dv2wow.exe
3748 C:\Program Files\uTorrent\uTorrent.exe
3776 C:\Windows\ssdpsrvwow.exe
3760 C:\Windows\CompatUIwow.exe
4200 C:\Windows\System32\taskeng.exe
4912 C:\Windows\System32\igfxext.exe
4980 C:\Program Files\OpenOffice.org 3\program\soffice.exe
5256 C:\Windows\System32\wbem\unsecapp.exe
5416 C:\Program Files\Windows Media Player\wmpnetwk.exe
5516 C:\Windows\System32\notepad.exe
5536 C:\Windows\System32\igfxsrvc.exe
5636 C:\Program Files\OpenOffice.org 3\program\soffice.bin
5808 C:\Users\EOINPH~1\AppData\Local\Temp\RtkBtMnt.exe
1988 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
2092 <unknown>
5532 WmiPrvSE.exe
4592 C:\Users\eoinphelan\Downloads\MBRCheck.exe
2564 C:\Windows\System32\conime.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`71100000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000001e`55400000 (NTFS)

PhysicalDrive0 Model Number: HitachiHTS543225L9A300, Rev: FBEOC40C

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: DA67949D8E80AE4B877B861155C27C0550D2F7A3


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!



#17 m0le


Posted 25 November 2010 - 07:30 AM

Good news about the drive.

You need to do more than the scan with MBRCheck though. Please follow the fix as shown four posts back.
[If I have helped you fix your PC then please donate. Thanks
m0le is a proud member of UNITE

#18 kkallstar


Posted 25 November 2010 - 09:05 AM

Ok, I followed the steps to fix the MBR and here is the report:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Home Basic Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: Acer
BIOS Manufacturer: Phoenix Technologies LTD
System Manufacturer: Acer
System Product Name: Aspire 5735
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 154):

Processes (total 106):
0 System Idle Process
4 System
524 C:\Windows\System32\smss.exe
672 csrss.exe
716 C:\Windows\System32\wininit.exe
728 csrss.exe
776 C:\Windows\System32\winlogon.exe
800 C:\Windows\System32\services.exe
816 C:\Windows\System32\lsass.exe
824 C:\Windows\System32\lsm.exe
980 C:\Windows\System32\svchost.exe
1044 C:\Windows\System32\svchost.exe
1148 C:\Windows\System32\svchost.exe
1220 C:\Windows\System32\svchost.exe
1268 C:\Windows\System32\svchost.exe
1372 C:\Windows\System32\audiodg.exe
1396 C:\Windows\System32\svchost.exe
1480 C:\Windows\System32\SLsvc.exe
1508 C:\Windows\System32\svchost.exe
1664 C:\Windows\System32\svchost.exe
1852 C:\Windows\System32\spoolsv.exe
1960 C:\Windows\System32\svchost.exe
736 C:\Windows\System32\taskeng.exe
852 C:\Windows\System32\agrsmsvc.exe
1672 C:\Windows\System32\dwm.exe
892 C:\Windows\explorer.exe
1452 C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
1200 C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
1332 C:\Windows\System32\igfxsrvc.exe
1568 C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
1288 C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
2108 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
2116 C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
2132 C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
2144 C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe
2156 C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe
2164 C:\Windows\RtHDVCpl.exe
2184 C:\Windows\PLFSetI.exe
2240 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
2308 C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
2340 C:\Program Files\Common Files\Mcafee\SystemCore\mfevtps.exe
2372 C:\Windows\System32\rundll32.exe
2404 C:\Acer\Mobility Center\MobilityService.exe
2444 C:\Program Files\McAfee Online Backup\MOBKbackup.exe
2508 C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
2584 C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
2624 C:\Program Files\McAfee Online Backup\MOBKbackup.exe
2684 C:\Windows\System32\svchost.exe
2708 C:\Program Files\Cyberlink\Shared files\RichVideo.exe
2772 C:\Windows\System32\svchost.exe
2808 C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
2860 C:\ProgramData\AUDIOKSE32.exe
2940 C:\Windows\System32\svchost.exe
2960 C:\Windows\System32\SearchIndexer.exe
3008 C:\ProgramData\hbaapi32.exe
3132 C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
3272 C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
3500 C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
4076 C:\Windows\System32\VSSVC.exe
4084 unsecapp.exe
1308 WmiPrvSE.exe
3384 C:\Program Files\Launch Manager\LManager.exe
3376 C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
3368 C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
3360 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
1412 C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe
2268 C:\Program Files\McAfee.com\Agent\mcagent.exe
3388 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3668 C:\Program Files\DivX\DivX Update\DivXUpdate.exe
3900 C:\Windows\lsass.exe
1932 C:\Windows\System32\igfxtray.exe
3484 C:\Windows\System32\hkcmd.exe
1316 C:\Windows\System32\igfxpers.exe
1264 C:\Windows\bcdsrvwow.exe
3648 C:\Windows\propdefswow.exe
3632 C:\Windows\ctl3dv2wow.exe
3412 C:\Windows\ssdpsrvwow.exe
3636 C:\Windows\CompatUIwow.exe
3652 C:\Windows\mydocswow.exe
1448 C:\Windows\tapiperfwow.exe
1988 C:\Windows\KBDIT142wow.exe
1324 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
2124 C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
2572 C:\Program Files\Windows Media Player\wmpnscfg.exe
3608 C:\Windows\propdefswow.exe
2128 C:\Windows\bcdsrvwow.exe
3180 C:\Windows\ctl3dv2wow.exe
2460 C:\Program Files\uTorrent\uTorrent.exe
2456 C:\Windows\ssdpsrvwow.exe
636 C:\Windows\CompatUIwow.exe
3988 C:\Windows\mydocswow.exe
2896 C:\Windows\tapiperfwow.exe
4332 C:\Windows\System32\taskeng.exe
5244 C:\Windows\System32\igfxext.exe
5316 C:\Users\EOINPH~1\AppData\Local\Temp\RtkBtMnt.exe
5416 C:\Windows\System32\igfxsrvc.exe
5448 C:\Program Files\Windows Media Player\wmpnetwk.exe
5580 C:\Program Files\OpenOffice.org 3\program\soffice.exe
5888 C:\Windows\System32\wbem\unsecapp.exe
4468 C:\Program Files\OpenOffice.org 3\program\soffice.bin
4452 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
4964 C:\Program Files\Mozilla Firefox\firefox.exe
5760 C:\Windows\System32\notepad.exe
5116 C:\Windows\servicing\TrustedInstaller.exe
5648 C:\Windows\System32\conime.exe
2716 C:\Users\eoinphelan\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`71100000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000001e`55400000 (NTFS)

PhysicalDrive0 Model Number: HitachiHTS543225L9A300, Rev: FBEOC40C

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


Done!

#19 m0le


Posted 25 November 2010 - 09:24 AM

Please now try and run Combofix :)

#20 kkallstar


Posted 25 November 2010 - 10:45 AM

ComboFix log as requested:

ComboFix 10-11-24.04 - eoinphelan 25/11/2010 15:15:44.3.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.353.1033.18.3000.2064 [GMT 0:00]
Running from: c:\users\eoinphelan\Desktop\comfix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\unrar.exe
c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{3c04042f-9d4a-4354-8bb5-ad93e1915136}
c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{3c04042f-9d4a-4354-8bb5-ad93e1915136}\chrome.manifest
c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{3c04042f-9d4a-4354-8bb5-ad93e1915136}\chrome\xulcache.jar
c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{3c04042f-9d4a-4354-8bb5-ad93e1915136}\defaults\preferences\xulcache.js
c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{3c04042f-9d4a-4354-8bb5-ad93e1915136}\install.rdf
c:\windows\bcdsrvwow.exe
c:\windows\CompatUIwow.exe
c:\windows\ctl3dv2wow.exe
c:\windows\KBDIT142wow.exe
c:\windows\lsass.exe
c:\windows\mydocswow.exe
c:\windows\propdefswow.exe
c:\windows\ssdpsrvwow.exe
c:\windows\tapiperfwow.exe
.
---- Previous Run -------
.
c:\programdata\unrar.exe
c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{1dfb3671-60e4-4ce7-954b-6ebd5a38c814}
c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{1dfb3671-60e4-4ce7-954b-6ebd5a38c814}\chrome.manifest
c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{1dfb3671-60e4-4ce7-954b-6ebd5a38c814}\chrome\xulcache.jar
c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{1dfb3671-60e4-4ce7-954b-6ebd5a38c814}\defaults\preferences\xulcache.js
c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{1dfb3671-60e4-4ce7-954b-6ebd5a38c814}\install.rdf
c:\windows\lsass.exe

-- Previous Run --

c:\windows\system32\userinit.exe . . . is infected!!

--------

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_WinRM32


((((((((((((((((((((((((( Files Created from 2010-10-25 to 2010-11-25 )))))))))))))))))))))))))))))))
.

2010-11-25 15:31 . 2010-11-25 15:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-24 16:05 . 2010-11-24 16:05 181760 ----a-w- c:\windows\system32\HMPV2_ENC_MMX32.exe
2010-11-24 13:04 . 2010-11-24 13:04 -------- d-----w- c:\program files\uTorrent
2010-11-24 13:04 . 2010-11-25 15:28 -------- d-----w- c:\users\eoinphelan\AppData\Roaming\uTorrent
2010-11-24 13:02 . 2010-11-25 11:40 -------- d-----w- c:\users\eoinphelan\AppData\Roaming\ImgBurn
2010-11-24 12:52 . 2010-11-24 12:52 -------- d-----w- c:\program files\ImgBurn
2010-11-24 12:42 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2010-11-23 13:34 . 2010-11-04 13:13 1369600 ----a-w- c:\programdata\hbaapi32.exe
2010-11-23 13:27 . 2010-11-04 13:13 1369600 ----a-w- c:\programdata\AUDIOKSE32.exe
2010-11-23 12:24 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7B053012-B6C8-4B91-B9EC-685BC11D1EF6}\mpengine.dll
2010-11-15 00:37 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2010-11-15 00:37 . 2009-10-09 21:56 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
2010-11-15 00:37 . 2009-10-09 21:56 20480 ----a-w- c:\windows\system32\winrshost.exe
2010-11-15 00:37 . 2009-10-09 21:56 40448 ----a-w- c:\windows\system32\winrs.exe
2010-11-15 00:37 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\wsmplpxy.dll
2010-11-15 00:37 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\winrssrv.dll
2010-11-15 00:37 . 2009-10-09 21:55 79872 ----a-w- c:\windows\system32\wecutil.exe
2010-11-15 00:37 . 2009-10-09 21:55 54272 ----a-w- c:\windows\system32\WsmRes.dll
2010-11-15 00:37 . 2009-10-09 21:55 146944 ----a-w- c:\windows\system32\wecsvc.dll
2010-11-15 00:37 . 2009-10-09 21:55 81408 ----a-w- c:\windows\system32\wevtfwd.dll
2010-11-15 00:37 . 2009-10-09 21:55 56320 ----a-w- c:\windows\system32\wecapi.dll
2010-11-15 00:37 . 2009-10-09 21:56 41472 ----a-w- c:\windows\system32\pwrshplugin.dll
2010-11-15 00:36 . 2009-08-01 06:27 201184 ----a-w- c:\windows\system32\winrm.vbs
2010-11-15 00:36 . 2009-10-09 21:56 214016 ----a-w- c:\windows\system32\WsmWmiPl.dll
2010-11-15 00:36 . 2009-10-09 21:56 241152 ----a-w- c:\windows\system32\winrscmd.dll
2010-11-15 00:36 . 2009-10-09 21:56 145408 ----a-w- c:\windows\system32\WsmAuto.dll
2010-11-15 00:36 . 2009-10-09 21:56 246272 ----a-w- c:\windows\system32\WSManHTTPConfig.exe
2010-11-15 00:36 . 2009-10-09 21:55 252416 ----a-w- c:\windows\system32\WSManMigrationPlugin.dll
2010-11-15 00:36 . 2009-10-09 21:56 1181696 ----a-w- c:\windows\system32\WsmSvc.dll
2010-11-15 00:36 . 2010-11-15 00:36 -------- d-----w- c:\windows\system32\x64
2010-11-11 13:54 . 2010-10-07 11:37 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2010-11-11 12:00 . 2010-11-11 12:00 -------- d-sh--w- c:\windows\system32\%APPDATA%
2010-11-09 00:41 . 2010-11-09 00:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-11-08 15:35 . 2010-11-08 15:35 -------- d-----w- c:\users\eoinphelan\AppData\Roaming\FloodLightGames
2010-11-08 12:04 . 2010-11-08 12:04 -------- d-----w- c:\programdata\Oberon Games
2010-11-08 11:26 . 2010-11-08 11:26 -------- d-----w- c:\users\eoinphelan\AppData\Local\ElevatedDiagnostics
2010-11-08 11:18 . 2010-11-08 11:24 -------- d-----w- c:\program files\Microsoft ATS
2010-11-06 11:37 . 2010-11-06 11:37 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-11-06 11:37 . 2010-11-06 11:37 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2010-11-04 17:26 . 2010-10-27 06:13 553696 ----a-w- c:\program files\Mozilla Firefox\uninstall\helper.exe
2010-11-04 17:26 . 2010-10-27 06:13 25048 ----a-w- c:\program files\Mozilla Firefox\components\browserdirprovider.dll
2010-11-04 17:26 . 2010-10-27 06:13 140248 ----a-w- c:\program files\Mozilla Firefox\components\brwsrcmp.dll
2010-11-04 17:26 . 2010-10-27 06:13 66520 ----a-w- c:\program files\Mozilla Firefox\plugins\npnul32.dll
2010-11-04 16:01 . 2010-11-07 23:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-04 16:01 . 2010-11-04 17:17 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-11-04 13:16 . 2010-11-04 13:16 -------- d-----w- c:\users\eoinphelan\AppData\Local\Apple Computer
2010-11-04 13:15 . 2010-11-25 13:02 -------- d-sh--w- c:\programdata\2D940B90985020252108E2D501B62DEF
2010-11-04 13:15 . 2010-11-25 15:02 -------- d-----w- c:\programdata\1748128816
2010-11-04 13:14 . 2010-11-04 13:14 264192 ----a-w- c:\programdata\AUDIOKSE32.dll
2010-11-04 13:13 . 2010-11-04 13:13 362496 ----a-w- c:\windows\system32\AUDIOKSE32.dll
2010-11-04 13:09 . 2010-11-04 13:09 -------- d-----w- c:\programdata\Apple Computer
2010-11-04 13:08 . 2010-11-04 13:08 -------- d-----w- c:\program files\Common Files\Apple
2010-11-04 13:07 . 2010-11-04 13:07 -------- d-----w- c:\users\eoinphelan\AppData\Local\Apple
2010-11-04 13:07 . 2010-11-04 13:07 -------- d-----w- c:\program files\Apple Software Update
2010-11-04 13:07 . 2010-11-04 13:07 -------- d-----w- c:\programdata\Apple
2010-11-04 12:44 . 2010-11-04 13:18 -------- d-----w- c:\users\eoinphelan\AppData\Roaming\FrostWire
2010-11-02 17:50 . 2010-11-02 17:50 -------- d-----w- c:\programdata\ScanSoft
2010-11-02 14:29 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-11-02 14:29 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-11-02 14:29 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-11-02 11:54 . 2010-11-23 13:11 -------- d-----w- c:\users\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 10:41 . 2010-06-20 18:34 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-13 22:28 . 2010-06-20 10:37 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-10-13 22:28 . 2010-06-20 10:37 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-10-13 22:28 . 2010-06-20 10:37 64304 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2010-10-13 22:28 . 2010-06-20 10:37 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-10-13 22:28 . 2010-06-20 10:37 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-10-13 22:28 . 2010-06-20 10:37 164840 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2010-10-13 22:28 . 2010-06-20 10:37 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-10-13 22:28 . 2010-06-20 10:37 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-10-13 22:28 . 2010-04-14 11:50 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-10-13 22:28 . 2010-04-14 11:50 386840 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-09-15 04:50 . 2010-06-30 12:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-13 13:56 . 2010-10-13 04:49 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 11:17 . 2010-09-08 11:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 11:17 . 2010-09-08 11:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-08 06:01 . 2010-10-13 04:47 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57 . 2010-10-13 04:47 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57 . 2010-10-13 04:47 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56 . 2010-10-13 04:47 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56 . 2010-10-13 04:47 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04 . 2010-10-13 04:47 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26 . 2010-10-13 04:47 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25 . 2010-10-13 04:47 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20 . 2010-10-13 04:48 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19 . 2010-10-13 04:48 17920 ----a-w- c:\windows\system32\netevent.dll
2010-09-06 13:45 . 2010-10-13 04:48 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-09-06 13:45 . 2010-10-13 04:48 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-06 13:45 . 2010-10-13 04:48 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-08-31 15:46 . 2010-10-13 04:44 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46 . 2010-10-13 04:44 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44 . 2010-10-13 04:39 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27 . 2010-10-13 04:44 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-07-07 23:05 . 2010-07-07 23:05 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2010-10-13 22:28 . 2010-06-20 10:37 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01C0DA96-AFCE-4F59-BC8E-77ADDA481218}]
2010-11-04 13:13 362496 ----a-w- c:\windows\System32\AUDIOKSE32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA83C0CD-C9A3-BE05-F70A-CA125237C8C3}]
2010-11-04 13:14 264192 ----a-w- c:\programdata\AUDIOKSE32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-05-15 01:05 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-13 19:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-13 19:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-13 19:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-13 68856]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-08-24 247144]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-11-24 395128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1049896]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-07 34040]
"ArcadeDeluxeAgent"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2008-04-10 147456]
"CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2008-04-10 167936]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2008-04-18 167936]
"RtHDVCpl"="RtHDVCpl.exe" [2008-06-13 6183456]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-09-10 809480]
"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-05-15 526896]
"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-06-11 409600]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-07 30192]
"ProductReg"="c:\program files\Acer\WR_PopUp\ProductReg.exe" [2008-09-23 6144]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"OPSE reminder"="c:\program files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" [2003-07-07 729088]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 170520]

c:\users\eoinphelan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\programdata\AUDIOKSE32.dll c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\programdata\AUDIOKSE32.dll c:\programdata\AUDIOKSE32.dll c:\programdata\AUDIOKSE32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-04 131072]
R2 WebClient32;WebClient ;c:\programdata\AUDIOKSE32.exe [2010-11-04 1369600]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-07-07 30192]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-13 84264]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-10-13 64304]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-10-13 164840]
S1 MOBKFilter;MOBKFilter;c:\windows\system32\DRIVERS\MOBK.sys [2010-04-13 54776]
S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl [2008-04-18 61424]
S2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
S2 CLHNService;CLHNService;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [2008-01-17 81504]
S2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-03-21 24576]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-10-13 188136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-10-13 141792]
S2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [2010-04-13 229688]
S2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-07 50424]
S2 NTIPPKernel;NTIPPKernel;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys [2008-01-17 122368]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2010-08-24 92008]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-13 55840]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-13 313288]


--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-11-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-13 13:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ie/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=1809&s=2&o=vb32&d=1108&m=aspire_5735
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
FF - ProfilePath - c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - www.google.ie
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1691.8062\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\eoinphelan\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-RTHDBPL - c:\users\eoinphelan\AppData\Roaming\SysWin\lsass.exe
HKCU-Run-mssvpwow.exe - c:\windows\mssvpwow.exe
HKCU-Run-KBDSORSTwow.exe - c:\windows\KBDSORSTwow.exe
HKCU-Run-umbwow.exe - c:\windows\umbwow.exe
HKCU-Run-xolehlpwow.exe - c:\windows\xolehlpwow.exe
HKCU-Run-KBDUKXwow.exe - c:\windows\KBDUKXwow.exe
HKCU-Run-KBDUKwow.exe - c:\windows\KBDUKwow.exe
HKCU-Run-serwvdrvwow.exe - c:\windows\serwvdrvwow.exe
HKCU-Run-NlsData000awow.exe - c:\windows\NlsData000awow.exe
HKCU-Run-syncuiwow.exe - c:\windows\syncuiwow.exe
HKCU-Run-winhttpwow.exe - c:\windows\winhttpwow.exe
HKCU-Run-ws2_32wow.exe - c:\windows\ws2_32wow.exe
HKCU-Run-kbdnecwow.exe - c:\windows\kbdnecwow.exe
HKCU-Run-odbctracwow.exe - c:\windows\odbctracwow.exe
HKCU-Run-EhStorAPIwow.exe - c:\windows\EhStorAPIwow.exe
HKCU-Run-usbmonwow.exe - c:\windows\usbmonwow.exe
HKCU-Run-KBDESTwow.exe - c:\windows\KBDESTwow.exe
HKCU-Run-themecplwow.exe - c:\windows\themecplwow.exe
HKCU-Run-RDPENCDDwow.exe - c:\windows\RDPENCDDwow.exe
HKCU-Run-icardiewow.exe - c:\windows\icardiewow.exe
HKCU-Run-brdgcfgwow.exe - c:\windows\brdgcfgwow.exe
HKCU-Run-propdefswow.exe - c:\windows\propdefswow.exe
HKCU-Run-bcdsrvwow.exe - c:\windows\bcdsrvwow.exe
HKCU-Run-ctl3dv2wow.exe - c:\windows\ctl3dv2wow.exe
HKCU-Run-ssdpsrvwow.exe - c:\windows\ssdpsrvwow.exe
HKCU-Run-CompatUIwow.exe - c:\windows\CompatUIwow.exe
HKCU-Run-mydocswow.exe - c:\windows\mydocswow.exe
HKCU-Run-tapiperfwow.exe - c:\windows\tapiperfwow.exe
HKCU-Run-KBDIT142wow.exe - c:\windows\KBDIT142wow.exe
HKLM-Run-eRecoveryService - (no file)
HKLM-Run-RTHDBPL - c:\windows\lsass.exe
HKLM-Run-KBDSORSTwow.exe - c:\windows\KBDSORSTwow.exe
HKLM-Run-umbwow.exe - c:\windows\umbwow.exe
HKLM-Run-xolehlpwow.exe - c:\windows\xolehlpwow.exe
HKLM-Run-KBDUKXwow.exe - c:\windows\KBDUKXwow.exe
HKLM-Run-KBDUKwow.exe - c:\windows\KBDUKwow.exe
HKLM-Run-serwvdrvwow.exe - c:\windows\serwvdrvwow.exe
HKLM-Run-NlsData000awow.exe - c:\windows\NlsData000awow.exe
HKLM-Run-syncuiwow.exe - c:\windows\syncuiwow.exe
HKLM-Run-winhttpwow.exe - c:\windows\winhttpwow.exe
HKLM-Run-ws2_32wow.exe - c:\windows\ws2_32wow.exe
HKLM-Run-kbdnecwow.exe - c:\windows\kbdnecwow.exe
HKLM-Run-odbctracwow.exe - c:\windows\odbctracwow.exe
HKLM-Run-SmiInstallerwow.exe - c:\windows\SmiInstallerwow.exe
HKLM-Run-EhStorAPIwow.exe - c:\windows\EhStorAPIwow.exe
HKLM-Run-usbmonwow.exe - c:\windows\usbmonwow.exe
HKLM-Run-KBDESTwow.exe - c:\windows\KBDESTwow.exe
HKLM-Run-themecplwow.exe - c:\windows\themecplwow.exe
HKLM-Run-icardiewow.exe - c:\windows\icardiewow.exe
HKLM-Run-RDPENCDDwow.exe - c:\windows\RDPENCDDwow.exe
HKLM-Run-brdgcfgwow.exe - c:\windows\brdgcfgwow.exe
HKLM-Run-bcdsrvwow.exe - c:\windows\bcdsrvwow.exe
HKLM-Run-propdefswow.exe - c:\windows\propdefswow.exe
HKLM-Run-ctl3dv2wow.exe - c:\windows\ctl3dv2wow.exe
HKLM-Run-ssdpsrvwow.exe - c:\windows\ssdpsrvwow.exe
HKLM-Run-CompatUIwow.exe - c:\windows\CompatUIwow.exe
HKLM-Run-mydocswow.exe - c:\windows\mydocswow.exe
HKLM-Run-tapiperfwow.exe - c:\windows\tapiperfwow.exe
HKLM-Run-KBDIT142wow.exe - c:\windows\KBDIT142wow.exe
AddRemove-UnityWebPlayer - c:\users\eoinphelan\AppData\Local\Unity\WebPlayer\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-25 15:31
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
RTHDBPL = c:\windows\lsass.exe?tmp???????????????????????????????????????????????????????????????????????????????????????????????????????
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RTHDBPL = c:\users\eoinphelan\AppData\Roaming\SysWin\lsass.exe???????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-11-25 15:34:03
ComboFix-quarantined-files.txt 2010-11-25 15:33

Pre-Run: 19,861,397,504 bytes free
Post-Run: 19,783,815,168 bytes free

- - End Of File - - 858C7D6BEAD5E004D1BF549CE42715E3

#21 m0le


    Can U Dig It?


  • Malware Response Instructor
  • 33,698 posts
  • Gender:Male
  • Location:London, UK
  • Local time:04:51 PM

Posted 25 November 2010 - 11:56 AM

Now we're cooking :P

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

Registry::
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDBPL"=-


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)


[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

If the program asks you to update ComboFix, click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
If I have helped you fix your PC then please donate. Thanks
m0le is a proud member of UNITE
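A check to run after the CFScript step above, as an added example that is not part of m0le's instructions and not part of ComboFix: a PowerShell script that enumerates the autorun locations the log above shows this infection using (the HKLM and HKCU Run keys, AppInit_DLLs, and the Browser Helper Objects list) and flags entries that match the indicators visible in that log: a second lsass.exe outside System32, the "<name>wow.exe" files dropped directly into C:\Windows, loose .exe/.dll files in ProgramData wired in through AppInit_DLLs or a BHO, and orphaned entries whose file no longer exists. The function names and the heuristics are assumptions of this example, not a published signature. Run it from an elevated PowerShell prompt while logged in as the affected user, so that HKCU is that user's hive.

```powershell
# Added example (not from the thread): audit the autorun locations that the
# ComboFix log shows the infection using, and flag entries matching its
# indicators. Read-only, except for Remove-RthdbplAutorun at the bottom.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$AppInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$BhoKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$System32   = Join-Path $env:WINDIR 'System32'

# Strip surrounding quotes and any arguments from a Run value to get the image path.
function Get-ImagePath([string]$Command) {
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

# Heuristics derived from the log (assumptions of this example, not a signature).
function Test-SuspiciousPath([string]$Path) {
    # Bare names such as "RtHDVCpl.exe" are resolved via the search path; not judged here.
    if ($Path -notmatch '\\') { return $null }
    $leaf   = Split-Path $Path -Leaf
    $parent = Split-Path $Path -Parent
    if ($leaf -ieq 'lsass.exe' -and $parent -ine $System32)        { return 'lsass.exe outside System32' }
    if ($leaf -imatch 'wow\.exe$' -and $parent -ieq $env:WINDIR)   { return '*wow.exe dropped in %WINDIR%' }
    if ($Path -imatch '^[a-z]:\\programdata\\[^\\]+\.(exe|dll)$')  { return 'loose binary in ProgramData' }
    if (-not (Test-Path -LiteralPath $Path))                       { return 'file missing (orphan)' }
    return $null
}

function New-Finding([string]$Location, [string]$Path, [string]$Reason) {
    New-Object PSObject -Property @{ Location = $Location; Path = $Path; Reason = $Reason }
}

function Get-SuspiciousAutoruns {
    $findings = @()

    # Run keys: every value is "<name> = <command line>".
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, ...
            $img = Get-ImagePath ([string]$p.Value)
            $why = Test-SuspiciousPath $img
            if ($why) { $findings += New-Finding "$key\$($p.Name)" $img $why }
        }
    }

    # AppInit_DLLs is a space- or comma-separated list; the log shows the same
    # DLL repeated in it, so de-duplicate before checking.
    $appInit = (Get-ItemProperty -Path $AppInitKey).AppInit_DLLs
    if ($appInit) {
        foreach ($dll in ($appInit -split '[ ,]+' | Where-Object { $_ } | Sort-Object -Unique)) {
            $why = Test-SuspiciousPath $dll
            if ($why) { $findings += New-Finding 'AppInit_DLLs' $dll $why }
        }
    }

    # BHOs: each subkey is a CLSID; its InprocServer32 default value is the DLL.
    if (Test-Path $BhoKey) {
        foreach ($clsid in (Get-ChildItem $BhoKey).PSChildName) {
            $srv = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
            if (-not (Test-Path $srv)) { continue }
            $dll = [string](Get-ItemProperty -Path $srv).'(default)'
            $why = Test-SuspiciousPath $dll
            if ($why) { $findings += New-Finding "BHO $clsid" $dll $why }
        }
    }
    return $findings
}

# Same effect as the CFScript in the post ("RTHDBPL"=- under HKLM\...\Run), applied
# to both hives; it only deletes the Run value, not the file it points at.
function Remove-RthdbplAutorun {
    foreach ($key in $RunKeys) {
        if ((Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).RTHDBPL) {
            Remove-ItemProperty -Path $key -Name 'RTHDBPL'
            "removed RTHDBPL from $key"
        }
    }
}

Get-SuspiciousAutoruns | Format-Table Location, Reason, Path -AutoSize
```

An empty table after ComboFix has run is the result you want; any row naming lsass.exe, a *wow.exe in C:\Windows, or a ProgramData DLL means the persistence shown in the log is still present and the file list in the next ComboFix log should be compared against it. The orphan check matters here too: the "ORPHANS REMOVED" section of the log is exactly those Run values whose target file was already gone.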

#22 kkallstar

  • Topic Starter

  • Members
  • 17 posts
  • Local time:03:51 PM

Posted 27 November 2010 - 12:59 PM

Latest ComboFix log as requested:

ComboFix 10-11-26.07 - eoinphelan 27/11/2010 17:10:10.4.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.353.1033.18.3000.1919 [GMT 0:00]
Running from: c:\users\eoinphelan\Desktop\comfix.exe
Command switches used :: c:\users\eoinphelan\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\unrar.exe
c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{49141cfc-19da-4c59-b982-36d564e4026c}
c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{49141cfc-19da-4c59-b982-36d564e4026c}\chrome.manifest
c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{49141cfc-19da-4c59-b982-36d564e4026c}\chrome\xulcache.jar
c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{49141cfc-19da-4c59-b982-36d564e4026c}\defaults\preferences\xulcache.js
c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{49141cfc-19da-4c59-b982-36d564e4026c}\install.rdf
c:\windows\lsass.exe

.
((((((((((((((((((((((((( Files Created from 2010-10-27 to 2010-11-27 )))))))))))))))))))))))))))))))
.

2010-11-27 17:44 . 2010-11-27 17:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-27 15:42 . 2010-11-27 15:42 509440 --sh--w- c:\windows\spwizengwow.exe
2010-11-27 00:16 . 2010-11-27 00:15 509440 --sh--w- c:\windows\WLanConnwow.exe
2010-11-25 15:36 . 2010-11-25 15:36 0 ---ha-w- c:\users\eoinphelan\xibzhuxmha.tmp
2010-11-25 15:09 . 2010-11-25 15:34 -------- d-----w- C:\comfix
2010-11-24 16:05 . 2010-11-24 16:05 181760 ----a-w- c:\windows\system32\HMPV2_ENC_MMX32.exe
2010-11-24 13:04 . 2010-11-24 13:04 -------- d-----w- c:\program files\uTorrent
2010-11-24 13:04 . 2010-11-27 17:43 -------- d-----w- c:\users\eoinphelan\AppData\Roaming\uTorrent
2010-11-24 13:02 . 2010-11-25 11:40 -------- d-----w- c:\users\eoinphelan\AppData\Roaming\ImgBurn
2010-11-24 12:52 . 2010-11-24 12:52 -------- d-----w- c:\program files\ImgBurn
2010-11-24 12:42 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2010-11-23 13:34 . 2010-11-04 13:13 1369600 ----a-w- c:\programdata\hbaapi32.exe
2010-11-23 13:27 . 2010-11-04 13:13 1369600 ----a-w- c:\programdata\AUDIOKSE32.exe
2010-11-23 12:24 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7B053012-B6C8-4B91-B9EC-685BC11D1EF6}\mpengine.dll
2010-11-15 00:37 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2010-11-15 00:37 . 2009-10-09 21:56 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
2010-11-15 00:37 . 2009-10-09 21:56 20480 ----a-w- c:\windows\system32\winrshost.exe
2010-11-15 00:37 . 2009-10-09 21:56 40448 ----a-w- c:\windows\system32\winrs.exe
2010-11-15 00:37 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\wsmplpxy.dll
2010-11-15 00:37 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\winrssrv.dll
2010-11-15 00:37 . 2009-10-09 21:55 79872 ----a-w- c:\windows\system32\wecutil.exe
2010-11-15 00:37 . 2009-10-09 21:55 54272 ----a-w- c:\windows\system32\WsmRes.dll
2010-11-15 00:37 . 2009-10-09 21:55 146944 ----a-w- c:\windows\system32\wecsvc.dll
2010-11-15 00:37 . 2009-10-09 21:55 81408 ----a-w- c:\windows\system32\wevtfwd.dll
2010-11-15 00:37 . 2009-10-09 21:55 56320 ----a-w- c:\windows\system32\wecapi.dll
2010-11-15 00:37 . 2009-10-09 21:56 41472 ----a-w- c:\windows\system32\pwrshplugin.dll
2010-11-15 00:36 . 2009-08-01 06:27 201184 ----a-w- c:\windows\system32\winrm.vbs
2010-11-15 00:36 . 2009-10-09 21:56 214016 ----a-w- c:\windows\system32\WsmWmiPl.dll
2010-11-15 00:36 . 2009-10-09 21:56 241152 ----a-w- c:\windows\system32\winrscmd.dll
2010-11-15 00:36 . 2009-10-09 21:56 145408 ----a-w- c:\windows\system32\WsmAuto.dll
2010-11-15 00:36 . 2009-10-09 21:56 246272 ----a-w- c:\windows\system32\WSManHTTPConfig.exe
2010-11-15 00:36 . 2009-10-09 21:55 252416 ----a-w- c:\windows\system32\WSManMigrationPlugin.dll
2010-11-15 00:36 . 2009-10-09 21:56 1181696 ----a-w- c:\windows\system32\WsmSvc.dll
2010-11-15 00:36 . 2010-11-15 00:36 -------- d-----w- c:\windows\system32\x64
2010-11-11 13:54 . 2010-10-07 11:37 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2010-11-11 12:00 . 2010-11-11 12:00 -------- d-sh--w- c:\windows\system32\%APPDATA%
2010-11-09 00:41 . 2010-11-09 00:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-11-08 15:35 . 2010-11-08 15:35 -------- d-----w- c:\users\eoinphelan\AppData\Roaming\FloodLightGames
2010-11-08 12:04 . 2010-11-08 12:04 -------- d-----w- c:\programdata\Oberon Games
2010-11-08 11:26 . 2010-11-08 11:26 -------- d-----w- c:\users\eoinphelan\AppData\Local\ElevatedDiagnostics
2010-11-08 11:18 . 2010-11-08 11:24 -------- d-----w- c:\program files\Microsoft ATS
2010-11-06 11:37 . 2010-11-06 11:37 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-11-06 11:37 . 2010-11-06 11:37 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2010-11-04 17:26 . 2010-10-27 06:13 553696 ----a-w- c:\program files\Mozilla Firefox\uninstall\helper.exe
2010-11-04 17:26 . 2010-10-27 06:13 25048 ----a-w- c:\program files\Mozilla Firefox\components\browserdirprovider.dll
2010-11-04 17:26 . 2010-10-27 06:13 140248 ----a-w- c:\program files\Mozilla Firefox\components\brwsrcmp.dll
2010-11-04 17:26 . 2010-10-27 06:13 66520 ----a-w- c:\program files\Mozilla Firefox\plugins\npnul32.dll
2010-11-04 16:01 . 2010-11-07 23:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-04 16:01 . 2010-11-04 17:17 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-11-04 13:16 . 2010-11-04 13:16 -------- d-----w- c:\users\eoinphelan\AppData\Local\Apple Computer
2010-11-04 13:15 . 2010-11-25 13:02 -------- d-sh--w- c:\programdata\2D940B90985020252108E2D501B62DEF
2010-11-04 13:15 . 2010-11-27 15:56 -------- d-----w- c:\programdata\1748128816
2010-11-04 13:14 . 2010-11-04 13:14 264192 ----a-w- c:\programdata\AUDIOKSE32.dll
2010-11-04 13:13 . 2010-11-04 13:13 362496 ----a-w- c:\windows\system32\AUDIOKSE32.dll
2010-11-04 13:09 . 2010-11-04 13:09 -------- d-----w- c:\programdata\Apple Computer
2010-11-04 13:08 . 2010-11-04 13:08 -------- d-----w- c:\program files\Common Files\Apple
2010-11-04 13:07 . 2010-11-04 13:07 -------- d-----w- c:\users\eoinphelan\AppData\Local\Apple
2010-11-04 13:07 . 2010-11-04 13:07 -------- d-----w- c:\program files\Apple Software Update
2010-11-04 13:07 . 2010-11-04 13:07 -------- d-----w- c:\programdata\Apple
2010-11-04 12:44 . 2010-11-04 13:18 -------- d-----w- c:\users\eoinphelan\AppData\Roaming\FrostWire
2010-11-02 17:50 . 2010-11-02 17:50 -------- d-----w- c:\programdata\ScanSoft
2010-11-02 14:29 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-11-02 14:29 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-11-02 14:29 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-11-02 11:54 . 2010-11-23 13:11 -------- d-----w- c:\users\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 10:41 . 2010-06-20 18:34 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-13 22:28 . 2010-06-20 10:37 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-10-13 22:28 . 2010-06-20 10:37 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-10-13 22:28 . 2010-06-20 10:37 64304 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2010-10-13 22:28 . 2010-06-20 10:37 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-10-13 22:28 . 2010-06-20 10:37 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-10-13 22:28 . 2010-06-20 10:37 164840 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2010-10-13 22:28 . 2010-06-20 10:37 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-10-13 22:28 . 2010-06-20 10:37 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-10-13 22:28 . 2010-04-14 11:50 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-10-13 22:28 . 2010-04-14 11:50 386840 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-09-15 04:50 . 2010-06-30 12:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-13 13:56 . 2010-10-13 04:49 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 11:17 . 2010-09-08 11:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 11:17 . 2010-09-08 11:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-08 06:01 . 2010-10-13 04:47 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57 . 2010-10-13 04:47 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57 . 2010-10-13 04:47 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56 . 2010-10-13 04:47 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56 . 2010-10-13 04:47 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04 . 2010-10-13 04:47 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26 . 2010-10-13 04:47 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25 . 2010-10-13 04:47 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20 . 2010-10-13 04:48 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19 . 2010-10-13 04:48 17920 ----a-w- c:\windows\system32\netevent.dll
2010-09-06 13:45 . 2010-10-13 04:48 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-09-06 13:45 . 2010-10-13 04:48 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-06 13:45 . 2010-10-13 04:48 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-08-31 15:46 . 2010-10-13 04:44 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46 . 2010-10-13 04:44 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44 . 2010-10-13 04:39 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27 . 2010-10-13 04:44 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-07-07 23:05 . 2010-07-07 23:05 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2010-10-13 22:28 . 2010-06-20 10:37 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01C0DA96-AFCE-4F59-BC8E-77ADDA481218}]
2010-11-04 13:13 362496 ----a-w- c:\windows\System32\AUDIOKSE32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA83C0CD-C9A3-BE05-F70A-CA125237C8C3}]
2010-11-04 13:14 264192 ----a-w- c:\programdata\AUDIOKSE32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-05-15 01:05 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-13 19:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-13 19:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-13 19:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-13 68856]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-08-24 247144]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-11-24 395128]
"RTHDBPL"="c:\users\eoinphelan\AppData\Roaming\SysWin\lsass.exe" [BU]
"WLanConnwow.exe"="c:\windows\WLanConnwow.exe" [2010-11-27 509440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1049896]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-07 34040]
"ArcadeDeluxeAgent"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2008-04-10 147456]
"CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2008-04-10 167936]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2008-04-18 167936]
"RtHDVCpl"="RtHDVCpl.exe" [2008-06-13 6183456]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-09-10 809480]
"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-05-15 526896]
"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-06-11 409600]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-07 30192]
"ProductReg"="c:\program files\Acer\WR_PopUp\ProductReg.exe" [2008-09-23 6144]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"OPSE reminder"="c:\program files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" [2003-07-07 729088]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 170520]
"WLanConnwow.exe"="c:\windows\WLanConnwow.exe" [2010-11-27 509440]
"spwizengwow.exe"="c:\windows\spwizengwow.exe" [2010-11-27 509440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\programdata\AUDIOKSE32.dll c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\programdata\AUDIOKSE32.dll c:\programdata\AUDIOKSE32.dll c:\programdata\AUDIOKSE32.dll c:\programdata\AUDIOKSE32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-04 131072]
R2 WebClient32;WebClient ;c:\programdata\AUDIOKSE32.exe [2010-11-04 1369600]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-07-07 30192]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-13 84264]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-10-13 64304]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-10-13 164840]
S1 MOBKFilter;MOBKFilter;c:\windows\system32\DRIVERS\MOBK.sys [2010-04-13 54776]
S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl [2008-04-18 61424]
S2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
S2 CLHNService;CLHNService;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [2008-01-17 81504]
S2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-03-21 24576]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-10-13 188136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-10-13 141792]
S2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [2010-04-13 229688]
S2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-07 50424]
S2 NTIPPKernel;NTIPPKernel;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys [2008-01-17 122368]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2010-08-24 92008]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-13 55840]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-13 313288]


--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-11-27 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-13 13:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ie/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=1809&s=2&o=vb32&d=1108&m=aspire_5735
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
FF - ProfilePath - c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - www.google.ie
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1691.8062\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\eoinphelan\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-27 17:44
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RTHDBPL = c:\users\eoinphelan\AppData\Roaming\SysWin\lsass.exe???????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-11-27 17:49:08
ComboFix-quarantined-files.txt 2010-11-27 17:49
ComboFix2.txt 2010-11-25 15:34

Pre-Run: 19,310,190,592 bytes free
Post-Run: 19,268,927,488 bytes free

- - End Of File - - F3E925D7A404320425531CD5EFFD9554

#23 m0le

  • Malware Response Instructor
  • Gender:Male
  • Location:London, UK

Posted 27 November 2010 - 06:24 PM

Sticky trojan here. Let's try and prize it off.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

File::
c:\users\eoinphelan\AppData\Roaming\SysWin\lsass.exe

Registry::
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDBPL"=-


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)


[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

If the program asks you to update ComboFix, click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
If I have helped you fix your PC then please donate. Thanks
m0le is a proud member of UNITE
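
The triage m0le is doing by eye on the "Reg Loading Points" section can be scripted. The Python below is an added example written for this thread; it is not ComboFix's own code and not anything posted by m0le or kkallstar. It parses the Run, Browser Helper Object and AppInit_DLLs entries in ComboFix's layout, flags the patterns visible in the log above (a file named lsass.exe outside system32, a Run entry with no [date size] stamp, a DLL loaded from c:\programdata, several differently named 509440-byte executables sitting in c:\windows) and renders the hits as the File::/Registry:: directives used in the CFScript, with each Registry:: block placed under the key the entry was parsed from. The parser, the heuristics and the sample excerpt are my own constructions; the sample is assembled from lines visible in the posted log.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log. Added example:
not ComboFix's code, not code from the thread; heuristics and sample are constructed."""
import re
from collections import Counter, defaultdict

SYSTEM32 = r"c:\windows\system32"
# Core Windows process names: a file so named outside system32 is a masquerade.
CORE_NAMES = {"lsass.exe", "csrss.exe", "smss.exe", "services.exe",
              "svchost.exe", "winlogon.exe", "wininit.exe"}

SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<meta>[^\]]*)\]$')
STAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<size>\d+)$")  # the "[date size]" after a Run value
FILELINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?P<size>\d+) \S+ (?P<path>.+)$")
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(?P<dlls>.*)$', re.IGNORECASE)

# Constructed sample in ComboFix's layout, assembled from lines seen in the thread.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA83C0CD-C9A3-BE05-F70A-CA125237C8C3}]
2010-11-04 13:14 264192 ----a-w- c:\programdata\AUDIOKSE32.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-13 68856]
"RTHDBPL"="c:\users\eoinphelan\AppData\Roaming\SysWin\lsass.exe" [BU]
"WLanConnwow.exe"="c:\windows\WLanConnwow.exe" [2010-11-27 509440]
"KBDBEwow.exe"="c:\windows\KBDBEwow.exe" [2010-11-28 509440]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"spwizengwow.exe"="c:\windows\spwizengwow.exe" [2010-11-27 509440]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\programdata\AUDIOKSE32.dll c:\programdata\AUDIOKSE32.dll
"""


def _entry(key, name, path, size, stamped):
    return {"key": key, "name": name, "path": path, "lpath": path.lower(),
            "size": size, "stamped": stamped}


def parse_loading_points(text):
    """One dict per loaded file, tagged with the registry key it was listed under."""
    entries, key = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := SECTION_RE.match(line):
            key = m.group("key")
        elif m := APPINIT_RE.match(line):
            # ComboFix prints 8.3 names here, so whitespace is a safe separator.
            for dll in m.group("dlls").split():
                entries.append(_entry(key, "AppInit_DLLs", dll, None, True))
        elif m := RUN_RE.match(line):
            stamp = STAMP_RE.match(m.group("meta"))
            entries.append(_entry(key, m.group("name"), m.group("path"),
                                  int(stamp.group("size")) if stamp else None, bool(stamp)))
        elif (m := FILELINE_RE.match(line)) and key:
            # BHO and CLSID sections list the DLL on a line of its own.
            entries.append(_entry(key, None, m.group("path"), int(m.group("size")), True))
    return entries


def triage(entries):
    """Return the entries that trip a heuristic, each with a list of reasons."""
    same_size = defaultdict(set)  # (directory, size) -> distinct .exe names
    for e in entries:
        d, _, base = e["lpath"].rpartition("\\")
        if e["size"] is not None and base.endswith(".exe"):
            same_size[(d, e["size"])].add(base)
    appinit_hits = Counter(e["lpath"] for e in entries if e["name"] == "AppInit_DLLs")
    findings, seen = [], set()
    for e in entries:
        ident = (e["key"], e["name"], e["lpath"])
        if ident in seen:
            continue
        seen.add(ident)
        d, _, base = e["lpath"].rpartition("\\")
        in_data_dir = d.startswith(r"c:\programdata") or "\\appdata\\" in d
        reasons = []
        if base in CORE_NAMES and d != SYSTEM32:
            reasons.append("core Windows process name outside system32")
        if not e["stamped"]:
            reasons.append("no [date size] stamp recorded for the file")
        if base.endswith(".dll") and in_data_dir:
            reasons.append("DLL loaded into other processes from a data directory")
        if e["name"] == "AppInit_DLLs" and appinit_hits[e["lpath"]] > 1:
            reasons.append(f"listed {appinit_hits[e['lpath']]} times in AppInit_DLLs")
        siblings = same_size.get((d, e["size"]), set())
        if len(siblings) > 1:
            reasons.append(f"{len(siblings)} same-size executables in {d}: "
                           + ", ".join(sorted(siblings)))
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


def cfscript(findings):
    """Render the findings as the File::/Registry:: directives used in the thread."""
    files, runs = {}, defaultdict(set)
    for f in findings:
        files.setdefault(f["lpath"], f["path"])
        if f["name"] and f["name"] != "AppInit_DLLs" and f["key"].lower().endswith("\\run"):
            runs[f["key"]].add(f["name"])
    out = ["File::", *sorted(files.values(), key=str.lower), "", "Registry::"]
    for key, names in runs.items():
        out.append(f"[{key}]")
        out.extend(f'"{n}"=-' for n in sorted(names))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = triage(parse_loading_points(SAMPLE_LOG))
    for f in found:
        print(f["name"] or "(dll)", f["path"], "; ".join(f["reasons"]), sep=" | ")
    print(cfscript(found))
```

Run it as-is to see the report for the sample, or pass a real log's Reg Loading Points section in place of SAMPLE_LOG. Treat the output as a worksheet to review, not a script to drop onto ComboFix unread: a legitimate shell extension installed under ProgramData trips the data-directory rule just as readily, and File:: deletes whatever it is given.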

#24 kkallstar

  • Topic Starter
  • Members

Posted 28 November 2010 - 06:36 PM

Latest ComboFix log:

ComboFix 10-11-28.01 - eoinphelan 28/11/2010 21:35:37.5.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.353.1033.18.3000.1851 [GMT 0:00]
Running from: c:\users\eoinphelan\Desktop\comfix.exe
Command switches used :: c:\users\eoinphelan\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\users\eoinphelan\AppData\Roaming\SysWin\lsass.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\unrar.exe
c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{44dd9494-6f9e-43b4-a424-530e9db4549e}
c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{44dd9494-6f9e-43b4-a424-530e9db4549e}\chrome.manifest
c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{44dd9494-6f9e-43b4-a424-530e9db4549e}\chrome\xulcache.jar
c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{44dd9494-6f9e-43b4-a424-530e9db4549e}\defaults\preferences\xulcache.js
c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{44dd9494-6f9e-43b4-a424-530e9db4549e}\install.rdf
c:\windows\lsass.exe

.
((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-28 )))))))))))))))))))))))))))))))
.

2010-11-28 22:13 . 2010-11-28 22:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-28 20:59 . 2010-11-28 20:59 509440 --sh--w- c:\windows\typelibwow.exe
2010-11-28 20:57 . 2010-11-28 20:57 509440 --sh--w- c:\windows\DevicePairingwow.exe
2010-11-28 20:55 . 2010-11-28 20:55 509440 --sh--w- c:\windows\KBDBEwow.exe
2010-11-27 23:50 . 2010-11-27 23:50 509440 --sh--w- c:\windows\KBDTH2wow.exe
2010-11-27 15:42 . 2010-11-27 15:42 509440 --sh--w- c:\windows\spwizengwow.exe
2010-11-27 00:16 . 2010-11-27 00:15 509440 --sh--w- c:\windows\WLanConnwow.exe
2010-11-25 15:36 . 2010-11-25 15:36 0 ---ha-w- c:\users\eoinphelan\xibzhuxmha.tmp
2010-11-25 15:09 . 2010-11-25 15:34 -------- d-----w- C:\comfix
2010-11-24 16:05 . 2010-11-24 16:05 181760 ----a-w- c:\windows\system32\HMPV2_ENC_MMX32.exe
2010-11-24 13:04 . 2010-11-24 13:04 -------- d-----w- c:\program files\uTorrent
2010-11-24 13:04 . 2010-11-28 22:11 -------- d-----w- c:\users\eoinphelan\AppData\Roaming\uTorrent
2010-11-24 13:02 . 2010-11-25 11:40 -------- d-----w- c:\users\eoinphelan\AppData\Roaming\ImgBurn
2010-11-24 12:52 . 2010-11-24 12:52 -------- d-----w- c:\program files\ImgBurn
2010-11-24 12:42 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2010-11-23 13:34 . 2010-11-04 13:13 1369600 ----a-w- c:\programdata\hbaapi32.exe
2010-11-23 13:27 . 2010-11-04 13:13 1369600 ----a-w- c:\programdata\AUDIOKSE32.exe
2010-11-23 12:24 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7B053012-B6C8-4B91-B9EC-685BC11D1EF6}\mpengine.dll
2010-11-15 00:37 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2010-11-15 00:37 . 2009-10-09 21:56 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
2010-11-15 00:37 . 2009-10-09 21:56 20480 ----a-w- c:\windows\system32\winrshost.exe
2010-11-15 00:37 . 2009-10-09 21:56 40448 ----a-w- c:\windows\system32\winrs.exe
2010-11-15 00:37 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\wsmplpxy.dll
2010-11-15 00:37 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\winrssrv.dll
2010-11-15 00:37 . 2009-10-09 21:55 79872 ----a-w- c:\windows\system32\wecutil.exe
2010-11-15 00:37 . 2009-10-09 21:55 54272 ----a-w- c:\windows\system32\WsmRes.dll
2010-11-15 00:37 . 2009-10-09 21:55 146944 ----a-w- c:\windows\system32\wecsvc.dll
2010-11-15 00:37 . 2009-10-09 21:55 81408 ----a-w- c:\windows\system32\wevtfwd.dll
2010-11-15 00:37 . 2009-10-09 21:55 56320 ----a-w- c:\windows\system32\wecapi.dll
2010-11-15 00:37 . 2009-10-09 21:56 41472 ----a-w- c:\windows\system32\pwrshplugin.dll
2010-11-15 00:36 . 2009-08-01 06:27 201184 ----a-w- c:\windows\system32\winrm.vbs
2010-11-15 00:36 . 2009-10-09 21:56 214016 ----a-w- c:\windows\system32\WsmWmiPl.dll
2010-11-15 00:36 . 2009-10-09 21:56 241152 ----a-w- c:\windows\system32\winrscmd.dll
2010-11-15 00:36 . 2009-10-09 21:56 145408 ----a-w- c:\windows\system32\WsmAuto.dll
2010-11-15 00:36 . 2009-10-09 21:56 246272 ----a-w- c:\windows\system32\WSManHTTPConfig.exe
2010-11-15 00:36 . 2009-10-09 21:55 252416 ----a-w- c:\windows\system32\WSManMigrationPlugin.dll
2010-11-15 00:36 . 2009-10-09 21:56 1181696 ----a-w- c:\windows\system32\WsmSvc.dll
2010-11-15 00:36 . 2010-11-15 00:36 -------- d-----w- c:\windows\system32\x64
2010-11-11 13:54 . 2010-10-07 11:37 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2010-11-11 12:00 . 2010-11-11 12:00 -------- d-sh--w- c:\windows\system32\%APPDATA%
2010-11-09 00:41 . 2010-11-09 00:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-11-08 15:35 . 2010-11-08 15:35 -------- d-----w- c:\users\eoinphelan\AppData\Roaming\FloodLightGames
2010-11-08 12:04 . 2010-11-08 12:04 -------- d-----w- c:\programdata\Oberon Games
2010-11-08 11:26 . 2010-11-08 11:26 -------- d-----w- c:\users\eoinphelan\AppData\Local\ElevatedDiagnostics
2010-11-08 11:18 . 2010-11-08 11:24 -------- d-----w- c:\program files\Microsoft ATS
2010-11-06 11:37 . 2010-11-06 11:37 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-11-06 11:37 . 2010-11-06 11:37 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2010-11-04 17:26 . 2010-10-27 06:13 553696 ----a-w- c:\program files\Mozilla Firefox\uninstall\helper.exe
2010-11-04 17:26 . 2010-10-27 06:13 25048 ----a-w- c:\program files\Mozilla Firefox\components\browserdirprovider.dll
2010-11-04 17:26 . 2010-10-27 06:13 140248 ----a-w- c:\program files\Mozilla Firefox\components\brwsrcmp.dll
2010-11-04 17:26 . 2010-10-27 06:13 66520 ----a-w- c:\program files\Mozilla Firefox\plugins\npnul32.dll
2010-11-04 16:01 . 2010-11-07 23:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-04 16:01 . 2010-11-04 17:17 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-11-04 13:16 . 2010-11-04 13:16 -------- d-----w- c:\users\eoinphelan\AppData\Local\Apple Computer
2010-11-04 13:15 . 2010-11-25 13:02 -------- d-sh--w- c:\programdata\2D940B90985020252108E2D501B62DEF
2010-11-04 13:15 . 2010-11-28 21:14 -------- d-----w- c:\programdata\1748128816
2010-11-04 13:14 . 2010-11-04 13:14 264192 ----a-w- c:\programdata\AUDIOKSE32.dll
2010-11-04 13:13 . 2010-11-04 13:13 362496 ----a-w- c:\windows\system32\AUDIOKSE32.dll
2010-11-04 13:09 . 2010-11-04 13:09 -------- d-----w- c:\programdata\Apple Computer
2010-11-04 13:08 . 2010-11-04 13:08 -------- d-----w- c:\program files\Common Files\Apple
2010-11-04 13:07 . 2010-11-04 13:07 -------- d-----w- c:\users\eoinphelan\AppData\Local\Apple
2010-11-04 13:07 . 2010-11-04 13:07 -------- d-----w- c:\program files\Apple Software Update
2010-11-04 13:07 . 2010-11-04 13:07 -------- d-----w- c:\programdata\Apple
2010-11-04 12:44 . 2010-11-04 13:18 -------- d-----w- c:\users\eoinphelan\AppData\Roaming\FrostWire
2010-11-02 17:50 . 2010-11-02 17:50 -------- d-----w- c:\programdata\ScanSoft
2010-11-02 14:29 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-11-02 14:29 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-11-02 14:29 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-11-02 11:54 . 2010-11-23 13:11 -------- d-----w- c:\users\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 10:41 . 2010-06-20 18:34 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-13 22:28 . 2010-06-20 10:37 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-10-13 22:28 . 2010-06-20 10:37 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-10-13 22:28 . 2010-06-20 10:37 64304 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2010-10-13 22:28 . 2010-06-20 10:37 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-10-13 22:28 . 2010-06-20 10:37 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-10-13 22:28 . 2010-06-20 10:37 164840 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2010-10-13 22:28 . 2010-06-20 10:37 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-10-13 22:28 . 2010-06-20 10:37 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-10-13 22:28 . 2010-04-14 11:50 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-10-13 22:28 . 2010-04-14 11:50 386840 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-09-15 04:50 . 2010-06-30 12:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-13 13:56 . 2010-10-13 04:49 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 11:17 . 2010-09-08 11:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 11:17 . 2010-09-08 11:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-08 06:01 . 2010-10-13 04:47 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57 . 2010-10-13 04:47 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57 . 2010-10-13 04:47 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56 . 2010-10-13 04:47 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56 . 2010-10-13 04:47 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04 . 2010-10-13 04:47 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26 . 2010-10-13 04:47 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25 . 2010-10-13 04:47 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20 . 2010-10-13 04:48 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19 . 2010-10-13 04:48 17920 ----a-w- c:\windows\system32\netevent.dll
2010-09-06 13:45 . 2010-10-13 04:48 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-09-06 13:45 . 2010-10-13 04:48 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-06 13:45 . 2010-10-13 04:48 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-08-31 15:46 . 2010-10-13 04:44 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46 . 2010-10-13 04:44 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44 . 2010-10-13 04:39 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27 . 2010-10-13 04:44 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-07-07 23:05 . 2010-07-07 23:05 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2010-10-13 22:28 . 2010-06-20 10:37 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01C0DA96-AFCE-4F59-BC8E-77ADDA481218}]
2010-11-04 13:13 362496 ----a-w- c:\windows\System32\AUDIOKSE32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA83C0CD-C9A3-BE05-F70A-CA125237C8C3}]
2010-11-04 13:14 264192 ----a-w- c:\programdata\AUDIOKSE32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-05-15 01:05 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-13 19:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-13 19:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-13 19:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-13 68856]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-08-24 247144]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-11-24 395128]
"RTHDBPL"="c:\users\eoinphelan\AppData\Roaming\SysWin\lsass.exe" [BU]
"WLanConnwow.exe"="c:\windows\WLanConnwow.exe" [2010-11-27 509440]
"spwizengwow.exe"="c:\windows\spwizengwow.exe" [2010-11-27 509440]
"KBDBEwow.exe"="c:\windows\KBDBEwow.exe" [2010-11-28 509440]
"KBDTH2wow.exe"="c:\windows\KBDTH2wow.exe" [2010-11-27 509440]
"DevicePairingwow.exe"="c:\windows\DevicePairingwow.exe" [2010-11-28 509440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1049896]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-07 34040]
"ArcadeDeluxeAgent"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2008-04-10 147456]
"CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2008-04-10 167936]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2008-04-18 167936]
"RtHDVCpl"="RtHDVCpl.exe" [2008-06-13 6183456]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-09-10 809480]
"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-05-15 526896]
"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-06-11 409600]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-07 30192]
"ProductReg"="c:\program files\Acer\WR_PopUp\ProductReg.exe" [2008-09-23 6144]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"OPSE reminder"="c:\program files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" [2003-07-07 729088]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 170520]
"WLanConnwow.exe"="c:\windows\WLanConnwow.exe" [2010-11-27 509440]
"spwizengwow.exe"="c:\windows\spwizengwow.exe" [2010-11-27 509440]
"KBDTH2wow.exe"="c:\windows\KBDTH2wow.exe" [2010-11-27 509440]
"KBDBEwow.exe"="c:\windows\KBDBEwow.exe" [2010-11-28 509440]
"DevicePairingwow.exe"="c:\windows\DevicePairingwow.exe" [2010-11-28 509440]
"typelibwow.exe"="c:\windows\typelibwow.exe" [2010-11-28 509440]

c:\users\eoinphelan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\programdata\AUDIOKSE32.dll c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\programdata\AUDIOKSE32.dll c:\programdata\AUDIOKSE32.dll c:\programdata\AUDIOKSE32.dll c:\programdata\AUDIOKSE32.dll c:\programdata\AUDIOKSE32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-04 131072]
R2 WebClient32;WebClient ;c:\programdata\AUDIOKSE32.exe [2010-11-04 1369600]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-07-07 30192]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-13 84264]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-10-13 64304]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-10-13 164840]
S1 MOBKFilter;MOBKFilter;c:\windows\system32\DRIVERS\MOBK.sys [2010-04-13 54776]
S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl [2008-04-18 61424]
S2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
S2 CLHNService;CLHNService;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [2008-01-17 81504]
S2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-03-21 24576]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-10-13 188136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-10-13 141792]
S2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [2010-04-13 229688]
S2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-07 50424]
S2 NTIPPKernel;NTIPPKernel;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys [2008-01-17 122368]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2010-08-24 92008]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-13 55840]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-13 313288]


--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-11-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-13 13:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ie/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=1809&s=2&o=vb32&d=1108&m=aspire_5735
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
FF - ProfilePath - c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - www.google.ie
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1691.8062\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\eoinphelan\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-28 22:14
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RTHDBPL = c:\users\eoinphelan\AppData\Roaming\SysWin\lsass.exe???????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2348)
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
c:\program files\McAfee Online Backup\MOBKshell.dll
c:\windows\System32\SysHook.dll
.
Completion time: 2010-11-28 22:19:16
ComboFix-quarantined-files.txt 2010-11-28 22:19
ComboFix2.txt 2010-11-27 17:49
ComboFix3.txt 2010-11-25 15:34

Pre-Run: 19,404,566,528 bytes free
Post-Run: 19,152,916,480 bytes free

- - End Of File - - F896E217D8C7C3069A165B0E6ADC2585

#25 m0le


    Can U Dig It?


  • Malware Response Instructor
  • 33,698 posts
  • Gender:Male
  • Location:London, UK
  • Local time:04:51 PM

Posted 28 November 2010 - 07:00 PM

ComboFix is telling me that something is restoring the malware, and it looks like I missed a bad driver. Let's hope this does the trick.

1. Close any open browsers.

2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

File::
c:\users\eoinphelan\AppData\Roaming\SysWin\lsass.exe
c:\programdata\AUDIOKSE32.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDBPL"=-

Driver::
WebClient32


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the graphic below).


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

If the program asks you to update ComboFix, click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

Edited by m0le, 28 November 2010 - 07:00 PM.

[If I have helped you fix your PC then please donate. Thanks
m0le is a proud member of UNITE

#26 kkallstar

  • Topic Starter

  • Members
  • 17 posts
  • Local time:03:51 PM

Posted 29 November 2010 - 07:55 AM

Latest ComboFix log:

ComboFix 10-11-28.05 - eoinphelan 29/11/2010 12:01:48.7.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.353.1033.18.3000.1832 [GMT 0:00]
Running from: c:\users\eoinphelan\Desktop\comfix.exe
Command switches used :: c:\users\eoinphelan\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\programdata\AUDIOKSE32.exe"
"c:\users\eoinphelan\AppData\Roaming\SysWin\lsass.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{19721d37-9a51-409a-98ff-a1b1fed76892}
c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{19721d37-9a51-409a-98ff-a1b1fed76892}\chrome.manifest
c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{19721d37-9a51-409a-98ff-a1b1fed76892}\chrome\xulcache.jar
c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{19721d37-9a51-409a-98ff-a1b1fed76892}\defaults\preferences\xulcache.js
c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{19721d37-9a51-409a-98ff-a1b1fed76892}\install.rdf
c:\windows\cicwow.exe
.
---- Previous Run -------
.
c:\programdata\AUDIOKSE32.exe
c:\programdata\unrar.exe
c:\windows\DevicePairingwow.exe
c:\windows\KBDBEwow.exe
c:\windows\KBDINUK2wow.exe
c:\windows\KBDTH2wow.exe
c:\windows\lsass.exe
c:\windows\spwizengwow.exe
c:\windows\typelibwow.exe
c:\windows\WLanConnwow.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_WebClient32


((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-29 )))))))))))))))))))))))))))))))
.

2010-11-29 12:11 . 2010-11-29 12:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-28 23:51 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F9F597C1-D5E0-4F9F-9542-19E2DC992FB4}\mpengine.dll
2010-11-25 15:36 . 2010-11-25 15:36 0 ---ha-w- c:\users\eoinphelan\xibzhuxmha.tmp
2010-11-25 15:09 . 2010-11-25 15:34 -------- d-----w- C:\comfix
2010-11-24 16:05 . 2010-11-24 16:05 181760 ----a-w- c:\windows\system32\HMPV2_ENC_MMX32.exe
2010-11-24 13:04 . 2010-11-24 13:04 -------- d-----w- c:\program files\uTorrent
2010-11-24 13:04 . 2010-11-29 12:06 -------- d-----w- c:\users\eoinphelan\AppData\Roaming\uTorrent
2010-11-24 13:02 . 2010-11-25 11:40 -------- d-----w- c:\users\eoinphelan\AppData\Roaming\ImgBurn
2010-11-24 12:52 . 2010-11-24 12:52 -------- d-----w- c:\program files\ImgBurn
2010-11-24 12:42 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2010-11-23 13:34 . 2010-11-04 13:13 1369600 ----a-w- c:\programdata\hbaapi32.exe
2010-11-15 00:37 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2010-11-15 00:37 . 2009-10-09 21:56 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
2010-11-15 00:37 . 2009-10-09 21:56 20480 ----a-w- c:\windows\system32\winrshost.exe
2010-11-15 00:37 . 2009-10-09 21:56 40448 ----a-w- c:\windows\system32\winrs.exe
2010-11-15 00:37 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\wsmplpxy.dll
2010-11-15 00:37 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\winrssrv.dll
2010-11-15 00:37 . 2009-10-09 21:55 79872 ----a-w- c:\windows\system32\wecutil.exe
2010-11-15 00:37 . 2009-10-09 21:55 54272 ----a-w- c:\windows\system32\WsmRes.dll
2010-11-15 00:37 . 2009-10-09 21:55 146944 ----a-w- c:\windows\system32\wecsvc.dll
2010-11-15 00:37 . 2009-10-09 21:55 81408 ----a-w- c:\windows\system32\wevtfwd.dll
2010-11-15 00:37 . 2009-10-09 21:55 56320 ----a-w- c:\windows\system32\wecapi.dll
2010-11-15 00:37 . 2009-10-09 21:56 41472 ----a-w- c:\windows\system32\pwrshplugin.dll
2010-11-15 00:36 . 2009-08-01 06:27 201184 ----a-w- c:\windows\system32\winrm.vbs
2010-11-15 00:36 . 2009-10-09 21:56 214016 ----a-w- c:\windows\system32\WsmWmiPl.dll
2010-11-15 00:36 . 2009-10-09 21:56 241152 ----a-w- c:\windows\system32\winrscmd.dll
2010-11-15 00:36 . 2009-10-09 21:56 145408 ----a-w- c:\windows\system32\WsmAuto.dll
2010-11-15 00:36 . 2009-10-09 21:56 246272 ----a-w- c:\windows\system32\WSManHTTPConfig.exe
2010-11-15 00:36 . 2009-10-09 21:55 252416 ----a-w- c:\windows\system32\WSManMigrationPlugin.dll
2010-11-15 00:36 . 2009-10-09 21:56 1181696 ----a-w- c:\windows\system32\WsmSvc.dll
2010-11-15 00:36 . 2010-11-15 00:36 -------- d-----w- c:\windows\system32\x64
2010-11-11 13:54 . 2010-10-07 11:37 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2010-11-11 12:00 . 2010-11-11 12:00 -------- d-sh--w- c:\windows\system32\%APPDATA%
2010-11-09 00:41 . 2010-11-09 00:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-11-08 15:35 . 2010-11-08 15:35 -------- d-----w- c:\users\eoinphelan\AppData\Roaming\FloodLightGames
2010-11-08 12:04 . 2010-11-08 12:04 -------- d-----w- c:\programdata\Oberon Games
2010-11-08 11:26 . 2010-11-08 11:26 -------- d-----w- c:\users\eoinphelan\AppData\Local\ElevatedDiagnostics
2010-11-08 11:18 . 2010-11-08 11:24 -------- d-----w- c:\program files\Microsoft ATS
2010-11-06 11:37 . 2010-11-06 11:37 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-11-06 11:37 . 2010-11-06 11:37 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2010-11-04 17:26 . 2010-10-27 06:13 553696 ----a-w- c:\program files\Mozilla Firefox\uninstall\helper.exe
2010-11-04 17:26 . 2010-10-27 06:13 25048 ----a-w- c:\program files\Mozilla Firefox\components\browserdirprovider.dll
2010-11-04 17:26 . 2010-10-27 06:13 140248 ----a-w- c:\program files\Mozilla Firefox\components\brwsrcmp.dll
2010-11-04 17:26 . 2010-10-27 06:13 66520 ----a-w- c:\program files\Mozilla Firefox\plugins\npnul32.dll
2010-11-04 16:01 . 2010-11-07 23:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-04 16:01 . 2010-11-04 17:17 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-11-04 13:16 . 2010-11-04 13:16 -------- d-----w- c:\users\eoinphelan\AppData\Local\Apple Computer
2010-11-04 13:15 . 2010-11-25 13:02 -------- d-sh--w- c:\programdata\2D940B90985020252108E2D501B62DEF
2010-11-04 13:15 . 2010-11-29 10:00 -------- d-----w- c:\programdata\1748128816
2010-11-04 13:14 . 2010-11-04 13:14 264192 ----a-w- c:\programdata\AUDIOKSE32.dll
2010-11-04 13:13 . 2010-11-04 13:13 362496 ----a-w- c:\windows\system32\AUDIOKSE32.dll
2010-11-04 13:09 . 2010-11-04 13:09 -------- d-----w- c:\programdata\Apple Computer
2010-11-04 13:08 . 2010-11-04 13:08 -------- d-----w- c:\program files\Common Files\Apple
2010-11-04 13:07 . 2010-11-04 13:07 -------- d-----w- c:\users\eoinphelan\AppData\Local\Apple
2010-11-04 13:07 . 2010-11-04 13:07 -------- d-----w- c:\program files\Apple Software Update
2010-11-04 13:07 . 2010-11-04 13:07 -------- d-----w- c:\programdata\Apple
2010-11-04 12:44 . 2010-11-04 13:18 -------- d-----w- c:\users\eoinphelan\AppData\Roaming\FrostWire
2010-11-02 17:50 . 2010-11-02 17:50 -------- d-----w- c:\programdata\ScanSoft
2010-11-02 14:29 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-11-02 14:29 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-11-02 14:29 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-11-02 11:54 . 2010-11-23 13:11 -------- d-----w- c:\users\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 10:41 . 2010-06-20 18:34 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-13 22:28 . 2010-06-20 10:37 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-10-13 22:28 . 2010-06-20 10:37 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-10-13 22:28 . 2010-06-20 10:37 64304 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2010-10-13 22:28 . 2010-06-20 10:37 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-10-13 22:28 . 2010-06-20 10:37 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-10-13 22:28 . 2010-06-20 10:37 164840 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2010-10-13 22:28 . 2010-06-20 10:37 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-10-13 22:28 . 2010-06-20 10:37 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-10-13 22:28 . 2010-04-14 11:50 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-10-13 22:28 . 2010-04-14 11:50 386840 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-09-15 04:50 . 2010-06-30 12:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-13 13:56 . 2010-10-13 04:49 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 11:17 . 2010-09-08 11:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 11:17 . 2010-09-08 11:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-08 06:01 . 2010-10-13 04:47 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57 . 2010-10-13 04:47 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57 . 2010-10-13 04:47 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56 . 2010-10-13 04:47 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56 . 2010-10-13 04:47 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04 . 2010-10-13 04:47 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26 . 2010-10-13 04:47 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25 . 2010-10-13 04:47 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20 . 2010-10-13 04:48 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19 . 2010-10-13 04:48 17920 ----a-w- c:\windows\system32\netevent.dll
2010-09-06 13:45 . 2010-10-13 04:48 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-09-06 13:45 . 2010-10-13 04:48 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-06 13:45 . 2010-10-13 04:48 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-08-31 15:46 . 2010-10-13 04:44 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46 . 2010-10-13 04:44 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44 . 2010-10-13 04:39 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27 . 2010-10-13 04:44 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-07-07 23:05 . 2010-07-07 23:05 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2010-10-13 22:28 . 2010-06-20 10:37 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01C0DA96-AFCE-4F59-BC8E-77ADDA481218}]
2010-11-04 13:13 362496 ----a-w- c:\windows\System32\AUDIOKSE32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA83C0CD-C9A3-BE05-F70A-CA125237C8C3}]
2010-11-04 13:14 264192 ----a-w- c:\programdata\AUDIOKSE32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-05-15 01:05 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-13 19:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-13 19:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-13 19:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-13 68856]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-08-24 247144]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-11-24 395128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1049896]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-07 34040]
"ArcadeDeluxeAgent"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2008-04-10 147456]
"CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2008-04-10 167936]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2008-04-18 167936]
"RtHDVCpl"="RtHDVCpl.exe" [2008-06-13 6183456]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-09-10 809480]
"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-05-15 526896]
"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-06-11 409600]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-07 30192]
"ProductReg"="c:\program files\Acer\WR_PopUp\ProductReg.exe" [2008-09-23 6144]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"OPSE reminder"="c:\program files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" [2003-07-07 729088]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 170520]
"RTHDBPL"="c:\windows\lsass.exe" [BU]

c:\users\eoinphelan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\programdata\AUDIOKSE32.dll c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\programdata\AUDIOKSE32.dll c:\programdata\AUDIOKSE32.dll c:\programdata\AUDIOKSE32.dll c:\programdata\AUDIOKSE32.dll c:\programdata\AUDIOKSE32.dll c:\programdata\AUDIOKSE32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-04 131072]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-07-07 30192]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-13 84264]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-10-13 64304]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-10-13 164840]
S1 MOBKFilter;MOBKFilter;c:\windows\system32\DRIVERS\MOBK.sys [2010-04-13 54776]
S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl [2008-04-18 61424]
S2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
S2 CLHNService;CLHNService;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [2008-01-17 81504]
S2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-03-21 24576]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-10-13 188136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-10-13 141792]
S2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [2010-04-13 229688]
S2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-07 50424]
S2 NTIPPKernel;NTIPPKernel;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys [2008-01-17 122368]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2010-08-24 92008]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-13 55840]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-13 313288]


--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-11-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-13 13:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ie/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=1809&s=2&o=vb32&d=1108&m=aspire_5735
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
FF - ProfilePath - c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - www.google.ie
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1691.8062\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\eoinphelan\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-WLanConnwow.exe - c:\windows\WLanConnwow.exe
HKCU-Run-spwizengwow.exe - c:\windows\spwizengwow.exe
HKCU-Run-KBDBEwow.exe - c:\windows\KBDBEwow.exe
HKCU-Run-KBDTH2wow.exe - c:\windows\KBDTH2wow.exe
HKCU-Run-DevicePairingwow.exe - c:\windows\DevicePairingwow.exe
HKCU-Run-typelibwow.exe - c:\windows\typelibwow.exe
HKCU-Run-KBDINUK2wow.exe - c:\windows\KBDINUK2wow.exe
HKCU-Run-cicwow.exe - c:\windows\cicwow.exe
HKLM-Run-WLanConnwow.exe - c:\windows\WLanConnwow.exe
HKLM-Run-spwizengwow.exe - c:\windows\spwizengwow.exe
HKLM-Run-KBDTH2wow.exe - c:\windows\KBDTH2wow.exe
HKLM-Run-KBDBEwow.exe - c:\windows\KBDBEwow.exe
HKLM-Run-DevicePairingwow.exe - c:\windows\DevicePairingwow.exe
HKLM-Run-typelibwow.exe - c:\windows\typelibwow.exe
HKLM-Run-KBDINUK2wow.exe - c:\windows\KBDINUK2wow.exe
HKLM-Run-cicwow.exe - c:\windows\cicwow.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-29 12:11
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
RTHDBPL = c:\windows\lsass.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-11-29 12:14:29
ComboFix-quarantined-files.txt 2010-11-29 12:14
ComboFix2.txt 2010-11-28 22:19
ComboFix3.txt 2010-11-27 17:49
ComboFix4.txt 2010-11-25 15:34

Pre-Run: 19,583,234,048 bytes free
Post-Run: 19,539,750,912 bytes free

- - End Of File - - ADA9ED2CF0F3BDC6C8033A489D608048

#27 m0le

m0le

    Can U Dig It?


  • Malware Response Instructor
  • 33,698 posts
  • Gender:Male
  • Location:London, UK

Posted 29 November 2010 - 04:57 PM

Now more of it gets uncovered, nasty customer:

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

File::
c:\windows\System32\AUDIOKSE32.dll
c:\programdata\AUDIOKSE32.dll
c:\users\eoinphelan\xibzhuxmha.tmp
c:\windows\lsass.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01C0DA96-AFCE-4F59-BC8E-77ADDA481218}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA83C0CD-C9A3-BE05-F70A-CA125237C8C3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDBPL"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the graphic below).


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

If the program requests that you update ComboFix, then click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.


Please also now run MBAM.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update, then download and update MBAM on a clean computer, then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware', then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Edited by m0le, 29 November 2010 - 04:58 PM.

If I have helped you fix your PC then please donate. Thanks
m0le is a proud member of UNITE
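As an added example (not code from this thread, from ComboFix or from m0le), the Python helper below performs the check a responder does by eye on the catchme and ORPHANS output above: it flags autostart entries whose executable borrows a system32-only name but lives elsewhere (the genuine lsass.exe resides in c:\windows\system32), the generated *wow.exe loaders in the Windows root, and any entry catchme listed as a hidden autostart. The sample log lines are constructed in the shape of the thread's logs, and the SYSTEM32_ONLY list is an assumption for the example.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", ["entry", "path", "reason"])

# Assumption for this example: Windows binaries that belong only in
# %SystemRoot%\System32. One of these names in any other directory
# (e.g. c:\windows\lsass.exe, as catchme reported) is masquerading.
SYSTEM32_ONLY = {"lsass.exe", "csrss.exe", "smss.exe", "services.exe",
                 "winlogon.exe", "svchost.exe"}
SYSTEM32_DIR = r"c:\windows\system32"
WINDOWS_ROOT = r"c:\windows"

# ComboFix "ORPHANS REMOVED" lines:  HKLM-Run-cicwow.exe - c:\windows\cicwow.exe
ORPHAN_RE = re.compile(r"^(?:HKCU|HKLM)-Run-(?P<name>\S+) - (?P<path>.+?)\s*$")
# catchme hidden-autostart lines:    RTHDBPL = c:\windows\lsass.exe?????
CATCHME_RE = re.compile(r"^(?P<name>\w+) = (?P<path>[^?]+)\?*$")


def split_win_path(path):
    """Return (directory, basename) of a Windows path, both lower-cased."""
    directory, _, base = path.strip().lower().rpartition("\\")
    return directory, base


def classify(name, path, hidden):
    """Return the list of reasons an autostart entry looks suspicious."""
    directory, base = split_win_path(path)
    reasons = []
    if base in SYSTEM32_ONLY and directory != SYSTEM32_DIR:
        reasons.append("system binary name outside system32")
    if base.endswith("wow.exe") and directory == WINDOWS_ROOT:
        reasons.append("generated *wow.exe loader in windows root")
    if hidden:
        reasons.append("autostart hidden from normal registry enumeration")
    return reasons


def triage(log_text):
    """Walk ComboFix/catchme log text and collect suspicious autostart entries."""
    findings = []
    hidden_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        # catchme prints hidden autostarts between these two banner lines
        if line.startswith("scanning hidden autostart entries"):
            hidden_section = True
            continue
        if line.startswith("scanning hidden files"):
            hidden_section = False
            continue
        m = ORPHAN_RE.match(line)
        if m:
            for reason in classify(m["name"], m["path"], hidden=False):
                findings.append(Finding(m["name"], m["path"].lower(), reason))
            continue
        if hidden_section:
            m = CATCHME_RE.match(line)
            if m:
                for reason in classify(m["name"], m["path"], hidden=True):
                    findings.append(Finding(m["name"], m["path"].lower(), reason))
    return findings


# Constructed sample in the shape of the thread's logs (not copied verbatim);
# the last line is a benign control entry and must not be flagged.
SAMPLE_LOG = r"""
scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
RTHDBPL = c:\windows\lsass.exe???????????????

scanning hidden files ...

- - - - ORPHANS REMOVED - - - -

HKCU-Run-cicwow.exe - c:\windows\cicwow.exe
HKLM-Run-KBDBEwow.exe - c:\windows\KBDBEwow.exe
HKLM-Run-Persistence - c:\windows\system32\igfxpers.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry:15} {f.path:40} {f.reason}")
```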

#28 kkallstar

kkallstar
  • Topic Starter

  • Members
  • 17 posts

Posted 30 November 2010 - 07:14 AM

Latest ComboFix log. MBAM log is included as an attachment.

ComboFix 10-11-29.05 - eoinphelan 30/11/2010 10:16:49.9.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.353.1033.18.3000.1893 [GMT 0:00]
Running from: c:\users\eoinphelan\Desktop\comfix.exe
Command switches used :: c:\users\eoinphelan\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\programdata\AUDIOKSE32.dll"
"c:\users\eoinphelan\xibzhuxmha.tmp"
"c:\windows\lsass.exe"
"c:\windows\System32\AUDIOKSE32.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\programdata\AUDIOKSE32.dll
c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{d76807d7-0b7f-4edc-a586-b12bf307ba7b}
c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{d76807d7-0b7f-4edc-a586-b12bf307ba7b}\chrome.manifest
c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{d76807d7-0b7f-4edc-a586-b12bf307ba7b}\chrome\xulcache.jar
c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{d76807d7-0b7f-4edc-a586-b12bf307ba7b}\defaults\preferences\xulcache.js
c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{d76807d7-0b7f-4edc-a586-b12bf307ba7b}\install.rdf
c:\users\eoinphelan\xibzhuxmha.tmp
c:\windows\System32\AUDIOKSE32.dll

-- Previous Run --

Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\ntfs.sys

--------

.
((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-30 )))))))))))))))))))))))))))))))
.

2010-11-30 10:32 . 2010-11-30 10:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-30 10:13 . 2010-11-30 10:13 -------- d-----w- C:\32788R22FWJFW
2010-11-30 00:46 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-30 00:46 . 2010-11-30 00:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-30 00:46 . 2010-04-29 15:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-28 23:51 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F9F597C1-D5E0-4F9F-9542-19E2DC992FB4}\mpengine.dll
2010-11-25 15:09 . 2010-11-25 15:34 -------- d-----w- C:\comfix
2010-11-24 16:05 . 2010-11-24 16:05 181760 ----a-w- c:\windows\system32\HMPV2_ENC_MMX32.exe
2010-11-24 13:04 . 2010-11-24 13:04 -------- d-----w- c:\program files\uTorrent
2010-11-24 13:04 . 2010-11-30 10:30 -------- d-----w- c:\users\eoinphelan\AppData\Roaming\uTorrent
2010-11-24 13:02 . 2010-11-25 11:40 -------- d-----w- c:\users\eoinphelan\AppData\Roaming\ImgBurn
2010-11-24 12:52 . 2010-11-24 12:52 -------- d-----w- c:\program files\ImgBurn
2010-11-24 12:42 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2010-11-23 13:34 . 2010-11-04 13:13 1369600 ----a-w- c:\programdata\hbaapi32.exe
2010-11-15 00:37 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2010-11-15 00:37 . 2009-10-09 21:56 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
2010-11-15 00:37 . 2009-10-09 21:56 20480 ----a-w- c:\windows\system32\winrshost.exe
2010-11-15 00:37 . 2009-10-09 21:56 40448 ----a-w- c:\windows\system32\winrs.exe
2010-11-15 00:37 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\wsmplpxy.dll
2010-11-15 00:37 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\winrssrv.dll
2010-11-15 00:37 . 2009-10-09 21:55 79872 ----a-w- c:\windows\system32\wecutil.exe
2010-11-15 00:37 . 2009-10-09 21:55 54272 ----a-w- c:\windows\system32\WsmRes.dll
2010-11-15 00:37 . 2009-10-09 21:55 146944 ----a-w- c:\windows\system32\wecsvc.dll
2010-11-15 00:37 . 2009-10-09 21:55 81408 ----a-w- c:\windows\system32\wevtfwd.dll
2010-11-15 00:37 . 2009-10-09 21:55 56320 ----a-w- c:\windows\system32\wecapi.dll
2010-11-15 00:37 . 2009-10-09 21:56 41472 ----a-w- c:\windows\system32\pwrshplugin.dll
2010-11-15 00:36 . 2009-08-01 06:27 201184 ----a-w- c:\windows\system32\winrm.vbs
2010-11-15 00:36 . 2009-10-09 21:56 214016 ----a-w- c:\windows\system32\WsmWmiPl.dll
2010-11-15 00:36 . 2009-10-09 21:56 241152 ----a-w- c:\windows\system32\winrscmd.dll
2010-11-15 00:36 . 2009-10-09 21:56 145408 ----a-w- c:\windows\system32\WsmAuto.dll
2010-11-15 00:36 . 2009-10-09 21:56 246272 ----a-w- c:\windows\system32\WSManHTTPConfig.exe
2010-11-15 00:36 . 2009-10-09 21:55 252416 ----a-w- c:\windows\system32\WSManMigrationPlugin.dll
2010-11-15 00:36 . 2009-10-09 21:56 1181696 ----a-w- c:\windows\system32\WsmSvc.dll
2010-11-15 00:36 . 2010-11-15 00:36 -------- d-----w- c:\windows\system32\x64
2010-11-11 13:54 . 2010-10-07 11:37 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2010-11-11 12:00 . 2010-11-11 12:00 -------- d-sh--w- c:\windows\system32\%APPDATA%
2010-11-09 00:41 . 2010-11-09 00:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-11-08 15:35 . 2010-11-08 15:35 -------- d-----w- c:\users\eoinphelan\AppData\Roaming\FloodLightGames
2010-11-08 12:04 . 2010-11-08 12:04 -------- d-----w- c:\programdata\Oberon Games
2010-11-08 11:26 . 2010-11-08 11:26 -------- d-----w- c:\users\eoinphelan\AppData\Local\ElevatedDiagnostics
2010-11-08 11:18 . 2010-11-08 11:24 -------- d-----w- c:\program files\Microsoft ATS
2010-11-06 11:37 . 2010-11-06 11:37 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-11-06 11:37 . 2010-11-06 11:37 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2010-11-04 17:26 . 2010-10-27 06:13 553696 ----a-w- c:\program files\Mozilla Firefox\uninstall\helper.exe
2010-11-04 17:26 . 2010-10-27 06:13 25048 ----a-w- c:\program files\Mozilla Firefox\components\browserdirprovider.dll
2010-11-04 17:26 . 2010-10-27 06:13 140248 ----a-w- c:\program files\Mozilla Firefox\components\brwsrcmp.dll
2010-11-04 17:26 . 2010-10-27 06:13 66520 ----a-w- c:\program files\Mozilla Firefox\plugins\npnul32.dll
2010-11-04 16:01 . 2010-11-07 23:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-11-04 16:01 . 2010-11-04 17:17 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-11-04 13:16 . 2010-11-04 13:16 -------- d-----w- c:\users\eoinphelan\AppData\Local\Apple Computer
2010-11-04 13:15 . 2010-11-25 13:02 -------- d-sh--w- c:\programdata\2D940B90985020252108E2D501B62DEF
2010-11-04 13:15 . 2010-11-29 10:00 -------- d-----w- c:\programdata\1748128816
2010-11-04 13:09 . 2010-11-04 13:09 -------- d-----w- c:\programdata\Apple Computer
2010-11-04 13:08 . 2010-11-04 13:08 -------- d-----w- c:\program files\Common Files\Apple
2010-11-04 13:07 . 2010-11-04 13:07 -------- d-----w- c:\users\eoinphelan\AppData\Local\Apple
2010-11-04 13:07 . 2010-11-04 13:07 -------- d-----w- c:\program files\Apple Software Update
2010-11-04 13:07 . 2010-11-04 13:07 -------- d-----w- c:\programdata\Apple
2010-11-04 12:44 . 2010-11-04 13:18 -------- d-----w- c:\users\eoinphelan\AppData\Roaming\FrostWire
2010-11-02 17:50 . 2010-11-02 17:50 -------- d-----w- c:\programdata\ScanSoft
2010-11-02 14:29 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-11-02 14:29 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-11-02 14:29 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-11-02 11:54 . 2010-11-23 13:11 -------- d-----w- c:\users\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 10:41 . 2010-06-20 18:34 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-13 22:28 . 2010-06-20 10:37 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-10-13 22:28 . 2010-06-20 10:37 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-10-13 22:28 . 2010-06-20 10:37 64304 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2010-10-13 22:28 . 2010-06-20 10:37 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-10-13 22:28 . 2010-06-20 10:37 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-10-13 22:28 . 2010-06-20 10:37 164840 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2010-10-13 22:28 . 2010-06-20 10:37 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-10-13 22:28 . 2010-06-20 10:37 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-10-13 22:28 . 2010-04-14 11:50 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-10-13 22:28 . 2010-04-14 11:50 386840 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-09-15 04:50 . 2010-06-30 12:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-13 13:56 . 2010-10-13 04:49 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 11:17 . 2010-09-08 11:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 11:17 . 2010-09-08 11:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-08 06:01 . 2010-10-13 04:47 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57 . 2010-10-13 04:47 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57 . 2010-10-13 04:47 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56 . 2010-10-13 04:47 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56 . 2010-10-13 04:47 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04 . 2010-10-13 04:47 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26 . 2010-10-13 04:47 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25 . 2010-10-13 04:47 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20 . 2010-10-13 04:48 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19 . 2010-10-13 04:48 17920 ----a-w- c:\windows\system32\netevent.dll
2010-09-06 13:45 . 2010-10-13 04:48 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-09-06 13:45 . 2010-10-13 04:48 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-06 13:45 . 2010-10-13 04:48 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-07-07 23:05 . 2010-07-07 23:05 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2010-10-13 22:28 . 2010-06-20 10:37 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-05-15 01:05 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-13 19:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-13 19:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-13 19:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-13 68856]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-08-24 247144]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-11-24 395128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1049896]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-07 34040]
"ArcadeDeluxeAgent"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2008-04-10 147456]
"CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2008-04-10 167936]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2008-04-18 167936]
"RtHDVCpl"="RtHDVCpl.exe" [2008-06-13 6183456]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-09-10 809480]
"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-05-15 526896]
"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-06-11 409600]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-07 30192]
"ProductReg"="c:\program files\Acer\WR_PopUp\ProductReg.exe" [2008-09-23 6144]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"OPSE reminder"="c:\program files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" [2003-07-07 729088]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 170520]

c:\users\eoinphelan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-04 131072]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-07-07 30192]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-13 84264]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-10-13 64304]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-10-13 164840]
S1 MOBKFilter;MOBKFilter;c:\windows\system32\DRIVERS\MOBK.sys [2010-04-13 54776]
S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl [2008-04-18 61424]
S2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
S2 CLHNService;CLHNService;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [2008-01-17 81504]
S2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-03-21 24576]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-10-13 188136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-10-13 141792]
S2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [2010-04-13 229688]
S2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-07 50424]
S2 NTIPPKernel;NTIPPKernel;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys [2008-01-17 122368]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2010-08-24 92008]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-13 55840]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-13 313288]


--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-11-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-13 13:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ie/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=1809&s=2&o=vb32&d=1108&m=aspire_5735
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
FF - ProfilePath - c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - www.google.ie
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1691.8062\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\eoinphelan\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\eoinphelan\AppData\Roaming\Mozilla\Firefox\Profiles\wymjiw9t.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-30 10:33
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2444)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
c:\program files\McAfee Online Backup\MOBKshell.dll
c:\windows\System32\SysHook.dll
.
Completion time: 2010-11-30 10:37:31
ComboFix-quarantined-files.txt 2010-11-30 10:37
ComboFix2.txt 2010-11-29 12:14
ComboFix3.txt 2010-11-28 22:19
ComboFix4.txt 2010-11-27 17:49
ComboFix5.txt 2010-11-30 09:47

Pre-Run: 19,258,994,688 bytes free
Post-Run: 19,228,217,344 bytes free

- - End Of File - - 61E9FC5BACD2CD3EF6C17B0BEC5A3EF2

Attached Files



#29 m0le

m0le

    Can U Dig It?


  • Malware Response Instructor
  • 33,698 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:51 PM

Posted 30 November 2010 - 07:13 PM

That is one nasty trojan, and new to me.

MBAM has done a great job of clearing up but I have to ask you to run it again for me as I don't trust this malware. Use the same instructions as before and post or attach the log.


When that's done please run ESET online as shown below

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Leave the top box checked and then check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
If I have helped you fix your PC then please donate. Thanks
m0le is a proud member of UNITE

#30 kkallstar

kkallstar
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:03:51 PM

Posted 01 December 2010 - 04:38 PM

I have attached the ESET log. When I ran ESET the first time it found and fixed 18 threats. However, the scan stalled at 46% (49,419 files scanned) and did not proceed after this (I left it for 4 hours at one stage). I stopped the scan and it produced the log. I then tried to run the scan again a couple more times and it stalled at the same point (46%).

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5214

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975

01/12/2010 11:44:38
mbam-log-2010-12-01 (11-44-38).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 293896
Time elapsed: 1 hour(s), 52 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



