BleepingComputer.com: Phantom Virus - Posssible Worm Suffix?

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

Phantom Virus - Posssible Worm Suffix? Eating Hard Drive Space - Don't Know How To Remove!

#1 User is offline   geoph 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 8
  • Joined: 26-April 11

Posted 26 April 2011 - 06:11 PM

It's created a virtual drive and storing files there. It keeps moving files that i cannot access after it has moved it. My hard drive keeps getting smaller and smaller Please Help!

DDS Logs

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by geoff at 11:44:31.18 on 26/04/2011
Internet Explorer: 9.0.8112.16421
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2814.1649 [GMT -4:00]
.
AV: Bell Internet Security Services Anti-Virus *Disabled/Updated* {A61154FD-4365-E00F-9A33-13A09AD54B56}
SP: Bell Internet Security Services Anti-Spyware *Disabled/Updated* {1D70B519-655F-EF81-A083-28D2E15201EB}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Bell Internet Security Services Firewall *Disabled* {9E2AD5D8-090A-E157-B16C-BA9564060C2D}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Bell\Bell Internet Security Services\Fws.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe
C:\Program Files\Acer\Empowering Technology\SysMonitor.exe
C:\Program Files\Acer\Empowering Technology\Framework.Launcher.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Program Files\D-Link\DWA-125 revA\AirGCFG.exe
C:\Program Files\BellCanada\McciTrayApp.exe
C:\Program Files\Bell\Internet Service Advisor\BISA.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
C:\Program Files\D-Link\DWA-125 revA\ANIWZCSdS.exe
C:\Program Files\D-Link\DWA-125 revA\ANIWConnService.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Bell\Bell Internet Security Services\RpsSecurityAwareR.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Bell\Internet Service Advisor\ServicepointService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Personal Vault Backup Manager\VaultClientSRV.exe
C:\Program Files\Personal Vault Backup Manager\VaultClientUpgrade.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\UI0Detect.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10o_ActiveX.exe
C:\Windows\system32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\geoff\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UUHP3YZW\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.sympatico.ca/
mStart Page = about:blank
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\program files\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\program files\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {BA14329E-9550-4989-B3F2-9732E92D17CC} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
TB: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No File
TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Acer Empowering Technology Monitor] c:\program files\acer\empowering technology\SysMonitor.exe
mRun: [EmpoweringTechnology] c:\program files\acer\empowering technology\Framework.Launcher.exe boot
mRun: [eDataSecurity Loader] c:\program files\acer\empowering technology\edatasecurity\x86\eDSloader.exe
mRun: [Acer Assist Launcher] c:\program files\acer\acer assist\launcher.exe
mRun: [eRecoveryService]
mRun: [D-Link D-Link DWA-125] c:\program files\d-link\dwa-125 reva\AirGCFG.exe
mRun: [BellCanada_McciTrayApp] "c:\program files\bellcanada\McciTrayApp.exe"
mRun: [BISA.exe] "c:\program files\bell\internet service advisor\BISA.exe" /AUTORUN
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRunOnce: [NoIE4StubProcessing] c:\windows\system32\reg.exe delete "hklm\software\microsoft\active setup\Installed Components" /v "NoIE4StubProcessing" /f
mRunOnce: [wextract_cleanup0] rundll32.exe c:\windows\system32\advpack.dll,delnoderundll32 "c:\windows\temp\ixp000.tmp\"
StartupFolder: c:\users\geoff\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\programs\partygaming\partypoker\RunApp.exe
IE: {F4430FE8-2638-42e5-B849-800749B94EED} - c:\programs\partygaming.net\partypokernet\RunPF.exe
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {B58926D6-CFB0-45d2-9C28-4B5A0F0368AE} - {7A3D6D17-9DD5-4C60-8076-D1784DABAF8C}
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
TCP: {535B8C3A-C6E0-40EF-A618-94E961B89A1A} = 192.168.2.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-4-15 25608]
R1 anodlwf;ANOD Network Security Filter driver;c:\windows\system32\drivers\anodlwf.sys [2010-9-29 12800]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\acer arcade live\acer homemedia connect\kernel\dms\CLMSServer.exe [2008-8-21 269448]
R2 D_Link_DWA-125;D_Link_DWA-125 Service;c:\program files\d-link\dwa-125 reva\ANIWZCSdS.exe [2010-9-29 126976]
R2 D_Link_DWA-125_WPS;D_Link_DWA-125_WPS Service;c:\program files\d-link\dwa-125 reva\ANIWConnService.exe [2010-9-29 40960]
R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2008-8-21 24576]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 Radialpoint Security Services;Bell Internet Security Services;c:\program files\bell\bell internet security services\RpsSecurityAwareR.exe [2010-1-18 165408]
R2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\bell\bell internet security services\avg\identity protection\agent\bin\AVGIDSAgent.exe [2010-9-30 5832712]
R2 ServicepointService;ServicepointService;c:\program files\bell\internet service advisor\ServicepointService.exe [2010-9-30 689392]
R2 VaultClientSRV;Personal Vault Backup Manager Service;c:\program files\personal vault backup manager\VaultClientSRV.exe [2010-1-17 1051728]
R2 VaultClientUpgrade;Personal Vault Backup Manager Upgrade Service;c:\program files\personal vault backup manager\VaultClientUpgrade.exe [2010-1-17 56400]
R3 netr28u;D-Link dnetr28u USB Extensible Wireless LAN Card Driver;c:\windows\system32\drivers\Dnetr28u.sys [2010-9-29 798208]
R3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\bell\bell internet security services\avg\identity protection\agent\drivers\AVGIDSDriver.sys [2010-9-30 122376]
R3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\bell\bell internet security services\avg\identity protection\agent\drivers\AVGIDSfilter.sys [2010-9-30 30216]
R3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\bell\bell internet security services\avg\identity protection\agent\drivers\AVGIDSShim.sys [2010-9-30 27800]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MSMQSVC;Message Queuing Service;c:\windows\system32\mqsv32.exe --> c:\windows\system32\mqsv32.exe [?]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-10-20 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2011-04-26 15:28:50 388096 ----a-r- c:\users\geoff\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-04-26 05:43:08 7071056 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{58a975fd-3937-48f3-ad91-9199fab3437f}\mpengine.dll
2011-04-23 14:23:25 -------- d-----w- c:\program files\GOG.com
2011-04-23 02:54:52 -------- d-----w- c:\users\geoff\FrostWire
2011-04-23 02:54:37 -------- d-----w- c:\program files\Ask.com
2011-04-23 02:54:22 -------- d-----w- c:\program files\FrostWire
2011-04-22 22:17:14 -------- d-----w- c:\program files\1C
2011-04-22 13:49:40 -------- d-----w- c:\windows\CheckSur
2011-04-17 23:22:39 696320 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iKernel.dll
2011-04-17 23:22:39 57344 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\ctor.dll
2011-04-17 23:22:39 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\DotNetInstaller.exe
2011-04-17 23:22:39 282756 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\setup.dll
2011-04-17 23:22:39 237568 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iscript.dll
2011-04-17 23:22:39 163972 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iGdi.dll
2011-04-17 23:22:39 155648 ----a-w- c:\program files\common files\installshield\professional\runtime\0701\intel32\iuser.dll
2011-04-16 16:09:50 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-16 16:08:45 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-04-16 14:23:03 -------- d-----w- c:\program files\uTorrent
2011-04-16 14:22:21 -------- d-----w- c:\users\geoff\appdata\roaming\uTorrent
2011-04-16 14:15:39 -------- d-----w- C:\extensions
2011-04-16 03:01:45 25608 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
2011-04-15 20:55:51 -------- d--h--w- C:\$AVG
2011-04-15 20:46:10 -------- d--h--w- c:\users\geoff\appdata\roaming\AVG10
2011-04-15 20:45:35 -------- d--h--w- c:\progra~2\Common Files
2011-04-15 20:43:37 -------- d--h--w- c:\progra~2\AVG10
2011-04-15 20:42:46 -------- d-----w- c:\program files\AVG
2011-04-15 20:39:06 -------- d--h--w- c:\progra~2\MFAData
2011-04-15 13:52:07 475136 ---ha-w- c:\progra~2\41017096.exe
2011-04-15 05:41:23 552960 ---ha-w- c:\progra~2\yelHNrXgoh.exe
2011-04-14 13:46:03 -------- d--h--w- c:\progra~2\nDf31001eMpGp31001
2011-04-11 19:10:39 -------- d--h--w- c:\progra~2\bKn31001gBoCo31001
2011-03-30 14:50:11 605960 ---ha-w- c:\progra~2\microsoft\ehome\packages\mcespotlight\mcespotlight\SpotlightResources.dll
2011-03-30 01:46:02 18944 ----a-w- c:\windows\system32\drivers\PELMOUSE.SYS
2011-03-30 01:46:02 17920 ----a-w- c:\windows\system32\drivers\pelusblf.sys
.
==================== Find3M ====================
.
2011-04-13 19:50:00 279 ---ha-w- c:\windows\tmpcpyis.bat
2011-04-13 19:50:00 122 ---ha-w- c:\windows\tmpdelis.bat
2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 13:25:11 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44:27 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-02-22 14:13:01 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33:12 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33:09 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-02-16 16:16:37 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-16 14:02:23 292864 ----a-w- c:\windows\system32\atmfd.dll
2011-02-02 22:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-30 16:10:31 26 ---ha-w- c:\windows\winstart.bat
.
============= FINISH: 11:45:13.97 ===============

GMER Log

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-26 16:07:17
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200AAJS-22B4A0 rev.01.03A01
Running: gmer.exe; Driver: C:\Users\geoff\AppData\Local\Temp\uwdoqpob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys ZwOpenProcess [0x83D29620]
SSDT \??\C:\Program Files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys ZwTerminateProcess [0x83D296D0]
SSDT \??\C:\Program Files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys ZwTerminateThread [0x83D29770]
SSDT \??\C:\Program Files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys ZwWriteVirtualMemory [0x83D29810]

INT 0x62 ? 8877DBF8
INT 0x72 ? 8877DBF8
INT 0x72 ? 8877DBF8
INT 0x72 ? 8877DBF8
INT 0x81 ? 87561BF8
INT 0x91 ? 87561BF8
INT 0x92 ? 8877DBF8
INT 0x92 ? 8877DBF8
INT 0x92 ? 8877DBF8
INT 0xA1 ? 87561BF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 3F1 842BDB74 4 Bytes [20, 96, D2, 83]
.text ntkrnlpa.exe!KeSetEvent + 621 842BDDA4 8 Bytes [D0, 96, D2, 83, 70, 97, D2, ...]
.text ntkrnlpa.exe!KeSetEvent + 681 842BDE04 4 Bytes [10, 98, D2, 83]
? System32\Drivers\spop.sys The system cannot find the path specified. !
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x91C0B000, 0x213CB7, 0xE8000020]
.text USBPORT.SYS!DllUnload 9257041B 5 Bytes JMP 8877D1D8
.text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0xA590A300, 0x3ACC8, 0xE8000020]
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0xA5954300, 0x1B7E, 0xE8000020]
? System32\Drivers\e56be811.sys The system cannot find the path specified. !
? C:\Users\geoff\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\Explorer.EXE[428] SHELL32.dll!SHGetFolderPathAndSubDirW + 81C5 762BB37C 4 Bytes [00, 26, 00, 10] {ADD [ESI], AH; ADD [EAX], DL}
.text C:\Program Files\Internet Explorer\iexplore.exe[4152] USER32.dll!EnableWindow 77B2CD8B 5 Bytes JMP 6FB49884 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4152] USER32.dll!DialogBoxParamW 77B510B0 5 Bytes JMP 6FAA15BB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4152] USER32.dll!DialogBoxIndirectParamW 77B52EF5 5 Bytes JMP 6FC9590F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4152] USER32.dll!DialogBoxParamA 77B68152 5 Bytes JMP 6FC958AA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4152] USER32.dll!DialogBoxIndirectParamA 77B6847D 5 Bytes JMP 6FC95974 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4152] USER32.dll!MessageBoxIndirectA 77B7D4D9 5 Bytes JMP 6FC95831 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4152] USER32.dll!MessageBoxIndirectW 77B7D5D3 5 Bytes JMP 6FC957B8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4152] USER32.dll!MessageBoxExA 77B7D639 5 Bytes JMP 6FC95754 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4152] USER32.dll!MessageBoxExW 77B7D65D 5 Bytes JMP 6FC956F0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] kernel32.dll!CreateThread 76EBC90E 5 Bytes JMP 6FB07133 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!CreateDialogParamW 77B272A2 5 Bytes JMP 6FC95C79 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!GetAsyncKeyState 77B2863C 2 Bytes JMP 6FAEDC09 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!GetAsyncKeyState + 3 77B2863F 2 Bytes [FC, F7]
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!SetWindowsHookExW 77B287AD 5 Bytes JMP 6FB41FE4 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!CallNextHookEx 77B28E3B 5 Bytes JMP 6FB67AEF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!UnhookWindowsHookEx 77B298DB 5 Bytes JMP 6FB8EB70 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!EnableWindow 77B2CD8B 5 Bytes JMP 6FB49884 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!DefWindowProcA 77B2DB88 7 Bytes JMP 6FB09345 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!CreateWindowExA 77B2DC2A 2 Bytes JMP 6FB13173 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!CreateWindowExA + 3 77B2DC2D 2 Bytes [FE, F7]
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!CreateWindowExW 77B31305 5 Bytes JMP 6FB6FF57 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!GetKeyState 77B38CB1 5 Bytes JMP 6FAEDAE3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!DefWindowProcW 77B403B4 7 Bytes JMP 6FB67B52 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!IsDialogMessageW 77B40745 5 Bytes JMP 6FC96406 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!CreateDialogParamA 77B417AA 5 Bytes JMP 6FC95C41 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!IsDialogMessage 77B41847 5 Bytes JMP 6FC963DE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!CreateDialogIndirectParamA 77B426F1 5 Bytes JMP 6FC95CB1 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!CreateDialogIndirectParamW 77B49A62 5 Bytes JMP 6FC95CE9 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!SetKeyboardState 77B50987 5 Bytes JMP 6FC96CCD C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!DialogBoxParamW 77B510B0 5 Bytes JMP 6FAA15BB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!DialogBoxIndirectParamW 77B52EF5 5 Bytes JMP 6FC9590F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!SendInput 77B52F75 5 Bytes JMP 6FC96C75 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!EndDialog 77B5326E 5 Bytes JMP 6FC966B2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!SetCursorPos 77B66FB2 5 Bytes JMP 6FC96D4E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!DialogBoxParamA 77B68152 5 Bytes JMP 6FC958AA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!DialogBoxIndirectParamA 77B6847D 5 Bytes JMP 6FC95974 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!MessageBoxIndirectA 77B7D4D9 5 Bytes JMP 6FC95831 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!MessageBoxIndirectW 77B7D5D3 5 Bytes JMP 6FC957B8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!MessageBoxExA 77B7D639 5 Bytes JMP 6FC95754 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!MessageBoxExW 77B7D65D 5 Bytes JMP 6FC956F0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] USER32.dll!keybd_event 77B7D972 5 Bytes JMP 6FC96C32 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] SHELL32.dll!SHRestricted + D95 763089A8 4 Bytes [37, 01, 7A, 67] {AAA ; ADD [EDX+0x67], EDI}
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] SHELL32.dll!SHRestricted + D9D 763089B0 8 Bytes [60, 61, 79, 67, E1, F6, 79, ...] {PUSHA ; POPA ; JNS 0x6b; LOOPZ 0xfffffffffffffffc; JNS 0x6f}
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] ole32.dll!OleLoadFromStream 76FA1E80 5 Bytes JMP 6FC96110 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6000] ole32.dll!CoCreateInstance 76FD9F3E 5 Bytes JMP 6FB6B6D4 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 875661F8

AttachedDevice \FileSystem\Ntfs \Ntfs trufos.sys

Device \Driver\volmgr \Device\VolMgrControl 875631F8
Device \Driver\usbohci \Device\USBPDO-0 8877C1F8
Device \Driver\usbohci \Device\USBPDO-1 8877C1F8
Device \Driver\usbehci \Device\USBPDO-2 886E41F8
Device \Driver\usbohci \Device\USBPDO-3 8877C1F8
Device \Driver\usbohci \Device\USBPDO-4 8877C1F8

AttachedDevice \Driver\tdx \Device\Tcp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)

Device \Driver\usbehci \Device\USBPDO-5 886E41F8
Device \Driver\usbohci \Device\USBPDO-6 8877C1F8
Device \Driver\volmgr \Device\HarddiskVolume1 875631F8
Device \Driver\volmgr \Device\HarddiskVolume2 875631F8
Device \Driver\cdrom \Device\CdRom0 886BA500
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 875651F8
Device \Driver\atapi \Device\Ide\IdePort0 875651F8
Device \Driver\atapi \Device\Ide\IdePort1 875651F8
Device \Driver\atapi \Device\Ide\IdePort2 875651F8
Device \Driver\atapi \Device\Ide\IdePort3 875651F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 875651F8
Device \Driver\volmgr \Device\HarddiskVolume3 875631F8
Device \Driver\cdrom \Device\CdRom1 886BA500
Device \Driver\volmgr \Device\HarddiskVolume4 875631F8
Device \Driver\cdrom \Device\CdRom2 886BA500
Device \Driver\volmgr \Device\HarddiskVolume5 875631F8
Device \Driver\volmgr \Device\HarddiskVolume6 875631F8
Device \Driver\volmgr \Device\HarddiskVolume7 875631F8
Device \Driver\netbt \Device\NetBt_Wins_Export 88D951F8
Device \Driver\netbt \Device\NetBT_Tcpip_{535B8C3A-C6E0-40EF-A618-94E961B89A1A} 88D951F8
Device \Driver\Smb \Device\NetbiosSmb 8933E1F8
Device \Driver\netbt \Device\NetBT_Tcpip_{E289220D-C914-41A2-9674-46AE0C191629} 88D951F8
Device \Driver\iScsiPrt \Device\RaidPort0 887BA1F8

AttachedDevice \Driver\tdx \Device\Udp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\tdx \Device\RawIp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)

Device \Driver\usbohci \Device\USBFDO-0 8877C1F8
Device \Driver\USBSTOR \Device\0000007a 893361F8
Device \Driver\usbohci \Device\USBFDO-1 8877C1F8
Device \Driver\USBSTOR \Device\0000007b 893361F8
Device \Driver\usbehci \Device\USBFDO-2 886E41F8
Device \Driver\USBSTOR \Device\0000007c 893361F8
Device \Driver\usbohci \Device\USBFDO-3 8877C1F8
Device \Driver\USBSTOR \Device\0000007d 893361F8
Device \Driver\usbohci \Device\USBFDO-4 8877C1F8
Device \Driver\USBSTOR \Device\0000007e 893361F8
Device \Driver\usbehci \Device\USBFDO-5 886E41F8
Device \Driver\usbohci \Device\USBFDO-6 8877C1F8
Device \FileSystem\cdfs \Cdfs 8A0521F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x60 0x4E 0x03 0x09 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0D 0x9F 0x61 0x12 ...
Reg HKLM\SYSTEM\ControlSet030\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet030\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet030\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x60 0x4E 0x03 0x09 ...
Reg HKLM\SYSTEM\ControlSet030\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet030\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet030\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet030\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0D 0x9F 0x61 0x12 ...

---- Files - GMER 1.0.15 ----

File C:\Users\geoff\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\{15F6ABC5-701E-11E0-8382-00226807482A}.dat 4608 bytes
File C:\Users\geoff\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\N113TQYK\01[1].htm 4797 bytes
File C:\Users\geoff\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QCI0JC4O\default[1].htm 6974 bytes
File C:\Users\geoff\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QCI0JC4O\9166855985[1].htm 2305 bytes

---- EOF - GMER 1.0.15 ----

Attached File(s)


#2 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,856
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 26 April 2011 - 08:40 PM

Hi,

Please do the following

Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place ComboFix.exe on your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


    You can get help on disabling your protection programs here

  • Double click on ComboFix.exe & follow the prompts.

  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------

  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#3 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,856
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 06 May 2011 - 06:05 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#4 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,856
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 08 May 2011 - 07:00 PM

This topic has been re-opened at the request of the person who originally posted.
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#5 User is offline   geoph 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 8
  • Joined: 26-April 11

Posted 08 May 2011 - 07:38 PM

Ok Few Things, 1 - Thank you for Reopening The topic, 2 - Ran ComboFix Had to uninstall AVG 2011 couldnot diable Bell Protection was stuck and would not run, 3 - My computer recovered lost files from six weeks ago which I couldn't find before. So does this mean I'm cured or is it still in there waiting, planning it's next move? Here is the ComboFix log as you requested:

ComboFix 11-05-08.02 - geoff 08/05/2011 18:55:37.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2814.1680 [GMT -4:00]
Running from: c:\users\geoff\Desktop\ComboFix.exe
AV: AVG Anti-Virus 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
AV: Bell Internet Security Services Anti-Virus *Enabled/Updated* {A61154FD-4365-E00F-9A33-13A09AD54B56}
FW: Bell Internet Security Services Firewall *Enabled* {9E2AD5D8-090A-E157-B16C-BA9564060C2D}
SP: AVG Anti-Virus 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Bell Internet Security Services Anti-Spyware *Enabled/Updated* {1D70B519-655F-EF81-A083-28D2E15201EB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Registry Helper
c:\program files\Registry Helper\AdvisorLetters.exe
c:\program files\Registry Helper\background.jpg
c:\program files\Registry Helper\delete_invalid_entries_grey.jpg
c:\program files\Registry Helper\ErrorFound.wav
c:\program files\Registry Helper\header.gif
c:\program files\Registry Helper\help.chm
c:\program files\Registry Helper\IEHandler.exe
c:\program files\Registry Helper\letter.htm
c:\program files\Registry Helper\letter1.htm
c:\program files\Registry Helper\letter2.htm
c:\program files\Registry Helper\letter3.htm
c:\program files\Registry Helper\letter4.htm
c:\program files\Registry Helper\letter5.htm
c:\program files\Registry Helper\logo.jpg
c:\program files\Registry Helper\print_16.gif
c:\program files\Registry Helper\Registry Helper Screen Saver Setup.exe
c:\program files\Registry Helper\RegistryHelper.exe
c:\program files\Registry Helper\RegistryHelperBundle.exe
c:\program files\Registry Helper\RegistryHelperService.exe
c:\program files\Registry Helper\RegistryHelperSetupCB.exe
c:\program files\Registry Helper\RegistryHelperSetupTR.exe
c:\program files\Registry Helper\RegistryHelperUninstaller.exe
c:\program files\Registry Helper\Starter.exe
c:\program files\Registry Helper\vbrun60sp5.exe
c:\programdata\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
c:\programdata\41017096.exe
c:\programdata\ClickPotatoLiteSA
c:\programdata\ClickPotatoLiteSA\ClickPotatoLiteSA.dat
c:\programdata\ClickPotatoLiteSA\ClickPotatoLiteSA_hpk.dat
c:\programdata\ClickPotatoLiteSA\ClickPotatoLiteSA_kyf.dat
c:\programdata\ClickPotatoLiteSA\ClickPotatoLiteSAAbout.mht
c:\programdata\ClickPotatoLiteSA\ClickPotatoLiteSAau.dat
c:\programdata\ClickPotatoLiteSA\ClickPotatoLiteSAEULA.mht
c:\programdata\yelHNrXgoh.exe
c:\users\geoff\AUTORUN.INF
c:\users\geoff\configdetect.dll
c:\users\geoff\eula.dll
c:\users\geoff\mgspid.dll
c:\users\geoff\msvcp71.dll
c:\users\geoff\msvcr71.dll
c:\users\geoff\setupenu.dll
c:\users\geoff\splash.exe
c:\users\geoff\strings.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-04-08 to 2011-05-08 )))))))))))))))))))))))))))))))
.
.
2011-05-08 23:11 . 2011-05-08 23:12 -------- d-----w- c:\users\geoff\AppData\Local\temp
2011-05-08 23:11 . 2011-05-08 23:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-06 16:05 . 2011-05-06 16:05 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2011-05-06 16:05 . 2011-05-06 16:05 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2011-05-06 16:05 . 2011-05-06 16:05 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2011-05-06 16:05 . 2011-05-06 16:05 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2011-05-06 16:05 . 2011-05-06 16:05 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2011-05-06 16:05 . 2011-05-06 16:05 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2011-05-06 16:05 . 2011-05-06 16:05 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2011-05-06 16:04 . 2011-05-06 16:05 -------- d-----w- c:\program files\QuickTime
2011-05-06 16:04 . 2011-05-06 16:04 -------- d-----w- c:\programdata\Apple Computer
2011-05-06 16:03 . 2011-05-06 16:03 -------- d-----w- c:\program files\Common Files\Apple
2011-05-06 16:03 . 2011-05-06 16:03 -------- d-----w- c:\program files\Apple Software Update
2011-04-30 21:15 . 2011-04-30 21:15 -------- d-----w- c:\programdata\mC31002NmJoG31002
2011-04-29 06:08 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{14407AF3-5E83-4F75-B29E-012639736ACF}\mpengine.dll
2011-04-26 15:28 . 2011-04-26 15:28 388096 ----a-r- c:\users\geoff\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-23 14:23 . 2011-04-23 14:23 -------- d-----w- c:\program files\GOG.com
2011-04-23 02:54 . 2011-04-23 03:34 -------- d-----w- c:\users\geoff\FrostWire
2011-04-23 02:54 . 2011-04-29 00:57 -------- d-----w- c:\program files\FrostWire
2011-04-22 22:17 . 2011-04-22 22:17 -------- d-----w- c:\program files\1C
2011-04-22 13:49 . 2011-04-22 13:49 -------- d-----w- c:\windows\CheckSur
2011-04-17 23:22 . 2011-05-02 02:00 696320 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll
2011-04-17 23:22 . 2011-05-02 02:00 57344 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll
2011-04-17 23:22 . 2011-05-02 02:00 237568 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll
2011-04-17 23:22 . 2011-05-02 02:00 155648 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll
2011-04-17 23:22 . 2011-04-17 23:22 282756 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll
2011-04-17 23:22 . 2011-04-17 23:22 163972 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll
2011-04-17 23:22 . 2002-12-02 19:22 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe
2011-04-16 16:09 . 2011-03-03 15:42 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-16 16:08 . 2011-03-03 10:50 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-04-16 14:23 . 2011-04-16 14:23 -------- d-----w- c:\program files\uTorrent
2011-04-16 14:22 . 2011-05-08 22:46 -------- d-----w- c:\users\geoff\AppData\Roaming\uTorrent
2011-04-16 14:15 . 2011-04-16 14:15 -------- d-----w- C:\extensions
2011-04-15 20:55 . 2011-04-15 20:55 -------- d-----w- C:\$AVG
2011-04-15 20:46 . 2011-04-15 20:46 -------- d--h--w- c:\users\geoff\AppData\Roaming\AVG10
2011-04-15 20:45 . 2011-04-15 20:45 -------- d--h--w- c:\programdata\Common Files
2011-04-15 20:43 . 2011-05-08 22:50 -------- d--h--w- c:\programdata\AVG10
2011-04-15 20:42 . 2011-05-02 15:59 -------- d-----w- c:\program files\AVG
2011-04-15 20:39 . 2011-05-08 22:49 -------- d--h--w- c:\programdata\MFAData
2011-04-14 13:46 . 2011-04-14 13:46 -------- d--h--w- c:\programdata\nDf31001eMpGp31001
2011-04-11 19:10 . 2011-04-11 19:10 -------- d--h--w- c:\programdata\bKn31001gBoCo31001
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-02 02:21 . 2006-11-02 08:11 40960 ----a-w- c:\windows\system32\cliconfg.rll
2011-05-02 02:20 . 2006-11-02 06:37 20480 ----a-w- c:\windows\system32\drivers\secdrv.sys
2011-05-02 02:19 . 2009-05-28 21:29 299008 ---ha-w- c:\windows\uninst.exe
2011-05-02 02:19 . 2011-03-30 01:45 114688 ---ha-w- c:\windows\system32\xMouse.cpl
2011-05-02 02:19 . 2009-06-07 16:24 180224 ---ha-w- c:\windows\system32\xvidvfw.dll
2011-05-02 02:19 . 2009-05-01 00:11 53248 ---ha-w- c:\windows\system32\xvid.ax
2011-05-02 02:19 . 2008-08-26 22:11 987136 ---ha-w- c:\windows\system32\VSFilter.dll
2011-05-02 02:19 . 2008-08-21 20:52 1777664 ----a-w- c:\windows\system32\WavesLib.dll
2011-05-02 02:19 . 2005-07-26 13:56 53248 ---ha-w- c:\windows\system32\vp7dec_settings.cpl
2011-05-02 02:19 . 2005-07-26 13:56 233472 ---ha-w- c:\windows\system32\vp7dec.ax
2011-05-02 02:19 . 2004-12-10 09:06 327680 ---ha-w- c:\windows\system32\vp6dec.ax
2011-05-02 02:19 . 2004-12-10 09:03 438272 ---ha-w- c:\windows\system32\vp6vfw.dll
2011-05-02 02:19 . 2004-02-17 10:11 53248 ---ha-w- c:\windows\system32\vp6dec_settings.cpl
2011-05-02 02:19 . 2011-03-30 01:45 28672 ---ha-w- c:\windows\system32\UnInst.exe
2011-05-02 02:19 . 2011-03-30 01:45 126976 ---ha-w- c:\windows\system32\Twister.DLL
2011-05-02 02:19 . 2009-05-01 21:02 200704 ---ha-w- c:\windows\system32\ssldivx.dll
2011-05-02 02:19 . 2008-08-21 20:52 339968 ----a-w- c:\windows\system32\SRSTSXT.dll
2011-05-02 02:19 . 2008-08-21 20:52 167936 ----a-w- c:\windows\system32\SRSHP360.dll
2011-05-02 02:19 . 2008-08-21 20:52 135168 ----a-w- c:\windows\system32\SRSWOW.dll
2011-05-02 02:19 . 2004-09-08 18:03 86016 ---ha-w- c:\windows\system32\sl_anet.acm
2011-05-02 02:19 . 2011-03-30 01:45 45056 ---ha-w- c:\windows\system32\SetupNT.exe
2011-05-02 02:19 . 2008-08-21 20:52 540672 ----a-w- c:\windows\system32\RTSndMgr.cpl
2011-05-02 02:19 . 2008-08-21 20:52 32768 ----a-w- c:\windows\system32\RtkCoInst.dll
2011-05-02 02:19 . 2010-08-25 00:09 389120 ---ha-w- c:\windows\system32\RegistryHelperLM.ocx
2011-05-02 02:19 . 2004-04-27 15:03 49152 ---ha-w- c:\windows\system32\RLOFRDec.ax
2011-05-02 02:19 . 2011-03-30 01:45 40960 ---ha-w- c:\windows\system32\PMTilt3.DLL
2011-05-02 02:19 . 2011-03-30 01:45 36864 ---ha-w- c:\windows\system32\PMUninNT.exe
2011-05-02 02:19 . 2011-03-30 01:45 229376 ---ha-w- c:\windows\system32\PMUninst.exe
2011-05-02 02:19 . 2010-09-30 00:15 221184 ----a-w- c:\windows\system32\RaCoInst.dll
2011-05-02 02:19 . 2008-11-06 16:37 3596288 ---ha-w- c:\windows\system32\qt-dx331.dll
2011-05-02 02:19 . 2011-03-30 01:45 69632 ---ha-w- c:\windows\system32\pelhooks.dll
2011-05-02 02:19 . 2011-03-30 01:45 49152 ---ha-w- c:\windows\system32\pmpopo.dll
2011-05-02 02:19 . 2011-03-30 01:45 36864 ---ha-w- c:\windows\system32\pelcomm.dll
2011-05-02 02:19 . 2011-03-30 01:45 241664 ---ha-w- c:\windows\system32\pelutil.dll
2011-05-02 02:19 . 2011-03-30 01:45 114688 ---ha-w- c:\windows\system32\pelscrll.dll
2011-05-02 02:19 . 2011-03-30 01:45 94208 ---ha-w- c:\windows\system32\Pelzoom.dll
2011-05-02 02:19 . 2011-03-30 01:45 303104 ---ha-w- c:\windows\system32\PelSetup.exe
2011-05-02 02:19 . 2011-03-30 01:45 24576 ---ha-w- c:\windows\system32\Pelsetup.dll
2011-05-02 02:19 . 2011-03-30 01:45 65536 ---ha-w- c:\windows\system32\PMIBM.DLL
2011-05-02 02:19 . 2011-03-30 01:45 45056 ---ha-w- c:\windows\system32\PMMO32R.DLL
2011-05-02 02:19 . 2011-03-30 01:45 40960 ---ha-w- c:\windows\system32\PMTILT.DLL
2011-05-02 02:19 . 2011-03-30 01:45 45056 ---ha-w- c:\windows\system32\PELRESS.DLL
2011-05-02 02:19 . 2011-03-30 01:45 151552 ---ha-w- c:\windows\system32\PELMICED.EXE
2011-05-02 02:19 . 2004-04-20 22:00 172032 ---ha-w- c:\windows\system32\OptimFROG.dll
2011-05-02 02:19 . 2008-08-30 09:58 262144 ----a-w- c:\windows\system32\Oemdspif.dll
2011-05-02 02:19 . 2011-03-30 01:45 241664 ---ha-w- c:\windows\system32\Notifier.dll
2011-05-02 02:19 . 2001-12-26 20:12 65536 ----a-w- c:\windows\system32\multiplex_vcd.dll
2011-05-02 02:19 . 2009-04-20 22:40 544768 ---ha-w- c:\windows\system32\msvcr71d.dll
2011-05-02 02:19 . 2009-01-03 00:55 487424 ---ha-w- c:\windows\system32\msvcp70.dll
2011-05-02 02:19 . 2009-01-03 00:55 24576 ---ha-w- c:\windows\system32\msxml3a.dll
2011-05-02 02:19 . 2008-08-21 20:56 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-05-02 02:19 . 2008-08-21 20:56 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-05-02 02:19 . 2002-01-05 07:37 344064 ----a-w- c:\windows\system32\msvcr70.dll
2011-05-02 02:18 . 2009-11-14 18:11 24576 ---ha-w- c:\windows\system32\mkunicode.dll
2011-05-02 02:18 . 2009-01-10 22:15 159744 ---ha-w- c:\windows\system32\mmfinfo.dll
2011-05-02 02:18 . 2009-04-20 22:40 2179072 ---ha-w- c:\windows\system32\mfc71d.dll
2011-05-02 02:18 . 2009-01-03 00:55 974848 ---ha-w- c:\windows\system32\mfc70.dll
2011-05-02 02:18 . 2008-08-21 20:56 1060864 ----a-w- c:\windows\system32\MFC71.dll
2011-05-02 02:18 . 2008-08-21 20:52 1933312 ----a-w- c:\windows\system32\MaxxAudioEQ.dll
2011-05-02 02:18 . 2008-08-21 20:52 159744 ----a-w- c:\windows\system32\MaxxAudioAPO20.dll
2011-05-02 02:18 . 2008-08-21 20:52 126976 ----a-w- c:\windows\system32\MaxxAudioAPO.dll
2011-05-02 02:18 . 2007-01-17 16:24 2830336 ----a-w- c:\windows\system32\LS_HSI.msi
2011-05-02 02:18 . 2011-03-30 01:45 61440 ---ha-w- c:\windows\system32\LaunHelp.exe
2011-05-02 02:18 . 2009-05-01 21:02 1044480 ---ha-w- c:\windows\system32\libdivx.dll
2011-05-02 02:18 . 2009-05-01 00:11 98304 ---ha-w- c:\windows\system32\L3CODECX.AX
2011-05-02 02:18 . 2008-09-24 20:41 839680 ---ha-w- c:\windows\system32\lameACM.acm
2011-05-02 02:18 . 2008-08-21 20:57 487424 ----a-w- c:\windows\system32\INT15.dll
2011-05-02 02:18 . 2006-04-17 13:37 3956736 ---ha-w- c:\windows\system32\IVIVIDEO.ax
2011-05-02 02:18 . 2011-03-30 01:45 57344 ----a-w- c:\windows\system32\iconspy.exe
2011-05-02 02:18 . 2011-03-30 01:45 225280 ---ha-w- c:\windows\system32\HPppm.dll
2011-05-02 02:18 . 2011-03-30 01:45 290816 ---ha-w- c:\windows\system32\HPWHEEL.dll
2011-05-02 02:18 . 2010-07-13 22:45 364544 ----a-w- c:\windows\system32\hppldcoi.dll
2011-05-02 02:18 . 2007-07-05 01:33 892928 ---ha-w- c:\windows\system32\iconv.dll
2011-05-02 02:18 . 2010-07-13 22:45 675840 ----a-w- c:\windows\system32\hpowiax3.dll
2011-05-02 02:18 . 2010-07-13 22:45 569344 ----a-w- c:\windows\system32\hpotscl3.dll
2011-05-02 02:18 . 2010-07-13 22:45 303104 ----a-w- c:\windows\system32\hpovst10.dll
2011-05-02 02:18 . 2001-09-04 03:46 110592 ----a-w- c:\windows\system32\Hmpg12.dll
2011-05-02 02:18 . 2001-07-30 20:33 118784 ----a-w- c:\windows\system32\HMPV2_ENC.dll
2011-05-02 02:18 . 2001-07-24 02:04 118784 ----a-w- c:\windows\system32\HMPV2_ENC_MMX.dll
2011-05-02 02:18 . 2006-12-15 23:22 1712128 ----a-w- c:\windows\system32\GdiPlus.dll
2011-05-02 02:18 . 2008-08-21 20:52 143360 ----a-w- c:\windows\system32\FMAPO.dll
2011-05-02 02:18 . 2010-03-03 00:00 151552 ---ha-w- c:\windows\system32\ff_libmad.dll
2011-05-02 02:18 . 2011-03-30 01:45 45056 ---ha-w- c:\windows\system32\ergo5b.dll
2011-05-02 02:18 . 2011-03-30 01:45 77824 ---ha-w- c:\windows\system32\Dynex5B.dll
2011-05-02 02:18 . 2009-11-14 18:33 249856 ---ha-w- c:\windows\system32\dxr.dll
2011-05-02 02:18 . 2008-11-29 18:30 290816 ---ha-w- c:\windows\system32\dtsac3source.ax
2011-05-02 02:18 . 2008-08-05 21:59 196608 ---ha-w- c:\windows\system32\dtu100.dll
2011-05-02 02:18 . 2006-11-02 08:51 12288 ----a-w- c:\windows\system32\drivers\sffp_mmc.sys
2011-05-02 02:18 . 2006-11-02 08:30 40960 ----a-w- c:\windows\system32\drivers\processr.sys
2011-05-02 02:18 . 2008-01-21 02:23 118784 ----a-w- c:\windows\system32\drivers\E1G60I32.sys
2011-05-02 02:18 . 2008-01-21 02:23 20480 ----a-w- c:\windows\system32\drivers\flpydisk.sys
2011-05-02 02:18 . 2006-11-02 08:30 40960 ----a-w- c:\windows\system32\drivers\crusoe.sys
2011-05-02 02:18 . 2008-08-30 08:56 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-05-02 02:18 . 2009-11-14 00:49 532480 ---ha-w- c:\windows\system32\DivXsm.exe
2011-05-02 02:18 . 2009-11-14 00:47 999424 ---ha-w- c:\windows\system32\divxdec.ax
2011-05-02 02:18 . 2008-08-05 21:59 57344 ---ha-w- c:\windows\system32\dpv11.dll
2011-05-02 02:18 . 2008-03-09 09:31 245760 ---ha-w- c:\windows\system32\DCBassSource.ax
2011-05-02 02:18 . 2005-07-09 19:12 241664 ---ha-w- c:\windows\system32\CoreVorbis.ax
2011-05-02 02:16 . 2009-04-20 22:40 32768 ---ha-w- c:\windows\system32\CMDLGFR.DLL
2011-05-02 02:15 . 2005-01-13 01:53 57344 ----a-w- c:\windows\system32\Big Kahuna Reef.scr
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-07-29 21:52 121392 ---ha-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VaultIcon1]
@="{B976888E-DC7B-456C-A62F-44EA07ED231F}"
[HKEY_CLASSES_ROOT\CLSID\{B976888E-DC7B-456C-A62F-44EA07ED231F}]
2010-01-17 23:08 503808 ----a-w- c:\program files\Personal Vault Backup Manager\VaultClientMenu.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acer Empowering Technology Monitor"="c:\program files\Acer\Empowering Technology\SysMonitor.exe" [2008-06-02 319488]
"EmpoweringTechnology"="c:\program files\Acer\Empowering Technology\Framework.Launcher.exe" [2008-06-02 319488]
"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-07-29 526896]
"Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2011-05-02 1261568]
"D-Link D-Link DWA-125"="c:\program files\D-Link\DWA-125 revA\AirGCFG.exe" [2009-10-19 995328]
"BellCanada_McciTrayApp"="c:\program files\BellCanada\McciTrayApp.exe" [2010-01-19 1565696]
"BISA.exe"="c:\program files\Bell\Internet Service Advisor\BISA.exe" [2010-01-13 4281584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
.
c:\users\geoff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-5-13 576000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-05-02 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Radialpoint Security Services]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
2011-05-02 01:51 3387392 ----a-w- c:\program files\Acer\Acer Registration\ACE1.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 17:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-30 15:45 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]
2011-05-02 01:57 77824 ----a-w- c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2011-05-02 01:57 311296 ----a-w- c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
2006-10-23 17:54 56128 ---ha-w- c:\windows\System32\ico.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMMediaSharing]
2008-05-20 21:50 204908 ----a-w- c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2011-05-02 02:14 6144000 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Setresolution]
2008-02-26 22:29 240 ---ha-w- c:\acer\Config\1440X900.CMD
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2011-05-02 01:57 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WZCSLDR2]
2011-05-02 02:01 122880 ----a-w- c:\program files\D-Link\DWA-125 revA\WZCSLDR2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
2;2 D_Link_DWA-125;D_Link_DWA-125 Service;c:\program files\D-Link\DWA-125 revA\ANIWZCSdS.exe [x]
R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 MSMQSVC;Message Queuing Service;c:\windows\system32\mqsv32.exe [x]
R2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe RadialpointIDSAgent [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-11-23 7408]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-01-27 691696]
S1 anodlwf;ANOD Network Security Filter driver;c:\windows\system32\DRIVERS\anodlwf.sys [2009-03-06 12800]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-11-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-11-23 74480]
S2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [2008-05-20 269448]
S2 D_Link_DWA-125_WPS;D_Link_DWA-125_WPS Service;c:\program files\D-Link\DWA-125 revA\ANIWConnService.exe [2009-07-07 40960]
S2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-06-02 24576]
S2 Radialpoint Security Services;Bell Internet Security Services;c:\program files\Bell\Bell Internet Security Services\RpsSecurityAwareR.exe [2010-01-18 165408]
S2 ServicepointService;ServicepointService;c:\program files\Bell\Internet Service Advisor\ServicepointService.exe [2010-01-13 689392]
S2 VaultClientSRV;Personal Vault Backup Manager Service;c:\program files\Personal Vault Backup Manager\VaultClientSRV.exe [2010-01-17 1051728]
S2 VaultClientUpgrade;Personal Vault Backup Manager Upgrade Service;c:\program files\Personal Vault Backup Manager\VaultClientUpgrade.exe [2010-01-17 56400]
S3 netr28u;D-Link dnetr28u USB Extensible Wireless LAN Card Driver;c:\windows\system32\DRIVERS\Dnetr28u.sys [2009-09-15 798208]
S3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys [2009-11-02 122376]
S3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\drivers\AVGIDSFilter.sys [2009-11-02 30216]
S3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys [2009-11-02 27800]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - A64145DA
*Deregistered* - a64145da
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
bdx REG_MULTI_SZ scan sysagent
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sympatico.ca/
mStart Page = about:blank
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: {535B8C3A-C6E0-40EF-A618-94E961B89A1A} = 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
MSConfigStartUp-yelHNrXgoh - c:\programdata\yelHNrXgoh.exe
AddRemove-Octoshape add-in for Adobe Flash Player - c:\users\geoff\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-08 19:12
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2035741258-2230102944-2969920155-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:67,47,0f,3a,4b,03,ee,8c,40,1b,90,fd,95,1f,da,c0,ae,db,ba,ed,6e,8d,94,
21,d1,03,f4,7c,59,b5,7d,ca,d6,17,dc,6a,ed,de,0b,18,0d,db,87,16,62,a2,f6,a9,\
"??"=hex:3c,46,be,02,dd,41,6a,66,be,c0,c6,02,17,6a,f1,4b
.
[HKEY_USERS\S-1-5-21-2035741258-2230102944-2969920155-1000\Software\SecuROM\License information*]
"datasecu"=hex:38,c3,4c,de,2c,88,ed,ef,f1,89,d7,c3,ba,12,e8,9d,11,0c,cf,4e,fd,
33,31,ad,11,15,ff,51,19,57,9f,9f,77,0a,e7,1a,98,76,3c,96,13,66,85,0c,fa,8e,\
"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb
.
Completion time: 2011-05-08 19:27:25
ComboFix-quarantined-files.txt 2011-05-08 23:27
.
Pre-Run: 27,498,303,488 bytes free
Post-Run: 27,212,062,720 bytes free
.
- - End Of File - - A3E7C97CF84BFF9A9F13B77C36DDA574


Thnx
Geoph

#6 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,856
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 08 May 2011 - 08:18 PM

Hi,Please do the following:
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

DirLook::
c:\programdata\mC31002NmJoG31002
c:\programdata\nDf31001eMpGp31001
c:\programdata\bKn31001gBoCo31001


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.


Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#7 User is offline   geoph 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 8
  • Joined: 26-April 11

Posted 08 May 2011 - 10:17 PM

ComboFix Log

ComboFix 11-05-08.02 - geoff 08/05/2011 21:26:13.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2814.1626 [GMT -4:00]
Running from: c:\users\geoff\Desktop\ComboFix.exe
Command switches used :: c:\users\geoff\Desktop\CFScript.txt
AV: Bell Internet Security Services Anti-Virus *Disabled/Updated* {A61154FD-4365-E00F-9A33-13A09AD54B56}
FW: Bell Internet Security Services Firewall *Disabled* {9E2AD5D8-090A-E157-B16C-BA9564060C2D}
SP: Bell Internet Security Services Anti-Spyware *Disabled/Updated* {1D70B519-655F-EF81-A083-28D2E15201EB}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-09 to 2011-05-09 )))))))))))))))))))))))))))))))
.
.
2011-05-09 01:33 . 2011-05-09 01:33 -------- d-----w- c:\users\geoff\AppData\Local\temp
2011-05-09 01:33 . 2011-05-09 01:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-09 00:34 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-05-09 00:34 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-05-09 00:34 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-05-09 00:31 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DC9E9134-26F1-4BF7-9039-BD22020A990A}\mpengine.dll
2011-05-06 16:05 . 2011-05-06 16:05 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2011-05-06 16:05 . 2011-05-06 16:05 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2011-05-06 16:05 . 2011-05-06 16:05 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2011-05-06 16:05 . 2011-05-06 16:05 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2011-05-06 16:05 . 2011-05-06 16:05 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2011-05-06 16:05 . 2011-05-06 16:05 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2011-05-06 16:05 . 2011-05-06 16:05 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2011-05-06 16:04 . 2011-05-06 16:05 -------- d-----w- c:\program files\QuickTime
2011-05-06 16:04 . 2011-05-06 16:04 -------- d-----w- c:\programdata\Apple Computer
2011-05-06 16:03 . 2011-05-06 16:03 -------- d-----w- c:\program files\Common Files\Apple
2011-05-06 16:03 . 2011-05-06 16:03 -------- d-----w- c:\program files\Apple Software Update
2011-04-30 21:15 . 2011-04-30 21:15 -------- d-----w- c:\programdata\mC31002NmJoG31002
2011-04-26 15:28 . 2011-04-26 15:28 388096 ----a-r- c:\users\geoff\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-23 14:23 . 2011-04-23 14:23 -------- d-----w- c:\program files\GOG.com
2011-04-23 02:54 . 2011-04-23 03:34 -------- d-----w- c:\users\geoff\FrostWire
2011-04-23 02:54 . 2011-04-29 00:57 -------- d-----w- c:\program files\FrostWire
2011-04-22 22:17 . 2011-04-22 22:17 -------- d-----w- c:\program files\1C
2011-04-22 13:49 . 2011-04-22 13:49 -------- d-----w- c:\windows\CheckSur
2011-04-17 23:22 . 2011-05-02 02:00 696320 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll
2011-04-17 23:22 . 2011-05-02 02:00 57344 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll
2011-04-17 23:22 . 2011-05-02 02:00 237568 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll
2011-04-17 23:22 . 2011-05-02 02:00 155648 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll
2011-04-17 23:22 . 2011-04-17 23:22 282756 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll
2011-04-17 23:22 . 2011-04-17 23:22 163972 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll
2011-04-17 23:22 . 2002-12-02 19:22 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe
2011-04-16 16:09 . 2011-03-03 15:42 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-16 16:08 . 2011-03-03 10:50 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-04-16 14:23 . 2011-04-16 14:23 -------- d-----w- c:\program files\uTorrent
2011-04-16 14:22 . 2011-05-09 01:15 -------- d-----w- c:\users\geoff\AppData\Roaming\uTorrent
2011-04-16 14:15 . 2011-04-16 14:15 -------- d-----w- C:\extensions
2011-04-15 20:55 . 2011-04-15 20:55 -------- d-----w- C:\$AVG
2011-04-15 20:46 . 2011-04-15 20:46 -------- d-----w- c:\users\geoff\AppData\Roaming\AVG10
2011-04-15 20:45 . 2011-04-15 20:45 -------- d-----w- c:\programdata\Common Files
2011-04-15 20:43 . 2011-05-09 00:25 -------- d-----w- c:\programdata\AVG10
2011-04-15 20:42 . 2011-05-02 15:59 -------- d-----w- c:\program files\AVG
2011-04-15 20:39 . 2011-05-09 00:23 -------- d-----w- c:\programdata\MFAData
2011-04-14 13:46 . 2011-04-14 13:46 -------- d-----w- c:\programdata\nDf31001eMpGp31001
2011-04-11 19:10 . 2011-04-11 19:10 -------- d-----w- c:\programdata\bKn31001gBoCo31001
2011-04-09 22:55 . 2011-04-09 22:55 15453336 ----a-w- c:\windows\system32\xlive.dll
2011-04-09 22:55 . 2011-04-09 22:55 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-02 02:21 . 2006-11-02 08:11 40960 ----a-w- c:\windows\system32\cliconfg.rll
2011-05-02 02:20 . 2006-11-02 06:37 20480 ----a-w- c:\windows\system32\drivers\secdrv.sys
2011-05-02 02:19 . 2009-05-28 21:29 299008 ----a-w- c:\windows\uninst.exe
2011-05-02 02:19 . 2011-03-30 01:45 114688 ----a-w- c:\windows\system32\xMouse.cpl
2011-05-02 02:19 . 2009-06-07 16:24 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2011-05-02 02:19 . 2009-05-01 00:11 53248 ----a-w- c:\windows\system32\xvid.ax
2011-05-02 02:19 . 2008-08-26 22:11 987136 ----a-w- c:\windows\system32\VSFilter.dll
2011-05-02 02:19 . 2008-08-21 20:52 1777664 ----a-w- c:\windows\system32\WavesLib.dll
2011-05-02 02:19 . 2005-07-26 13:56 53248 ----a-w- c:\windows\system32\vp7dec_settings.cpl
2011-05-02 02:19 . 2005-07-26 13:56 233472 ----a-w- c:\windows\system32\vp7dec.ax
2011-05-02 02:19 . 2004-12-10 09:06 327680 ----a-w- c:\windows\system32\vp6dec.ax
2011-05-02 02:19 . 2004-12-10 09:03 438272 ----a-w- c:\windows\system32\vp6vfw.dll
2011-05-02 02:19 . 2004-02-17 10:11 53248 ----a-w- c:\windows\system32\vp6dec_settings.cpl
2011-05-02 02:19 . 2011-03-30 01:45 28672 ----a-w- c:\windows\system32\UnInst.exe
2011-05-02 02:19 . 2011-03-30 01:45 126976 ----a-w- c:\windows\system32\Twister.DLL
2011-05-02 02:19 . 2009-05-01 21:02 200704 ----a-w- c:\windows\system32\ssldivx.dll
2011-05-02 02:19 . 2008-08-21 20:52 339968 ----a-w- c:\windows\system32\SRSTSXT.dll
2011-05-02 02:19 . 2008-08-21 20:52 167936 ----a-w- c:\windows\system32\SRSHP360.dll
2011-05-02 02:19 . 2008-08-21 20:52 135168 ----a-w- c:\windows\system32\SRSWOW.dll
2011-05-02 02:19 . 2004-09-08 18:03 86016 ----a-w- c:\windows\system32\sl_anet.acm
2011-05-02 02:19 . 2011-03-30 01:45 45056 ----a-w- c:\windows\system32\SetupNT.exe
2011-05-02 02:19 . 2008-08-21 20:52 540672 ----a-w- c:\windows\system32\RTSndMgr.cpl
2011-05-02 02:19 . 2008-08-21 20:52 32768 ----a-w- c:\windows\system32\RtkCoInst.dll
2011-05-02 02:19 . 2010-08-25 00:09 389120 ----a-w- c:\windows\system32\RegistryHelperLM.ocx
2011-05-02 02:19 . 2004-04-27 15:03 49152 ----a-w- c:\windows\system32\RLOFRDec.ax
2011-05-02 02:19 . 2011-03-30 01:45 40960 ----a-w- c:\windows\system32\PMTilt3.DLL
2011-05-02 02:19 . 2011-03-30 01:45 36864 ----a-w- c:\windows\system32\PMUninNT.exe
2011-05-02 02:19 . 2011-03-30 01:45 229376 ----a-w- c:\windows\system32\PMUninst.exe
2011-05-02 02:19 . 2010-09-30 00:15 221184 ----a-w- c:\windows\system32\RaCoInst.dll
2011-05-02 02:19 . 2008-11-06 16:37 3596288 ----a-w- c:\windows\system32\qt-dx331.dll
2011-05-02 02:19 . 2011-03-30 01:45 69632 ----a-w- c:\windows\system32\pelhooks.dll
2011-05-02 02:19 . 2011-03-30 01:45 49152 ----a-w- c:\windows\system32\pmpopo.dll
2011-05-02 02:19 . 2011-03-30 01:45 36864 ----a-w- c:\windows\system32\pelcomm.dll
2011-05-02 02:19 . 2011-03-30 01:45 241664 ----a-w- c:\windows\system32\pelutil.dll
2011-05-02 02:19 . 2011-03-30 01:45 114688 ----a-w- c:\windows\system32\pelscrll.dll
2011-05-02 02:19 . 2011-03-30 01:45 94208 ----a-w- c:\windows\system32\Pelzoom.dll
2011-05-02 02:19 . 2011-03-30 01:45 303104 ----a-w- c:\windows\system32\PelSetup.exe
2011-05-02 02:19 . 2011-03-30 01:45 24576 ----a-w- c:\windows\system32\Pelsetup.dll
2011-05-02 02:19 . 2011-03-30 01:45 65536 ----a-w- c:\windows\system32\PMIBM.DLL
2011-05-02 02:19 . 2011-03-30 01:45 45056 ----a-w- c:\windows\system32\PMMO32R.DLL
2011-05-02 02:19 . 2011-03-30 01:45 40960 ----a-w- c:\windows\system32\PMTILT.DLL
2011-05-02 02:19 . 2011-03-30 01:45 45056 ----a-w- c:\windows\system32\PELRESS.DLL
2011-05-02 02:19 . 2011-03-30 01:45 151552 ----a-w- c:\windows\system32\PELMICED.EXE
2011-05-02 02:19 . 2004-04-20 22:00 172032 ----a-w- c:\windows\system32\OptimFROG.dll
2011-05-02 02:19 . 2008-08-30 09:58 262144 ----a-w- c:\windows\system32\Oemdspif.dll
2011-05-02 02:19 . 2011-03-30 01:45 241664 ----a-w- c:\windows\system32\Notifier.dll
2011-05-02 02:19 . 2001-12-26 20:12 65536 ----a-w- c:\windows\system32\multiplex_vcd.dll
2011-05-02 02:19 . 2009-04-20 22:40 544768 ----a-w- c:\windows\system32\msvcr71d.dll
2011-05-02 02:19 . 2009-01-03 00:55 487424 ----a-w- c:\windows\system32\msvcp70.dll
2011-05-02 02:19 . 2009-01-03 00:55 24576 ----a-w- c:\windows\system32\msxml3a.dll
2011-05-02 02:19 . 2008-08-21 20:56 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-05-02 02:19 . 2008-08-21 20:56 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-05-02 02:19 . 2002-01-05 07:37 344064 ----a-w- c:\windows\system32\msvcr70.dll
2011-05-02 02:18 . 2009-11-14 18:11 24576 ----a-w- c:\windows\system32\mkunicode.dll
2011-05-02 02:18 . 2009-01-10 22:15 159744 ----a-w- c:\windows\system32\mmfinfo.dll
2011-05-02 02:18 . 2009-04-20 22:40 2179072 ----a-w- c:\windows\system32\mfc71d.dll
2011-05-02 02:18 . 2009-01-03 00:55 974848 ----a-w- c:\windows\system32\mfc70.dll
2011-05-02 02:18 . 2008-08-21 20:56 1060864 ----a-w- c:\windows\system32\MFC71.dll
2011-05-02 02:18 . 2008-08-21 20:52 1933312 ----a-w- c:\windows\system32\MaxxAudioEQ.dll
2011-05-02 02:18 . 2008-08-21 20:52 159744 ----a-w- c:\windows\system32\MaxxAudioAPO20.dll
2011-05-02 02:18 . 2008-08-21 20:52 126976 ----a-w- c:\windows\system32\MaxxAudioAPO.dll
2011-05-02 02:18 . 2007-01-17 16:24 2830336 ----a-w- c:\windows\system32\LS_HSI.msi
2011-05-02 02:18 . 2011-03-30 01:45 61440 ----a-w- c:\windows\system32\LaunHelp.exe
2011-05-02 02:18 . 2009-05-01 21:02 1044480 ----a-w- c:\windows\system32\libdivx.dll
2011-05-02 02:18 . 2009-05-01 00:11 98304 ----a-w- c:\windows\system32\L3CODECX.AX
2011-05-02 02:18 . 2008-09-24 20:41 839680 ----a-w- c:\windows\system32\lameACM.acm
2011-05-02 02:18 . 2008-08-21 20:57 487424 ----a-w- c:\windows\system32\INT15.dll
2011-05-02 02:18 . 2006-04-17 13:37 3956736 ----a-w- c:\windows\system32\IVIVIDEO.ax
2011-05-02 02:18 . 2011-03-30 01:45 57344 ----a-w- c:\windows\system32\iconspy.exe
2011-05-02 02:18 . 2011-03-30 01:45 225280 ----a-w- c:\windows\system32\HPppm.dll
2011-05-02 02:18 . 2011-03-30 01:45 290816 ----a-w- c:\windows\system32\HPWHEEL.dll
2011-05-02 02:18 . 2010-07-13 22:45 364544 ----a-w- c:\windows\system32\hppldcoi.dll
2011-05-02 02:18 . 2007-07-05 01:33 892928 ----a-w- c:\windows\system32\iconv.dll
2011-05-02 02:18 . 2010-07-13 22:45 675840 ----a-w- c:\windows\system32\hpowiax3.dll
2011-05-02 02:18 . 2010-07-13 22:45 569344 ----a-w- c:\windows\system32\hpotscl3.dll
2011-05-02 02:18 . 2010-07-13 22:45 303104 ----a-w- c:\windows\system32\hpovst10.dll
2011-05-02 02:18 . 2001-09-04 03:46 110592 ----a-w- c:\windows\system32\Hmpg12.dll
2011-05-02 02:18 . 2001-07-30 20:33 118784 ----a-w- c:\windows\system32\HMPV2_ENC.dll
2011-05-02 02:18 . 2001-07-24 02:04 118784 ----a-w- c:\windows\system32\HMPV2_ENC_MMX.dll
2011-05-02 02:18 . 2006-12-15 23:22 1712128 ----a-w- c:\windows\system32\GdiPlus.dll
2011-05-02 02:18 . 2008-08-21 20:52 143360 ----a-w- c:\windows\system32\FMAPO.dll
2011-05-02 02:18 . 2010-03-03 00:00 151552 ----a-w- c:\windows\system32\ff_libmad.dll
2011-05-02 02:18 . 2011-03-30 01:45 45056 ----a-w- c:\windows\system32\ergo5b.dll
2011-05-02 02:18 . 2011-03-30 01:45 77824 ----a-w- c:\windows\system32\Dynex5B.dll
2011-05-02 02:18 . 2009-11-14 18:33 249856 ----a-w- c:\windows\system32\dxr.dll
2011-05-02 02:18 . 2008-11-29 18:30 290816 ----a-w- c:\windows\system32\dtsac3source.ax
2011-05-02 02:18 . 2008-08-05 21:59 196608 ----a-w- c:\windows\system32\dtu100.dll
2011-05-02 02:18 . 2006-11-02 08:51 12288 ----a-w- c:\windows\system32\drivers\sffp_mmc.sys
2011-05-02 02:18 . 2006-11-02 08:30 40960 ----a-w- c:\windows\system32\drivers\processr.sys
2011-05-02 02:18 . 2008-01-21 02:23 118784 ----a-w- c:\windows\system32\drivers\E1G60I32.sys
2011-05-02 02:18 . 2008-01-21 02:23 20480 ----a-w- c:\windows\system32\drivers\flpydisk.sys
2011-05-02 02:18 . 2006-11-02 08:30 40960 ----a-w- c:\windows\system32\drivers\crusoe.sys
2011-05-02 02:18 . 2008-08-30 08:56 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-05-02 02:18 . 2009-11-14 00:49 532480 ----a-w- c:\windows\system32\DivXsm.exe
2011-05-02 02:18 . 2009-11-14 00:47 999424 ----a-w- c:\windows\system32\divxdec.ax
2011-05-02 02:18 . 2008-08-05 21:59 57344 ----a-w- c:\windows\system32\dpv11.dll
2011-05-02 02:18 . 2008-03-09 09:31 245760 ----a-w- c:\windows\system32\DCBassSource.ax
2011-05-02 02:18 . 2005-07-09 19:12 241664 ----a-w- c:\windows\system32\CoreVorbis.ax
2011-05-02 02:16 . 2009-04-20 22:40 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2011-05-02 02:15 . 2005-01-13 01:53 57344 ----a-w- c:\windows\system32\Big Kahuna Reef.scr
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\programdata\bKn31001gBoCo31001 ----
.
2011-04-11 19:10 . 2011-04-11 19:10 192 ----a-w- c:\programdata\bKn31001gBoCo31001\bKn31001gBoCo31001
.
---- Directory of c:\programdata\mC31002NmJoG31002 ----
.
2011-04-30 21:15 . 2011-04-30 21:17 192 ----a-w- c:\programdata\mC31002NmJoG31002\mC31002NmJoG31002
.
---- Directory of c:\programdata\nDf31001eMpGp31001 ----
.
2011-04-14 13:46 . 2011-04-14 13:46 192 ----a-w- c:\programdata\nDf31001eMpGp31001\nDf31001eMpGp31001
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-07-29 21:52 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VaultIcon1]
@="{B976888E-DC7B-456C-A62F-44EA07ED231F}"
[HKEY_CLASSES_ROOT\CLSID\{B976888E-DC7B-456C-A62F-44EA07ED231F}]
2010-01-17 23:08 503808 ----a-w- c:\program files\Personal Vault Backup Manager\VaultClientMenu.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acer Empowering Technology Monitor"="c:\program files\Acer\Empowering Technology\SysMonitor.exe" [2008-06-02 319488]
"EmpoweringTechnology"="c:\program files\Acer\Empowering Technology\Framework.Launcher.exe" [2008-06-02 319488]
"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-07-29 526896]
"Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2011-05-02 1261568]
"D-Link D-Link DWA-125"="c:\program files\D-Link\DWA-125 revA\AirGCFG.exe" [2009-10-19 995328]
"BellCanada_McciTrayApp"="c:\program files\BellCanada\McciTrayApp.exe" [2010-01-19 1565696]
"BISA.exe"="c:\program files\Bell\Internet Service Advisor\BISA.exe" [2010-01-13 4281584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
.
c:\users\geoff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-5-13 576000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-05-02 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Radialpoint Security Services]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
2011-05-02 01:51 3387392 ----a-w- c:\program files\Acer\Acer Registration\ACE1.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 17:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-30 15:45 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]
2011-05-02 01:57 77824 ----a-w- c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2011-05-02 01:57 311296 ----a-w- c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
2006-10-23 17:54 56128 ----a-w- c:\windows\System32\ico.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMMediaSharing]
2008-05-20 21:50 204908 ----a-w- c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2011-05-02 02:14 6144000 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Setresolution]
2008-02-26 22:29 240 ----a-w- c:\acer\Config\1440X900.CMD
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2011-05-02 01:57 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WZCSLDR2]
2011-05-02 02:01 122880 ----a-w- c:\program files\D-Link\DWA-125 revA\WZCSLDR2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
2;2 D_Link_DWA-125;D_Link_DWA-125 Service;c:\program files\D-Link\DWA-125 revA\ANIWZCSdS.exe [x]
R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 MSMQSVC;Message Queuing Service;c:\windows\system32\mqsv32.exe [x]
R2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe RadialpointIDSAgent [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-11-23 7408]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-01-27 691696]
S1 anodlwf;ANOD Network Security Filter driver;c:\windows\system32\DRIVERS\anodlwf.sys [2009-03-06 12800]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-11-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-11-23 74480]
S2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [2008-05-20 269448]
S2 D_Link_DWA-125_WPS;D_Link_DWA-125_WPS Service;c:\program files\D-Link\DWA-125 revA\ANIWConnService.exe [2009-07-07 40960]
S2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-06-02 24576]
S2 Radialpoint Security Services;Bell Internet Security Services;c:\program files\Bell\Bell Internet Security Services\RpsSecurityAwareR.exe [2010-01-18 165408]
S2 ServicepointService;ServicepointService;c:\program files\Bell\Internet Service Advisor\ServicepointService.exe [2010-01-13 689392]
S2 VaultClientSRV;Personal Vault Backup Manager Service;c:\program files\Personal Vault Backup Manager\VaultClientSRV.exe [2010-01-17 1051728]
S2 VaultClientUpgrade;Personal Vault Backup Manager Upgrade Service;c:\program files\Personal Vault Backup Manager\VaultClientUpgrade.exe [2010-01-17 56400]
S3 netr28u;D-Link dnetr28u USB Extensible Wireless LAN Card Driver;c:\windows\system32\DRIVERS\Dnetr28u.sys [2009-09-15 798208]
S3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys [2009-11-02 122376]
S3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\drivers\AVGIDSFilter.sys [2009-11-02 30216]
S3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys [2009-11-02 27800]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 074FF0C4
*NewlyCreated* - 2DEEC74C
*NewlyCreated* - 96C0F86D
*Deregistered* - 074ff0c4
*Deregistered* - 2deec74c
*Deregistered* - 96c0f86d
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
bdx REG_MULTI_SZ scan sysagent
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sympatico.ca/
mStart Page = about:blank
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: {535B8C3A-C6E0-40EF-A618-94E961B89A1A} = 192.168.2.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-08 21:33
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2035741258-2230102944-2969920155-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:67,47,0f,3a,4b,03,ee,8c,40,1b,90,fd,95,1f,da,c0,ae,db,ba,ed,6e,8d,94,
21,d1,03,f4,7c,59,b5,7d,ca,d6,17,dc,6a,ed,de,0b,18,0d,db,87,16,62,a2,f6,a9,\
"??"=hex:3c,46,be,02,dd,41,6a,66,be,c0,c6,02,17,6a,f1,4b
.
[HKEY_USERS\S-1-5-21-2035741258-2230102944-2969920155-1000\Software\SecuROM\License information*]
"datasecu"=hex:38,c3,4c,de,2c,88,ed,ef,f1,89,d7,c3,ba,12,e8,9d,11,0c,cf,4e,fd,
33,31,ad,11,15,ff,51,19,57,9f,9f,77,0a,e7,1a,98,76,3c,96,13,66,85,0c,fa,8e,\
"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2276)
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
c:\program files\Personal Vault Backup Manager\VaultClientMenu.dll
c:\program files\Personal Vault Backup Manager\LIBEXPAT.dll
c:\program files\Personal Vault Backup Manager\VaultClientCOM.dll
.
Completion time: 2011-05-08 21:35:02
ComboFix-quarantined-files.txt 2011-05-09 01:35
ComboFix2.txt 2011-05-08 23:27
.
Pre-Run: 53,911,576,576 bytes free
Post-Run: 53,678,260,224 bytes free
.
- - End Of File - - 14ED55BF29CA2162A94AF10BD424582D

Malwarebytes Anti-Malware Log

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6534

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

08/05/2011 9:43:57 PM
mbam-log-2011-05-08 (21-43-57).txt

Scan type: Quick scan
Objects scanned: 151126
Time elapsed: 3 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Registry Helper (Rogue.RegistryHelper) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_Application (Hijacker.Application) -> Value: bak_Application -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions\ClickPotatoLite@ClickPotatoLite.com (Adware.ClickPotato) -> Value: ClickPotatoLite@ClickPotatoLite.com -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\Application (Hijacker.Application) -> Bad: (http://www.helpmeopen.com/?n=app&ext=%s) Good: (http://shell.windows.com/fileassoc/%04x/xml/redir.asp?Ext=%s) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

and ESETSCAN Log

C:\Qoobox\Quarantine\C\ProgramData\41017096.exe.vir a variant of Win32/Kryptik.MQP trojan
C:\Qoobox\Quarantine\C\ProgramData\yelHNrXgoh.exe.vir a variant of Win32/Kryptik.MQP trojan

#8 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,856
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 09 May 2011 - 05:49 PM

Hi,Please do the following:
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic393903.html/page__view__findpost__p__2239640

Collect::
c:\programdata\bKn31001gBoCo31001\bKn31001gBoCo31001
c:\programdata\mC31002NmJoG31002\mC31002NmJoG31002
c:\programdata\nDf31001eMpGp31001\nDf31001eMpGp31001


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT

Posted Image
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 25 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 25 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u25 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u25-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#9 User is offline   geoph 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 8
  • Joined: 26-April 11

Posted 09 May 2011 - 07:42 PM

Combofix Log

ComboFix 11-05-09.01 - geoff 09/05/2011 19:45:28.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2814.1459 [GMT -4:00]
Running from: c:\users\geoff\Desktop\ComboFix.exe
Command switches used :: c:\users\geoff\Desktop\CFScript.txt
AV: Bell Internet Security Services Anti-Virus *Disabled/Updated* {A61154FD-4365-E00F-9A33-13A09AD54B56}
FW: Bell Internet Security Services Firewall *Disabled* {9E2AD5D8-090A-E157-B16C-BA9564060C2D}
SP: Bell Internet Security Services Anti-Spyware *Disabled/Updated* {1D70B519-655F-EF81-A083-28D2E15201EB}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
file zipped: c:\programdata\bKn31001gBoCo31001\bKn31001gBoCo31001
file zipped: c:\programdata\mC31002NmJoG31002\mC31002NmJoG31002
file zipped: c:\programdata\nDf31001eMpGp31001\nDf31001eMpGp31001
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\bKn31001gBoCo31001\bKn31001gBoCo31001
c:\programdata\mC31002NmJoG31002\mC31002NmJoG31002
c:\programdata\nDf31001eMpGp31001\nDf31001eMpGp31001
.
.
((((((((((((((((((((((((( Files Created from 2011-04-09 to 2011-05-09 )))))))))))))))))))))))))))))))
.
.
2011-05-09 23:52 . 2011-05-09 23:55 -------- d-----w- c:\users\geoff\AppData\Local\temp
2011-05-09 23:52 . 2011-05-09 23:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-09 15:29 . 2011-05-09 15:31 -------- d-----w- c:\users\geoff\AppData\Local\{9BE06DB6-1709-4345-8E4D-20F1C0037877}
2011-05-09 15:29 . 2011-05-09 15:29 -------- d-----w- c:\users\geoff\AppData\Local\{A57A1F7E-2E53-4F7F-B26A-AC68D8E5F471}
2011-05-09 01:53 . 2011-05-09 01:53 -------- d-----w- c:\program files\ESET
2011-05-09 01:38 . 2011-05-09 01:38 -------- d-----w- c:\users\geoff\AppData\Roaming\Malwarebytes
2011-05-09 01:38 . 2011-05-09 01:38 -------- d-----w- c:\programdata\Malwarebytes
2011-05-09 01:38 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-09 01:38 . 2011-05-09 01:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-09 01:38 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-09 00:34 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-05-09 00:34 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-05-09 00:34 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-05-09 00:31 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DC9E9134-26F1-4BF7-9039-BD22020A990A}\mpengine.dll
2011-04-30 21:15 . 2011-05-09 23:52 -------- d-----w- c:\programdata\mC31002NmJoG31002
2011-04-26 15:28 . 2011-04-26 15:28 388096 ----a-r- c:\users\geoff\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-23 14:23 . 2011-04-23 14:23 -------- d-----w- c:\program files\GOG.com
2011-04-23 02:54 . 2011-04-23 03:34 -------- d-----w- c:\users\geoff\FrostWire
2011-04-22 22:17 . 2011-04-22 22:17 -------- d-----w- c:\program files\1C
2011-04-22 13:49 . 2011-04-22 13:49 -------- d-----w- c:\windows\CheckSur
2011-04-17 23:22 . 2011-05-02 02:00 696320 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll
2011-04-17 23:22 . 2011-05-02 02:00 57344 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll
2011-04-17 23:22 . 2011-05-02 02:00 237568 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll
2011-04-17 23:22 . 2011-05-02 02:00 155648 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll
2011-04-17 23:22 . 2011-04-17 23:22 282756 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll
2011-04-17 23:22 . 2011-04-17 23:22 163972 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll
2011-04-17 23:22 . 2002-12-02 19:22 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe
2011-04-16 16:09 . 2011-03-03 15:42 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-16 16:08 . 2011-03-03 10:50 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-04-16 14:23 . 2011-04-16 14:23 -------- d-----w- c:\program files\uTorrent
2011-04-16 14:22 . 2011-05-09 15:51 -------- d-----w- c:\users\geoff\AppData\Roaming\uTorrent
2011-04-16 14:15 . 2011-04-16 14:15 -------- d-----w- C:\extensions
2011-04-15 20:46 . 2011-04-15 20:46 -------- d-----w- c:\users\geoff\AppData\Roaming\AVG10
2011-04-15 20:45 . 2011-04-15 20:45 -------- d-----w- c:\programdata\Common Files
2011-04-15 20:43 . 2011-05-09 00:25 -------- d-----w- c:\programdata\AVG10
2011-04-15 20:42 . 2011-05-02 15:59 -------- d-----w- c:\program files\AVG
2011-04-15 20:39 . 2011-05-09 00:23 -------- d-----w- c:\programdata\MFAData
2011-04-14 13:46 . 2011-05-09 23:52 -------- d-----w- c:\programdata\nDf31001eMpGp31001
2011-04-11 19:10 . 2011-05-09 23:52 -------- d-----w- c:\programdata\bKn31001gBoCo31001
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-02 02:21 . 2006-11-02 08:11 40960 ----a-w- c:\windows\system32\cliconfg.rll
2011-05-02 02:20 . 2006-11-02 06:37 20480 ----a-w- c:\windows\system32\drivers\secdrv.sys
2011-05-02 02:19 . 2009-05-28 21:29 299008 ----a-w- c:\windows\uninst.exe
2011-05-02 02:19 . 2011-03-30 01:45 114688 ----a-w- c:\windows\system32\xMouse.cpl
2011-05-02 02:19 . 2009-06-07 16:24 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2011-05-02 02:19 . 2009-05-01 00:11 53248 ----a-w- c:\windows\system32\xvid.ax
2011-05-02 02:19 . 2008-08-26 22:11 987136 ----a-w- c:\windows\system32\VSFilter.dll
2011-05-02 02:19 . 2008-08-21 20:52 1777664 ----a-w- c:\windows\system32\WavesLib.dll
2011-05-02 02:19 . 2005-07-26 13:56 53248 ----a-w- c:\windows\system32\vp7dec_settings.cpl
2011-05-02 02:19 . 2005-07-26 13:56 233472 ----a-w- c:\windows\system32\vp7dec.ax
2011-05-02 02:19 . 2004-12-10 09:06 327680 ----a-w- c:\windows\system32\vp6dec.ax
2011-05-02 02:19 . 2004-12-10 09:03 438272 ----a-w- c:\windows\system32\vp6vfw.dll
2011-05-02 02:19 . 2004-02-17 10:11 53248 ----a-w- c:\windows\system32\vp6dec_settings.cpl
2011-05-02 02:19 . 2011-03-30 01:45 28672 ----a-w- c:\windows\system32\UnInst.exe
2011-05-02 02:19 . 2011-03-30 01:45 126976 ----a-w- c:\windows\system32\Twister.DLL
2011-05-02 02:19 . 2009-05-01 21:02 200704 ----a-w- c:\windows\system32\ssldivx.dll
2011-05-02 02:19 . 2008-08-21 20:52 339968 ----a-w- c:\windows\system32\SRSTSXT.dll
2011-05-02 02:19 . 2008-08-21 20:52 167936 ----a-w- c:\windows\system32\SRSHP360.dll
2011-05-02 02:19 . 2008-08-21 20:52 135168 ----a-w- c:\windows\system32\SRSWOW.dll
2011-05-02 02:19 . 2004-09-08 18:03 86016 ----a-w- c:\windows\system32\sl_anet.acm
2011-05-02 02:19 . 2011-03-30 01:45 45056 ----a-w- c:\windows\system32\SetupNT.exe
2011-05-02 02:19 . 2008-08-21 20:52 540672 ----a-w- c:\windows\system32\RTSndMgr.cpl
2011-05-02 02:19 . 2008-08-21 20:52 32768 ----a-w- c:\windows\system32\RtkCoInst.dll
2011-05-02 02:19 . 2010-08-25 00:09 389120 ----a-w- c:\windows\system32\RegistryHelperLM.ocx
2011-05-02 02:19 . 2004-04-27 15:03 49152 ----a-w- c:\windows\system32\RLOFRDec.ax
2011-05-02 02:19 . 2011-03-30 01:45 40960 ----a-w- c:\windows\system32\PMTilt3.DLL
2011-05-02 02:19 . 2011-03-30 01:45 36864 ----a-w- c:\windows\system32\PMUninNT.exe
2011-05-02 02:19 . 2011-03-30 01:45 229376 ----a-w- c:\windows\system32\PMUninst.exe
2011-05-02 02:19 . 2010-09-30 00:15 221184 ----a-w- c:\windows\system32\RaCoInst.dll
2011-05-02 02:19 . 2011-03-30 01:45 69632 ----a-w- c:\windows\system32\pelhooks.dll
2011-05-02 02:19 . 2011-03-30 01:45 49152 ----a-w- c:\windows\system32\pmpopo.dll
2011-05-02 02:19 . 2011-03-30 01:45 36864 ----a-w- c:\windows\system32\pelcomm.dll
2011-05-02 02:19 . 2011-03-30 01:45 241664 ----a-w- c:\windows\system32\pelutil.dll
2011-05-02 02:19 . 2011-03-30 01:45 114688 ----a-w- c:\windows\system32\pelscrll.dll
2011-05-02 02:19 . 2011-03-30 01:45 94208 ----a-w- c:\windows\system32\Pelzoom.dll
2011-05-02 02:19 . 2011-03-30 01:45 303104 ----a-w- c:\windows\system32\PelSetup.exe
2011-05-02 02:19 . 2011-03-30 01:45 24576 ----a-w- c:\windows\system32\Pelsetup.dll
2011-05-02 02:19 . 2011-03-30 01:45 65536 ----a-w- c:\windows\system32\PMIBM.DLL
2011-05-02 02:19 . 2011-03-30 01:45 45056 ----a-w- c:\windows\system32\PMMO32R.DLL
2011-05-02 02:19 . 2011-03-30 01:45 40960 ----a-w- c:\windows\system32\PMTILT.DLL
2011-05-02 02:19 . 2011-03-30 01:45 45056 ----a-w- c:\windows\system32\PELRESS.DLL
2011-05-02 02:19 . 2011-03-30 01:45 151552 ----a-w- c:\windows\system32\PELMICED.EXE
2011-05-02 02:19 . 2004-04-20 22:00 172032 ----a-w- c:\windows\system32\OptimFROG.dll
2011-05-02 02:19 . 2008-08-30 09:58 262144 ----a-w- c:\windows\system32\Oemdspif.dll
2011-05-02 02:19 . 2011-03-30 01:45 241664 ----a-w- c:\windows\system32\Notifier.dll
2011-05-02 02:19 . 2001-12-26 20:12 65536 ----a-w- c:\windows\system32\multiplex_vcd.dll
2011-05-02 02:19 . 2009-04-20 22:40 544768 ----a-w- c:\windows\system32\msvcr71d.dll
2011-05-02 02:19 . 2009-01-03 00:55 487424 ----a-w- c:\windows\system32\msvcp70.dll
2011-05-02 02:19 . 2009-01-03 00:55 24576 ----a-w- c:\windows\system32\msxml3a.dll
2011-05-02 02:19 . 2008-08-21 20:56 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-05-02 02:19 . 2008-08-21 20:56 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-05-02 02:19 . 2002-01-05 07:37 344064 ----a-w- c:\windows\system32\msvcr70.dll
2011-05-02 02:18 . 2009-11-14 18:11 24576 ----a-w- c:\windows\system32\mkunicode.dll
2011-05-02 02:18 . 2009-01-10 22:15 159744 ----a-w- c:\windows\system32\mmfinfo.dll
2011-05-02 02:18 . 2009-04-20 22:40 2179072 ----a-w- c:\windows\system32\mfc71d.dll
2011-05-02 02:18 . 2009-01-03 00:55 974848 ----a-w- c:\windows\system32\mfc70.dll
2011-05-02 02:18 . 2008-08-21 20:56 1060864 ----a-w- c:\windows\system32\MFC71.dll
2011-05-02 02:18 . 2008-08-21 20:52 1933312 ----a-w- c:\windows\system32\MaxxAudioEQ.dll
2011-05-02 02:18 . 2008-08-21 20:52 159744 ----a-w- c:\windows\system32\MaxxAudioAPO20.dll
2011-05-02 02:18 . 2008-08-21 20:52 126976 ----a-w- c:\windows\system32\MaxxAudioAPO.dll
2011-05-02 02:18 . 2007-01-17 16:24 2830336 ----a-w- c:\windows\system32\LS_HSI.msi
2011-05-02 02:18 . 2011-03-30 01:45 61440 ----a-w- c:\windows\system32\LaunHelp.exe
2011-05-02 02:18 . 2009-05-01 21:02 1044480 ----a-w- c:\windows\system32\libdivx.dll
2011-05-02 02:18 . 2009-05-01 00:11 98304 ----a-w- c:\windows\system32\L3CODECX.AX
2011-05-02 02:18 . 2008-09-24 20:41 839680 ----a-w- c:\windows\system32\lameACM.acm
2011-05-02 02:18 . 2008-08-21 20:57 487424 ----a-w- c:\windows\system32\INT15.dll
2011-05-02 02:18 . 2006-04-17 13:37 3956736 ----a-w- c:\windows\system32\IVIVIDEO.ax
2011-05-02 02:18 . 2011-03-30 01:45 57344 ----a-w- c:\windows\system32\iconspy.exe
2011-05-02 02:18 . 2011-03-30 01:45 225280 ----a-w- c:\windows\system32\HPppm.dll
2011-05-02 02:18 . 2011-03-30 01:45 290816 ----a-w- c:\windows\system32\HPWHEEL.dll
2011-05-02 02:18 . 2010-07-13 22:45 364544 ----a-w- c:\windows\system32\hppldcoi.dll
2011-05-02 02:18 . 2007-07-05 01:33 892928 ----a-w- c:\windows\system32\iconv.dll
2011-05-02 02:18 . 2010-07-13 22:45 675840 ----a-w- c:\windows\system32\hpowiax3.dll
2011-05-02 02:18 . 2010-07-13 22:45 569344 ----a-w- c:\windows\system32\hpotscl3.dll
2011-05-02 02:18 . 2010-07-13 22:45 303104 ----a-w- c:\windows\system32\hpovst10.dll
2011-05-02 02:18 . 2001-09-04 03:46 110592 ----a-w- c:\windows\system32\Hmpg12.dll
2011-05-02 02:18 . 2001-07-30 20:33 118784 ----a-w- c:\windows\system32\HMPV2_ENC.dll
2011-05-02 02:18 . 2001-07-24 02:04 118784 ----a-w- c:\windows\system32\HMPV2_ENC_MMX.dll
2011-05-02 02:18 . 2006-12-15 23:22 1712128 ----a-w- c:\windows\system32\GdiPlus.dll
2011-05-02 02:18 . 2008-08-21 20:52 143360 ----a-w- c:\windows\system32\FMAPO.dll
2011-05-02 02:18 . 2010-03-03 00:00 151552 ----a-w- c:\windows\system32\ff_libmad.dll
2011-05-02 02:18 . 2011-03-30 01:45 45056 ----a-w- c:\windows\system32\ergo5b.dll
2011-05-02 02:18 . 2011-03-30 01:45 77824 ----a-w- c:\windows\system32\Dynex5B.dll
2011-05-02 02:18 . 2009-11-14 18:33 249856 ----a-w- c:\windows\system32\dxr.dll
2011-05-02 02:18 . 2008-11-29 18:30 290816 ----a-w- c:\windows\system32\dtsac3source.ax
2011-05-02 02:18 . 2006-11-02 08:51 12288 ----a-w- c:\windows\system32\drivers\sffp_mmc.sys
2011-05-02 02:18 . 2006-11-02 08:30 40960 ----a-w- c:\windows\system32\drivers\processr.sys
2011-05-02 02:18 . 2008-01-21 02:23 118784 ----a-w- c:\windows\system32\drivers\E1G60I32.sys
2011-05-02 02:18 . 2008-01-21 02:23 20480 ----a-w- c:\windows\system32\drivers\flpydisk.sys
2011-05-02 02:18 . 2006-11-02 08:30 40960 ----a-w- c:\windows\system32\drivers\crusoe.sys
2011-05-02 02:18 . 2008-08-30 08:56 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-05-02 02:18 . 2009-11-14 00:49 532480 ----a-w- c:\windows\system32\DivXsm.exe
2011-05-02 02:18 . 2009-11-14 00:47 999424 ----a-w- c:\windows\system32\divxdec.ax
2011-05-02 02:18 . 2008-08-05 21:59 57344 ----a-w- c:\windows\system32\dpv11.dll
2011-05-02 02:18 . 2008-03-09 09:31 245760 ----a-w- c:\windows\system32\DCBassSource.ax
2011-05-02 02:18 . 2005-07-09 19:12 241664 ----a-w- c:\windows\system32\CoreVorbis.ax
2011-05-02 02:16 . 2009-04-20 22:40 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2011-05-02 02:15 . 2005-01-13 01:53 57344 ----a-w- c:\windows\system32\Big Kahuna Reef.scr
2011-05-02 02:15 . 2008-08-30 09:15 9838592 ----a-w- c:\windows\system32\atioglxx.dll
2011-05-02 02:15 . 2009-02-25 21:36 425984 ----a-w- c:\windows\system32\ATIDEMGX.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-07-29 21:52 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VaultIcon1]
@="{B976888E-DC7B-456C-A62F-44EA07ED231F}"
[HKEY_CLASSES_ROOT\CLSID\{B976888E-DC7B-456C-A62F-44EA07ED231F}]
2010-01-17 23:08 503808 ----a-w- c:\program files\Personal Vault Backup Manager\VaultClientMenu.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acer Empowering Technology Monitor"="c:\program files\Acer\Empowering Technology\SysMonitor.exe" [2008-06-02 319488]
"EmpoweringTechnology"="c:\program files\Acer\Empowering Technology\Framework.Launcher.exe" [2008-06-02 319488]
"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-07-29 526896]
"Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2011-05-02 1261568]
"D-Link D-Link DWA-125"="c:\program files\D-Link\DWA-125 revA\AirGCFG.exe" [2009-10-19 995328]
"BellCanada_McciTrayApp"="c:\program files\BellCanada\McciTrayApp.exe" [2010-01-19 1565696]
"BISA.exe"="c:\program files\Bell\Internet Service Advisor\BISA.exe" [2010-01-13 4281584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-05-02 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Radialpoint Security Services]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^geoff^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\users\geoff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
2011-05-02 01:51 3387392 ----a-w- c:\program files\Acer\Acer Registration\ACE1.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 17:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-30 15:45 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]
2011-05-02 01:57 77824 ----a-w- c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2011-05-02 01:57 311296 ----a-w- c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-12-20 22:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
2006-10-23 17:54 56128 ----a-w- c:\windows\System32\ico.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMMediaSharing]
2008-05-20 21:50 204908 ----a-w- c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2011-05-02 02:14 6144000 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Setresolution]
2008-02-26 22:29 240 ----a-w- c:\acer\Config\1440X900.CMD
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2011-05-02 01:57 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WZCSLDR2]
2011-05-02 02:01 122880 ----a-w- c:\program files\D-Link\DWA-125 revA\WZCSLDR2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
2;2 D_Link_DWA-125;D_Link_DWA-125 Service;c:\program files\D-Link\DWA-125 revA\ANIWZCSdS.exe [x]
R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 MSMQSVC;Message Queuing Service;c:\windows\system32\mqsv32.exe [x]
R2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe RadialpointIDSAgent [x]
R3 CFcatchme;CFcatchme;c:\users\geoff\AppData\Local\Temp\CFcatchme.sys [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-11-23 7408]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-01-27 691696]
S1 anodlwf;ANOD Network Security Filter driver;c:\windows\system32\DRIVERS\anodlwf.sys [2009-03-06 12800]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-11-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-11-23 74480]
S2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [2008-05-20 269448]
S2 D_Link_DWA-125_WPS;D_Link_DWA-125_WPS Service;c:\program files\D-Link\DWA-125 revA\ANIWConnService.exe [2009-07-07 40960]
S2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-06-02 24576]
S2 Radialpoint Security Services;Bell Internet Security Services;c:\program files\Bell\Bell Internet Security Services\RpsSecurityAwareR.exe [2010-01-18 165408]
S2 ServicepointService;ServicepointService;c:\program files\Bell\Internet Service Advisor\ServicepointService.exe [2010-01-13 689392]
S2 VaultClientSRV;Personal Vault Backup Manager Service;c:\program files\Personal Vault Backup Manager\VaultClientSRV.exe [2010-01-17 1051728]
S2 VaultClientUpgrade;Personal Vault Backup Manager Upgrade Service;c:\program files\Personal Vault Backup Manager\VaultClientUpgrade.exe [2010-01-17 56400]
S3 netr28u;D-Link dnetr28u USB Extensible Wireless LAN Card Driver;c:\windows\system32\DRIVERS\Dnetr28u.sys [2009-09-15 798208]
S3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys [2009-11-02 122376]
S3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\drivers\AVGIDSFilter.sys [2009-11-02 30216]
S3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys [2009-11-02 27800]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ACE0C741
*Deregistered* - ace0c741
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
bdx REG_MULTI_SZ scan sysagent
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sympatico.ca/
mStart Page = about:blank
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: {535B8C3A-C6E0-40EF-A618-94E961B89A1A} = 192.168.2.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-09 19:54
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2035741258-2230102944-2969920155-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:67,47,0f,3a,4b,03,ee,8c,40,1b,90,fd,95,1f,da,c0,ae,db,ba,ed,6e,8d,94,
21,d1,03,f4,7c,59,b5,7d,ca,d6,17,dc,6a,ed,de,0b,18,0d,db,87,16,62,a2,f6,a9,\
"??"=hex:3c,46,be,02,dd,41,6a,66,be,c0,c6,02,17,6a,f1,4b
.
[HKEY_USERS\S-1-5-21-2035741258-2230102944-2969920155-1000\Software\SecuROM\License information*]
"datasecu"=hex:38,c3,4c,de,2c,88,ed,ef,f1,89,d7,c3,ba,12,e8,9d,11,0c,cf,4e,fd,
33,31,ad,11,15,ff,51,19,57,9f,9f,77,0a,e7,1a,98,76,3c,96,13,66,85,0c,fa,8e,\
"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2160)
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
c:\program files\Personal Vault Backup Manager\VaultClientMenu.dll
c:\program files\Personal Vault Backup Manager\LIBEXPAT.dll
c:\program files\Personal Vault Backup Manager\VaultClientCOM.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Bell\Bell Internet Security Services\Fws.exe
c:\program files\Bell\Bell Internet Security Services\rps.exe
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\UI0Detect.exe
c:\windows\system32\conime.exe
.
**************************************************************************
.
Completion time: 2011-05-09 19:59:18 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-09 23:59
ComboFix2.txt 2011-05-09 01:35
ComboFix3.txt 2011-05-08 23:27
.
Pre-Run: 79,001,640,960 bytes free
Post-Run: 78,772,731,904 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=3 Sets=1,2,3,30
- - End Of File - - 951695542624723BBEA78F3CCF4B8DAA
Upload was successful

#10 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,856
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 09 May 2011 - 08:02 PM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Folder::
c:\users\geoff\AppData\Local\{9BE06DB6-1709-4345-8E4D-20F1C0037877}
c:\users\geoff\AppData\Local\{A57A1F7E-2E53-4F7F-B26A-AC68D8E5F471}
c:\programdata\mC31002NmJoG31002
c:\programdata\nDf31001eMpGp31001
c:\programdata\bKn31001gBoCo31001


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT

Please advise how the computer is running now and if there are any outstanding issues
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#11 User is offline   geoph 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 8
  • Joined: 26-April 11

Posted 10 May 2011 - 05:17 PM

ComboFix 11-05-09.04 - geoff 10/05/2011 17:59:37.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2814.1659 [GMT -4:00]
Running from: c:\users\geoff\Desktop\ComboFix.exe
Command switches used :: c:\users\geoff\Desktop\cfscript.txt
AV: Bell Internet Security Services Anti-Virus *Disabled/Updated* {A61154FD-4365-E00F-9A33-13A09AD54B56}
FW: Bell Internet Security Services Firewall *Disabled* {9E2AD5D8-090A-E157-B16C-BA9564060C2D}
SP: Bell Internet Security Services Anti-Spyware *Disabled/Updated* {1D70B519-655F-EF81-A083-28D2E15201EB}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-10 to 2011-05-10 )))))))))))))))))))))))))))))))
.
.
2011-05-10 22:06 . 2011-05-10 22:06 -------- d-----w- c:\users\geoff\AppData\Local\temp
2011-05-10 22:06 . 2011-05-10 22:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-10 20:56 . 2011-04-07 12:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-05-10 20:55 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F0A610B6-EDB9-4E29-BFAA-B801CAAE4449}\mpengine.dll
2011-05-10 00:23 . 2011-05-10 00:23 -------- d-----w- c:\users\geoff\AppData\Local\VS Revo Group
2011-05-10 00:23 . 2009-12-30 15:21 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys
2011-05-10 00:23 . 2011-05-10 00:23 -------- d-----w- c:\program files\VS Revo Group
2011-05-09 01:53 . 2011-05-09 01:53 -------- d-----w- c:\program files\ESET
2011-05-09 01:38 . 2011-05-09 01:38 -------- d-----w- c:\users\geoff\AppData\Roaming\Malwarebytes
2011-05-09 01:38 . 2011-05-09 01:38 -------- d-----w- c:\programdata\Malwarebytes
2011-05-09 01:38 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-09 01:38 . 2011-05-09 01:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-09 01:38 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-09 00:34 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-05-09 00:34 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-05-09 00:34 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-04-26 15:28 . 2011-04-26 15:28 388096 ----a-r- c:\users\geoff\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-23 02:54 . 2011-04-23 03:34 -------- d-----w- c:\users\geoff\FrostWire
2011-04-22 13:49 . 2011-04-22 13:49 -------- d-----w- c:\windows\CheckSur
2011-04-17 23:22 . 2011-05-02 02:00 696320 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll
2011-04-17 23:22 . 2011-05-02 02:00 57344 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll
2011-04-17 23:22 . 2011-05-02 02:00 237568 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll
2011-04-17 23:22 . 2011-05-02 02:00 155648 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll
2011-04-17 23:22 . 2011-04-17 23:22 282756 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll
2011-04-17 23:22 . 2011-04-17 23:22 163972 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll
2011-04-17 23:22 . 2002-12-02 19:22 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe
2011-04-16 16:09 . 2011-03-03 15:42 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-16 14:23 . 2011-04-16 14:23 -------- d-----w- c:\program files\uTorrent
2011-04-16 14:22 . 2011-05-10 21:17 -------- d-----w- c:\users\geoff\AppData\Roaming\uTorrent
2011-04-16 14:15 . 2011-04-16 14:15 -------- d-----w- C:\extensions
2011-04-15 20:46 . 2011-04-15 20:46 -------- d-----w- c:\users\geoff\AppData\Roaming\AVG10
2011-04-15 20:45 . 2011-04-15 20:45 -------- d-----w- c:\programdata\Common Files
2011-04-15 20:43 . 2011-05-09 00:25 -------- d-----w- c:\programdata\AVG10
2011-04-15 20:42 . 2011-05-02 15:59 -------- d-----w- c:\program files\AVG
2011-04-15 20:39 . 2011-05-09 00:23 -------- d-----w- c:\programdata\MFAData
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-10 00:36 . 2010-06-11 23:12 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-02 02:21 . 2006-11-02 08:11 40960 ----a-w- c:\windows\system32\cliconfg.rll
2011-05-02 02:20 . 2006-11-02 06:37 20480 ----a-w- c:\windows\system32\drivers\secdrv.sys
2011-05-02 02:19 . 2009-05-28 21:29 299008 ----a-w- c:\windows\uninst.exe
2011-05-02 02:19 . 2011-03-30 01:45 114688 ----a-w- c:\windows\system32\xMouse.cpl
2011-05-02 02:19 . 2009-06-07 16:24 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2011-05-02 02:19 . 2009-05-01 00:11 53248 ----a-w- c:\windows\system32\xvid.ax
2011-05-02 02:19 . 2008-08-26 22:11 987136 ----a-w- c:\windows\system32\VSFilter.dll
2011-05-02 02:19 . 2008-08-21 20:52 1777664 ----a-w- c:\windows\system32\WavesLib.dll
2011-05-02 02:19 . 2005-07-26 13:56 53248 ----a-w- c:\windows\system32\vp7dec_settings.cpl
2011-05-02 02:19 . 2005-07-26 13:56 233472 ----a-w- c:\windows\system32\vp7dec.ax
2011-05-02 02:19 . 2004-12-10 09:06 327680 ----a-w- c:\windows\system32\vp6dec.ax
2011-05-02 02:19 . 2004-12-10 09:03 438272 ----a-w- c:\windows\system32\vp6vfw.dll
2011-05-02 02:19 . 2004-02-17 10:11 53248 ----a-w- c:\windows\system32\vp6dec_settings.cpl
2011-05-02 02:19 . 2011-03-30 01:45 28672 ----a-w- c:\windows\system32\UnInst.exe
2011-05-02 02:19 . 2011-03-30 01:45 126976 ----a-w- c:\windows\system32\Twister.DLL
2011-05-02 02:19 . 2009-05-01 21:02 200704 ----a-w- c:\windows\system32\ssldivx.dll
2011-05-02 02:19 . 2008-08-21 20:52 339968 ----a-w- c:\windows\system32\SRSTSXT.dll
2011-05-02 02:19 . 2008-08-21 20:52 167936 ----a-w- c:\windows\system32\SRSHP360.dll
2011-05-02 02:19 . 2008-08-21 20:52 135168 ----a-w- c:\windows\system32\SRSWOW.dll
2011-05-02 02:19 . 2004-09-08 18:03 86016 ----a-w- c:\windows\system32\sl_anet.acm
2011-05-02 02:19 . 2011-03-30 01:45 45056 ----a-w- c:\windows\system32\SetupNT.exe
2011-05-02 02:19 . 2008-08-21 20:52 540672 ----a-w- c:\windows\system32\RTSndMgr.cpl
2011-05-02 02:19 . 2008-08-21 20:52 32768 ----a-w- c:\windows\system32\RtkCoInst.dll
2011-05-02 02:19 . 2010-08-25 00:09 389120 ----a-w- c:\windows\system32\RegistryHelperLM.ocx
2011-05-02 02:19 . 2004-04-27 15:03 49152 ----a-w- c:\windows\system32\RLOFRDec.ax
2011-05-02 02:19 . 2011-03-30 01:45 40960 ----a-w- c:\windows\system32\PMTilt3.DLL
2011-05-02 02:19 . 2011-03-30 01:45 36864 ----a-w- c:\windows\system32\PMUninNT.exe
2011-05-02 02:19 . 2011-03-30 01:45 229376 ----a-w- c:\windows\system32\PMUninst.exe
2011-05-02 02:19 . 2010-09-30 00:15 221184 ----a-w- c:\windows\system32\RaCoInst.dll
2011-05-02 02:19 . 2011-03-30 01:45 69632 ----a-w- c:\windows\system32\pelhooks.dll
2011-05-02 02:19 . 2011-03-30 01:45 49152 ----a-w- c:\windows\system32\pmpopo.dll
2011-05-02 02:19 . 2011-03-30 01:45 36864 ----a-w- c:\windows\system32\pelcomm.dll
2011-05-02 02:19 . 2011-03-30 01:45 241664 ----a-w- c:\windows\system32\pelutil.dll
2011-05-02 02:19 . 2011-03-30 01:45 114688 ----a-w- c:\windows\system32\pelscrll.dll
2011-05-02 02:19 . 2011-03-30 01:45 94208 ----a-w- c:\windows\system32\Pelzoom.dll
2011-05-02 02:19 . 2011-03-30 01:45 303104 ----a-w- c:\windows\system32\PelSetup.exe
2011-05-02 02:19 . 2011-03-30 01:45 24576 ----a-w- c:\windows\system32\Pelsetup.dll
2011-05-02 02:19 . 2011-03-30 01:45 65536 ----a-w- c:\windows\system32\PMIBM.DLL
2011-05-02 02:19 . 2011-03-30 01:45 45056 ----a-w- c:\windows\system32\PMMO32R.DLL
2011-05-02 02:19 . 2011-03-30 01:45 40960 ----a-w- c:\windows\system32\PMTILT.DLL
2011-05-02 02:19 . 2011-03-30 01:45 45056 ----a-w- c:\windows\system32\PELRESS.DLL
2011-05-02 02:19 . 2011-03-30 01:45 151552 ----a-w- c:\windows\system32\PELMICED.EXE
2011-05-02 02:19 . 2004-04-20 22:00 172032 ----a-w- c:\windows\system32\OptimFROG.dll
2011-05-02 02:19 . 2008-08-30 09:58 262144 ----a-w- c:\windows\system32\Oemdspif.dll
2011-05-02 02:19 . 2011-03-30 01:45 241664 ----a-w- c:\windows\system32\Notifier.dll
2011-05-02 02:19 . 2001-12-26 20:12 65536 ----a-w- c:\windows\system32\multiplex_vcd.dll
2011-05-02 02:19 . 2009-04-20 22:40 544768 ----a-w- c:\windows\system32\msvcr71d.dll
2011-05-02 02:19 . 2009-01-03 00:55 487424 ----a-w- c:\windows\system32\msvcp70.dll
2011-05-02 02:19 . 2009-01-03 00:55 24576 ----a-w- c:\windows\system32\msxml3a.dll
2011-05-02 02:19 . 2008-08-21 20:56 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-05-02 02:19 . 2008-08-21 20:56 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-05-02 02:19 . 2002-01-05 07:37 344064 ----a-w- c:\windows\system32\msvcr70.dll
2011-05-02 02:18 . 2009-11-14 18:11 24576 ----a-w- c:\windows\system32\mkunicode.dll
2011-05-02 02:18 . 2009-01-10 22:15 159744 ----a-w- c:\windows\system32\mmfinfo.dll
2011-05-02 02:18 . 2009-04-20 22:40 2179072 ----a-w- c:\windows\system32\mfc71d.dll
2011-05-02 02:18 . 2009-01-03 00:55 974848 ----a-w- c:\windows\system32\mfc70.dll
2011-05-02 02:18 . 2008-08-21 20:56 1060864 ----a-w- c:\windows\system32\MFC71.dll
2011-05-02 02:18 . 2008-08-21 20:52 1933312 ----a-w- c:\windows\system32\MaxxAudioEQ.dll
2011-05-02 02:18 . 2008-08-21 20:52 159744 ----a-w- c:\windows\system32\MaxxAudioAPO20.dll
2011-05-02 02:18 . 2008-08-21 20:52 126976 ----a-w- c:\windows\system32\MaxxAudioAPO.dll
2011-05-02 02:18 . 2007-01-17 16:24 2830336 ----a-w- c:\windows\system32\LS_HSI.msi
2011-05-02 02:18 . 2011-03-30 01:45 61440 ----a-w- c:\windows\system32\LaunHelp.exe
2011-05-02 02:18 . 2009-05-01 21:02 1044480 ----a-w- c:\windows\system32\libdivx.dll
2011-05-02 02:18 . 2009-05-01 00:11 98304 ----a-w- c:\windows\system32\L3CODECX.AX
2011-05-02 02:18 . 2008-09-24 20:41 839680 ----a-w- c:\windows\system32\lameACM.acm
2011-05-02 02:18 . 2008-08-21 20:57 487424 ----a-w- c:\windows\system32\INT15.dll
2011-05-02 02:18 . 2006-04-17 13:37 3956736 ----a-w- c:\windows\system32\IVIVIDEO.ax
2011-05-02 02:18 . 2011-03-30 01:45 57344 ----a-w- c:\windows\system32\iconspy.exe
2011-05-02 02:18 . 2011-03-30 01:45 225280 ----a-w- c:\windows\system32\HPppm.dll
2011-05-02 02:18 . 2011-03-30 01:45 290816 ----a-w- c:\windows\system32\HPWHEEL.dll
2011-05-02 02:18 . 2010-07-13 22:45 364544 ----a-w- c:\windows\system32\hppldcoi.dll
2011-05-02 02:18 . 2007-07-05 01:33 892928 ----a-w- c:\windows\system32\iconv.dll
2011-05-02 02:18 . 2010-07-13 22:45 675840 ----a-w- c:\windows\system32\hpowiax3.dll
2011-05-02 02:18 . 2010-07-13 22:45 569344 ----a-w- c:\windows\system32\hpotscl3.dll
2011-05-02 02:18 . 2010-07-13 22:45 303104 ----a-w- c:\windows\system32\hpovst10.dll
2011-05-02 02:18 . 2001-09-04 03:46 110592 ----a-w- c:\windows\system32\Hmpg12.dll
2011-05-02 02:18 . 2001-07-30 20:33 118784 ----a-w- c:\windows\system32\HMPV2_ENC.dll
2011-05-02 02:18 . 2001-07-24 02:04 118784 ----a-w- c:\windows\system32\HMPV2_ENC_MMX.dll
2011-05-02 02:18 . 2006-12-15 23:22 1712128 ----a-w- c:\windows\system32\GdiPlus.dll
2011-05-02 02:18 . 2008-08-21 20:52 143360 ----a-w- c:\windows\system32\FMAPO.dll
2011-05-02 02:18 . 2010-03-03 00:00 151552 ----a-w- c:\windows\system32\ff_libmad.dll
2011-05-02 02:18 . 2011-03-30 01:45 45056 ----a-w- c:\windows\system32\ergo5b.dll
2011-05-02 02:18 . 2011-03-30 01:45 77824 ----a-w- c:\windows\system32\Dynex5B.dll
2011-05-02 02:18 . 2009-11-14 18:33 249856 ----a-w- c:\windows\system32\dxr.dll
2011-05-02 02:18 . 2008-11-29 18:30 290816 ----a-w- c:\windows\system32\dtsac3source.ax
2011-05-02 02:18 . 2006-11-02 08:51 12288 ----a-w- c:\windows\system32\drivers\sffp_mmc.sys
2011-05-02 02:18 . 2006-11-02 08:30 40960 ----a-w- c:\windows\system32\drivers\processr.sys
2011-05-02 02:18 . 2008-01-21 02:23 118784 ----a-w- c:\windows\system32\drivers\E1G60I32.sys
2011-05-02 02:18 . 2008-01-21 02:23 20480 ----a-w- c:\windows\system32\drivers\flpydisk.sys
2011-05-02 02:18 . 2006-11-02 08:30 40960 ----a-w- c:\windows\system32\drivers\crusoe.sys
2011-05-02 02:18 . 2008-08-30 08:56 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-05-02 02:18 . 2009-11-14 00:49 532480 ----a-w- c:\windows\system32\DivXsm.exe
2011-05-02 02:18 . 2009-11-14 00:47 999424 ----a-w- c:\windows\system32\divxdec.ax
2011-05-02 02:18 . 2008-08-05 21:59 57344 ----a-w- c:\windows\system32\dpv11.dll
2011-05-02 02:18 . 2008-03-09 09:31 245760 ----a-w- c:\windows\system32\DCBassSource.ax
2011-05-02 02:18 . 2005-07-09 19:12 241664 ----a-w- c:\windows\system32\CoreVorbis.ax
2011-05-02 02:16 . 2009-04-20 22:40 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2011-05-02 02:15 . 2005-01-13 01:53 57344 ----a-w- c:\windows\system32\Big Kahuna Reef.scr
2011-05-02 02:15 . 2008-08-30 09:15 9838592 ----a-w- c:\windows\system32\atioglxx.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-07-29 21:52 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VaultIcon1]
@="{B976888E-DC7B-456C-A62F-44EA07ED231F}"
[HKEY_CLASSES_ROOT\CLSID\{B976888E-DC7B-456C-A62F-44EA07ED231F}]
2010-01-17 23:08 503808 ----a-w- c:\program files\Personal Vault Backup Manager\VaultClientMenu.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acer Empowering Technology Monitor"="c:\program files\Acer\Empowering Technology\SysMonitor.exe" [2008-06-02 319488]
"EmpoweringTechnology"="c:\program files\Acer\Empowering Technology\Framework.Launcher.exe" [2008-06-02 319488]
"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-07-29 526896]
"Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2011-05-02 1261568]
"D-Link D-Link DWA-125"="c:\program files\D-Link\DWA-125 revA\AirGCFG.exe" [2009-10-19 995328]
"BellCanada_McciTrayApp"="c:\program files\BellCanada\McciTrayApp.exe" [2010-01-19 1565696]
"BISA.exe"="c:\program files\Bell\Internet Service Advisor\BISA.exe" [2010-01-13 4281584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-05-02 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Radialpoint Security Services]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^geoff^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\users\geoff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
2011-05-02 01:51 3387392 ----a-w- c:\program files\Acer\Acer Registration\ACE1.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 17:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-30 15:45 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]
2011-05-02 01:57 77824 ----a-w- c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2011-05-02 01:57 311296 ----a-w- c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-12-20 22:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
2006-10-23 17:54 56128 ----a-w- c:\windows\System32\ico.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMMediaSharing]
2008-05-20 21:50 204908 ----a-w- c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2011-05-02 02:14 6144000 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Setresolution]
2008-02-26 22:29 240 ----a-w- c:\acer\Config\1440X900.CMD
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2011-05-02 01:57 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WZCSLDR2]
2011-05-02 02:01 122880 ----a-w- c:\program files\D-Link\DWA-125 revA\WZCSLDR2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
2;2 D_Link_DWA-125;D_Link_DWA-125 Service;c:\program files\D-Link\DWA-125 revA\ANIWZCSdS.exe [x]
R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 MSMQSVC;Message Queuing Service;c:\windows\system32\mqsv32.exe [x]
R2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe RadialpointIDSAgent [x]
R3 CFcatchme;CFcatchme;c:\users\geoff\AppData\Local\Temp\CFcatchme.sys [x]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 27192]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-11-23 7408]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-01-27 691696]
S1 anodlwf;ANOD Network Security Filter driver;c:\windows\system32\DRIVERS\anodlwf.sys [2009-03-06 12800]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-11-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-11-23 74480]
S2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [2008-05-20 269448]
S2 D_Link_DWA-125_WPS;D_Link_DWA-125_WPS Service;c:\program files\D-Link\DWA-125 revA\ANIWConnService.exe [2009-07-07 40960]
S2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-06-02 24576]
S2 Radialpoint Security Services;Bell Internet Security Services;c:\program files\Bell\Bell Internet Security Services\RpsSecurityAwareR.exe [2010-01-18 165408]
S2 ServicepointService;ServicepointService;c:\program files\Bell\Internet Service Advisor\ServicepointService.exe [2010-01-13 689392]
S2 VaultClientSRV;Personal Vault Backup Manager Service;c:\program files\Personal Vault Backup Manager\VaultClientSRV.exe [2010-01-17 1051728]
S2 VaultClientUpgrade;Personal Vault Backup Manager Upgrade Service;c:\program files\Personal Vault Backup Manager\VaultClientUpgrade.exe [2010-01-17 56400]
S3 netr28u;D-Link dnetr28u USB Extensible Wireless LAN Card Driver;c:\windows\system32\DRIVERS\Dnetr28u.sys [2009-09-15 798208]
S3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys [2009-11-02 122376]
S3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\drivers\AVGIDSFilter.sys [2009-11-02 30216]
S3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys [2009-11-02 27800]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - BDC773EE
*Deregistered* - bdc773ee
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
bdx REG_MULTI_SZ scan sysagent
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sympatico.ca/
mStart Page = about:blank
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: {535B8C3A-C6E0-40EF-A618-94E961B89A1A} = 192.168.2.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-10 18:06
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2035741258-2230102944-2969920155-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:67,47,0f,3a,4b,03,ee,8c,40,1b,90,fd,95,1f,da,c0,ae,db,ba,ed,6e,8d,94,
21,d1,03,f4,7c,59,b5,7d,ca,d6,17,dc,6a,ed,de,0b,18,0d,db,87,16,62,a2,f6,a9,\
"??"=hex:3c,46,be,02,dd,41,6a,66,be,c0,c6,02,17,6a,f1,4b
.
[HKEY_USERS\S-1-5-21-2035741258-2230102944-2969920155-1000\Software\SecuROM\License information*]
"datasecu"=hex:38,c3,4c,de,2c,88,ed,ef,f1,89,d7,c3,ba,12,e8,9d,11,0c,cf,4e,fd,
33,31,ad,11,15,ff,51,19,57,9f,9f,77,0a,e7,1a,98,76,3c,96,13,66,85,0c,fa,8e,\
"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(6108)
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
c:\program files\Personal Vault Backup Manager\VaultClientMenu.dll
c:\program files\Personal Vault Backup Manager\LIBEXPAT.dll
c:\program files\Personal Vault Backup Manager\VaultClientCOM.dll
.
Completion time: 2011-05-10 18:08:13
ComboFix-quarantined-files.txt 2011-05-10 22:08
ComboFix2.txt 2011-05-10 21:34
ComboFix3.txt 2011-05-09 23:59
ComboFix4.txt 2011-05-09 01:35
ComboFix5.txt 2011-05-10 21:58
.
Pre-Run: 74,593,447,936 bytes free
Post-Run: 74,558,361,600 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4,30
- - End Of File - - 5A3A94C3620AD110B5C62DE552F2AC27
This is the second log scan with the same command. I deleted the FIRST SCAN LOG BY ACCIDENT.

#12 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,856
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 10 May 2011 - 06:05 PM

One more thing we need to take care of


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

FixCSet::


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT

Please advise how the computer is running now and if there are any outstanding issues
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#13 User is offline   geoph 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 8
  • Joined: 26-April 11

Posted 10 May 2011 - 08:03 PM

ComboFix 11-05-09.04 - geoff 10/05/2011 20:49:04.6.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2814.1682 [GMT -4:00]
Running from: c:\users\geoff\Desktop\ComboFix.exe
Command switches used :: c:\users\geoff\Desktop\cfscript.txt
AV: Bell Internet Security Services Anti-Virus *Disabled/Updated* {A61154FD-4365-E00F-9A33-13A09AD54B56}
FW: Bell Internet Security Services Firewall *Disabled* {9E2AD5D8-090A-E157-B16C-BA9564060C2D}
SP: Bell Internet Security Services Anti-Spyware *Disabled/Updated* {1D70B519-655F-EF81-A083-28D2E15201EB}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-11 to 2011-05-11 )))))))))))))))))))))))))))))))
.
.
2011-05-11 00:56 . 2011-05-11 00:58 -------- d-----w- c:\users\geoff\AppData\Local\temp
2011-05-11 00:56 . 2011-05-11 00:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-10 20:56 . 2011-04-07 12:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-05-10 20:55 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F0A610B6-EDB9-4E29-BFAA-B801CAAE4449}\mpengine.dll
2011-05-10 00:23 . 2011-05-10 00:23 -------- d-----w- c:\users\geoff\AppData\Local\VS Revo Group
2011-05-10 00:23 . 2009-12-30 15:21 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys
2011-05-10 00:23 . 2011-05-10 00:23 -------- d-----w- c:\program files\VS Revo Group
2011-05-09 01:53 . 2011-05-09 01:53 -------- d-----w- c:\program files\ESET
2011-05-09 01:38 . 2011-05-09 01:38 -------- d-----w- c:\users\geoff\AppData\Roaming\Malwarebytes
2011-05-09 01:38 . 2011-05-09 01:38 -------- d-----w- c:\programdata\Malwarebytes
2011-05-09 01:38 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-09 01:38 . 2011-05-09 01:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-09 01:38 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-09 00:34 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-05-09 00:34 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-05-09 00:34 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-04-26 15:28 . 2011-04-26 15:28 388096 ----a-r- c:\users\geoff\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-23 02:54 . 2011-04-23 03:34 -------- d-----w- c:\users\geoff\FrostWire
2011-04-22 13:49 . 2011-04-22 13:49 -------- d-----w- c:\windows\CheckSur
2011-04-17 23:22 . 2011-05-02 02:00 696320 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll
2011-04-17 23:22 . 2011-05-02 02:00 57344 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll
2011-04-17 23:22 . 2011-05-02 02:00 237568 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll
2011-04-17 23:22 . 2011-05-02 02:00 155648 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll
2011-04-17 23:22 . 2011-04-17 23:22 282756 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll
2011-04-17 23:22 . 2011-04-17 23:22 163972 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll
2011-04-17 23:22 . 2002-12-02 19:22 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe
2011-04-16 16:09 . 2011-03-03 15:42 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-16 14:23 . 2011-04-16 14:23 -------- d-----w- c:\program files\uTorrent
2011-04-16 14:22 . 2011-05-11 00:46 -------- d-----w- c:\users\geoff\AppData\Roaming\uTorrent
2011-04-16 14:15 . 2011-04-16 14:15 -------- d-----w- C:\extensions
2011-04-15 20:46 . 2011-04-15 20:46 -------- d-----w- c:\users\geoff\AppData\Roaming\AVG10
2011-04-15 20:45 . 2011-04-15 20:45 -------- d-----w- c:\programdata\Common Files
2011-04-15 20:43 . 2011-05-09 00:25 -------- d-----w- c:\programdata\AVG10
2011-04-15 20:42 . 2011-05-02 15:59 -------- d-----w- c:\program files\AVG
2011-04-15 20:39 . 2011-05-09 00:23 -------- d-----w- c:\programdata\MFAData
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-10 00:36 . 2010-06-11 23:12 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-02 02:21 . 2006-11-02 08:11 40960 ----a-w- c:\windows\system32\cliconfg.rll
2011-05-02 02:20 . 2006-11-02 06:37 20480 ----a-w- c:\windows\system32\drivers\secdrv.sys
2011-05-02 02:19 . 2009-05-28 21:29 299008 ----a-w- c:\windows\uninst.exe
2011-05-02 02:19 . 2011-03-30 01:45 114688 ----a-w- c:\windows\system32\xMouse.cpl
2011-05-02 02:19 . 2009-06-07 16:24 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2011-05-02 02:19 . 2009-05-01 00:11 53248 ----a-w- c:\windows\system32\xvid.ax
2011-05-02 02:19 . 2008-08-26 22:11 987136 ----a-w- c:\windows\system32\VSFilter.dll
2011-05-02 02:19 . 2008-08-21 20:52 1777664 ----a-w- c:\windows\system32\WavesLib.dll
2011-05-02 02:19 . 2005-07-26 13:56 53248 ----a-w- c:\windows\system32\vp7dec_settings.cpl
2011-05-02 02:19 . 2005-07-26 13:56 233472 ----a-w- c:\windows\system32\vp7dec.ax
2011-05-02 02:19 . 2004-12-10 09:06 327680 ----a-w- c:\windows\system32\vp6dec.ax
2011-05-02 02:19 . 2004-12-10 09:03 438272 ----a-w- c:\windows\system32\vp6vfw.dll
2011-05-02 02:19 . 2004-02-17 10:11 53248 ----a-w- c:\windows\system32\vp6dec_settings.cpl
2011-05-02 02:19 . 2011-03-30 01:45 28672 ----a-w- c:\windows\system32\UnInst.exe
2011-05-02 02:19 . 2011-03-30 01:45 126976 ----a-w- c:\windows\system32\Twister.DLL
2011-05-02 02:19 . 2009-05-01 21:02 200704 ----a-w- c:\windows\system32\ssldivx.dll
2011-05-02 02:19 . 2008-08-21 20:52 339968 ----a-w- c:\windows\system32\SRSTSXT.dll
2011-05-02 02:19 . 2008-08-21 20:52 167936 ----a-w- c:\windows\system32\SRSHP360.dll
2011-05-02 02:19 . 2008-08-21 20:52 135168 ----a-w- c:\windows\system32\SRSWOW.dll
2011-05-02 02:19 . 2004-09-08 18:03 86016 ----a-w- c:\windows\system32\sl_anet.acm
2011-05-02 02:19 . 2011-03-30 01:45 45056 ----a-w- c:\windows\system32\SetupNT.exe
2011-05-02 02:19 . 2008-08-21 20:52 540672 ----a-w- c:\windows\system32\RTSndMgr.cpl
2011-05-02 02:19 . 2008-08-21 20:52 32768 ----a-w- c:\windows\system32\RtkCoInst.dll
2011-05-02 02:19 . 2010-08-25 00:09 389120 ----a-w- c:\windows\system32\RegistryHelperLM.ocx
2011-05-02 02:19 . 2004-04-27 15:03 49152 ----a-w- c:\windows\system32\RLOFRDec.ax
2011-05-02 02:19 . 2011-03-30 01:45 40960 ----a-w- c:\windows\system32\PMTilt3.DLL
2011-05-02 02:19 . 2011-03-30 01:45 36864 ----a-w- c:\windows\system32\PMUninNT.exe
2011-05-02 02:19 . 2011-03-30 01:45 229376 ----a-w- c:\windows\system32\PMUninst.exe
2011-05-02 02:19 . 2010-09-30 00:15 221184 ----a-w- c:\windows\system32\RaCoInst.dll
2011-05-02 02:19 . 2011-03-30 01:45 69632 ----a-w- c:\windows\system32\pelhooks.dll
2011-05-02 02:19 . 2011-03-30 01:45 49152 ----a-w- c:\windows\system32\pmpopo.dll
2011-05-02 02:19 . 2011-03-30 01:45 36864 ----a-w- c:\windows\system32\pelcomm.dll
2011-05-02 02:19 . 2011-03-30 01:45 241664 ----a-w- c:\windows\system32\pelutil.dll
2011-05-02 02:19 . 2011-03-30 01:45 114688 ----a-w- c:\windows\system32\pelscrll.dll
2011-05-02 02:19 . 2011-03-30 01:45 94208 ----a-w- c:\windows\system32\Pelzoom.dll
2011-05-02 02:19 . 2011-03-30 01:45 303104 ----a-w- c:\windows\system32\PelSetup.exe
2011-05-02 02:19 . 2011-03-30 01:45 24576 ----a-w- c:\windows\system32\Pelsetup.dll
2011-05-02 02:19 . 2011-03-30 01:45 65536 ----a-w- c:\windows\system32\PMIBM.DLL
2011-05-02 02:19 . 2011-03-30 01:45 45056 ----a-w- c:\windows\system32\PMMO32R.DLL
2011-05-02 02:19 . 2011-03-30 01:45 40960 ----a-w- c:\windows\system32\PMTILT.DLL
2011-05-02 02:19 . 2011-03-30 01:45 45056 ----a-w- c:\windows\system32\PELRESS.DLL
2011-05-02 02:19 . 2011-03-30 01:45 151552 ----a-w- c:\windows\system32\PELMICED.EXE
2011-05-02 02:19 . 2004-04-20 22:00 172032 ----a-w- c:\windows\system32\OptimFROG.dll
2011-05-02 02:19 . 2008-08-30 09:58 262144 ----a-w- c:\windows\system32\Oemdspif.dll
2011-05-02 02:19 . 2011-03-30 01:45 241664 ----a-w- c:\windows\system32\Notifier.dll
2011-05-02 02:19 . 2001-12-26 20:12 65536 ----a-w- c:\windows\system32\multiplex_vcd.dll
2011-05-02 02:19 . 2009-04-20 22:40 544768 ----a-w- c:\windows\system32\msvcr71d.dll
2011-05-02 02:19 . 2009-01-03 00:55 487424 ----a-w- c:\windows\system32\msvcp70.dll
2011-05-02 02:19 . 2009-01-03 00:55 24576 ----a-w- c:\windows\system32\msxml3a.dll
2011-05-02 02:19 . 2008-08-21 20:56 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-05-02 02:19 . 2008-08-21 20:56 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-05-02 02:19 . 2002-01-05 07:37 344064 ----a-w- c:\windows\system32\msvcr70.dll
2011-05-02 02:18 . 2009-11-14 18:11 24576 ----a-w- c:\windows\system32\mkunicode.dll
2011-05-02 02:18 . 2009-01-10 22:15 159744 ----a-w- c:\windows\system32\mmfinfo.dll
2011-05-02 02:18 . 2009-04-20 22:40 2179072 ----a-w- c:\windows\system32\mfc71d.dll
2011-05-02 02:18 . 2009-01-03 00:55 974848 ----a-w- c:\windows\system32\mfc70.dll
2011-05-02 02:18 . 2008-08-21 20:56 1060864 ----a-w- c:\windows\system32\MFC71.dll
2011-05-02 02:18 . 2008-08-21 20:52 1933312 ----a-w- c:\windows\system32\MaxxAudioEQ.dll
2011-05-02 02:18 . 2008-08-21 20:52 159744 ----a-w- c:\windows\system32\MaxxAudioAPO20.dll
2011-05-02 02:18 . 2008-08-21 20:52 126976 ----a-w- c:\windows\system32\MaxxAudioAPO.dll
2011-05-02 02:18 . 2007-01-17 16:24 2830336 ----a-w- c:\windows\system32\LS_HSI.msi
2011-05-02 02:18 . 2011-03-30 01:45 61440 ----a-w- c:\windows\system32\LaunHelp.exe
2011-05-02 02:18 . 2009-05-01 21:02 1044480 ----a-w- c:\windows\system32\libdivx.dll
2011-05-02 02:18 . 2009-05-01 00:11 98304 ----a-w- c:\windows\system32\L3CODECX.AX
2011-05-02 02:18 . 2008-09-24 20:41 839680 ----a-w- c:\windows\system32\lameACM.acm
2011-05-02 02:18 . 2008-08-21 20:57 487424 ----a-w- c:\windows\system32\INT15.dll
2011-05-02 02:18 . 2006-04-17 13:37 3956736 ----a-w- c:\windows\system32\IVIVIDEO.ax
2011-05-02 02:18 . 2011-03-30 01:45 57344 ----a-w- c:\windows\system32\iconspy.exe
2011-05-02 02:18 . 2011-03-30 01:45 225280 ----a-w- c:\windows\system32\HPppm.dll
2011-05-02 02:18 . 2011-03-30 01:45 290816 ----a-w- c:\windows\system32\HPWHEEL.dll
2011-05-02 02:18 . 2010-07-13 22:45 364544 ----a-w- c:\windows\system32\hppldcoi.dll
2011-05-02 02:18 . 2007-07-05 01:33 892928 ----a-w- c:\windows\system32\iconv.dll
2011-05-02 02:18 . 2010-07-13 22:45 675840 ----a-w- c:\windows\system32\hpowiax3.dll
2011-05-02 02:18 . 2010-07-13 22:45 569344 ----a-w- c:\windows\system32\hpotscl3.dll
2011-05-02 02:18 . 2010-07-13 22:45 303104 ----a-w- c:\windows\system32\hpovst10.dll
2011-05-02 02:18 . 2001-09-04 03:46 110592 ----a-w- c:\windows\system32\Hmpg12.dll
2011-05-02 02:18 . 2001-07-30 20:33 118784 ----a-w- c:\windows\system32\HMPV2_ENC.dll
2011-05-02 02:18 . 2001-07-24 02:04 118784 ----a-w- c:\windows\system32\HMPV2_ENC_MMX.dll
2011-05-02 02:18 . 2006-12-15 23:22 1712128 ----a-w- c:\windows\system32\GdiPlus.dll
2011-05-02 02:18 . 2008-08-21 20:52 143360 ----a-w- c:\windows\system32\FMAPO.dll
2011-05-02 02:18 . 2010-03-03 00:00 151552 ----a-w- c:\windows\system32\ff_libmad.dll
2011-05-02 02:18 . 2011-03-30 01:45 45056 ----a-w- c:\windows\system32\ergo5b.dll
2011-05-02 02:18 . 2011-03-30 01:45 77824 ----a-w- c:\windows\system32\Dynex5B.dll
2011-05-02 02:18 . 2009-11-14 18:33 249856 ----a-w- c:\windows\system32\dxr.dll
2011-05-02 02:18 . 2008-11-29 18:30 290816 ----a-w- c:\windows\system32\dtsac3source.ax
2011-05-02 02:18 . 2006-11-02 08:51 12288 ----a-w- c:\windows\system32\drivers\sffp_mmc.sys
2011-05-02 02:18 . 2006-11-02 08:30 40960 ----a-w- c:\windows\system32\drivers\processr.sys
2011-05-02 02:18 . 2008-01-21 02:23 118784 ----a-w- c:\windows\system32\drivers\E1G60I32.sys
2011-05-02 02:18 . 2008-01-21 02:23 20480 ----a-w- c:\windows\system32\drivers\flpydisk.sys
2011-05-02 02:18 . 2006-11-02 08:30 40960 ----a-w- c:\windows\system32\drivers\crusoe.sys
2011-05-02 02:18 . 2008-08-30 08:56 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-05-02 02:18 . 2009-11-14 00:49 532480 ----a-w- c:\windows\system32\DivXsm.exe
2011-05-02 02:18 . 2009-11-14 00:47 999424 ----a-w- c:\windows\system32\divxdec.ax
2011-05-02 02:18 . 2008-08-05 21:59 57344 ----a-w- c:\windows\system32\dpv11.dll
2011-05-02 02:18 . 2008-03-09 09:31 245760 ----a-w- c:\windows\system32\DCBassSource.ax
2011-05-02 02:18 . 2005-07-09 19:12 241664 ----a-w- c:\windows\system32\CoreVorbis.ax
2011-05-02 02:16 . 2009-04-20 22:40 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2011-05-02 02:15 . 2005-01-13 01:53 57344 ----a-w- c:\windows\system32\Big Kahuna Reef.scr
2011-05-02 02:15 . 2008-08-30 09:15 9838592 ----a-w- c:\windows\system32\atioglxx.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-07-29 21:52 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VaultIcon1]
@="{B976888E-DC7B-456C-A62F-44EA07ED231F}"
[HKEY_CLASSES_ROOT\CLSID\{B976888E-DC7B-456C-A62F-44EA07ED231F}]
2010-01-17 23:08 503808 ----a-w- c:\program files\Personal Vault Backup Manager\VaultClientMenu.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acer Empowering Technology Monitor"="c:\program files\Acer\Empowering Technology\SysMonitor.exe" [2008-06-02 319488]
"EmpoweringTechnology"="c:\program files\Acer\Empowering Technology\Framework.Launcher.exe" [2008-06-02 319488]
"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-07-29 526896]
"Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2011-05-02 1261568]
"D-Link D-Link DWA-125"="c:\program files\D-Link\DWA-125 revA\AirGCFG.exe" [2009-10-19 995328]
"BellCanada_McciTrayApp"="c:\program files\BellCanada\McciTrayApp.exe" [2010-01-19 1565696]
"BISA.exe"="c:\program files\Bell\Internet Service Advisor\BISA.exe" [2010-01-13 4281584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-05-02 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Radialpoint Security Services]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^geoff^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\users\geoff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
2011-05-02 01:51 3387392 ----a-w- c:\program files\Acer\Acer Registration\ACE1.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 17:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-30 15:45 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]
2011-05-02 01:57 77824 ----a-w- c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2011-05-02 01:57 311296 ----a-w- c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-12-20 22:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
2006-10-23 17:54 56128 ----a-w- c:\windows\System32\ico.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMMediaSharing]
2008-05-20 21:50 204908 ----a-w- c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2011-05-02 02:14 6144000 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Setresolution]
2008-02-26 22:29 240 ----a-w- c:\acer\Config\1440X900.CMD
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2011-05-02 01:57 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WZCSLDR2]
2011-05-02 02:01 122880 ----a-w- c:\program files\D-Link\DWA-125 revA\WZCSLDR2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
2;2 D_Link_DWA-125;D_Link_DWA-125 Service;c:\program files\D-Link\DWA-125 revA\ANIWZCSdS.exe [x]
R0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
R0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 MSMQSVC;Message Queuing Service;c:\windows\system32\mqsv32.exe [x]
R2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe RadialpointIDSAgent [x]
R3 CFcatchme;CFcatchme;c:\users\geoff\AppData\Local\Temp\CFcatchme.sys [x]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 27192]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-11-23 7408]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\WPRO_40_1340.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-01-27 691696]
S1 anodlwf;ANOD Network Security Filter driver;c:\windows\system32\DRIVERS\anodlwf.sys [2009-03-06 12800]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-11-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-11-23 74480]
S2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [2008-05-20 269448]
S2 D_Link_DWA-125_WPS;D_Link_DWA-125_WPS Service;c:\program files\D-Link\DWA-125 revA\ANIWConnService.exe [2009-07-07 40960]
S2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-06-02 24576]
S2 Radialpoint Security Services;Bell Internet Security Services;c:\program files\Bell\Bell Internet Security Services\RpsSecurityAwareR.exe [2010-01-18 165408]
S2 ServicepointService;ServicepointService;c:\program files\Bell\Internet Service Advisor\ServicepointService.exe [2010-01-13 689392]
S2 VaultClientSRV;Personal Vault Backup Manager Service;c:\program files\Personal Vault Backup Manager\VaultClientSRV.exe [2010-01-17 1051728]
S2 VaultClientUpgrade;Personal Vault Backup Manager Upgrade Service;c:\program files\Personal Vault Backup Manager\VaultClientUpgrade.exe [2010-01-17 56400]
S3 netr28u;D-Link dnetr28u USB Extensible Wireless LAN Card Driver;c:\windows\system32\DRIVERS\Dnetr28u.sys [2009-09-15 798208]
S3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys [2009-11-02 122376]
S3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\drivers\AVGIDSFilter.sys [2009-11-02 30216]
S3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\Bell\Bell Internet Security Services\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys [2009-11-02 27800]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 774517C2
*Deregistered* - 774517c2
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
bdx REG_MULTI_SZ scan sysagent
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sympatico.ca/
mStart Page = about:blank
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: {535B8C3A-C6E0-40EF-A618-94E961B89A1A} = 192.168.2.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-10 20:58
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2035741258-2230102944-2969920155-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:67,47,0f,3a,4b,03,ee,8c,40,1b,90,fd,95,1f,da,c0,ae,db,ba,ed,6e,8d,94,
21,d1,03,f4,7c,59,b5,7d,ca,d6,17,dc,6a,ed,de,0b,18,0d,db,87,16,62,a2,f6,a9,\
"??"=hex:3c,46,be,02,dd,41,6a,66,be,c0,c6,02,17,6a,f1,4b
.
[HKEY_USERS\S-1-5-21-2035741258-2230102944-2969920155-1000\Software\SecuROM\License information*]
"datasecu"=hex:38,c3,4c,de,2c,88,ed,ef,f1,89,d7,c3,ba,12,e8,9d,11,0c,cf,4e,fd,
33,31,ad,11,15,ff,51,19,57,9f,9f,77,0a,e7,1a,98,76,3c,96,13,66,85,0c,fa,8e,\
"rkeysecu"=hex:29,23,be,84,e1,6c,d6,ae,52,90,49,f1,f1,bb,e9,eb
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1824)
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
c:\program files\Personal Vault Backup Manager\VaultClientMenu.dll
c:\program files\Personal Vault Backup Manager\LIBEXPAT.dll
c:\program files\Personal Vault Backup Manager\VaultClientCOM.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Bell\Bell Internet Security Services\Fws.exe
c:\program files\Bell\Bell Internet Security Services\rps.exe
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\UI0Detect.exe
c:\windows\system32\conime.exe
.
**************************************************************************
.
Completion time: 2011-05-10 21:01:38 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-11 01:01
ComboFix2.txt 2011-05-10 22:08
ComboFix3.txt 2011-05-10 21:34
ComboFix4.txt 2011-05-09 23:59
ComboFix5.txt 2011-05-11 00:47
.
Pre-Run: 73,127,395,328 bytes free
Post-Run: 73,069,948,928 bytes free
.
- - End Of File - - F86CE0F8D73262BB4F2B1EBEB8EACBF0

#14 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,856
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 10 May 2011 - 08:38 PM

Please advise how the computer is running now and if there are any outstanding issues
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#15 User is offline   geoph 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 8
  • Joined: 26-April 11

Posted 10 May 2011 - 10:05 PM

Thank you very much for your help. My computer is running great now thanks to you.

Geoph

Share this topic:


  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users