Solved: Google Redirect Tried Everything Can't Get Rid of It

Junior Member with 14 posts.
 
Join Date: Nov 2009
Location: Portland, OR
12-Nov-2009, 12:30 AM #1
Google Redirect Tried Everything Can't Get Rid of It
OK, I've got my Google search results redirecting me to other sites. I've spent almost two weeks researching it and trying every method and program listed in the forums on various sites, and nothing seems to help. I seriously need help from someone with more knowledge than me who can hopefully tell me what is going wrong.

I'm using IE on Windows Vista Basic on an Acer laptop.

Here is my HJT log. Thank you in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:26:31 PM, on 11/11/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=...&m=aspire_4330
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.415.1646\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [BkupTray] "C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [ArcadeDeluxeAgent] "C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe"
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe"
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe"
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ParetoLogic Anti-Virus PLUS] "C:\Program Files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.lnk" -NM -hidesplash
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Programs\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Programs\PartyGaming.Net\PartyPokerNet\RunPF.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {1D082E71-DF20-4AAF-863B-596428C49874} (TPIR Control) - http://www.worldwinner.com/games/v50/tpir/tpir.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/Pog...rInstaller.CAB
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
O23 - Service: CLHNService - Unknown owner - C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: CounterSpy Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe
O23 - Service: plasservice (ZeppelinService) - ParetoLogic Inc. - C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe
--
End of file - 12275 bytes
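A HijackThis log is a flat list of Rn/On entries, and a helper reads it section by section rather than top to bottom. The script below is an added example (not part of this thread and not HijackThis's own code) that parses a log in that format and sorts entries into the buckets a reviewer checks first on a search-redirect complaint: O10 Winsock LSPs the tool could not identify (an LSP sits in the Winsock chain and sees every socket call the browser makes, so it is one of the places a redirect can be injected), O2/O9 registrations pointing at "(no file)", O4 Run values with no full path, user software registered under the SYSTEM hive, and O23 services with an unknown owner. The sample lines are a constructed excerpt modelled on the log above; the bucket rules are this example's own heuristics, and landing in a bucket is a reason to look, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v2.0.2 format, modelled on entries from the post above
# (a short excerpt, not the full log).
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+(?:\\[^\\]+)?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
ABS_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|%\w+%)")   # drive letter or %EnvVar% prefix


def parse_hjt(text):
    """Return [(section, body), ...] for every Rn/On entry; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def _command_target(cmd):
    """First token of a Run value: the quoted path if quoted, otherwise up to the first space."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(text):
    """Group entries into review buckets. The buckets are this example's heuristics, not HJT's:
    dangling        - O2/O9 registrations whose target is '(no file)': orphaned, harmless but noise
    lsp             - O10 Winsock LSPs HJT could not identify; an LSP sees every socket call
    bare_run        - O4 Run values without a full path, resolved through the PATH search at logon
    system_run      - O4 Run values under the HKUS S-1-5-18 (SYSTEM) hive for ordinary user software
    unknown_service - O23 services whose owner HJT reports as Unknown
    A bucket entry is a reason to look closer, not a verdict."""
    findings = defaultdict(list)
    seen_lsp = set()
    for section, body in parse_hjt(text):
        if section in ("O2", "O9") and body.endswith("(no file)"):
            findings["dangling"].append(body)
        elif section == "O10" and body.startswith("Unknown file in Winsock LSP:"):
            path = body.split(":", 1)[1].strip().lower()
            if path not in seen_lsp:             # HJT prints one line per chain entry using that DLL
                seen_lsp.add(path)
                findings["lsp"].append(path)
        elif section == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue
            if "S-1-5-18" in m.group("hive"):
                findings["system_run"].append(body)
            if not ABS_PATH_RE.match(_command_target(m.group("cmd"))):
                findings["bare_run"].append(body)
        elif section == "O23" and " - Unknown owner - " in body:
            findings["unknown_service"].append(body)
    return dict(findings)


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_HJT_LOG).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

Run against the full log above, the LSP bucket collapses the four O10 lines into one DLL to look up, and the O4 bucket separates the handful of entries launched by bare file name from the many with a full path. Whether any flagged file is actually malicious still has to be settled by checking the file itself (signature, vendor, hash).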
Senior Member with 4,817 posts.
 
Join Date: Oct 2008
Location: California, USA
12-Nov-2009, 11:27 PM #2
Hello there, welcome to the Tech Support Guy forums.
My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.

Please note the following:
  • The fixes are specific to your problem and should only be used on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
  • It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
Step 1

Download OTS to your Desktop

  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Desktop Components
    • Reg - Disabled MS Config Items
    • Reg - NetSvcs
    • Reg - Shell Spawning
    • Reg - Uninstall List
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Please copy the following into the Custom Scans box at the bottom
Code:
%SYSTEMDRIVE%\eventlog.dll /s /md5
%SYSTEMDRIVE%\scecli.dll /s /md5
%SYSTEMDRIVE%\netlogon.dll /s /md5
%SYSTEMDRIVE%\cngaudit.dll /s /md5
%SYSTEMDRIVE%\sceclt.dll /s /md5
%SYSTEMDRIVE%\ntelogon.dll /s /md5
%SYSTEMDRIVE%\logevent.dll /s /md5
%SYSTEMDRIVE%\iaStor.sys /s /md5
%SYSTEMDRIVE%\nvstor.sys /s /md5
%SYSTEMDRIVE%\atapi.sys /s /md5
%SYSTEMDRIVE%\IdeChnDr.sys /s /md5
%SYSTEMDRIVE%\viasraid.sys  /s /md5
%SYSTEMDRIVE%\AGP440.sys /s /md5
%SYSTEMDRIVE%\vaxscsi.sys /s /md5 
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post. To do so click on the blue "Reply" button or "Go Advanced" and click on the "Manage Attachments" button

To ensure that I get all the information this log will need to be attached. If it is too large to attach then upload it to Dropio and post the sharing link/url (The Drop's URL will be similar to : http:://drop.io/daerk)

Step 2

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.

  • Click on the Log tab.
  • In the Write to log box select All items.
  • Place a checkmark next to Hidden Objects Only
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new Window should appear.
  • Make sure Scan all drives is selected and click on the Start button.
    (Unless you have a floppy drive. In this case, please use "Scan Root Drive Only" and press Start)
  • When it is complete a new Window will appear to indicate that the scan is finished.
  • The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.

Last edited by NeonFx; 12-Nov-2009 at 11:34 PM..
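The custom-scan lines in Step 1 ask OTS to search the system drive recursively (/s) for each named file and print its MD5 (/md5). The value is in the comparison: Windows keeps more than one copy of files like atapi.sys (system32\drivers, winsxs, the driver store), so a copy whose hash disagrees with the others is the one to examine. The script below is an added example, not OTS's own code and not something posted in this thread: it does the same walk-and-hash over a directory tree and reports the minority-hash copies. It builds a small constructed tree in a temporary directory so it runs offline; the file contents and paths in that fixture are made up.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# File names taken from the custom-scan list in Step 1 above: logon/LSA helper DLLs and
# boot-start storage drivers, compared lower-case because NTFS names are case-insensitive.
WATCHED_NAMES = {
    "eventlog.dll", "scecli.dll", "netlogon.dll", "cngaudit.dll", "sceclt.dll",
    "ntelogon.dll", "logevent.dll", "iastor.sys", "nvstor.sys", "atapi.sys",
    "idechndr.sys", "viasraid.sys", "agp440.sys", "vaxscsi.sys",
}


def md5_file(path, chunk=1 << 20):
    """MD5 of a file read in chunks (MD5 because that is what the OTS /md5 switch reports)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_watched(root, names=WATCHED_NAMES):
    """Recursive walk of root (the /s switch), hashing every file whose name is in names.
    Returns {name: [(path, md5_or_None, size_or_None), ...]}; None marks a file that could
    not be read, which on a live system is itself worth noting."""
    found = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            key = fn.lower()
            if key in names:
                p = os.path.join(dirpath, fn)
                try:
                    found[key].append((p, md5_file(p), os.path.getsize(p)))
                except OSError:
                    found[key].append((p, None, None))
    return dict(found)


def odd_ones_out(found):
    """For every name present in more than one place, return the copies whose hash is in the
    minority. A patched driver under system32\\drivers disagrees with the untouched copies that
    Windows keeps elsewhere (winsxs, the driver store, ServicePackFiles)."""
    suspects = {}
    for name, copies in found.items():
        hashes = [h for _p, h, _s in copies if h]
        if len(set(hashes)) < 2:
            continue
        counts = {h: hashes.count(h) for h in set(hashes)}
        majority = max(counts, key=counts.get)
        suspects[name] = [p for p, h, _s in copies if h and h != majority]
    return suspects


def build_demo_tree():
    """Constructed fixture (made-up bytes): three copies of atapi.sys, one of them modified,
    plus a file that is not on the watch list."""
    root = tempfile.mkdtemp(prefix="hashdemo_")
    pristine = b"MZ" + b"\x00" * 512 + b"constructed driver image"
    patched = pristine + b"\x90"                     # one byte appended = different hash
    layout = {
        os.path.join("Windows", "System32", "drivers", "atapi.sys"): patched,
        os.path.join("Windows", "winsxs", "x86_atapi", "atapi.sys"): pristine,
        os.path.join("Windows", "System32", "DriverStore", "atapi.sys"): pristine,
        os.path.join("Windows", "System32", "kernel32.dll"): b"not on the watch list",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


def demo():
    """Build the fixture, hash it, and return (found, suspects)."""
    found = hash_watched(build_demo_tree())
    return found, odd_ones_out(found)


if __name__ == "__main__":
    found, suspects = demo()
    for name, copies in sorted(found.items()):
        for path, digest, size in copies:
            print(f"{name:14} {digest} {size!s:>6} {path}")
    print("minority-hash copies:", suspects)
```

On a real machine the call would be hash_watched(os.environ["SYSTEMDRIVE"] + "\\") from an elevated prompt. A name that appears only once, or copies that all agree, tells you nothing on its own, and a majority vote can be wrong when the pristine copies are absent; the hash comparison narrows the list, it does not replace checking the file's digital signature and comparing it with a known-good copy from the installation media.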
Junior Member with 14 posts.
 
Join Date: Nov 2009
Location: Portland, OR
13-Nov-2009, 12:16 AM #3
Requested OTS log
Thank you so much for helping. This problem is beyond my abilities and is causing me a lot of anxiety. So thank you again for trying to help me get this junk off my machine. Attached is the requested OTS log, and I'll now continue to step two.

thank you again, Rev. Sam
Junior Member with 14 posts.
 
Join Date: Nov 2009
Location: Portland, OR
13-Nov-2009, 12:49 AM #4
Requested SysProt log
SysProt AntiRootkit v1.0.1.0
by swatkat
*************************************************************************** ***************
*************************************************************************** ***************
No Hidden Processes found
*************************************************************************** ***************
*************************************************************************** ***************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
Service Name: ---
Module Base: 8C550000
Module End: 8C55B000
Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\dump_msahci.sys
Service Name: ---
Module Base: 8C55B000
Module End: 8C565000
Hidden: Yes
*************************************************************************** ***************
*************************************************************************** ***************
SSDT:
Function Name: ZwTerminateProcess
Address: 8C48D0B0
Driver Base: 8C484000
Driver End: 8C4A9000
Driver Name: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
*************************************************************************** ***************
*************************************************************************** ***************
Kernel Hooks:
Hooked Function: ZwCreateUserProcess
At Address: 81DD1B82
Jump To: 8C512426
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwTerminateProcess
At Address: 81DF8D5D
Jump To: 8C5123C0
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwSetInformationProcess
At Address: 81E1C474
Jump To: 8C51243A
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwSetContextThread
At Address: 81E9A253
Jump To: 8C51244E
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwRestoreKey
At Address: 81E5A7B2
Jump To: 8C5124A0
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwReplaceKey
At Address: 81E5B9B6
Jump To: 8C5124B4
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwProtectVirtualMemory
At Address: 81E21E7D
Jump To: 8C512476
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwOpenThread
At Address: 81E2409A
Jump To: 8C5123E8
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwOpenProcess
At Address: 81E28B48
Jump To: 8C5123D4
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwNotifyChangeKey
At Address: 81DC75B5
Jump To: 8C51248C
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwCreateProcessEx
At Address: 81E99796
Jump To: 8C512410
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwCreateProcess
At Address: 81E9974B
Jump To: 8C5123FC
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwCreateFile
At Address: 81E49D59
Jump To: 8C512462
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: PsSetContextThread
At Address: 81E9A253
Jump To: 8C51244E
Module Name: C:\Windows\system32\drivers\mfehidk.sys
*************************************************************************** ***************
*************************************************************************** ***************
No IRP Hooks found
*************************************************************************** ***************
*************************************************************************** ***************
Ports:
Local Address: SAM-PC.HSD1.OR.COMCAST.NET.:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING
Local Address: SAM-PC:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING
Local Address: SAM-PC:49161
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\services.exe
State: LISTENING
Local Address: SAM-PC:49157
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING
Local Address: SAM-PC:49155
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING
Local Address: SAM-PC:49154
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\lsass.exe
State: LISTENING
Local Address: SAM-PC:49153
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING
Local Address: SAM-PC:49152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\wininit.exe
State: LISTENING
Local Address: SAM-PC:10000
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
State: LISTENING
Local Address: SAM-PC:8384
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
State: LISTENING
Local Address: SAM-PC:6646
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
State: LISTENING
Local Address: SAM-PC:5357
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING
Local Address: SAM-PC:5151
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
State: LISTENING
Local Address: SAM-PC:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING
Local Address: SAM-PC:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Windows\System32\svchost.exe
State: LISTENING
Local Address: SAM-PC.HSD1.OR.COMCAST.NET.:57055
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: SAM-PC.HSD1.OR.COMCAST.NET.:6646
Remote Address: NA
Type: UDP
Process: C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
State: NA
Local Address: SAM-PC.HSD1.OR.COMCAST.NET.:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA
Local Address: SAM-PC.HSD1.OR.COMCAST.NET.:SSDP
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: SAM-PC.HSD1.OR.COMCAST.NET.:138
Remote Address: NA
Type: UDP
Process: System
State: NA
Local Address: SAM-PC.HSD1.OR.COMCAST.NET.:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA
Local Address: SAM-PC:65402
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: SAM-PC:65401
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: SAM-PC:57056
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: SAM-PC:53089
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: SAM-PC:SSDP
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: SAM-PC:62647
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: SAM-PC:62645
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA
Local Address: SAM-PC:61596
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA
Local Address: SAM-PC:10001
Remote Address: NA
Type: UDP
Process: C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
State: NA
Local Address: SAM-PC:IPSEC-MSFT
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: SAM-PC:UPNP-DISCOVERY
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: SAM-PC:UPNP-DISCOVERY
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: SAM-PC:500
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
Local Address: SAM-PC:123
Remote Address: NA
Type: UDP
Process: C:\Windows\System32\svchost.exe
State: NA
*************************************************************************** ***************
*************************************************************************** ***************
Hidden files/folders:
Object: D:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied
Object: D:\System Volume Information\tracking.log
Status: Access denied
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied
Object: C:\System Volume Information\SPP
Status: Access denied
Object: C:\System Volume Information\SystemRestore
Status: Access denied
Object: C:\System Volume Information\tracking.log
Status: Access denied
Object: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied
Object: C:\System Volume Information\{e4f682af-cafb-11de-b75a-001eec5f0891}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Access denied
Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Access denied
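The SysProt log above is record-oriented: each section is a run of "Key: Value" lines with nothing between one record and the next, so a new record begins where a key repeats. The Python below is an added example, not part of SysProt or of this thread, that parses that layout and reduces it to the three things a reviewer actually weighs: which modules own the kernel hooks, which kernel modules are reported hidden, and which processes hold listening TCP ports. The sample log is a constructed excerpt modelled on the post; it is not the full output.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt in SysProt AntiRootkit v1.0.1.0 log layout, modelled on the post above.
SAMPLE_SYSPROT_LOG = r"""
No Hidden Processes found
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
Service Name: ---
Module Base: 8C550000
Module End: 8C55B000
Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\dump_msahci.sys
Service Name: ---
Module Base: 8C55B000
Module End: 8C565000
Hidden: Yes
******************************************************************************************
SSDT:
Function Name: ZwTerminateProcess
Address: 8C48D0B0
Driver Base: 8C484000
Driver End: 8C4A9000
Driver Name: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwCreateUserProcess
At Address: 81DD1B82
Jump To: 8C512426
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwTerminateProcess
At Address: 81DF8D5D
Jump To: 8C5123C0
Module Name: C:\Windows\system32\drivers\mfehidk.sys
Hooked Function: ZwCreateFile
At Address: 81E49D59
Jump To: 8C512462
Module Name: C:\Windows\system32\drivers\mfehidk.sys
******************************************************************************************
No IRP Hooks found
******************************************************************************************
Ports:
Local Address: SAM-PC:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING
Local Address: SAM-PC:10000
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
State: LISTENING
Local Address: SAM-PC:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA
"""

SEPARATOR_RE = re.compile(r"^\*{5,}")


def parse_sysprot(text):
    """Return {section: [record, ...]}; a record is a dict built from 'Key: Value' lines.
    SysProt prints consecutive records with no blank line between them, so a new record starts
    whenever a key the current record already has appears again. Lines with no 'Key: ' prefix
    (e.g. 'No IRP Hooks found') become empty sections so the status text is preserved."""
    sections, current, record = {}, None, {}

    def flush():
        nonlocal record
        if record and current is not None:
            sections[current].append(record)
        record = {}

    for raw in text.splitlines():
        line = raw.strip()
        if not line or SEPARATOR_RE.match(line):
            continue
        if line.endswith(":") and ": " not in line:        # section header such as "Kernel Hooks:"
            flush()
            current = line[:-1]
            sections[current] = []
        elif ": " not in line:                               # free-text status line
            sections.setdefault(line, [])
        else:
            key, value = line.split(": ", 1)
            if key in record:
                flush()
            record[key] = value
    flush()
    return sections


def hooks_by_module(sections):
    """Hook count per owning module: a short list of drivers to vet instead of a long list of hooks."""
    return Counter(r["Module Name"].lower() for r in sections.get("Kernel Hooks", []))


def hidden_modules(sections):
    """Kernel modules the tool reported as hidden."""
    return [r["Module Name"] for r in sections.get("Kernel Modules", []) if r.get("Hidden") == "Yes"]


def tcp_listeners(sections):
    """Listening TCP ports grouped by owning process."""
    out = defaultdict(list)
    for r in sections.get("Ports", []):
        if r.get("Type") == "TCP" and r.get("State") == "LISTENING":
            out[r["Process"]].append(r["Local Address"].rsplit(":", 1)[-1])
    return dict(out)


if __name__ == "__main__":
    s = parse_sysprot(SAMPLE_SYSPROT_LOG)
    print("hooks per module:", dict(hooks_by_module(s)))
    print("hidden modules:", hidden_modules(s))
    print("TCP listeners:", tcp_listeners(s))
```

Grouping by module turns the fourteen hook lines in the post into one question per driver, and here both hooking drivers belong to security products that also appear in the HijackThis log (SASKUTIL.sys under the SUPERAntiSpyware directory, and mfehidk.sys, McAfee's host-intrusion driver). The two hidden dump_*.sys modules are the copies of the boot-volume storage driver that Windows loads for crash-dump writing; antirootkit tools commonly list them as hidden because they are not in the normal loaded-module list, so by themselves they are not evidence of a rootkit. A hidden module with no service name that does not fit that pattern is what to pursue.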
Senior Member with 4,817 posts.
 
Join Date: Oct 2008
Location: California, USA
13-Nov-2009, 12:51 AM #5
Good job. I can see the problem already. Please do the following:

NOTE: ComboFix should NOT be used without supervision by someone trained in its use. It does a whole lot more to a system than just remove infected files.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Disabling Security Programs
  • Double click on ComboFix.exe & follow the prompts.

    Note: ComboFix will run without the Recovery Console installed.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you please let me know. An increasing number of infections are spreading using Autoplay and leaving it disabled is a good idea.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Junior Member with 14 posts.
 
Join Date: Nov 2009
Location: Portland, OR
13-Nov-2009, 02:12 AM #6
ComboFix log part 1
ComboFix 09-11-13.04 - Sam 11/12/2009 21:16.3.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1977.932 [GMT -8:00]
Running from: c:\users\Sam\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((( Files Created from 2009-10-13 to 2009-11-13 )))))))))))))))))))))))))))))))
.
2009-11-13 05:44 . 2009-11-13 05:46 -------- d-----w- c:\users\Sam\AppData\Local\temp
2009-11-13 05:44 . 2009-11-13 05:44 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-11-13 05:44 . 2009-11-13 05:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-12 01:12 . 2009-11-12 01:12 -------- d-----w- C:\!KillBox
2009-11-12 01:08 . 2009-11-12 01:41 65536 d-----w- C:\Combo-Fix
2009-11-12 00:13 . 2009-11-12 00:13 -------- d-----w- c:\program files\CCleaner
2009-11-11 20:23 . 2009-08-14 13:27 2036736 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 01:12 . 2009-11-11 23:17 -------- d-----w- c:\users\Sam\DoctorWeb
2009-11-10 20:36 . 2009-11-10 20:36 -------- d-----w- c:\programdata\RegCure
2009-11-10 20:36 . 2009-11-10 20:42 16384 d-----w- c:\program files\RegCure
2009-11-10 17:12 . 2009-11-13 05:46 2395936 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-10 17:06 . 2009-11-10 17:06 -------- d-----w- c:\programdata\ParetoLogic Anti-Virus PLUS
2009-11-10 17:06 . 2009-11-10 17:06 -------- d-----w- c:\programdata\ParetoLogic
2009-11-10 17:06 . 2009-11-10 17:06 -------- d-----w- c:\program files\ParetoLogic
2009-11-10 17:06 . 2009-11-10 17:06 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-11-10 17:05 . 2009-11-10 17:05 -------- d-----w- c:\users\Sam\AppData\Local\Downloaded Installations
2009-11-08 18:09 . 2009-11-08 19:02 4096 d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-08 18:09 . 2009-11-08 18:14 4096 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-08 17:53 . 2009-11-08 17:53 -------- d-----w- c:\users\Sam\Pavark
2009-11-07 17:27 . 2009-11-09 18:43 117760 ----a-w- c:\users\Sam\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-07 17:26 . 2009-11-07 17:26 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-11-07 17:26 . 2009-11-07 17:26 4096 d-----w- c:\program files\SUPERAntiSpyware
2009-11-07 17:26 . 2009-11-07 17:26 -------- d-----w- c:\users\Sam\AppData\Roaming\SUPERAntiSpyware.com
2009-11-07 17:25 . 2009-11-07 17:25 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-07 16:48 . 2005-08-26 09:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-11-07 16:48 . 2006-06-19 21:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-11-07 16:48 . 2006-05-25 23:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-11-07 16:48 . 2003-02-03 04:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2009-11-07 16:48 . 2002-03-06 09:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-11-07 16:48 . 2009-11-07 16:48 4096 d-----w- c:\program files\Trojan Remover
2009-11-07 16:48 . 2009-11-07 16:48 -------- d-----w- c:\users\Sam\AppData\Roaming\Simply Super Software
2009-11-07 16:48 . 2009-11-07 16:48 -------- d-----w- c:\programdata\Simply Super Software
2009-11-07 01:58 . 2009-11-07 01:58 -------- d-----w- c:\users\Sam\AppData\Roaming\Sunbelt
2009-11-07 01:58 . 2009-11-07 01:58 -------- d-----w- c:\programdata\Sunbelt
2009-11-07 01:58 . 2009-11-07 01:58 -------- d-----w- c:\program files\Sunbelt Software
2009-11-06 21:20 . 2009-11-06 21:20 4096 d-----w- c:\programdata\avg9
2009-11-06 21:17 . 2009-11-06 21:17 -------- d-----w- c:\users\Sam\AppData\Roaming\AVG8
2009-11-06 19:40 . 2009-11-06 19:40 -------- d-----w- c:\users\Sam\AppData\Roaming\Uniblue
2009-11-06 19:40 . 2009-11-06 19:40 -------- d-----w- c:\program files\Uniblue
2009-11-06 19:16 . 2009-11-06 19:16 -------- d-----w- c:\programdata\UAB
2009-11-06 19:16 . 2009-11-06 19:16 -------- d-----w- c:\programdata\PC Drivers HeadQuarters
2009-11-06 19:16 . 2009-11-06 19:16 -------- d-----w- c:\users\Sam\AppData\Local\PC_Drivers_Headquarters
2009-11-06 19:11 . 2009-11-06 19:11 -------- d-----w- c:\program files\PC Drivers HeadQuarters
2009-11-06 19:02 . 2009-11-06 19:02 -------- d-----w- c:\programdata\SpeedyPC
2009-11-06 19:02 . 2009-11-06 19:02 16384 d-----w- c:\program files\SpeedyPC
2009-11-03 18:31 . 2009-11-03 18:33 -------- d-----w- c:\users\Sam\AppData\Roaming\Apple Computer
2009-11-03 18:31 . 2008-04-17 21:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-11-03 18:31 . 2009-11-03 18:31 -------- dc----w- c:\windows\system32\DRVSTORE
2009-11-03 18:31 . 2009-05-18 22:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-11-03 18:30 . 2009-11-03 18:30 -------- d-----w- c:\program files\iPod
2009-11-03 18:30 . 2009-11-03 18:31 4096 d-----w- c:\program files\iTunes
2009-11-03 18:30 . 2009-11-03 18:31 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-03 18:29 . 2009-11-03 18:29 -------- d-----w- c:\program files\Bonjour
2009-11-03 18:28 . 2009-11-03 18:29 4096 d-----w- c:\program files\QuickTime
2009-11-03 18:28 . 2009-11-03 18:30 -------- d-----w- c:\programdata\Apple Computer
2009-10-29 15:54 . 2009-11-03 04:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 04:58 . 2009-10-29 04:58 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-28 20:52 . 2009-10-28 20:52 -------- d-----w- c:\program files\AVG
2009-10-28 20:31 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-28 20:31 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-28 20:31 . 2009-10-28 20:31 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-28 20:23 . 2009-10-28 20:23 -------- d-----w- c:\program files\Trend Micro
2009-10-27 16:26 . 2009-10-27 16:26 -------- d-----w- c:\users\Sam\AppData\Roaming\Malwarebytes
2009-10-27 16:26 . 2009-10-27 16:26 -------- d-----w- c:\programdata\Malwarebytes
2009-10-14 16:13 . 2009-09-10 16:48 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-14 16:13 . 2009-08-27 12:40 834048 ----a-w- c:\windows\system32\wininet.dll
2009-10-14 16:12 . 2009-08-27 13:29 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-14 16:12 . 2009-08-04 12:34 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-14 16:12 . 2009-08-04 12:34 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-14 16:11 . 2009-09-04 11:41 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-14 16:11 . 2009-09-14 09:29 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-14 16:11 . 2009-05-08 12:53 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-12 19:58 . 2009-11-10 17:12 31388 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-12 17:55 . 2008-08-19 07:06 8192 d-----w- c:\programdata\Microsoft Help
2009-11-10 00:58 . 2008-12-26 20:43 4096 d-----w- c:\program files\Java
2009-11-07 04:19 . 2008-12-26 06:03 4096 d-----w- c:\program files\Google
2009-11-06 21:29 . 2008-12-28 21:23 4096 d-----w- c:\program files\Common Files\Apple
2009-11-06 18:50 . 2009-01-12 16:43 4096 d-----w- c:\users\Sam\AppData\Roaming\Winamp
2009-11-06 18:50 . 2009-10-08 23:27 8192 d-----w- c:\program files\Xvid
2009-11-06 18:50 . 2009-01-12 16:43 4096 d-----w- c:\program files\Winamp
2009-11-06 18:50 . 2008-08-31 18:36 8192 d-----w- c:\program files\Launch Manager
2009-11-06 18:50 . 2008-08-19 06:36 8192 d--h--w- c:\program files\InstallShield Installation Information
2009-11-06 18:49 . 2008-08-31 18:36 12288 d-----w- c:\program files\Apoint2K
2009-11-03 20:55 . 2008-12-26 20:46 8192 d-----w- c:\users\Sam\AppData\Roaming\LimeWire
2009-10-15 17:06 . 2008-08-19 07:07 28672 d-----w- c:\program files\Microsoft Works
2009-10-11 12:17 . 2008-12-26 20:43 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-09 14:44 . 2009-10-09 14:44 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-10-09 14:41 . 2009-10-09 14:40 6591664 ----a-w- c:\users\Sam\AppData\Roaming\MySpace\IM\Install\MSIMClientSetup.1.0.804.0-static-A.exe
2009-10-08 02:10 . 2009-10-07 23:01 -------- d-----w- c:\program files\Winferno
2009-10-07 23:16 . 2009-10-07 23:01 -------- d-----w- c:\program files\Yahoo!
2009-10-07 23:06 . 2009-10-07 23:06 -------- d-----w- c:\programdata\Winferno
2009-10-07 23:02 . 2009-10-07 23:02 -------- d-----w- c:\users\Sam\AppData\Roaming\WeatherBug
2009-10-07 23:01 . 2009-10-07 23:01 -------- d-----w- c:\users\Sam\AppData\Roaming\Yahoo!
2009-10-07 18:14 . 2009-10-07 18:14 -------- d-----w- c:\programdata\KingsIsle Entertainment
2009-10-06 23:33 . 2009-10-06 23:33 -------- d-----w- c:\programdata\WinZip
2009-09-04 19:10 . 2009-09-04 19:10 27944 ----a-w- c:\windows\system32\sbbd.exe
2009-09-02 11:09 . 2009-09-02 11:09 176128 ----a-w- c:\windows\system32\drivers\Rtlh86.sys
2009-08-30 18:43 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-08-30 18:01 . 2008-12-26 06:03 71664 ----a-w- c:\users\Sam\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-18 06:33 . 2009-08-18 06:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-01-09 04:16 . 2009-01-09 04:15 20 ----a-w- c:\program files\FullScreensavers.ini
.
------- Sigcheck -------
[-] 2009-04-11 06:32 . 111FA20178BFC8FAD7920946CFC78D40 . 19944 . . [------] . . c:\windows\System32\drivers\atapi.sys
[7] 2009-04-11 . 1F05B78AB91C9075565A9D8A4B880BC4 . 19944 . . [6.0.6002.18005] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[7] 2008-01-21 . 2D9C903DC76A66813D350A562DE40ED9 . 21560 . . [6.0.6001.18000] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[7] 2006-11-02 . 4F4FCB8B6EA06784FB6D475B7EC7300F . 19048 . . [6.0.6000.16386] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-11-12_02.23.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2009-11-12 20:10 56148 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:02 . 2009-11-12 20:10 71656 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-12-26 06:00 . 2009-11-13 04:46 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-12-26 06:00 . 2009-11-12 01:27 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-12-26 06:00 . 2009-11-12 01:27 65536 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-26 06:00 . 2009-11-13 04:46 65536 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-12-26 06:00 . 2009-11-12 01:27 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-12-26 06:00 . 2009-11-13 04:46 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-08-19 07:08 . 2009-11-12 17:55 35088 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-08-19 07:08 . 2009-10-15 17:09 35088 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-08-19 07:08 . 2009-11-12 17:55 18704 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-08-19 07:08 . 2009-10-15 17:09 18704 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-08-19 07:08 . 2009-11-12 17:55 20240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-08-19 07:08 . 2009-10-15 17:09 20240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-12-26 06:04 . 2009-11-12 20:10 8900 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3087719114-1495364723-2819188245-1000_UserData.bin
+ 2009-11-13 03:32 . 2009-11-13 03:32 5284 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\FD531225F5FF92FABFF13493965807B4DB2386DF\FD531225F5FF92FABFF13493965807B4DB2386DF\Data.dat
+ 2009-11-13 03:34 . 2009-11-13 03:34 6224 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\DED139390F79542F701D7E3C3AC213F770FBB84F\DED139390F79542F701D7E3C3AC213F770FBB84F\Data.dat
- 2009-11-12 00:17 . 2009-11-12 00:17 6224 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\DED139390F79542F701D7E3C3AC213F770FBB84F\DED139390F79542F701D7E3C3AC213F770FBB84F\Data.dat
+ 2009-11-13 03:25 . 2009-11-13 03:25 3514 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\C8E4AEFEB26F98624D3F6D1444229D8C5EF8DBB6\C8E4AEFEB26F98624D3F6D1444229D8C5EF8DBB6\Data.dat
+ 2009-11-13 03:25 . 2009-11-13 03:25 4894 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\BB21B464B8D5F122B60F58CE8D9CB220224B89D2\BB21B464B8D5F122B60F58CE8D9CB220224B89D2\Data.dat
+ 2009-11-13 04:18 . 2009-11-13 04:18 5904 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\B2CDE120BF8DD1320F58333EDEF762E16E98EDC1\B2CDE120BF8DD1320F58333EDEF762E16E98EDC1\Data.dat
- 2009-11-12 01:27 . 2009-11-12 01:27 6396 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\AFA0228517D559C72225EDC64521ED7E04459E89\AFA0228517D559C72225EDC64521ED7E04459E89\Data.dat
+ 2009-11-13 03:25 . 2009-11-13 03:25 6396 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\AFA0228517D559C72225EDC64521ED7E04459E89\AFA0228517D559C72225EDC64521ED7E04459E89\Data.dat
+ 2009-11-13 03:32 . 2009-11-13 03:32 6304 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\AAA7BEF495539FCD65B5B4ED700BA47D84045787\AAA7BEF495539FCD65B5B4ED700BA47D84045787\Data.dat
+ 2009-11-13 03:25 . 2009-11-13 03:25 3444 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\A0ED9749AA10A68899375B529D34AC2A09E6756B\A0ED9749AA10A68899375B529D34AC2A09E6756B\Data.dat
+ 2009-11-13 03:25 . 2009-11-13 03:25 4834 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\7AC4707950BEDDDE5BD8611BA1FB9A450D5272A0\7AC4707950BEDDDE5BD8611BA1FB9A450D5272A0\Data.dat
+ 2009-11-13 03:25 . 2009-11-13 03:25 3416 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\70A5988D65332523B918261BAE3DAD4638C5F61C\70A5988D65332523B918261BAE3DAD4638C5F61C\Data.dat
+ 2009-11-13 03:25 . 2009-11-13 03:25 3458 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\6BF1A6727B7E38A2A932F9907DDA42A5753311BA\6BF1A6727B7E38A2A932F9907DDA42A5753311BA\Data.dat
+ 2009-11-13 03:39 . 2009-11-13 03:39 6220 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\6B4C27592649412FC24F35D9CB1FC7EBF0F2ED17\6B4C27592649412FC24F35D9CB1FC7EBF0F2ED17\Data.dat
+ 2009-11-13 05:01 . 2009-11-13 05:01 5324 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\3A3C5F7CC9415160B34912634CB95978E99A7DDE\3A3C5F7CC9415160B34912634CB95978E99A7DDE\Data.dat
- 2009-11-11 23:45 . 2009-11-11 23:45 5324 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\3A3C5F7CC9415160B34912634CB95978E99A7DDE\3A3C5F7CC9415160B34912634CB95978E99A7DDE\Data.dat
+ 2009-11-13 03:25 . 2009-11-13 03:25 5322 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\2593C9086CC1B62DE62024887B0BD3314AAD4BE6\2593C9086CC1B62DE62024887B0BD3314AAD4BE6\Data.dat
+ 2009-11-13 03:25 . 2009-11-13 03:25 5780 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\25125DBAB1B475C79C142DECD455B4989DF73B86\25125DBAB1B475C79C142DECD455B4989DF73B86\Data.dat
+ 2009-11-13 04:52 . 2009-11-13 04:52 5290 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\11647C152CFDC35EBE24490994F9351A23BC7756\11647C152CFDC35EBE24490994F9351A23BC7756\Data.dat
- 2009-11-12 00:02 . 2009-11-12 00:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-11-12 20:07 . 2009-11-12 20:07 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-11-12 20:07 . 2009-11-12 20:07 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-11-12 00:02 . 2009-11-12 00:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2006-11-02 10:33 . 2009-11-12 00:10 595684 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-11-12 20:13 595684 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-11-12 00:10 101350 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-11-12 20:13 101350 c:\windows\System32\perfc009.dat
- 2006-11-02 12:44 . 2009-08-30 18:49 301232 c:\windows\System32\FNTCACHE.DAT
+ 2006-11-02 12:44 . 2009-11-12 18:08 301232 c:\windows\System32\FNTCACHE.DAT
- 2009-11-11 20:23 . 2009-08-10 12:39 355328 c:\windows\SoftwareDistribution\Download\2ce815ede05b14339b85a58f16a18859\x86_wsdapi_31bf3856ad364e35_6.0.6002.22194_none_c0c6531463dfed55\WSDApi.dll
- 2009-11-11 20:23 . 2009-08-10 12:35 355328 c:\windows\SoftwareDistribution\Download\2ce815ede05b14339b85a58f16a18859\x86_wsdapi_31bf3856ad364e35_6.0.6002.18085_none_c048867f4ab94af1\WSDApi.dll
- 2009-11-11 20:23 . 2009-08-10 13:03 351232 c:\windows\SoftwareDistribution\Download\2ce815ede05b14339b85a58f16a18859\x86_wsdapi_31bf3856ad364e35_6.0.6001.22491_none_bedce04e66bc4c2c\WSDApi.dll
- 2009-11-11 20:23 . 2009-08-10 13:05 351232 c:\windows\SoftwareDistribution\Download\2ce815ede05b14339b85a58f16a18859\x86_wsdapi_31bf3856ad364e35_6.0.6001.18306_none_beb994414d512f9c\WSDApi.dll
- 2009-11-11 20:23 . 2009-08-10 12:53 323072 c:\windows\SoftwareDistribution\Download\2ce815ede05b14339b85a58f16a18859\x86_wsdapi_31bf3856ad364e35_6.0.6000.21103_none_bd59c9aa694b25b2\WSDApi.dll
- 2009-11-11 20:23 . 2009-08-10 13:08 321536 c:\windows\SoftwareDistribution\Download\2ce815ede05b14339b85a58f16a18859\x86_wsdapi_31bf3856ad364e35_6.0.6000.16903_none_bcd054bd502d52a6\WSDApi.dll
+ 2008-08-19 07:08 . 2009-11-12 17:55 888080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-08-19 07:08 . 2009-10-15 17:09 888080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-08-19 07:08 . 2009-10-15 17:09 922384 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-08-19 07:08 . 2009-11-12 17:55 922384 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe
- 2008-08-19 07:08 . 2009-10-15 17:09 217864 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe
+ 2008-08-19 07:08 . 2009-11-12 17:55 217864 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe
+ 2008-08-19 07:08 . 2009-11-12 17:55 184080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe
- 2008-08-19 07:08 . 2009-10-15 17:09 184080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-11-11 20:23 . 2009-08-14 13:29 2045440 c:\windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6002.22200_none_bb639005b0cab34a\win32k.sys
+ 2009-11-11 20:23 . 2009-08-14 13:27 2036736 c:\windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6002.18091_none_ba79a25297f52b29\win32k.sys
+ 2009-11-11 20:23 . 2009-08-14 13:46 2036224 c:\windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6001.22497_none_b922cef1b3e70dd9\win32k.sys
+ 2009-11-11 20:23 . 2009-08-14 13:53 2035712 c:\windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6001.18311_none_b8e9afca9a8df67d\win32k.sys
+ 2009-11-11 20:23 . 2009-08-15 21:08 2032128 c:\windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6000.21108_none_b79eb803b676ce08\win32k.sys
+ 2009-11-11 20:23 . 2009-08-14 14:01 2031104 c:\windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6000.16908_none_b71543169d58fafc\win32k.sys
+ 2006-11-02 10:22 . 2009-11-12 18:06 6291456 c:\windows\System32\SMI\Store\Machine\schema.dat
- 2006-11-02 10:22 . 2009-11-11 23:19 6291456 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2009-08-18 20:58 . 2009-08-18 20:58 8301056 c:\windows\Installer\8bb65.msp
+ 2009-08-18 20:57 . 2009-08-18 20:57 9122304 c:\windows\Installer\8bb53.msp
- 2008-08-19 07:08 . 2009-10-15 17:09 1172240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-08-19 07:08 . 2009-11-12 17:55 1172240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe
+ 2006-11-02 10:24 . 2009-11-05 17:36 26768832 c:\windows\System32\mrt.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-25 04:25 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-25 333192]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-25 333192]
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-07-30 00:52 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-04-01 507904]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2009-09-29 9347072]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-13 2000112]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-07-30 526896]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-26 28672]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-17 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-17 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-17 145944]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-07-22 159744]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-07-02 850440]
"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-08-01 405504]
"ArcadeDeluxeAgent"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2008-07-24 147456]
"CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2008-07-24 167936]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2008-07-18 167936]
"Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
"Acer Product Registration"="c:\program files\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-28 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"SBAMTray"="c:\program files\Sunbelt Software\CounterSpy\SBAMTray.exe" [2009-09-04 685352]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-10-18 1070984]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"ParetoLogic Anti-Virus PLUS"="c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.lnk" [2009-11-10 1974]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-06-20 6244896]
"Skytel"="Skytel.exe" - c:\windows\SkyTel.exe [2007-11-21 1826816]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2009-09-29 9347072]
c:\users\Sam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-19 525640]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 23:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):50,73,16,fd,a2,29,ca,01
ReverendRedd
Junior Member with 14 posts.
Join Date: Nov 2009
Location: Portland, OR
13-Nov-2009, 02:13 AM #7
ComboFix log part 2
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
R1 SBRE;SBRE;c:\windows\System32\drivers\SBREDrv.sys [8/5/2009 3:58 PM 93872]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl [8/31/2008 10:48 AM 61424]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [3/3/2008 12:11 PM 16384]
R2 CLHNService;CLHNService;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [8/31/2008 10:50 AM 81504]
R2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [8/18/2008 10:43 PM 24576]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/26/2008 10:06 PM 210216]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [4/25/2008 8:36 PM 45056]
R2 NTIPPKernel;NTIPPKernel;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys [8/31/2008 10:50 AM 122368]
R2 ZeppelinService;plasservice;c:\program files\Common Files\ParetoLogic\PLAS\plasservice.exe [2/18/2009 2:40 PM 587216]
R3 JMCR;JMCR;c:\windows\System32\drivers\jmcr.sys [8/18/2008 10:53 PM 84240]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [1/20/2008 6:33 PM 21504]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [1/1/2009 2:08 PM 234888]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [4/25/2008 8:36 PM 131072]
S2 SBAMSvc;CounterSpy Antispyware;c:\program files\Sunbelt Software\CounterSpy\SBAMSvc.exe [9/4/2009 11:10 AM 1012040]
--- Other Services/Drivers In Memory ---
*Deregistered* - mbr
*Deregistered* - PROCEXP113
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-16 17:53]
2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-16 17:53]
2009-11-11 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS.job
- c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe [2009-02-18 22:43]
2009-11-13 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS_dbsummary.job
- c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe [2009-02-18 22:43]
2009-11-13 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 20:25]
2009-11-12 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 20:25]
2009-11-13 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]
2009-11-12 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]
2009-11-11 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 19:46]
2009-11-13 c:\windows\Tasks\SpeedyPC Program Check.job
- c:\program files\SpeedyPC\SpeedyPC.exe [2009-09-17 20:30]
2009-11-12 c:\windows\Tasks\SpeedyPC Startup.job
- c:\program files\SpeedyPC\SpeedyPC.exe [2009-09-17 20:30]
2009-11-06 c:\windows\Tasks\SpeedyPC.job
- c:\program files\SpeedyPC\SpeedyPC.exe [2009-09-17 20:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vb32&d=0808&m=aspire_4330
LSP: c:\windows\system32\INetHTTPFilter.dll
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-12 21:45
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x86900E07]<<
kernel: MBR read successfully
user & kernel MBR OK
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(4592)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
c:\windows\System32\SysHook.dll
.
Completion time: 2009-11-12 22:01
ComboFix-quarantined-files.txt 2009-11-13 06:01
ComboFix2.txt 2009-11-12 07:35
ComboFix3.txt 2009-11-12 02:38
Pre-Run: 9,443,966,976 bytes free
Post-Run: 9,420,554,240 bytes free
- - End Of File - - 2CE2ACBC60736584665EE2AFDBFE444A
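The Sigcheck section of the ComboFix log above lists the in-use c:\windows\System32\drivers\atapi.sys as [-] with no readable file version, while the three DriverStore copies carry versions; the 6.0.6002.18005 copy has the same size (19944) but a different MD5, and that DriverStore copy is exactly what the FCopy:: line in NeonFx's later post copies back over the driver. The following Python script is an added example, not ComboFix's code and not anything posted in this thread: it parses those Sigcheck lines (copied from the log), reports a same-size, different-hash driver together with the DriverStore copy to restore from, and applies the same rule to raw file contents via hashlib. The function names are the example's own, and the byte strings used to exercise check_live_driver are constructed, not real driver images.

```python
"""Replay the check behind ComboFix's 'Sigcheck' section (added example,
not ComboFix's code): a system driver whose in-use copy has the size of a
known DriverStore copy but a different MD5 is reported, together with the
DriverStore copy it can be restored from."""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Sigcheck lines copied from the ComboFix log posted above:
# [flag] date . MD5 . size . . [file version] . . path
SAMPLE_SIGCHECK = r"""
[-] 2009-04-11 06:32 . 111FA20178BFC8FAD7920946CFC78D40 . 19944 . . [------] . . c:\windows\System32\drivers\atapi.sys
[7] 2009-04-11 . 1F05B78AB91C9075565A9D8A4B880BC4 . 19944 . . [6.0.6002.18005] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[7] 2008-01-21 . 2D9C903DC76A66813D350A562DE40ED9 . 21560 . . [6.0.6001.18000] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[7] 2006-11-02 . 4F4FCB8B6EA06784FB6D475B7EC7300F . 19048 . . [6.0.6000.16386] . . c:\windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
"""

SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2})?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*?)\s*$"
)


@dataclass(frozen=True)
class SigcheckEntry:
    flag: str        # "-" marks the copy ComboFix could not verify
    md5: str
    size: int
    version: str     # "------" when no file version could be read
    path: str

    @property
    def name(self) -> str:
        return PureWindowsPath(self.path).name.lower()

    @property
    def unverified(self) -> bool:
        return self.flag == "-"


def parse_sigcheck(text: str) -> list:
    """Parse every well-formed Sigcheck line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entries.append(SigcheckEntry(m["flag"], m["md5"].upper(),
                                         int(m["size"]), m["version"], m["path"]))
    return entries


def find_patched_drivers(entries) -> dict:
    """Map each unverified driver path to a verdict and, where a same-size
    reference copy with a different hash exists, the path to restore from."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e.name].append(e)
    findings = {}
    for group in by_name.values():
        refs = [e for e in group if not e.unverified]
        for suspect in (e for e in group if e.unverified):
            same_size = [r for r in refs if r.size == suspect.size]
            if any(r.md5 == suspect.md5 for r in same_size):
                continue  # byte-identical to a reference copy: nothing to report
            if not same_size:
                findings[suspect.path] = {"verdict": "no reference copy of the same size",
                                          "restore_from": None}
            else:
                ref = same_size[0]
                findings[suspect.path] = {
                    "verdict": f"size {suspect.size} matches version {ref.version} "
                               f"but MD5 {suspect.md5} != {ref.md5}",
                    "restore_from": ref.path,
                }
    return findings


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest().upper()


def check_live_driver(live_path: str, live: bytes, store_copies: dict) -> dict:
    """Apply the same rule to file contents (read from disk on a real system;
    constructed bytes in the test); store_copies maps DriverStore paths to
    their contents."""
    entries = [SigcheckEntry("-", md5_hex(live), len(live), "------", live_path)]
    entries += [SigcheckEntry("7", md5_hex(data), len(data), "on-disk copy", path)
                for path, data in store_copies.items()]
    return find_patched_drivers(entries)


if __name__ == "__main__":
    for path, finding in find_patched_drivers(parse_sigcheck(SAMPLE_SIGCHECK)).items():
        print(f"{path}: {finding['verdict']}")
        if finding["restore_from"]:
            print(f"  restore from {finding['restore_from']}")
```

Run against the pasted Sigcheck lines it reports only the drivers\atapi.sys entry and names the mshdc.inf_b12d8e84 copy as the restore source. The same-size rule matters: a driver that has merely been updated shows a different size as well as a different hash, whereas a file that keeps the size of the Microsoft copy but not its contents is the case the [-] flag is drawing attention to.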
ReverendRedd
Junior Member with 14 posts.
Join Date: Nov 2009
Location: Portland, OR
13-Nov-2009, 02:16 AM #8
Still Re-directing
You asked me to say if I was going to keep replying. Well, I ran ComboFix and have posted the logs. Went onto Google, did a quick search, and the very first search result I tried redirected. So hopefully you'll see something in those logs.

thank you again
hoping we can get this resolved
Rev. Sam
NeonFx
Senior Member with 4,817 posts.
Join Date: Oct 2008
Location: California, USA
13-Nov-2009, 02:26 AM #9
That is the third time ComboFix was run.
Please attach both C:\QooBox\Combofix2.txt and C:\QooBox\Combofix3.txt to a reply for me.

To attach them please click on either the blue reply button or the "Go Advanced" button and then click on the Manage attachments to browse for the files.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.
ReverendRedd
Junior Member with 14 posts.
Join Date: Nov 2009
Location: Portland, OR
13-Nov-2009, 02:51 AM #10
combofix 2 and 3
Attached are ComboFix 2 and 3.
NeonFx
Senior Member with 4,817 posts.
Join Date: Oct 2008
Location: California, USA
13-Nov-2009, 03:00 AM #11
Thank you. I'll need time to review the logs but for now could you do the following for me?


1. Close any open programs before running the fix.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad (Start > Programs > Accessories) and copy/paste the text in the codebox below into it:

Code:
KillAll::

MBR::

FCopy::
c:\windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys | c:\windows\System32\drivers\atapi.sys
NOTE: Make sure WordWrap is unchecked in Notepad by clicking on the "Format" menu icon.

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
ReverendRedd
Junior Member with 14 posts.
Join Date: Nov 2009
Location: Portland, OR
13-Nov-2009, 01:29 PM #12
Combofix log
Here is the latest ComboFix log.

thank you
NeonFx
Senior Member with 4,817 posts.
Join Date: Oct 2008
Location: California, USA
13-Nov-2009, 03:26 PM #13
Looks like we're going to need a bigger hammer to get rid of that one. Please do the following:

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code:
Files to Move:
c:\windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys | c:\windows\System32\drivers\atapi.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
5. Please copy and paste or attach the contents of c:\avenger.txt into your reply.
ReverendRedd
Junior Member with 14 posts.
Join Date: Nov 2009
Location: Portland, OR
13-Nov-2009, 04:10 PM #14
Avenger log as requested
Here is the Avenger log.

thank you
NeonFx
Senior Member with 4,817 posts.
Join Date: Oct 2008
Location: California, USA
13-Nov-2009, 04:36 PM #15
That seems to have worked. I will need to check though. Please do the following:

Run OTS.exe and under the Custom Scans section please copy and paste the following:

%SYSTEMDRIVE%\atapi.sys /s /md5

Then click on the Quick Scan button. Attach the results of this scan to your next reply.
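The three fixes above (the ComboFix FCopy:: script in #11, the Avenger "Files to Move" script in #13, and the OTS "/s /md5" custom scan in #15) all turn on one question: does the atapi.sys the kernel loads from System32\drivers still match the clean copy Windows keeps in the DriverStore, and is it still Microsoft-signed? The script below is an added example, written for this page rather than taken from the thread, ComboFix, Avenger or OTS. It uses the two paths NeonFx named; the DriverStore subfolder name (mshdc.inf_b12d8e84) is specific to this laptop, so the script searches every FileRepository folder instead of assuming it. It assumes PowerShell 4.0 or later (for Get-FileHash) running from an elevated prompt.

```powershell
# Added example, not part of the original thread.
# Compare the live atapi.sys against every DriverStore copy by hash and
# check its Authenticode signature. Requires PowerShell 4.0+ (Get-FileHash);
# run elevated so System32\drivers and the DriverStore are readable.
param(
    [string]$LiveDriver = "$env:SystemRoot\System32\drivers\atapi.sys",
    [string]$StoreRoot  = "$env:SystemRoot\System32\DriverStore\FileRepository"
)

function Get-DriverFacts {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $Path
        Size      = $item.Length
        Modified  = $item.LastWriteTimeUtc
        MD5       = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SigStatus = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# 1. The driver the kernel actually loads.
$live = Get-DriverFacts -Path $LiveDriver
$live | Format-List

# 2. Every atapi.sys held in the DriverStore (one per mshdc.inf_* folder on the box).
$storeCopies = @(Get-ChildItem -LiteralPath $StoreRoot -Recurse -Filter atapi.sys -ErrorAction SilentlyContinue |
    ForEach-Object { Get-DriverFacts -Path $_.FullName })

# 3. A live driver whose signature is not Valid, or whose hash matches no
#    DriverStore copy, is what the "/md5" scan in the thread is looking for.
if ($live.SigStatus -ne 'Valid') {
    Write-Warning "Live atapi.sys signature status is $($live.SigStatus) (signer: $($live.Signer))"
}
$match = @($storeCopies | Where-Object { $_.SHA256 -eq $live.SHA256 })
if ($match.Count -eq 0) {
    Write-Warning "Live atapi.sys (MD5 $($live.MD5)) matches none of $($storeCopies.Count) DriverStore copies"
    $storeCopies | Select-Object Path, MD5, SigStatus | Format-Table -AutoSize
} else {
    Write-Output "Live atapi.sys matches DriverStore copy: $($match[0].Path)"
}
```

Two caveats a practitioner should keep in mind. A hash mismatch on its own is not proof of infection: a later Windows Update can leave a newer atapi.sys in System32\drivers than the one in a given FileRepository folder, which is why the script reports the signature status alongside the hash. Conversely, a clean result from inside the running system is only as trustworthy as the disk stack doing the reading; a rootkit that hooks the storage path (the kind the "called modules ... >>UNKNOWN<<" line in the MBR check above is probing for) can hand back the original bytes while the loaded driver is patched, so the same comparison run from a boot disk against the offline volume is the stronger check.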
Tags
google redirect, google redirecting
All times are GMT -4. The time now is 10:25 PM.
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.