Thread: CID Help
08-20-2008, 09:11 PM   #7
Syria
Registered User
Join Date: Aug 2008
Location: Ohio, United States
Posts: 11
OS: Windows Vista -Home Basic Edition (x32) (fully updated)


Re: CID Help

It still didn't work, tried a few times, everything else is working, and the pop-ups have gone away! Thank you so much!

ComboFix 08-08-19.03 - Roots 2008-08-20 22:13:00.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.140 [GMT -4:00]
Running from: C:\Users\Roots\Desktop\ComboFix.exe
Command switches used :: C:\Users\Roots\Desktop\CFscript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ProgramData\defy joy boob.2e75q8n\
C:\ProgramData\Iso Web Bags Else
C:\ProgramData\Iso Web Bags Else\Send Base.exe
C:\ProgramData\Mfcd start
C:\ProgramData\Mfcd start\lmdgrhgd.exe
C:\Users\All Users\Iso Web Bags Else\Send Base.exe
C:\Users\All Users\Mfcd start\lmdgrhgd.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-21 to 2008-08-21 )))))))))))))))))))))))))))))))
.

2008-08-19 01:02 . 2008-08-19 01:02 <DIR> d-------- C:\Users\Roots\AppData\Roaming\iWin
2008-08-15 23:44 . 2008-07-15 21:32 2,048 --a------ C:\Windows\System32\tzres.dll
2008-08-14 10:29 . 2008-06-26 21:55 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-08-14 10:29 . 2008-06-27 00:15 827,392 --a------ C:\Windows\System32\wininet.dll
2008-08-14 10:29 . 2008-06-18 23:31 361,984 --a------ C:\Windows\System32\IPSECSVC.DLL
2008-08-14 10:29 . 2008-04-18 01:48 269,312 --a------ C:\Windows\System32\es.dll
2008-08-14 10:28 . 2008-04-10 01:12 738,304 --a------ C:\Windows\System32\inetcomm.dll
2008-08-11 21:00 . 2008-06-19 17:24 28,544 --a------ C:\Windows\System32\drivers\pavboot.sys
2008-08-11 18:23 . 2008-08-11 18:23 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-11 16:51 . 2008-08-11 20:59 <DIR> d-------- C:\Program Files\Panda Security
2008-08-11 13:26 . 2008-08-13 00:38 32,768 --a------ C:\Windows\SPInstall.etl
2008-07-28 00:29 . 2008-08-11 19:00 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-07-26 02:32 . 2008-07-26 02:32 <DIR> d-------- C:\Users\All Users\WindowsSearch
2008-07-26 02:32 . 2008-07-26 02:32 <DIR> d-------- C:\ProgramData\WindowsSearch

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-21 02:05 --------- d-----w C:\ProgramData\Viewpoint
2008-08-21 02:04 --------- d-----w C:\Program Files\Java
2008-08-20 23:23 --------- d-----w C:\Users\Roots\AppData\Roaming\LimeWire
2008-08-20 20:16 3,766 --sha-w C:\Windows\System32\KGyGaAvL.sys
2008-08-19 05:26 --------- d---a-w C:\ProgramData\TEMP
2008-08-18 01:49 24 ----a-w C:\Users\Roots\jagex_runescape_preferences.dat
2008-08-16 07:05 --------- d-----w C:\Program Files\Windows Mail
2008-08-16 03:47 --------- d-----w C:\ProgramData\Microsoft Help
2008-08-16 03:21 --------- d-----w C:\Program Files\McAfee
2008-08-11 23:45 --------- d-----w C:\Program Files\Acer GameZone
2008-08-11 03:37 --------- d-----w C:\Program Files\Oberon Media
2008-07-17 18:32 --------- d-----w C:\Program Files\Codemasters
2008-07-02 22:02 --------- d-----w C:\Users\Roots\AppData\Roaming\Corel
2008-07-02 22:01 --------- d-----w C:\ProgramData\Corel
2008-07-02 22:01 --------- d-----w C:\Program Files\WordPerfect Lightning
2008-07-02 22:01 --------- d-----w C:\Program Files\Common Files\Corel
2008-07-02 21:59 --------- d-----w C:\ProgramData\Lightning
2008-07-01 22:53 --------- d-----w C:\Program Files\SCAR 3.15
2008-07-01 19:30 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll
2008-06-26 01:37 --------- d-----w C:\Program Files\kSolo
2008-06-23 23:32 --------- d-----w C:\Program Files\Microsoft Games
2008-06-23 23:05 --------- d-----w C:\Program Files\QuickTime
2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-05-27 05:21 1,582,592 ----a-w C:\Windows\System32\tquery.dll
2008-05-27 05:21 1,418,240 ----a-w C:\Windows\System32\mssrch.dll
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\SearchFilterHost.exe
2008-05-27 05:17 87,552 ----a-w C:\Windows\System32\mssitlb.dll
2008-05-27 05:17 754,176 ----a-w C:\Windows\System32\propsys.dll
2008-05-27 05:17 60,416 ----a-w C:\Windows\System32\msscntrs.dll
2008-05-27 05:17 6,103,040 ----a-w C:\Windows\System32\chtbrkr.dll
2008-05-27 05:17 34,816 ----a-w C:\Windows\System32\msscb.dll
2008-05-27 05:17 32,768 ----a-w C:\Windows\System32\mssprxy.dll
2008-05-27 05:17 313,344 ----a-w C:\Windows\System32\thawbrkr.dll
2008-05-27 05:17 301,568 ----a-w C:\Windows\System32\srchadmin.dll
2008-05-27 05:17 194,560 ----a-w C:\Windows\System32\offfilt.dll
2008-05-27 05:17 143,872 ----a-w C:\Windows\System32\korwbrkr.dll
2008-05-27 05:17 11,776 ----a-w C:\Windows\System32\msshooks.dll
2008-05-27 05:17 1,671,680 ----a-w C:\Windows\System32\chsbrkr.dll
2008-05-27 04:59 18,904 ----a-w C:\Windows\System32\StructuredQuerySchemaTrivial.bin
2008-05-27 04:59 106,605 ----a-w C:\Windows\System32\StructuredQuerySchema.bin
2008-01-21 02:57 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((( snapshot@2008-08-20_18.11.00.98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-17 06:25:41 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-08-20 22:17:10 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-08-17 06:25:41 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-08-20 22:17:10 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-08-17 06:25:49 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-08-20 22:18:48 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-08-20 22:09:43 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-08-21 02:15:55 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-08-21 02:15:55 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-08-20 22:03:29 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-08-20 22:44:32 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-08-20 22:03:29 98,304 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-20 22:44:32 98,304 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-20 22:03:29 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-08-20 22:44:32 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-08-17 06:39:07 8,060 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1469608966-2000317181-2725074326-1000_UserData.bin
+ 2008-08-20 22:19:54 8,256 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1469608966-2000317181-2725074326-1000_UserData.bin
- 2008-08-17 06:39:02 68,844 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-08-20 22:19:54 68,938 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-08-17 06:38:26 55,910 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-08-20 22:19:46 56,100 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 05:00 39472 --a------ C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-20 22:32 1233920]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-25 16:21 50528]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 04:42 202088]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-20 22:35 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 01:33 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-08-24 17:57 36640]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-03-05 09:15 525360]
"PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [2008-01-25 16:25 155648]
"PLFSetL"="C:\Windows\PLFSetL.exe" [2007-07-05 15:35 94208]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-01-22 10:21 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-01-22 10:21 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-01-22 10:21 133656]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2008-01-04 13:30 768520]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2007-07-21 06:18 159744]
"Acer Product Registration"="C:\Program Files\Acer\Acer Registration\ACE1.exe" [2007-11-26 14:21 3387392]
"Acer Assist Launcher"="C:\Program Files\Acer\Acer Assist\launcher.exe" [2007-11-19 18:17 1261568]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-11 05:53 5296128 C:\Windows\RtHDVCpl.exe]
"Skytel"="Skytel.exe" [2007-11-20 06:15 1826816 C:\Windows\SkyTel.exe]

C:\Users\Roots\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 07:45:42 101784]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - C:\Acer\Empowering Technology\eAPLauncher.exe [2008-03-21 12:34:52 535336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9886D1AA-4D6D-454D-A107-72639079FBBB}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{B4F7761D-9D61-4D0B-B6FE-FB9FD78CF042}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{94695BD5-74BA-4D5E-AFEB-3A20F62AF8F7}"= Profile=Private|Profile=Public|C:\Program Files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{EE668238-02BC-4FD8-83A9-1437F276980E}"= C:\Program Files\Acer\Acer Arcade\PowerCinema.exe:CyberLink PowerCinema
"{2CDCDA02-E919-4AFE-930B-EC2244E54711}"= C:\Program Files\Acer\Acer Arcade\PCMService.exe:CyberLink PowerCinema Resident Program
"{760B2901-463D-4E36-B6EC-DF21768B58F9}"= C:\Program Files\Acer\Acer Arcade\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{CDC33473-8B04-4DAE-AFD0-7C554D50E101}"= C:\Program Files\Acer\Acer Arcade\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{5E1CE298-0D49-4CC6-B058-C4A89EF9D813}"= C:\Program Files\Acer\HomeMedia\HomeMedia.exe:HomeMedia
"{0E054F37-A5EA-4FAC-B140-3DB125C3375E}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{C0132663-0402-42D5-ADB5-460733DDE436}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{D9C63A82-8DCC-4D4E-8146-489ABA7CF70E}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{A1E41EEE-CD80-4BCE-A56B-750B6C2E27A0}"= UDP:C:\Program Files\AIM6\aim6.exe:AIM
"{B2352BE4-D948-4415-9D97-53D88E3AB9E8}"= TCP:C:\Program Files\AIM6\aim6.exe:AIM
"{E06C1172-2206-4758-89C9-373C14451EF9}"= UDP:445:TCP port445
"{363772BA-A177-4D32-BF14-2E79CD475303}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{2C509254-5E04-47A8-82BA-BEE40D62E7DE}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{40E06684-879F-4841-82AC-F10DC49E08A8}C:\\program files\\limewire\\limewire.exe"= UDP:C:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{760CC036-A83A-45E4-A1E0-A3BAF0DB364D}C:\\program files\\limewire\\limewire.exe"= TCP:C:\program files\limewire\limewire.exe:LimeWire

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\eDSfsu.exe"= C:\Acer\Empowering Technology\eDataSecurity\x86\eDSfsu.exe:*:Enabled:eDSfsu
"C:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\encryption.exe"= C:\Acer\Empowering Technology\eDataSecurity\x86\encryption.exe:*:Enabled:encryption
"C:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\decryption.exe"= C:\Acer\Empowering Technology\eDataSecurity\x86\decryption.exe:*:Enabled:decryption
"C:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\eDSMgr.exe"= C:\Acer\Empowering Technology\eDataSecurity\x86\eDSMgr.exe:*:Enabled:eDSMgr
"C:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\eDStbmngr.exe"= C:\Acer\Empowering Technology\eDataSecurity\x86\eDStbmngr.exe:*:Enabled:eDStbmngr
"C:\\Acer\\Empowering Technology\\eDataSecurity\\x64\\eDSfsu.exe"= C:\Acer\Empowering Technology\eDataSecurity\x64\eDSfsu.exe:*:Enabled:eDSfsu
"C:\\Acer\\Empowering Technology\\eDataSecurity\\x64\\encryption.exe"= C:\Acer\Empowering Technology\eDataSecurity\x64\encryption.exe:*:Enabled:encryption
"C:\\Acer\\Empowering Technology\\eDataSecurity\\x64\\decryption.exe"= C:\Acer\Empowering Technology\eDataSecurity\x64\decryption.exe:*:Enabled:decryption
"C:\\Acer\\Empowering Technology\\eDataSecurity\\x64\\eDSMgr.exe"= C:\Acer\Empowering Technology\eDataSecurity\x64\eDSMgr.exe:*:Enabled:eDSMgr
"C:\\Acer\\Empowering Technology\\eDataSecurity\\x64\\eDStbmngr.exe"= C:\Acer\Empowering Technology\eDataSecurity\x64\eDStbmngr.exe:*:Enabled:eDStbmngr

R0 pavboot;pavboot;C:\Windows\system32\drivers\pavboot.sys [2008-06-19 17:24]
R2 ALaunchService;ALaunch Service;C:\Acer\ALaunch\ALaunchSvc.exe [2007-09-19 17:41]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2007-07-22 03:00]
S4 ErrDev;Microsoft Hardware Error Device Driver;C:\Windows\system32\drivers\errdev.sys [2008-01-20 22:32]
S4 MegaSR;MegaSR;C:\Windows\system32\drivers\megasr.sys [2008-01-20 22:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2008-07-15 C:\Windows\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-01 C:\Windows\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.aol.com/
R0 -: HKLM-Main,Start Page = hxxp://en.us.acer.yahoo.com
O8 -: Copy to &Lightning Note - C:\Program Files\WordPerfect Lightning\Programs\WPLightningCopyToNote.hta
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O15 -: Trusted Zone: www.runescape.com
.
.
------- File Associations (Beta) -------
.
VBEFile="%SystemRoot%\System32\WScript.exe" "%1" %*
VBSFile="%SystemRoot%\System32\WScript.exe" "%1" %*
vbefile\shell\open\command="%SystemRoot%\System32\WScript.exe" "%1" %*
vbsfile\shell\open\command="%SystemRoot%\System32\WScript.exe" "%1" %*
jsefile\shell\open\command=%SystemRoot%\System32\WScript.exe "%1" %*
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-20 22:16:06
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-20 22:18:25
ComboFix-quarantined-files.txt 2008-08-21 02:18:06
ComboFix2.txt 2008-08-20 22:12:00

Pre-Run: 38,709,899,264 bytes free
Post-Run: 38,694,785,024 bytes free

227 --- E O F --- 2008-08-16 03:47:45


Will do other two scans as soon as I can, will post as soon as I have them.
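The security-relevant content of a ComboFix log like the one above is scattered: the deletions at the top, the autostart entries and weakened settings (both firewall profiles show "EnableFirewall"= 0, and Security Center has stopped monitoring McAfeeAntiSpyware) in the middle. The script below is an added example, not part of this post and not a ComboFix feature; it parses that log layout and pulls those three things out. The sample input reuses lines from the log above plus one constructed Run entry ("Updater", pointing under C:\ProgramData) so the user-writable check has something to fire on; which settings count as "weakened" and which roots count as user-writable are this example's own assumptions.

```python
"""Triage a ComboFix log: what was deleted, what autostarts, what weakens defenses.

Added example, not part of the forum post or of ComboFix. It parses the log
layout visible in the post; the weakened-setting rules are this example's own.
"""
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^\(+\s*(?P<title>.+?)\s*\)+$")         # (((( Title ))))
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                     # [HKLM\...]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.+)$')     # "Name"= data
RUN_ENTRY_RE = re.compile(                                        # "Name"="path" [date size [resolved]]
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"\s+'
    r"\[(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>\d+)"
    r"(?:\s+(?P<resolved>[^\]]+))?\]$"
)
# Assumption: any local user can write under these roots, so an autostart binary
# living there deserves a closer look than one under Program Files or Windows.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "\\appdata\\", "\\temp\\")


@dataclass
class Autostart:
    key: str
    name: str
    path: str
    date: str
    size: int
    user_writable: bool


def _reg_int(data):
    """Parse the two integer renderings ComboFix uses: 'dword:00000001' and '0 (0x0)'."""
    token = data.split(":")[-1].split()[0]
    return int(token, 16) if data.startswith("dword:") else int(token)


def triage(log_text):
    """Return (deleted_paths, autostarts, findings) for one ComboFix log."""
    deletions, autostarts, findings = [], [], []
    section = key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if m := SECTION_RE.match(line):           # new ((( section ))) header
            section, key = m.group("title"), None
            continue
        if section == "Other Deletions":          # every line here is a removed path
            deletions.append(line)
            continue
        if m := KEY_RE.match(line):               # registry key; values follow
            key = m.group("key")
            continue
        if key is None:
            continue
        if (m := RUN_ENTRY_RE.match(line)) and key.lower().endswith("\\run"):
            # ComboFix appends the resolved path when the value is a bare file name.
            path = m.group("resolved") or m.group("value")
            autostarts.append(Autostart(key, m.group("name"), path, m.group("date"),
                                        int(m.group("size")),
                                        any(r in path.lower() for r in USER_WRITABLE)))
            continue
        if not (m := VALUE_RE.match(line)):
            continue
        name, data, lkey = m.group("name"), m.group("data").strip(), key.lower()
        leaf = key.rsplit("\\", 1)[-1]            # profile or product name
        if "\\firewallpolicy\\" in lkey and name == "EnableFirewall" and _reg_int(data) == 0:
            findings.append((key, f"Windows Firewall disabled for {leaf}"))
        elif "security center\\monitoring\\" in lkey and name == "DisableMonitoring" \
                and _reg_int(data) == 1:
            findings.append((key, f"Security Center no longer monitors {leaf}"))
    return deletions, autostarts, findings


# Constructed sample: lines taken from the log above, plus one made-up "Updater" entry.
SAMPLE_LOG = r"""
(((((((((( Other Deletions ))))))))))
.
C:\ProgramData\Iso Web Bags Else\Send Base.exe
C:\ProgramData\Mfcd start\lmdgrhgd.exe
.
(((((((((( Reg Loading Points ))))))))))
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-20 22:32 1233920]
"Updater"="C:\ProgramData\Example\updater.exe" [2008-08-19 01:02 12345]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-11 05:53 5296128 C:\Windows\RtHDVCpl.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"""

if __name__ == "__main__":
    deleted, starts, flags = triage(SAMPLE_LOG)
    print("Deleted:", *deleted, sep="\n  ")
    for a in starts:
        print(f"{'!' if a.user_writable else ' '} {a.name:<10} {a.path}  ({a.date}, {a.size} bytes)")
    for key, detail in flags:
        print("!", detail, "::", key)
```

Run against a full log rather than the sample, the "Other Deletions" list tells the poster what ComboFix actually removed, the flagged autostart lines are the ones to check against the deletions (a Run value still pointing at a removed file means the loader survived), and the findings list is the follow-up work: re-enable the firewall profiles and restore Security Center monitoring once the cleanup is confirmed.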