
July 1st, 2011, 06:04 AM
ryno
Senior Member
Join Date: Aug 2007
Posts: 181
windows vista repair

running an acer aspire 4810TZ (laptop). windows vista.

at startup I'm getting a black screen w/ only the IE icon up and active. have been running Firefox for browsing; IE is only for work-related things. downloaded a few items from family: .xls, .wrd.

now this: can't get to ie, have a window on top of black screen w/ 'windows vista repair' and another window on top of that stating 'critical hard drive error'

'critical error' box pops up out of the taskbar stating that 'windows can't find ...' then it changes to 'damaged hard drive clusters detected. Private data is at risk.'

let the madness begin.
July 4th, 2011, 01:56 AM
Jintan
Cyber Tech Help Moderator
Join Date: Dec 2004
Posts: 52,284
Hello ryno,

The system is infected, and those warnings are just part of it.

The system is Vista, so when running any of the scan files we use, be sure to right-click the file, then select "Run as administrator" to start the scan/tool.

To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs. Here are some antivirus disable tips if needed.


Right off see if you can access Safe Mode, where the malware is less active. At startup tap the F8 key about once per half-second, then select Safe Mode with Networking from the menu that will appear.

Download RKill from one of these links (also see those lower down). Each is named differently, depending on what a specific malware is targeting. So you may need to try more than one copy. Download the file, click to run it, and follow any prompts you receive.


Then let's get some info to work with.

To make sure you have an accurate view of files there, make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types".

Click here and download OldTimer's OTL to your desktop, then click that to open the scan display. At the top click "Scan All Users", then click "Run Scan". Make no other changes at this time.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are also saved in the same location as OTL.exe. Post the contents of those back here please.


Click here and download the installer for Gmer to your desktop, then click that file to run Gmer.

Once the opening scan finishes, click on Scan (again, before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.

Note - If Gmer shows it has located infection once its opening scan completes, do not click the Scan button. We don't want hidden malware settings to cause any problems. Instead, just click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.


Download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Decline a download of avast itself if offered
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

A lot, but comprehensive, and will make sure we get a good view of everything.
July 4th, 2011, 03:21 AM
ryno
Senior Member
Join Date: Aug 2007
Posts: 181
check your PMs

July 4th, 2011, 03:40 AM
Jintan
Cyber Tech Help Moderator
Join Date: Dec 2004
Posts: 52,284
I received your PM about using the Bleeping tutorial to do your own repairs. Some may not quite agree with some parts of those tutorials, but in general, they can be very helpful in some malware situations. Did TDSSKiller find or "cure" anything? Perhaps you could post that log here (Similar in name to C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt), as well as the first Malwarebytes log where it did the most malware removals (located under the Logs tab in Malwarebytes).

But also please do the steps posted, to see what else needs changing.
July 4th, 2011, 05:15 AM
ryno
Senior Member
Join Date: Aug 2007
Posts: 181
Malwarebytes' Anti-Malware

Database version: 6705

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

7/1/2011 1:47:18 PM
mbam-log-2011-07-01 (13-47-18).txt

Scan type: Full scan (C:\|)
Objects scanned: 299816
Time elapsed: 47 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\programdata\46716944.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
July 4th, 2011, 05:16 AM
ryno
Senior Member
Join Date: Aug 2007
Posts: 181
Malwarebytes' Anti-Malware

Database version: 6998

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

7/1/2011 2:57:28 PM
mbam-log-2011-07-01 (14-57-28).txt

Scan type: Full scan (C:\|E:\|)
Objects scanned: 305005
Time elapsed: 47 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PjkqmukNqKrm (Trojan.FakeAlert) -> Value: PjkqmukNqKrm -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\programdata\pjkqmuknqkrm.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\programdata\26009156.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\Users\ryan\AppData\Local\temp\tmp251E.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\ryan\AppData\Local\temp\javaw.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\ryan\AppData\Local\temp\adobe_flash_player.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
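A small parser for the MBAM log format shown in the posts above, added here as an example (it is not from the thread and not Malwarebytes' own tooling). It extracts each detection, cross-checks the summary counts against the itemised entries, and tags each item by what it tells a responder: a Run-key autostart, a policy that disabled Task Manager, or a payload dropped under ProgramData or a temp folder. The embedded log is a constructed, abbreviated copy of the second log above.

```python
"""Parse and triage a Malwarebytes' Anti-Malware (MBAM) scan log.

Added example, not part of the original thread. The log format is the one
posted in the thread: a block of "<Section> Infected: N" summary lines, then
one "<Section> Infected:" block per section listing either
"(No malicious items detected)" or one item per line.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the second log posted in the thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware

Database version: 6998

Scan type: Full scan (C:\|E:\|)
Objects scanned: 305005

Memory Processes Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PjkqmukNqKrm (Trojan.FakeAlert) -> Value: PjkqmukNqKrm -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Files Infected:
c:\programdata\pjkqmuknqkrm.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\programdata\26009156.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\Users\ryan\AppData\Local\temp\javaw.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")
NONE_MARKER = "(No malicious items detected)"


@dataclass
class Finding:
    section: str
    location: str    # registry key/value path or file path
    detection: str   # MBAM detection name, e.g. Trojan.FakeAlert
    action: str      # what MBAM did with it
    category: str    # responder-oriented tag from classify()


def classify(location: str) -> str:
    """Tag an item by the persistence/tampering mechanism it represents."""
    loc = location.lower()
    if loc.startswith("hk"):
        if "\\run\\" in loc:
            return "persistence: autorun Run value"
        if "disabletaskmgr" in loc:
            return "tampering: Task Manager disabled by policy"
        return "registry: other"
    if loc.startswith("c:\\programdata\\") or "\\appdata\\local\\temp\\" in loc:
        return "payload: executable in user-writable data directory"
    return "file: other"


def parse_item(section: str, line: str) -> Finding:
    """Split 'location (Detection) -> ... -> action.' into its fields."""
    head, _, tail = line.partition(" -> ")
    # Use the *last* " (" so paths containing parentheses still parse.
    location, sep, detection = head.rpartition(" (")
    if not sep or not detection.endswith(")"):
        raise ValueError(f"unrecognised item line: {line!r}")
    action = tail.rsplit(" -> ", 1)[-1].rstrip(".")
    return Finding(section, location, detection[:-1], action, classify(location))


def parse_mbam_log(text: str):
    """Return (summary counts by section, list of Finding)."""
    summary, findings, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None          # blank line ends the current section
            continue
        if m := SUMMARY_RE.match(line):
            summary[m["section"]] = int(m["count"])
        elif m := HEADER_RE.match(line):
            current = m["section"]
        elif current and line != NONE_MARKER:
            findings.append(parse_item(current, line))
    return summary, findings


def count_mismatches(summary, findings):
    """Sections whose summary count disagrees with the items actually listed
    (a truncated or hand-edited log shows up here)."""
    counted = {}
    for f in findings:
        counted[f.section] = counted.get(f.section, 0) + 1
    return {s: (n, counted.get(s, 0)) for s, n in summary.items()
            if n != counted.get(s, 0)}


def triage(text: str) -> dict:
    """One-call summary a helper would want before reading the full log."""
    summary, findings = parse_mbam_log(text)
    return {
        "mismatches": count_mismatches(summary, findings),
        "categories": sorted({f.category for f in findings}),
        "not_removed": [f.location for f in findings
                        if not f.action.startswith("Quarantined")],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```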
July 4th, 2011, 05:19 AM
ryno
Senior Member
Join Date: Aug 2007
Posts: 181
this was the final mbam scan i did just to be sure that all the badness was gone:

Database version: 6998

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

7/1/2011 3:21:16 PM
mbam-log-2011-07-01 (15-21-16).txt

Scan type: Quick scan
Objects scanned: 1
Time elapsed: 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
July 4th, 2011, 05:22 AM
ryno
Senior Member
Join Date: Aug 2007
Posts: 181
fyi: TDSSKiller found nothing. i ditched the log of it.

Last edited by ryno; July 4th, 2011 at 07:00 AM.
July 4th, 2011, 05:32 AM
ryno
Senior Member
Join Date: Aug 2007
Posts: 181
OTL logfile created on: 7/3/2011 9:24:46 PM - Run 1
OTL by OldTimer - Version Folder = C:\Users\ryan\Desktop
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.93 Gb Total Physical Memory | 1.16 Gb Available Physical Memory | 39.61% Memory free
6.09 Gb Paging File | 4.24 Gb Available in Paging File | 69.70% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 288.32 Gb Total Space | 197.19 Gb Free Space | 68.39% Space Free | Partition Type: NTFS

Computer Name: RYAN-PC | User Name: ryan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/07/03 21:23:45 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\ryan\Desktop\OTL.exe
PRC - [2011/07/01 11:28:29 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/03/07 12:21:00 | 000,107,008 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\KODAK Share Button App\Listener.exe
PRC - [2011/01/05 09:01:16 | 000,322,112 | ---- | M] (ArcSoft, Inc.) -- C:\Program Files\Kodak\MediaImpression\MediaImpression.exe
PRC - [2010/12/15 18:03:02 | 000,080,448 | ---- | M] (ArcSoft, Inc.) -- C:\Program Files\Kodak\MediaImpression\ArcMonitor.exe
PRC - [2010/10/27 19:17:52 | 000,207,424 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
PRC - [2010/08/25 11:27:44 | 000,309,824 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
PRC - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2010/01/15 05:49:20 | 000,255,536 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
PRC - [2009/12/17 17:46:08 | 000,072,192 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Media Browser\ArcMediaService.exe
PRC - [2009/04/29 19:56:28 | 000,176,128 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe
PRC - [2009/04/29 17:32:32 | 000,118,784 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe
PRC - [2009/04/27 15:11:24 | 000,707,104 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTray.exe
PRC - [2009/04/27 15:11:24 | 000,703,008 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe
PRC - [2009/04/27 15:11:22 | 000,453,152 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Acer PowerSmart Manager\ePowerEvent.exe
PRC - [2009/04/10 19:11:20 | 000,117,256 | ---- | M] (Dritek System Inc.) -- C:\Program Files\Launch Manager\dsiwmis.exe
PRC - [2009/04/08 17:56:14 | 001,071,624 | ---- | M] (Dritek System Inc.) -- C:\Program Files\Launch Manager\LManager.exe
PRC - [2009/04/01 21:06:08 | 000,249,600 | ---- | M] (NewTech Infosystems, Inc.) -- C:\Program Files\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe
PRC - [2009/04/01 21:06:02 | 000,054,528 | ---- | M] (NewTech Infosystems, Inc.) -- C:\Program Files\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe
PRC - [2009/02/11 17:38:40 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2009/02/11 17:38:38 | 000,186,904 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2009/02/11 15:46:28 | 000,565,248 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Acer VCM\AcerVCM.exe
PRC - [2009/02/05 08:14:56 | 000,237,568 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Acer VCM\RS_Service.exe
PRC - [2009/01/08 19:08:56 | 000,294,544 | ---- | M] (Carbonite, Inc.) -- C:\Program Files\Carbonite\CarbonitePreinstaller.exe
PRC - [2008/10/28 23:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/10/27 15:09:16 | 000,199,464 | ---- | M] (EgisTec Inc.) -- C:\Program Files\EgisTec Egis Software Update\EgisUpdate.exe
PRC - [2008/10/27 12:05:28 | 000,306,736 | ---- | M] (EgisTec Inc.) -- C:\Program Files\EgisTec\MyWinLocker 3\x86\MWLService.exe
PRC - [2008/10/27 12:05:24 | 000,346,672 | ---- | M] (EgisTec Inc.) -- C:\Program Files\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe
PRC - [2008/01/20 19:23:32 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe

========== Modules (SafeList) ==========

MOD - [2011/07/03 21:23:45 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\ryan\Desktop\OTL.exe
MOD - [2010/08/31 08:39:57 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18523_none_5cdd65e20837faf2\comctl32.dll
MOD - [2009/04/27 15:11:52 | 000,215,584 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Acer PowerSmart Manager\SysHook.dll

========== Win32 Services (SafeList) ==========

SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2010/01/15 05:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2009/04/29 17:32:32 | 000,118,784 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe -- (ODDPwrSvc)
SRV - [2009/04/27 15:11:24 | 000,703,008 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files\Acer\Acer PowerSmart Manager\ePowerSvc.exe -- (ePowerSvc)
SRV - [2009/04/10 19:11:20 | 000,117,256 | ---- | M] (Dritek System Inc.) [Auto | Running] -- C:\Program Files\Launch Manager\dsiwmis.exe -- (DsiWMIService)
SRV - [2009/04/01 21:06:02 | 000,054,528 | ---- | M] (NewTech Infosystems, Inc.) [Auto | Running] -- C:\Program Files\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe -- (NTI IScheduleSvc)
SRV - [2009/02/11 17:38:40 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R)
SRV - [2009/02/05 08:14:56 | 000,237,568 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files\Acer\Acer VCM\RS_Service.exe -- (RS_Service)
SRV - [2008/10/27 12:05:28 | 000,306,736 | ---- | M] () [Auto | Running] -- C:\Program Files\EgisTec\MyWinLocker 3\x86\\MWLService.exe -- (MWLService)
SRV - [2008/01/20 19:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

========== Driver Services (SafeList) ==========

DRV - [2009/10/16 09:22:58 | 000,045,608 | ---- | M] (Tether) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\qrkis.sys -- (qrkis)
DRV - [2009/04/01 12:54:44 | 000,050,176 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\L1C60x86.sys -- (L1C)
DRV - [2008/12/29 15:57:56 | 000,952,832 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2008/10/09 16:47:12 | 000,059,952 | ---- | M] (Egis Incorporated.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\mwlPSDVDisk.sys -- (mwlPSDVDisk)
DRV - [2008/10/09 16:47:12 | 000,019,504 | ---- | M] (Egis Incorporated.) [File_System | Auto | Running] -- C:\Windows\System32\drivers\mwlPSDFilter.sys -- (mwlPSDFilter)
DRV - [2008/10/09 16:47:12 | 000,016,432 | ---- | M] (Egis Incorporated.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\mwlPSDNserv.sys -- (mwlPSDNServ)
DRV - [2008/09/22 06:49:36 | 000,112,128 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel(R)
DRV - [2006/11/10 15:05:00 | 000,018,688 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\afc.sys -- (Afc)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=...m=aspire_4810t

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=

IE - HKU\S-1-5-21-1035236229-421214943-2964462030-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://global.acer.com [binary data]
IE - HKU\S-1-5-21-1035236229-421214943-2964462030-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-1035236229-421214943-2964462030-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://www.skywestonline.com/SKYW/Home/Login.aspx
IE - HKU\S-1-5-21-1035236229-421214943-2964462030-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-1035236229-421214943-2964462030-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1035236229-421214943-2964462030-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22

FF - HKLM\software\mozilla\Mozilla Firefox 5.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/07/01 11:28:30 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 5.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/05/29 14:22:52 | 000,000,000 | ---D | M]

[2009/09/22 15:41:48 | 000,000,000 | ---D | M] (No name found) -- C:\Users\ryan\AppData\Roaming\Mozilla\Extensions
[2011/05/07 01:11:43 | 000,000,000 | ---D | M] (No name found) -- C:\Users\ryan\AppData\Roaming\Mozilla\Firefox\Profiles\sxl2uris.default\extensions
[2010/05/03 06:52:28 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\ryan\AppData\Roaming\Mozilla\Firefox\Profiles\sxl2uris.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/01/05 09:04:42 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/07/09 19:41:25 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/08/08 17:52:05 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/11/19 15:35:39 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
File not found (No name found) --
[2011/07/01 11:28:29 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/11/30 09:35:58 | 000,171,832 | ---- | M] (Cisco WebEx LLC) -- C:\Program Files\mozilla firefox\plugins\npatgpc.dll
[2010/09/15 05:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/07/01 11:28:26 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2010/06/27 10:01:43 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: localhost
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
O4 - HKLM..\Run: [Acer Assist Launcher] C:\Program Files\Acer\Acer Assist\launcher.exe ()
O4 - HKLM..\Run: [Acer ePower Management] C:\Program Files\Acer\Acer PowerSmart Manager\ePowerTrayLauncher.exe (Acer Incorporated)
O4 - HKLM..\Run: [Acer Product Registration] C:\Program Files\Acer\Acer Registration\ACE1.exe (Leader Technologies)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [ArcSoft MediaImpression Monitor] C:\Program Files\Kodak\MediaImpression\ArcMonitor.exe (ArcSoft, Inc.)
O4 - HKLM..\Run: [BackupManagerTray] C:\Program Files\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe (NewTech Infosystems, Inc.)
O4 - HKLM..\Run: [CarboniteSetupLite] C:\Program Files\Carbonite\CarbonitePreinstaller.exe (Carbonite, Inc.)
O4 - HKLM..\Run: [EgisTecLiveUpdate] C:\Program Files\EgisTec Egis Software Update\EgisUpdate.exe (EgisTec Inc.)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe ()
O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe (Dritek System Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [mwlDaemon] C:\Program Files\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe (EgisTec Inc.)
O4 - HKLM..\Run: [ODDPwr] C:\Program Files\Acer\Optical Drive Power Management\ODDPwr.exe (Acer Incorporated)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1035236229-421214943-2964462030-1000..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1035236229-421214943-2964462030-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1035236229-421214943-2964462030-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer =
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 14:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{b7407305-999d-11e0-9ead-001f169fd1c2}\Shell - "" = AutoRun
O33 - MountPoints2\{b7407305-999d-11e0-9ead-001f169fd1c2}\Shell\AutoRun\command - "" = F:\KODAK_Camera_Setup_App.exe
O33 - MountPoints2\{b740733f-999d-11e0-9ead-001f169fd1c2}\Shell - "" = AutoRun
O33 - MountPoints2\{b740733f-999d-11e0-9ead-001f169fd1c2}\Shell\AutoRun\command - "" = F:\KODAK_Camera_Setup_App.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/07/03 21:23:34 | 000,580,096 | ---- | C] (OldTimer Tools) -- C:\Users\ryan\Desktop\OTL.exe
[2011/07/01 15:01:48 | 000,000,000 | ---D | C] -- C:\Users\ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CyberLink PowerDVD
[2011/07/01 08:20:00 | 000,000,000 | ---D | C] -- C:\ProgramData\WindowsSearch
[2011/06/30 21:30:44 | 000,000,000 | ---D | C] -- C:\Users\ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Vista Repair
[2011/06/30 10:27:50 | 000,000,000 | ---D | C] -- C:\Users\ryan\AppData\Roaming\PeerNetworking
[2011/06/27 17:37:05 | 000,000,000 | ---D | C] -- C:\Windows\New Folder
[2011/06/27 17:28:07 | 000,000,000 | ---D | C] -- C:\Users\ryan\AppData\Local\ArcSoft
[2011/06/27 17:28:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ArcSoft Connect
[2011/06/27 17:26:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ArcSoft MediaImpression for Kodak
[2011/06/27 17:24:56 | 000,018,688 | ---- | C] (Arcsoft, Inc.) -- C:\Windows\System32\drivers\afc.sys
[2011/06/27 17:24:30 | 000,000,000 | ---D | C] -- C:\Users\ryan\AppData\Roaming\ArcSoft
[2011/06/27 17:13:02 | 000,000,000 | -H-D | C] -- C:\ProgramData\ArcSoft
[2011/06/27 17:13:01 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\ArcSoft
[2011/06/27 17:08:33 | 000,000,000 | ---D | C] -- C:\Users\ryan\AppData\Roaming\Kodak
[2011/06/27 17:08:06 | 000,000,000 | ---D | C] -- C:\Program Files\DIFX
[2011/06/27 17:07:35 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Kodak
[2011/06/27 17:07:33 | 000,000,000 | ---D | C] -- C:\Program Files\Kodak
[2011/06/27 17:05:44 | 000,000,000 | ---D | C] -- C:\ProgramData\{A2A58654-12AA-408A-B411-58A76959BE7F}
[2011/06/16 14:50:52 | 000,671,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2011/06/16 14:50:52 | 000,467,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2011/06/16 14:50:52 | 000,389,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\html.iec
[2011/06/16 14:50:52 | 000,389,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iedkcs32.dll
[2011/06/16 14:50:52 | 000,380,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dll
[2011/06/16 14:50:52 | 000,230,400 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieaksie.dll
[2011/06/16 14:50:52 | 000,193,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iepeers.dll
[2011/06/16 14:50:52 | 000,078,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieencode.dll
[2011/06/16 14:50:52 | 000,028,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2011/06/16 14:50:51 | 001,383,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011/06/08 11:11:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2011/06/08 11:10:43 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/06/08 11:10:40 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/08/25 19:59:08 | 000,004,096 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll
[2009/05/20 01:43:49 | 000,049,152 | ---- | C] ( ) -- C:\Windows\Interop.IWshRuntimeLibrary.dll
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/07/03 21:23:45 | 000,580,096 | ---- | M] (OldTimer Tools) -- C:\Users\ryan\Desktop\OTL.exe
[2011/07/03 21:09:00 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/07/03 20:55:25 | 000,003,216 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/07/03 20:55:25 | 000,003,216 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/07/03 14:09:00 | 000,000,878 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/07/03 12:27:38 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/07/01 20:20:51 | 000,604,502 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/07/01 20:20:51 | 000,104,170 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/07/01 14:58:38 | 3145,560,064 | -HS- | M] () -- C:\hiberfil.sys
[2011/07/01 13:53:12 | 000,000,232 | ---- | M] () -- C:\ProgramData\~26009156
[2011/07/01 13:53:11 | 000,000,168 | ---- | M] () -- C:\ProgramData\~26009156r
[2011/07/01 13:53:02 | 000,000,336 | ---- | M] () -- C:\ProgramData\26009156
[2011/06/30 21:30:45 | 000,000,232 | ---- | M] () -- C:\ProgramData\~46716944
[2011/06/30 21:30:45 | 000,000,168 | ---- | M] () -- C:\ProgramData\~46716944r
[2011/06/30 21:30:38 | 000,000,336 | ---- | M] () -- C:\ProgramData\46716944
[2011/06/30 10:27:50 | 000,029,239 | ---- | M] () -- C:\Users\ryan\AppData\Roaming\UserTile.png
[2011/06/27 17:26:21 | 000,001,900 | ---- | M] () -- C:\Users\Public\Desktop\Media Impression for Kodak.lnk
[2011/06/16 14:19:52 | 000,048,165 | ---- | M] () -- C:\Users\ryan\Desktop\scotch gaurd.jpg
[2011/06/15 08:07:13 | 000,001,684 | ---- | M] () -- C:\Users\ryan\Application Data\Microsoft\Internet Explorer\Quick Launch\Snipping Tool.lnk
[2011/06/08 11:11:29 | 000,001,668 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/07/01 15:11:24 | 000,002,565 | ---- | C] () -- C:\Users\Public\Desktop\Orion.lnk
[2011/07/01 15:11:24 | 000,002,077 | ---- | C] () -- C:\Users\Public\Desktop\Google Earth.lnk
[2011/07/01 15:11:24 | 000,001,994 | ---- | C] () -- C:\Users\Public\Desktop\MyWinLocker.lnk
[2011/07/01 15:11:24 | 000,001,900 | ---- | C] () -- C:\Users\Public\Desktop\Media Impression for Kodak.lnk
[2011/07/01 15:11:24 | 000,001,892 | ---- | C] () -- C:\Users\Public\Desktop\GTS Pro.lnk
[2011/07/01 15:11:24 | 000,001,891 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2011/07/01 15:11:24 | 000,001,873 | ---- | C] () -- C:\Users\Public\Desktop\Desktop Manager.lnk
[2011/07/01 15:11:24 | 000,001,858 | ---- | C] () -- C:\Users\Public\Desktop\Carbonite Online Backup Setup.lnk
[2011/07/01 15:11:24 | 000,001,804 | ---- | C] () -- C:\Users\Public\Desktop\Network Recording Player.lnk
[2011/07/01 15:11:24 | 000,001,752 | ---- | C] () -- C:\Users\ryan\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/07/01 15:11:24 | 000,001,730 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2011/07/01 15:11:24 | 000,001,728 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2011/07/01 15:11:24 | 000,001,684 | ---- | C] () -- C:\Users\ryan\Application Data\Microsoft\Internet Explorer\Quick Launch\Snipping Tool.lnk
[2011/07/01 15:11:24 | 000,001,668 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011/07/01 15:11:24 | 000,001,544 | ---- | C] () -- C:\Users\Public\Desktop\Study with Flight Test 5.lnk
[2011/07/01 15:11:24 | 000,001,182 | ---- | C] () -- C:\Users\Public\Desktop\Microsoft Office - 60 Day Trial.lnk
[2011/07/01 15:11:24 | 000,001,008 | ---- | C] () -- C:\Users\Public\Desktop\Microsoft Works.lnk
[2011/07/01 15:11:24 | 000,000,972 | ---- | C] () -- C:\Users\Public\Desktop\FX AccuCharts.lnk
[2011/07/01 15:11:24 | 000,000,950 | ---- | C] () -- C:\Users\Public\Desktop\Acer GameZone Console.lnk
[2011/07/01 15:11:24 | 000,000,947 | ---- | C] () -- C:\Users\ryan\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/07/01 15:11:24 | 000,000,942 | ---- | C] () -- C:\Users\ryan\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2011/07/01 15:11:24 | 000,000,876 | ---- | C] () -- C:\Users\Public\Desktop\Acrobat_com.lnk
[2011/07/01 15:11:24 | 000,000,822 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/07/01 15:11:24 | 000,000,785 | ---- | C] () -- C:\Users\Public\Desktop\Ingram Media Manager.lnk
[2011/07/01 15:11:24 | 000,000,258 | ---- | C] () -- C:\Users\ryan\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2011/07/01 15:11:24 | 000,000,240 | ---- | C] () -- C:\Users\ryan\Application Data\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
[2011/07/01 13:53:11 | 000,000,232 | ---- | C] () -- C:\ProgramData\~26009156
[2011/07/01 13:53:11 | 000,000,168 | ---- | C] () -- C:\ProgramData\~26009156r
[2011/07/01 13:53:01 | 000,000,336 | ---- | C] () -- C:\ProgramData\26009156
[2011/07/01 12:06:54 | 3145,560,064 | -HS- | C] () -- C:\hiberfil.sys
[2011/06/30 21:30:45 | 000,000,232 | ---- | C] () -- C:\ProgramData\~46716944
[2011/06/30 21:30:45 | 000,000,168 | ---- | C] () -- C:\ProgramData\~46716944r
[2011/06/30 21:30:38 | 000,000,336 | ---- | C] () -- C:\ProgramData\46716944
[2011/06/30 10:27:50 | 000,029,239 | ---- | C] () -- C:\Users\ryan\AppData\Roaming\UserTile.png
[2011/06/16 14:19:50 | 000,048,165 | ---- | C] () -- C:\Users\ryan\Desktop\scotch gaurd.jpg
[2010/09/30 20:40:13 | 000,000,680 | ---- | C] () -- C:\Users\ryan\AppData\Local\d3d9caps.dat
[2010/08/25 20:30:02 | 000,439,308 | ---- | C] () -- C:\Windows\System32\igcompkrng500.bin
[2010/08/25 20:30:00 | 000,982,240 | ---- | C] () -- C:\Windows\System32\igkrng500.bin
[2010/08/25 20:30:00 | 000,092,356 | ---- | C] () -- C:\Windows\System32\igfcg500m.bin
[2010/08/25 19:57:00 | 000,000,151 | ---- | C] () -- C:\Windows\System32\GfxUI.exe.config
[2010/08/25 19:52:00 | 000,208,896 | ---- | C] () -- C:\Windows\System32\iglhsip32.dll
[2010/08/25 19:52:00 | 000,143,360 | ---- | C] () -- C:\Windows\System32\iglhcp32.dll
[2010/06/27 09:52:39 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010/06/27 09:52:39 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2009/10/15 08:45:03 | 000,004,096 | ---- | C] () -- C:\Users\ryan\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/29 12:19:01 | 000,000,051 | ---- | C] () -- C:\Windows\TOPO.INI
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009/05/20 01:40:58 | 000,004,608 | ---- | C] () -- C:\Windows\System32\HdmiCoin.dll
[2009/05/20 01:40:57 | 000,139,824 | ---- | C] () -- C:\Windows\System32\igfcg500.bin
[2009/05/20 01:10:06 | 000,000,033 | ---- | C] () -- C:\Windows\LaunApp.ini
[2009/05/20 00:56:07 | 000,106,496 | ---- | C] () -- C:\Windows\FixUVC.exe
[2009/05/20 00:54:59 | 000,107,276 | ---- | C] () -- C:\Windows\System32\drivers\RtConvEQ.DAT
[2009/05/20 00:54:59 | 000,000,712 | ---- | C] () -- C:\Windows\System32\drivers\SamSfPa.dat
[2009/05/20 00:54:59 | 000,000,632 | ---- | C] () -- C:\Windows\System32\drivers\RtHdatEx.dat
[2009/05/20 00:54:59 | 000,000,520 | ---- | C] () -- C:\Windows\System32\drivers\RTEQEX2.dat
[2009/05/20 00:54:59 | 000,000,520 | ---- | C] () -- C:\Windows\System32\drivers\RTEQEX1.dat
[2009/05/20 00:54:59 | 000,000,520 | ---- | C] () -- C:\Windows\System32\drivers\RTEQEX0.dat
[2009/05/20 00:54:59 | 000,000,016 | ---- | C] () -- C:\Windows\System32\drivers\rtkhdaud.dat
[2009/04/07 23:47:22 | 000,106,605 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/04/07 23:47:22 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2009/03/31 17:46:06 | 000,872,448 | ---- | C] () -- C:\Windows\iconv.dll
[2009/03/31 17:46:06 | 000,743,424 | ---- | C] () -- C:\Windows\libxml2.dll
[2009/03/31 17:46:05 | 000,000,056 | ---- | C] () -- C:\Windows\Prelaunch.ini
[2009/03/31 17:46:05 | 000,000,028 | ---- | C] () -- C:\Windows\WisLangCode.ini
[2006/11/02 05:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 05:47:37 | 000,427,760 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 05:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 03:33:01 | 000,604,502 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 03:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 03:33:01 | 000,104,170 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 03:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 03:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 01:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 01:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 00:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 00:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

========== Alternate Data Streams ==========

@Alternate Data Stream - 64 bytes -> C:\Users\ryan\Desktop\Melt_Final_w-audio.mp4:TOC.WMV

< End of report >
July 4th, 2011, 06:41 AM
ryno
Senior Member
Join Date: Aug 2007
Posts: 181
GMER - http://www.gmer.net
Rootkit scan 2011-07-03 22:39:45
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0
Running: 1o6rrpmg.exe; Driver: C:\Users\ryan\AppData\Local\Temp\kgldrpog.sys

---- Kernel code sections - GMER 1.0.15 ----

? System32\drivers\xihwtncw.sys The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[2560] ntdll.dll!LdrLoadDll 777779B3 5 Bytes JMP 00BB1410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Windows\Explorer.exe[3032] SHELL32.dll!InitNetworkAddressControl + 2939 768E006C 4 Bytes [B0, 22, 00, 10] {MOV AL, 0x22; ADD [EAX], DL}
.text C:\Windows\Explorer.exe[3032] SHELL32.dll!ShellExecuteExW + 121F 769111DC 4 Bytes [20, 1B, 00, 10] {AND [EBX], BL; ADD [EAX], DL}
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3952] USER32.dll!GetWindowInfo 77490560 5 Bytes JMP 65FE5451 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3952] USER32.dll!SetWindowLongA 77490736 5 Bytes JMP 661CEDA6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3952] USER32.dll!SetWindowLongW 77491F35 5 Bytes JMP 661CED38 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3952] USER32.dll!TrackPopupMenu 774A1417 5 Bytes JMP 65FE5A99 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe[2380] @ C:\Windows\system32\SHELL32.dll [USER32.dll!ExitWindowsEx] [00F31210] C:\Program Files\NewTech Infosystems\Acer Backup Manager\Pehook.dll (Backup Manager Module/NewTech Infosystems, Inc.)
IAT C:\Windows\Explorer.exe[3032] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusShutdown] [747D8864] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3032] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCloneImage] [74819855] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3032] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDrawImageRectI] [747DB984] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3032] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [747CFB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3032] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusStartup] [747D7A29] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3032] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateFromHDC] [747CEA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3032] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromStreamICM] [7480B12D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3032] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromStream] [747DBC4A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3032] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipGetImageHeight] [747D0756] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3032] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipGetImageWidth] [747D06BD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3032] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDisposeImage] [747C71B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3032] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipLoadImageFromFileICM] [7485D9E0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3032] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipLoadImageFromFile] [747F7329] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3032] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDeleteGraphics] [747CE109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3032] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipFree] [747C697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3032] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipAlloc] [747C69A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3032] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipSetCompositingMode] [747D2475] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[3032] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [10002480] C:\Program Files\EgisTec\MyWinLocker 3\x86\psdprotect.dll (PSD DragDrop Protection/EgisTec Inc.)
IAT C:\Windows\Explorer.exe[3032] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [10001DA0] C:\Program Files\EgisTec\MyWinLocker 3\x86\psdprotect.dll (PSD DragDrop Protection/EgisTec Inc.)
IAT C:\Windows\Explorer.exe[3032] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [100027D0] C:\Program Files\EgisTec\MyWinLocker 3\x86\psdprotect.dll (PSD DragDrop Protection/EgisTec Inc.)
IAT C:\Windows\Explorer.exe[3032] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [10001290] C:\Program Files\EgisTec\MyWinLocker 3\x86\psdprotect.dll (PSD DragDrop Protection/EgisTec Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
July 5th, 2011, 06:48 AM
ryno
Senior Member
Join Date: Aug 2007
Posts: 181
aswMBR version Copyright(c) 2011 AVAST Software
Run date: 2011-07-03 22:42:55
22:42:55.884 OS Version: Windows 6.0.6001 Service Pack 1
22:42:55.884 Number of processors: 1 586 0x170A
22:42:55.885 ComputerName: RYAN-PC UserName: ryan
22:42:58.565 Initialize success
22:43:17.836 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
22:43:17.839 Disk 0 Vendor: WDC_WD32 11.0 Size: 305245MB BusType: 3
22:43:18.210 Disk 0 MBR read successfully
22:43:18.219 Disk 0 MBR scan
22:43:18.228 Disk 0 unknown MBR code
22:43:18.292 Disk 0 scanning sectors +625139712
22:43:18.478 Disk 0 scanning C:\Windows\system32\drivers
22:44:30.018 Service scanning
22:44:31.194 Disk 0 trace - called modules:
22:44:31.305 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
22:44:31.309 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8611dac8]
22:44:31.314 3 CLASSPNP.SYS[8a5ab745] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x848cb028]
22:44:31.323 Scan finished successfully
22:48:09.413 Disk 0 MBR has been saved successfully to "C:\Users\ryan\Desktop\MBR.dat"
22:48:09.423 The log file has been saved successfully to "C:\Users\ryan\Desktop\aswMBR.txt"
July 4th, 2011, 06:53 AM
ryno
Senior Member
Join Date: Aug 2007
Posts: 181
Hopefully I got all these logs correct. Again, thanks for the help.
July 5th, 2011, 12:53 AM
Jintan's Avatar
Jintan
Cyber Tech Help Moderator
Join Date: Dec 2004
Posts: 52,284
The logs show some type of rootkit activity, and some proxy hijacks, so let's change those and act on the rootkit. This is Vista Service Pack 1, so when all malware is removed here you will need to get that updated to Service Pack 2, to make sure you have the current, pretty critical security updates.

Be sure to continue to temporarily disable any protective software when running the scan tools we use here.


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
Open Notepad (Start Search, type Notepad then click the notepad file that shows in the display), and copy the text inside the box above and paste it into the open Notepad textbox.

Save this to your desktop as "fixer.reg"

Be sure to include the "" quotes in the name.

Then right click fixer.reg, select Merge, and allow it to merge the new information with the Registry.


Download ComboFix.exe from here to your desktop, then click that to run that scan. Agree to any warnings you might receive.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.
July 5th, 2011, 07:54 PM
ryno
Senior Member
Join Date: Aug 2007
Posts: 181
New sitch here: tried to start Firefox and IE this a.m., and a very similar virus came back. After a few startups/shutdowns I was able to sneak MBAM by it and got this:

Malwarebytes' Anti-Malware

Database version: 6998

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

7/5/2011 11:32:27 AM
mbam-log-2011-07-05 (11-32-27).txt

Scan type: Full scan (C:\|)
Objects scanned: 305044
Time elapsed: 48 minute(s), 58 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
c:\Users\ryan\AppData\Local\veo.exe (Trojan.FakeAlert.VGen) -> 3036 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3239826836 (Trojan.FakeAlert.VGen) -> Value: 3239826836 -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\ryan\AppData\Local\veo.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\ryan\AppData\Local\veo.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\ryan\AppData\Local\veo.exe" -a "C:\Program Files\Internet Explorer\IEXPLORE.EXE") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Users\ryan\AppData\Local\veo.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\ryan\AppData\Local\veo.exe (Trojan.FakeAlert.VGen) -> Quarantined and deleted successfully.
c:\Users\ryan\AppData\Local\orf.exe (Trojan.FakeAlert.VGen) -> Quarantined and deleted successfully.
c:\Users\ryan\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\AO4AJ0W0\info[1].exe (Trojan.FakeAlert.VGen) -> Quarantined and deleted successfully.
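The moderator's "proxy hijack" fix and the Malwarebytes results above are two views of the same trick: the fake-AV binary in AppData\Local (veo.exe) put itself in front of every .exe launch by rewriting HKCR\exefile\shell\open\command to run itself with the real program as an argument, did the same to the StartMenuInternet launchers for Firefox and IE, and added a randomly named HKCU Run value so it survives a reboot. The following PowerShell audit is an added example for readers, not part of the original thread and not code from Malwarebytes, ComboFix or any other tool used in it. It reads those same registry locations on the live machine and reports anything that deviates. The known-good values ("%1" %* for exefile, no shell subkey under HKCR\.exe) are taken from the MBAM "Good:" entries; the rule that a shell association or Run value pointing into a user's AppData or a Temp directory is suspicious is my heuristic, and the WinINET proxy check simply prints whatever proxy or PAC URL is set so you can judge it, since the thread never shows the actual values the fixer.reg resets.

```powershell
# Added example, not from the original thread or from any tool used in it.
# Audits the hijack and persistence points the Malwarebytes log reported plus
# the WinINET proxy values the moderator's fixer.reg targets. Findings are
# things to review, not verdicts. Run from an elevated PowerShell prompt;
# PowerShell 2.0 (what Vista ships with) is enough.

$findings = New-Object System.Collections.ArrayList

function Add-Finding([string]$Kind, [string]$Detail) {
    [void]$findings.Add(("[{0}] {1}" -f $Kind, $Detail))
}

# Pull the executable out of a shell command string such as
#   "C:\Users\ryan\AppData\Local\veo.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"
# The FIRST token is what actually runs; the real browser is just an argument.
function Get-CommandExecutable([string]$Command) {
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

# Heuristic (assumption): a system-wide association, browser launcher or Run
# value that launches something out of a user profile or Temp is out of place.
function Test-SuspiciousPath([string]$Exe) {
    return ($Exe -match '(?i)\\Users\\[^\\]+\\AppData\\' -or $Exe -match '(?i)\\Temp\\')
}

function Get-DefaultValue([string]$RegPath) {
    if (-not (Test-Path -LiteralPath $RegPath)) { return $null }
    return (Get-ItemProperty -LiteralPath $RegPath).'(default)'
}

# 1. exefile association: anything other than "%1" %* means every .exe launch
#    is routed through something else first (a missing key is reported too).
$exeCmd = Get-DefaultValue 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
if ($exeCmd -ne '"%1" %*') {
    Add-Finding 'HIJACK' ("HKCR\exefile\shell\open\command = {0}" -f $exeCmd)
}

# 2. HKCR\.exe normally has no shell subkey at all; its presence is the hijack
#    MBAM logged as Hijack.ExeFile.
if (Test-Path -LiteralPath 'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command') {
    Add-Finding 'HIJACK' 'HKCR\.exe\shell\open\command exists (should not)'
}

# 3. StartMenuInternet launchers: open/safemode commands should point at the
#    browser itself, not at a wrapper living in the user's profile.
$smiRoot = 'HKLM:\SOFTWARE\Clients\StartMenuInternet'
if (Test-Path $smiRoot) {
    foreach ($client in Get-ChildItem $smiRoot) {
        foreach ($verb in 'open', 'safemode') {
            $cmd = Get-DefaultValue ("{0}\shell\{1}\command" -f $client.PSPath, $verb)
            if ($cmd -and (Test-SuspiciousPath (Get-CommandExecutable $cmd))) {
                Add-Finding 'HIJACK' ("{0}\shell\{1}\command = {2}" -f $client.PSChildName, $verb, $cmd)
            }
        }
    }
}

# 4. Run keys: the MBAM log showed a value named 3239826836 pointing at veo.exe.
#    Flag any value whose target lives under a user profile or Temp.
foreach ($runKey in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $runKey)) { continue }
    $props = Get-ItemProperty $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not Run values
        if (Test-SuspiciousPath (Get-CommandExecutable ([string]$p.Value))) {
            Add-Finding 'PERSIST' ("{0}\{1} = {2}" -f $runKey, $p.Name, $p.Value)
        }
    }
}

# 5. WinINET proxy: a home laptop with a proxy server or PAC URL configured is
#    the "proxy hijack" the moderator referred to; print the values for review.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1 -or $inet.ProxyServer -or $inet.AutoConfigURL) {
    Add-Finding 'PROXY' ("ProxyEnable={0} ProxyServer={1} AutoConfigURL={2}" -f `
        $inet.ProxyEnable, $inet.ProxyServer, $inet.AutoConfigURL)
}

if ($findings.Count -eq 0) { 'No hijack indicators found.' } else { $findings }
```

On a machine in the state the MBAM log shows, this would print HIJACK lines for exefile and both browsers' open commands, a PERSIST line for the HKCU Run value, and a PROXY line if anything is set. Run it again after the cleanup (and after the fixer.reg merge) and the list should be empty; if the exefile entry comes back, the malware is still running and re-writing it, which matches what happened in this thread when the "very similar virus came back".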
July 5th, 2011, 08:51 PM
ryno
Senior Member
Join Date: Aug 2007
Posts: 181
Merged "fixer.reg".
Ran ComboFix. At stage 5 it stopped and a window popped up: "pev.exe has stopped working...". I had to move the mouse to close that window and get ComboFix to keep running. Here's the log after it finished.

ComboFix 11-07-05.02 - ryan 07/05/2011 12:35:18.2.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3001.1671 [GMT -7:00]
Running from: c:\users\ryan\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\users\ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Vista Repair
c:\users\ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Vista Repair\Windows Vista Repair.lnk
((((((((((((((((((((((((( Files Created from 2011-06-05 to 2011-07-05 )))))))))))))))))))))))))))))))
2011-07-05 19:42 . 2011-07-05 19:42 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-07-05 19:42 . 2011-07-05 19:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-05 16:39 . 2011-06-07 15:55 7074640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6C4E66B2-D4B6-457C-9D97-96299D8EDA66}\mpengine.dll
2011-07-01 18:28 . 2011-07-01 18:28 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-07-01 18:28 . 2011-07-01 18:28 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-07-01 15:20 . 2011-07-01 15:20 -------- d-----w- c:\programdata\WindowsSearch
2011-06-30 17:38 . 2011-06-30 17:39 -------- d-----w- c:\windows\7E7D778E121D4BBDBA29FAA81B9FBD8C.TMP
2011-06-30 17:27 . 2011-06-30 17:27 -------- d-----w- c:\users\ryan\AppData\Roaming\PeerNetworking
2011-06-29 11:59 . 2011-04-29 14:54 276992 ----a-w- c:\windows\system32\schannel.dll
2011-06-28 00:37 . 2011-06-28 00:37 -------- d-----w- c:\windows\New Folder
2011-06-28 00:28 . 2011-06-28 00:28 -------- d-----w- c:\users\ryan\AppData\Local\ArcSoft
2011-06-28 00:24 . 2006-11-10 22:05 18688 ----a-w- c:\windows\system32\drivers\afc.sys
2011-06-28 00:24 . 2011-06-28 00:38 -------- d-----w- c:\users\ryan\AppData\Roaming\ArcSoft
2011-06-28 00:13 . 2011-06-28 00:32 -------- d--h--w- c:\programdata\ArcSoft
2011-06-28 00:13 . 2011-06-28 00:28 -------- d-----w- c:\program files\Common Files\ArcSoft
2011-06-28 00:08 . 2011-06-28 00:08 -------- d-----w- c:\users\ryan\AppData\Roaming\Kodak
2011-06-28 00:08 . 2011-06-28 00:08 -------- d-----w- c:\program files\DIFX
2011-06-28 00:07 . 2011-06-28 00:07 -------- d-----w- c:\program files\Common Files\Kodak
2011-06-28 00:07 . 2011-06-28 00:24 -------- d-----w- c:\program files\Kodak
2011-06-28 00:05 . 2011-06-28 00:05 -------- d-----w- c:\programdata\{A2A58654-12AA-408A-B411-58A76959BE7F}
2011-06-08 18:10 . 2011-06-08 18:10 -------- d-----w- c:\program files\iPod
2011-06-08 18:10 . 2011-06-08 18:11 -------- d-----w- c:\program files\iTunes
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2011-05-29 16:11 . 2010-07-05 17:07 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 16:11 . 2010-07-05 17:07 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-25 02:14 . 2010-06-22 23:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-06 17:04 . 2011-03-28 01:38 2048 ----a-w- c:\users\ryan\comdrv8z.bin
2011-04-06 23:20 . 2011-04-06 23:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 23:20 . 2011-04-06 23:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 23:20 . 2011-04-06 23:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-01 18:28 . 2011-05-08 03:40 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
2008-10-27 19:05 40496 ----a-w- c:\program files\EgisTec\MyWinLocker 3\x86\PSDProtect.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-22 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-03 3882312]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-12 186904]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 170520]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-04-11 7399968]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-06 1430824]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2009-04-09 1071624]
"BackupManagerTray"="c:\program files\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" [2009-04-02 249600]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2009-03-31 62760]
"Acer ePower Management"="c:\program files\Acer\Acer PowerSmart Manager\ePowerTrayLauncher.exe" [2009-04-27 440864]
"ODDPwr"="c:\program files\Acer\Optical Drive Power Management\ODDPwr.exe" [2009-04-30 176128]
"EgisTecLiveUpdate"="c:\program files\EgisTec Egis Software Update\EgisUpdate.exe" [2008-10-27 199464]
"mwlDaemon"="c:\program files\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe" [2008-10-27 346672]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2009-01-09 294544]
"Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
"Acer Product Registration"="c:\program files\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-06-08 236016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
"ArcSoft MediaImpression Monitor"="c:\program files\Kodak\MediaImpression\ArcMonitor.exe" [2010-12-16 80448]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-05-29 1047656]
c:\users\ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2009-5-20 565248]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-09-24 133104]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-09-24 133104]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-05-29 39984]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-09-23 50424]
R3 qrkis;Tether Miniport;c:\windows\system32\DRIVERS\qrkis.sys [2009-10-16 45608]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 DsiWMIService;Dritek WMI Service;c:\program files\Launch Manager\dsiwmis.exe [2009-04-11 117256]
S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer PowerSmart Manager\ePowerSvc.exe [2009-04-27 703008]
S2 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\DRIVERS\mwlPSDFilter.sys [2008-10-09 19504]
S2 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\DRIVERS\mwlPSDNServ.sys [2008-10-09 16432]
S2 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\DRIVERS\mwlPSDVDisk.sys [2008-10-09 59952]
S2 MWLService;MyWinLocker Service;c:\program files\EgisTec\MyWinLocker 3\x86\\MWLService.exe [2008-10-27 306736]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [2009-04-02 54528]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-09-23 144632]
S2 ODDPwrSvc;Acer ODD Power Service;c:\program files\Acer\Optical Drive Power Management\ODDPWRSvc.exe [2009-04-30 118784]
S2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [2009-02-05 237568]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-09-22 112128]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C60x86.sys [2009-04-01 50176]
Contents of the 'Scheduled Tasks' folder
2011-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-24 04:07]
2011-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-24 04:07]
------- Supplementary Scan -------
uStart Page = https://www.skywestonline.com/SKYW/Home/Login.aspx
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=0509&m=aspire_4810t
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
TCP: DhcpNameServer =
FF - ProfilePath - c:\users\ryan\AppData\Roaming\Mozilla\Firefox\Profiles\sxl2uris.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-05 12:43
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
Completion time: 2011-07-05 12:46:33
ComboFix-quarantined-files.txt 2011-07-05 19:46
Pre-Run: 212,668,346,368 bytes free
Post-Run: 213,914,824,704 bytes free
- - End Of File - - 5402529FBA72E5957BFEBF3F862E692B
