Solved

Possible Virus

Posted on 2009-04-10
Last Modified: 2013-12-06
Hi All,

My browsers are acting up - I use Opera9.64 and IE7. Opera has started opening all new pages in new tabs and every so often a google search link will open up a random search engine page.
The behaviour in IE7 is pretty much the same except a new window instead of tab is opened.

The Hijackthis log file is below;

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:43, on 10/04/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\MobilityPass\Extend360\e360sysTray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Users\Toby\AppData\Local\Microsoft\Live Mesh\Bin\Servicing\0.9.3424.31\MoeMonitor.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Windows\system32\igfxsrvc.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Program Files\Opera\opera.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Users\Toby\AppData\Local\Microsoft\Live Mesh\GacBase\Moe.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\QuickTime\QuickTimePlayer.exe
C:\Users\Toby\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://maps.live.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: Athens Toolbar - {2E560504-B9C8-48AA-982A-08B79C3FD40E} - C:\Program Files\Eduserv Technologies Limited\Athens Toolbar\AthensToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ALaunch] C:\Acer\ALaunch\AlaunchClient.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"
O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Program Files\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [kdx] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MoeMonitor.exe] "C:\Users\Toby\AppData\Local\Microsoft\Live Mesh\Bin\Servicing\0.9.3424.31\MoeMonitor.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [Google Update] "C:\Users\Toby\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
O4 - Global Startup: SETAUDIO.EXE
O4 - Global Startup: SETRES.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BFB1CB23-B1EA-4822-8205-453721780D1D}: NameServer = 85.255.112.180,85.255.112.173
O17 - HKLM\System\CCS\Services\Tcpip\..\{F61E37AE-C782-41EA-B1EC-6D3E6D764C6C}: NameServer = 85.255.112.180,85.255.112.173
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.180,85.255.112.173
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.180,85.255.112.173
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.180,85.255.112.173
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: FLWLEvents - C:\Program Files\MobilityPass\Extend360\FiberlinkNetProv.dll
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Extend360 Enforcement Agent (BESClient) - BigFix Inc. - C:\Program Files\BigFix Enterprise\BES Client\BESClient.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\Windows\system32\brsvc01a.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: System Connect Util Service (FLUtilsSvc) - Fiberlink Communications Corp. - C:\Program Files\MobilityPass\Extend360\FLUtilsSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Extend360 Agent (ServiceMgr) - Fiberlink Communications Corp. - C:\Program Files\MobilityPass\Extend360\ServiceMgr.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12891 bytes
Question by:hurst75
9 Comments
 
LVL 17

Expert Comment

by:Shanmuga Sundaram
ID: 24114627
Try using ComboFix. I faced this same situation and it helped me.
 
LVL 47

Accepted Solution

by: rpggamergirl (earned 500 total points)
ID: 24115260
Just the obvious ones, fix these entries in HijackThis (the O17 entries are hijackers):
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{BFB1CB23-B1EA-4822-8205-453721780D1D}: NameServer = 85.255.112.180,85.255.112.173  
O17 - HKLM\System\CCS\Services\Tcpip\..\{F61E37AE-C782-41EA-B1EC-6D3E6D764C6C}: NameServer = 85.255.112.180,85.255.112.173  
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.180,85.255.112.173  
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.180,85.255.112.173  
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.180,85.255.112.173


Then scan with MalwareBytes or Combofix(as already suggested)
Download Malwarebytes' Anti-Malware to your desktop, check for the tool's Updates before running a scan.
http://www.malwarebytes.org/mbam.php
 

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 

If the tools won't run, then redownload but rename before saving to your desktop.
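The O17 lines rpggamergirl singles out are the security-relevant part of the log: every interface and every control set has its NameServer pointed at the same two public addresses the user never configured, so the rogue resolver decides where a Google search link actually lands. The script below is an added example, not part of the original thread and not code from HijackThis: it triages O17 and O2 lines from a pasted log, treating private, loopback and link-local resolvers (a home router or corporate DNS) plus an operator-supplied allowlist as trusted and flagging everything else, and it also picks out BHO entries whose DLL is gone. The sample lines are copied in form from the log above except the final `192.168.1.1` entry, which is constructed to show a trusted resolver.

```python
import ipaddress
import re

# Constructed sample: lines copied in form from the HijackThis log in the
# question; the final 192.168.1.1 entry is made up to show a trusted resolver.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://maps.live.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{BFB1CB23-B1EA-4822-8205-453721780D1D}: NameServer = 85.255.112.180,85.255.112.173
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>[\d.,\s]+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")


def is_trusted_resolver(address, allowlist):
    """A resolver is trusted if it is a local/private address (home router,
    corporate DNS) or is explicitly allowlisted (for example the ISP's resolvers)."""
    try:
        ip = ipaddress.ip_address(address.strip())
    except ValueError:
        return False  # not an IP address at all: treat as untrusted so it gets looked at
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip in allowlist


def triage(log_text, allowlist=()):
    """Return (section, identifier, reason) tuples for log lines worth fixing."""
    allow = {ipaddress.ip_address(a) for a in allowlist}
    findings = []
    for line in log_text.splitlines():
        m = O17_RE.match(line)
        if m:
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            untrusted = [s for s in servers if not is_trusted_resolver(s, allow)]
            if untrusted:
                findings.append(("O17", m.group("key"),
                                 "NameServer set to untrusted resolver(s) " + ",".join(untrusted)))
            continue
        m = O2_RE.match(line)
        if m and m.group("path").strip() == "(no file)":
            # A BHO whose DLL is missing cannot load; the CLSID is leftover
            # registry clutter and is safe to remove.
            findings.append(("O2", m.group("clsid"), "orphaned BHO, DLL missing"))
    return findings


if __name__ == "__main__":
    for section, ident, reason in triage(SAMPLE_LOG):
        print(f"{section}: {ident}\n    {reason}")
```

Pass the resolvers your ISP or company actually hands out in `allowlist`; with an empty allowlist any public resolver is reported, which is the right default when you are reading someone else's log and do not know what their network should look like. The O17 finding in the sample is the same pair of addresses that appears on all five O17 lines in the question, which is what makes the hijack so effective: it survives a switch of adapter and a "last known good" boot alike.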
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24115270
Also check the registry key below and check the values of "aux" to make sure there are no values pointing to random filenames(similar to the ones below)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]

"aux"="C:\\WINDOWS\\system32\\..\\jjmviih.nkt"
"aux"="C:\WINDOWS\system32\..\sjkemx.iqd"
"aux2"= "C:\WINDOWS\system32\..\kvlhurx.niq"
"aux2"="C:\WINDOWS\system32\..\wkliog.nyc"
"aux4"="c:\docume~1\%username%\LOCALS~1\Temp\..\herlppj.sna"

If regedit is inaccessible, you can either rename regedit.exe to regedit.com or download this utility to regain access to the registry.
http://www.dougknox.com/xp/utils/xp_emerutils.htm
And go to the C:\EmergencyUtils folder and double click Copy_of_Regedit.com
and look for a suspicious random-name value of "aux".

Or just export the Drivers32 subkey and paste the contents here.
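The Drivers32 check above is done by eye; the added example below (not part of the thread, and not a HijackThis or ComboFix routine) does the same triage over an exported .reg file. It parses the Drivers32 key, unescapes the value data the way regedit wrote it, and flags values that walk through `..`, carry an extension no audio or video driver would have, or point into a temp or profile directory. The sample export is constructed from the filenames quoted in the comment plus two `wdmaud.drv` entries assumed to be ordinary audio-driver values; the extension list and the other heuristics are assumptions about what legitimate Drivers32 values look like, not an authoritative list.

```python
import re
from pathlib import PureWindowsPath

# The key named in the comment above.
TARGET_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]"

# Constructed .reg export: the three odd values reuse the filenames quoted in the
# comment; the two wdmaud.drv entries are assumed to be normal audio-driver values.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midi"="wdmaud.drv"
"wave"="wdmaud.drv"
"aux"="C:\\WINDOWS\\system32\\..\\jjmviih.nkt"
"aux2"="C:\\WINDOWS\\system32\\..\\kvlhurx.niq"
"aux4"="c:\\docume~1\\%username%\\LOCALS~1\\Temp\\..\\herlppj.sna"
"""

REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<data>.*)"\s*$')

# Assumption: extensions a genuine multimedia driver registered here would use.
EXPECTED_EXT = {".drv", ".dll", ".acm", ".ax"}


def parse_reg_key(reg_text, key):
    """Return {value name: data} for string values under one key of a .reg export."""
    values = {}
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line.lower() == key.lower()  # key names are case-insensitive
            continue
        m = REG_VALUE_RE.match(line)
        if in_key and m:
            # regedit escapes backslashes and quotes with a backslash; undo that.
            values[m.group("name")] = re.sub(r"\\(.)", r"\1", m.group("data"))
    return values


def suspicious_reasons(data):
    """Heuristic reasons a Drivers32 value looks planted rather than installed."""
    path = PureWindowsPath(data)
    reasons = []
    if ".." in path.parts:
        reasons.append("path walks through '..'")
    if path.suffix.lower() not in EXPECTED_EXT:
        reasons.append(f"unexpected extension '{path.suffix}'")
    lowered = data.lower()
    if "%" in lowered or "\\temp\\" in lowered:
        reasons.append("lives under a profile/temp directory")
    return reasons


def audit_drivers32(reg_text):
    """Map each suspicious value name to the reasons it was flagged."""
    report = {}
    for name, data in parse_reg_key(reg_text, TARGET_KEY).items():
        reasons = suspicious_reasons(data)
        if reasons:
            report[name] = reasons
    return report


if __name__ == "__main__":
    for name, reasons in audit_drivers32(SAMPLE_REG).items():
        print(f'"{name}": {"; ".join(reasons)}')
```

Export the key with `regedit /e drivers32.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"` and feed the file's contents to `audit_drivers32`. The `..` test is the most reliable of the three: a value that reaches `system32` and then steps back out of it has no legitimate reason to do so, and is exactly the pattern in all of the examples quoted above.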
 

Author Comment

by:hurst75
ID: 24116143
Hi RPGGamerGirl,

I have carried out the steps as suggested, although I carried out Combofix and not Malwarebytes, because you said do either, or. Please let me know if I need to do both.

I have attached the log from combofix.
ComboFix 09-04-04.01 - Toby 2009-04-10 15:50:54.1 - NTFSx86

Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.3062.2143 [GMT 1:00]

Running from: c:\users\Toby\Desktop\ComboFix.exe

AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated)

FW: ESET Personal firewall *disabled*

 * Created a new restore point

.
 

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

.
 

C:\autorun.inf

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat

c:\programdata\Microsoft\Network\Downloader\qmgr1.dat

c:\users\Toby\AppData\Roaming\.#

c:\windows\system32\drivers\gaopdxixlfncobipupcverxmaccqoirfnkmmsi.sys

c:\windows\system32\gaopdxpymtcprudrjmxderrvfonwyinfnhlkdh.dll

c:\windows\system32\x64

D:\Autorun.inf
 

----- BITS: Possible infected sites -----
 

hxxp://sunmicro.ht.rd.llnw.net

.

(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
 

-------\Service_gaopdxserv.sys
 
 

(((((((((((((((((((((((((   Files Created from 2009-03-10 to 2009-04-10  )))))))))))))))))))))))))))))))

.
 

2009-04-10 10:50 . 2009-04-10 10:55	<DIR>	d--------	c:\users\Toby\AppData\Roaming\HouseCall 6.6

2009-04-10 10:49 . 2009-04-10 10:49	<DIR>	d--------	c:\windows\Sun

2009-04-09 10:50 . 2009-04-09 10:50	<DIR>	d--------	c:\program files\Trend Micro

2009-04-09 09:48 . 2009-04-09 09:48	<DIR>	d--------	c:\program files\febooti fileTweak

2009-04-05 18:51 . 2009-04-05 18:51	<DIR>	d--------	c:\program files\Common Files\Macrovision Shared

2009-04-05 18:47 . 2009-04-05 18:46	129,784	---------	c:\windows\System32\pxafs.dll

2009-04-05 18:47 . 2009-04-05 18:46	118,520	---------	c:\windows\System32\pxinsi64.exe

2009-04-05 18:47 . 2009-04-05 18:46	116,472	---------	c:\windows\System32\pxcpyi64.exe

2009-04-05 17:09 . 2009-04-05 17:09	<DIR>	d--------	c:\windows\System32\syncdb

2009-04-05 13:09 . 2009-04-05 13:09	<DIR>	d--------	c:\users\Toby\AppData\Roaming\Fallon.957283BD7AE99C519B762F3E2F85073ED97331F2.1

2009-04-05 13:09 . 2009-04-05 13:09	<DIR>	d--------	c:\program files\skimmer

2009-04-03 23:32 . 2009-04-04 00:08	<DIR>	d--------	c:\users\All Users\NOS

2009-04-03 23:32 . 2009-04-04 00:08	<DIR>	d--------	c:\programdata\NOS

2009-04-03 23:32 . 2009-04-04 00:08	<DIR>	d--------	c:\program files\NOS

2009-04-03 09:57 . 2009-04-03 09:57	<DIR>	d--------	c:\program files\Microsoft Office Outlook Connector

2009-03-31 20:48 . 2009-03-31 20:48	<DIR>	d--------	c:\users\Toby\AppData\Roaming\Funambol

2009-03-28 19:21 . 2009-03-28 19:21	<DIR>	d--------	c:\users\Toby\AppData\Roaming\CD Art Display

2009-03-28 19:21 . 2009-03-28 19:21	<DIR>	d--------	c:\program files\CD Art Display

2009-03-28 19:21 . 2003-01-27 15:27	94,208	--a------	c:\windows\System32\wmpuice.dll

2009-03-28 19:03 . 2009-03-28 19:03	<DIR>	d--------	c:\program files\Common Files\Stardock

2009-03-28 19:03 . 2000-07-21 13:05	518,416	--a------	c:\windows\System32\msxml.dll

2009-03-28 18:47 . 2009-03-29 14:09	16,828,928	--a------	c:\windows\System32\imageres.dll

2009-03-28 17:33 . 2009-03-28 17:33	<DIR>	d--------	c:\program files\CodeGazer

2009-03-28 17:02 . 2009-03-28 17:02	<DIR>	dr-------	c:\program files\Skype

2009-03-28 17:02 . 2009-03-28 17:02	<DIR>	d--------	c:\program files\Common Files\Skype

2009-03-28 12:18 . 2009-03-28 12:18	<DIR>	d--------	c:\users\Public\CyberLink

2009-03-25 12:06 . 2009-03-25 12:06	<DIR>	d--------	c:\users\Toby\.thumbnails

2009-03-25 12:01 . 2009-03-25 13:00	<DIR>	d--------	c:\users\Toby\.gimp-2.6

2009-03-25 12:01 . 2009-03-25 12:01	<DIR>	d--------	c:\users\Toby\.gegl-0.0

2009-03-25 12:00 . 2009-03-25 12:00	<DIR>	d--------	c:\program files\GIMP-2.0

2009-03-25 11:13 . 2009-03-25 17:17	<DIR>	d--------	c:\users\Toby\AppData\Roaming\Windows Edge

2009-03-25 11:00 . 2009-03-25 11:00	<DIR>	d--h-c---	c:\users\All Users\{B98A2B83-8BB0-42E7-AA1D-D6FA6E7C8F31}

2009-03-25 11:00 . 2009-03-25 11:00	<DIR>	d--h-c---	c:\programdata\{B98A2B83-8BB0-42E7-AA1D-D6FA6E7C8F31}

2009-03-25 10:14 . 2009-03-28 16:36	<DIR>	d--------	C:\CallMeBack

2009-03-24 11:04 . 2009-03-24 11:04	79	--a------	c:\windows\SiteSpiderforms.ini

2009-03-24 11:02 . 2009-03-24 11:31	13	--a------	c:\windows\System32\WinSys32.crc

2009-03-24 11:01 . 2009-03-24 11:33	<DIR>	d--------	c:\program files\CoffeeCup Software

2009-03-24 11:01 . 1998-06-17 05:00	18,944	--a------	c:\windows\System32\BORLNDMM.DLL

2009-03-23 10:07 . 2009-03-23 10:07	<DIR>	d--------	c:\program files\BBC iPlayer Desktop

2009-03-13 13:16 . 2009-03-13 13:16	<DIR>	d--------	c:\users\All Users\DFX

2009-03-13 13:16 . 2009-03-13 13:16	<DIR>	d--------	c:\programdata\DFX

2009-03-13 13:16 . 2009-03-13 13:16	<DIR>	d--------	c:\program files\Common Files\DFX

2009-03-11 10:54 . 2008-12-16 04:29	8,147,456	--a------	c:\windows\System32\wmploc.DLL

2009-03-11 10:54 . 2009-02-09 04:10	2,033,152	--a------	c:\windows\System32\win32k.sys

2009-03-11 10:54 . 2008-11-27 05:43	268,288	--a------	c:\windows\System32\schannel.dll

2009-03-11 10:54 . 2008-12-16 06:31	7,680	--a------	c:\windows\System32\spwmp.dll

2009-03-11 10:54 . 2008-12-16 06:31	4,096	--a------	c:\windows\System32\msdxm.ocx

2009-03-11 10:54 . 2008-12-16 06:31	4,096	--a------	c:\windows\System32\dxmasf.dll
 

.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-10 14:56	---------	d-----w	c:\programdata\Kontiki

2009-04-09 08:56	---------	d-----w	c:\program files\Opera

2009-04-08 09:30	---------	d-----w	c:\program files\Kontiki

2009-04-05 17:47	---------	d-----w	c:\program files\Common Files\Adobe

2009-03-31 19:48	---------	d-----w	c:\program files\Funambol

2009-03-28 18:02	---------	d-----w	c:\program files\Stardock

2009-03-28 16:40	615,424	----a-w	c:\windows\System32\themeui.dll

2009-03-28 16:40	240,128	----a-w	c:\windows\System32\uxtheme.dll

2009-03-28 16:07	---------	d-----w	c:\users\Toby\AppData\Roaming\Skype

2009-03-28 16:03	---------	d-----w	c:\users\Toby\AppData\Roaming\skypePM

2009-03-28 16:02	---------	d-----w	c:\programdata\Skype

2009-03-28 14:50	---------	d-----w	c:\programdata\CyberLink

2009-03-28 11:18	---------	d-----w	c:\users\Toby\AppData\Roaming\CyberLink

2009-03-25 16:17	---------	d--h--w	c:\programdata\~0

2009-03-25 16:17	---------	d-----w	c:\programdata\FLEXnet

2009-03-25 16:17	---------	d-----w	c:\program files\XML Notepad 2007

2009-03-25 16:17	---------	d-----w	c:\program files\Flickr Uploadr

2009-03-25 09:20	---------	d-----w	c:\program files\Java

2009-03-25 09:04	---------	d--h--w	c:\program files\InstallShield Installation Information

2009-03-24 09:32	---------	d-----w	c:\program files\Microsoft Small Business

2009-03-19 10:23	---------	d-----w	c:\program files\Microsoft SQL Server

2009-03-12 09:44	---------	d-----w	c:\program files\Windows Mail

2009-03-12 09:28	---------	d-----w	c:\programdata\Microsoft Help

2009-03-09 05:19	410,984	----a-w	c:\windows\System32\deploytk.dll

2009-03-08 14:11	---------	d-----w	c:\programdata\Last.fm

2009-03-08 14:11	---------	d-----w	c:\program files\Last.fm

2009-03-06 12:11	---------	d-----w	c:\program files\Common Files\Nitro PDF

2009-03-06 12:11	---------	d-----w	c:\program files\Common Files\BCL Technologies

2009-03-06 10:25	---------	d-----w	c:\users\Toby\AppData\Roaming\Stardock

2009-03-04 16:43	508,200	----a-w	c:\windows\System32\ICCProfiles.dll

2009-03-04 08:43	---------	d-----w	c:\program files\Common Files\Adobe AIR

2009-03-03 21:21	---------	d-----w	c:\program files\MSECache

2009-02-27 09:27	---------	d-----w	c:\program files\Microsoft Silverlight

2009-02-23 17:19	---------	d-----w	c:\programdata\logs

2009-02-23 12:17	8,261	----a-w	c:\windows\System32\wdrctl.dll

2009-02-23 12:17	---------	d-----w	c:\programdata\LJZsoft

2009-02-23 12:17	---------	d-----w	c:\program files\LJZsoft

2009-02-20 11:46	---------	d-----w	c:\program files\Namo

2009-02-20 10:56	---------	d-----w	c:\users\Toby\AppData\Roaming\KompoZer

2009-02-17 15:33	---------	d-----w	c:\program files\Navman

2009-02-17 15:14	---------	d-----w	c:\program files\Microsoft Visual Studio 9.0

2009-02-17 13:41	---------	d-----w	c:\program files\Microsoft SDKs

2009-02-17 11:01	---------	d-----w	c:\program files\Acer GameZone

2009-02-16 20:20	---------	d-----w	c:\programdata\Apple Computer

2009-02-15 22:20	---------	d-----w	c:\program files\Temp

2009-02-15 22:11	---------	d-----w	c:\program files\Microsoft.NET

2009-02-15 21:38	---------	d-----w	c:\program files\Microsoft Works

2009-02-12 17:34	---------	d-----w	c:\users\Toby\AppData\Roaming\GetRightToGo

2009-02-10 16:16	---------	d-----w	c:\program files\Microsoft

2009-02-10 14:20	---------	d-----w	c:\programdata\Stylus Studio

2009-02-10 14:19	---------	d-----w	c:\users\Toby\AppData\Roaming\Stylus Studio

2009-01-15 06:11	827,392	----a-w	c:\windows\System32\wininet.dll

2008-12-02 12:53	958	----a-w	c:\users\Toby\AppData\Roaming\wklnhst.dat

2008-09-16 15:18	56	---ha-w	c:\users\All Users\ezsidmv.dat

2008-09-16 15:18	56	---ha-w	c:\programdata\ezsidmv.dat

2008-01-21 02:43	174	--sha-w	c:\program files\desktop.ini

.
 

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown 

REGEDIT4
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]

@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"

[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]

2008-01-03 10:00	39472	--a------	c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll 
 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MoeMonitor.exe"="c:\users\Toby\AppData\Local\Microsoft\Live Mesh\Bin\Servicing\0.9.3424.31\MoeMonitor.exe" [2009-03-24 13:11 1224000]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

"Google Update"="c:\users\Toby\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-04-10 133104]

"kdx"="c:\program files\Kontiki\KHost.exe" [2009-01-02 1041960]
 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvSvc"="c:\windows\system32\nvsvc.dll" [2008-03-11 92704]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-11 8534560]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-03-11 88608]

"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2008-01-24 102400]

"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-02-25 518656]

"eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-10-10 1286144]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-11-22 178712]

"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-01-02 707080]

"PlayMovie"="c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2008-01-22 200704]

"PLFSet"="c:\windows\PLFSet.dll" [2007-04-25 45056]

"WarReg_PopUp"="c:\program files\Acer\WR_PopUp\WarReg_PopUp.exe" [2008-01-29 303104]

"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-02-15 622592]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-07-19 65536]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-08-18 1447168]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-10-28 150040]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-10-28 178712]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-10-28 154136]

"kdx"="c:\program files\Kontiki\KHost.exe" [2009-01-02 1041960]

"Nitro PDF Printer Monitor"="c:\program files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe" [2009-03-04 209216]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"RtHDVCpl"="RtHDVCpl.exe" [2008-01-24 c:\windows\RtHDVCpl.exe]
 

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-02-12 723496]

Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2008-03-13 535336]

Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2008-10-02 546288]

SETAUDIO.EXE [2008-04-04 20480]

SETRES.EXE [2008-04-04 20480]
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\FLWLEvents]

2007-12-18 17:57 343136 c:\program files\MobilityPass\Extend360\FiberlinkNetProv.dll
 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]

"DisableMonitoring"=dword:00000001
 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

"{72123FFE-BB08-48F2-B7AF-257B2DDBCA8D}"= c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe

"{33A26CA1-D20E-48B1-8009-39DBF7D59ADC}"= c:\program files\Acer Arcade Deluxe\VideoMagician\VideoMagician.exe:VideoMagician

"{419F4AE7-FEA0-457C-A110-0CCF57166A2E}"= c:\program files\Acer Arcade Deluxe\HomeMedia\HomeMedia.exe:HomeMedia

"{51AE317D-CA38-483D-AC9E-4BDDE83DDAF8}"= c:\program files\Acer Arcade Deluxe\DV Wizard\DV Wizard.exe:DV Wizard

"{3EB5E8B2-D4E5-4460-A0CE-D05801EE670F}"= c:\program files\Acer Arcade Deluxe\DVDivine\DVDivine.exe:DVDivine

"{611AAF62-F8B0-4E8E-96C2-CD5965C6744D}"= c:\program files\Acer Arcade Deluxe\Play Movie\PlayMovie.exe:Play Movie

"{EDF4D733-AE67-4994-8D79-A267F78557E3}"= c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe:Play Movie Resident Program

"{4B4A6348-9B65-4245-9760-F9657D1822EF}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook

"{BF2FEA07-F177-4128-B25B-EAD9B3944890}"= UDP:c:\users\Toby\AppData\Local\Microsoft\Live Mesh\GacBase\Moe.exe:Live Mesh

"{4A0E09ED-ADD2-4CC8-ABD5-50E4194358CD}"= TCP:c:\users\Toby\AppData\Local\Microsoft\Live Mesh\GacBase\Moe.exe:Live Mesh

"TCP Query User{655B33B8-9E95-4EEF-BE05-A7D9069F002D}c:\\program files\\quicktime\\quicktimeplayer.exe"= UDP:c:\program files\quicktime\quicktimeplayer.exe:QuickTime Player

"UDP Query User{3EF15B47-99D2-4D51-8783-7A37B5C25D1C}c:\\program files\\quicktime\\quicktimeplayer.exe"= TCP:c:\program files\quicktime\quicktimeplayer.exe:QuickTime Player

"{71E6D5AF-E24E-4C44-89DD-F47AE5FEBD74}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service

"{9828D7B7-DC76-43A1-85BD-011FDBF1AFB3}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service

"{63C1C06C-6FB0-44CF-B224-A9F87314699C}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service

"{4F98CAE2-18E1-4331-A47A-1DE2B2FA4E08}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service

"{E5344730-FECA-4890-A5E2-E7736C72E8F9}"= c:\program files\Skype\Phone\Skype.exe:Skype

"{B5887EE0-909A-45B7-A3ED-F49425A8A7B3}"= TCP:67:DHCP Discovery Service

"{7382EB63-E725-4CB2-BD6E-EE23CF01782B}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

"{96C0B7E9-7802-49A7-9528-151DF91DD4A3}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)

"{C83E570D-A654-4A5B-B52E-DAB810469002}"= TCP:67:0.0.0.0:DHCP Discovery Service

"TCP Query User{0E2D790A-2ED3-4341-8F9B-75BDB2F53A6F}c:\\program files\\opera\\opera.exe"= UDP:c:\program files\opera\opera.exe:Opera Internet Browser

"UDP Query User{27084288-05BF-4D5E-AC88-FF8CDF933173}c:\\program files\\opera\\opera.exe"= TCP:c:\program files\opera\opera.exe:Opera Internet Browser

"{CDF21CD8-03A4-4B37-BC64-4E18013C3A89}"= UDP:c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:Pure Networks Platform Service

"{BCC400D0-FA04-4F6C-BCBA-E506DC0E44C3}"= TCP:c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:Pure Networks Platform Service

"{C0CD870F-B4A9-4C15-B684-CD18C0AB3916}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour

"{D54C8326-939C-47B6-9129-3A9A958B40A7}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour

"TCP Query User{83DFA48E-E92E-4DB1-A804-0D181B42F46B}c:\\program files\\stylus studio 2009 xml home edition\\bin\\struzzo.exe"= UDP:c:\program files\stylus studio 2009 xml home edition\bin\struzzo.exe:Stylus Studio

"UDP Query User{4EB15260-D986-49DF-B0AD-6183B0762A2E}c:\\program files\\stylus studio 2009 xml home edition\\bin\\struzzo.exe"= TCP:c:\program files\stylus studio 2009 xml home edition\bin\struzzo.exe:Stylus Studio

"TCP Query User{A255AC44-12DB-4570-956E-C23A12DCA161}c:\\program files\\namo\\webeditor 8 trial\\bin\\webeditor.exe"= UDP:c:\program files\namo\webeditor 8 trial\bin\webeditor.exe:Namo WebEditor 8

"UDP Query User{AB6004F0-6E98-4F1F-ACB1-40F4B5E84F4E}c:\\program files\\namo\\webeditor 8 trial\\bin\\webeditor.exe"= TCP:c:\program files\namo\webeditor 8 trial\bin\webeditor.exe:Namo WebEditor 8

"TCP Query User{655760BE-E735-4D73-A0E4-16A6DCABB325}c:\\program files\\opera\\opera.exe"= UDP:c:\program files\opera\opera.exe:Opera Internet Browser

"UDP Query User{ABAD0905-9265-4E21-9D70-48A0C7E4FB8F}c:\\program files\\opera\\opera.exe"= TCP:c:\program files\opera\opera.exe:Opera Internet Browser

"TCP Query User{4DD396AF-8D81-49C1-8DC7-EFC5CACE43ED}c:\\program files\\namo\\webeditor 2006 trial\\bin\\webeditor.exe"= UDP:c:\program files\namo\webeditor 2006 trial\bin\webeditor.exe:Namo WebEditor 2006

"UDP Query User{9112AD60-04D2-4C9D-9342-09322082404D}c:\\program files\\namo\\webeditor 2006 trial\\bin\\webeditor.exe"= TCP:c:\program files\namo\webeditor 2006 trial\bin\webeditor.exe:Namo WebEditor 2006

"{E62D0C07-129F-4E11-A9BD-2C2A0B4CBB7E}"= UDP:c:\program files\Live Mesh\Remote Desktop\wlcrasvc.exe:Live Mesh Remote Desktop

"{FC84158A-1B63-4835-AD0D-71489AEEB6E0}"= TCP:c:\program files\Live Mesh\Remote Desktop\wlcrasvc.exe:Live Mesh Remote Desktop

"{2C5B2FE9-FB2F-4B67-9443-F2709EBC3F65}"= UDP:c:\users\Toby\AppData\Local\Microsoft\Live Mesh\GacBase\Moe.exe:Live Mesh

"{FDABF688-D998-4B57-BC76-F7DEF3924F70}"= TCP:c:\users\Toby\AppData\Local\Microsoft\Live Mesh\GacBase\Moe.exe:Live Mesh

"{4B1CA28D-D111-43D4-BF18-1659B292587F}"= Disabled:UDP:c:\program files\Adobe\Photoshop Elements 7.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server

"{0F10F2BB-5BFD-4DBB-8B86-2FB0EEAF63D5}"= Disabled:TCP:c:\program files\Adobe\Photoshop Elements 7.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]

"EnableFirewall"= 0 (0x0)

"DoNotAllowExceptions"= 0 (0x0)
 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]

"c:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\eDSfsu.exe"= c:\acer\Empowering Technology\eDataSecurity\x86\eDSfsu.exe:*:Enabled:eDSfsu

"c:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\encryption.exe"= c:\acer\Empowering Technology\eDataSecurity\x86\encryption.exe:*:Enabled:encryption

"c:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\decryption.exe"= c:\acer\Empowering Technology\eDataSecurity\x86\decryption.exe:*:Enabled:decryption

"c:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\eDSMgr.exe"= c:\acer\Empowering Technology\eDataSecurity\x86\eDSMgr.exe:*:Enabled:eDSMgr

"c:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\eDStbmngr.exe"= c:\acer\Empowering Technology\eDataSecurity\x86\eDStbmngr.exe:*:Enabled:eDStbmngr

"c:\\Acer\\Empowering Technology\\eDataSecurity\\x64\\eDSfsu.exe"= c:\acer\Empowering Technology\eDataSecurity\x64\eDSfsu.exe:*:Enabled:eDSfsu

"c:\\Acer\\Empowering Technology\\eDataSecurity\\x64\\encryption.exe"= c:\acer\Empowering Technology\eDataSecurity\x64\encryption.exe:*:Enabled:encryption

"c:\\Acer\\Empowering Technology\\eDataSecurity\\x64\\decryption.exe"= c:\acer\Empowering Technology\eDataSecurity\x64\decryption.exe:*:Enabled:decryption

"c:\\Acer\\Empowering Technology\\eDataSecurity\\x64\\eDSMgr.exe"= c:\acer\Empowering Technology\eDataSecurity\x64\eDSMgr.exe:*:Enabled:eDSMgr

"c:\\Acer\\Empowering Technology\\eDataSecurity\\x64\\eDStbmngr.exe"= c:\acer\Empowering Technology\eDataSecurity\x64\eDStbmngr.exe:*:Enabled:eDStbmngr

"c:\\Program Files\\Gameforge4D\\AirRivals\\Launcher.atm"= c:\program files\Gameforge4D\AirRivals\Launcher.atm:Enabled:GameExe2

"c:\\Program Files\\Gameforge4D\\AirRivals\\Res-Voip\\SCVoIP.exe"= c:\program files\Gameforge4D\AirRivals\Res-Voip\SCVoIP.exe:Enabled:GameVoIP
 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
 

R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [2008-06-04 16:38:11 41456]

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]

R2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [2008-03-13 51200]

R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-08-18 468224]

R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-24 29263712]

R2 wlcrasvc;Live Mesh Remote Desktop;c:\program files\Live Mesh\Remote Desktop\wlcrasvc.exe [2008-12-01 42304]

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [2008-03-13 179712]

R3 RDPDISPM;RDPDISPM;c:\windows\System32\drivers\rdpdispm.sys [2008-08-23 12288]

R3 winbondcir;Winbond IR Transceiver;c:\windows\System32\drivers\winbondcir.sys [2008-03-13 43008]

S3 extramond;extramond;c:\windows\System32\drivers\extramond.sys [2007-08-23 7824]

S3 FIBWLANAPI5;FIBWLANAPI5 NDIS Protocol Driver;c:\progra~1\MOBILI~1\EXTEND~1\FIBWLANAPI5.SYS [2007-12-18 32160]
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvcs	REG_MULTI_SZ   	BthServ

WindowsMobile	REG_MULTI_SZ   	wcescomm rapimgr

LocalServiceRestricted	REG_MULTI_SZ   	WcesComm RapiMgr
 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57bb1d76-324a-11dd-9139-806e6f6e6963}]

\shell\AutoRun\command - F:\install.exe
 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Nitro PDF Professional]

cscript //B "c:\program files\Nitro PDF\Professional\RemoveOldAddins.vbs"

.

Contents of the 'Scheduled Tasks' folder
 

2009-04-10 c:\windows\Tasks\Funambol Outlook Sync Client - Toby.job

- c:\program files\Funambol\Outlook Client\OutlookPlugin.exe [2009-01-09 16:03]
 

2009-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2445645980-2117121710-3886400821-1000.job

- c:\users\Toby\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-10 09:45]

.

- - - - ORPHANS REMOVED - - - -
 

HKLM-Run-ALaunch - c:\acer\ALaunch\AlaunchClient.exe

HKLM-Run-eRecoveryService - (no file)
 
 

.

------- Supplementary Scan -------

.

uStart Page = hxxp://maps.live.com/

mStart Page = hxxp://en.uk.acer.yahoo.com

uInternet Settings,ProxyOverride = *.local

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

.
 

**************************************************************************
 

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-10 15:56:40

Windows 6.0.6001 Service Pack 1 NTFS
 

scanning hidden processes ...  
 

scanning hidden autostart entries ... 
 

scanning hidden files ...  
 

scan completed successfully

hidden files: 
 

**************************************************************************

.

Completion time: 2009-04-10 15:59:09

ComboFix-quarantined-files.txt  2009-04-10 14:59:06
 

Pre-Run: 14,636,158,976 bytes free

Post-Run: 16,652,857,344 bytes free
 

301	--- E O F ---	2009-04-03 09:08:21

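The parts of a ComboFix report worth reading by hand are the ones shown above: the firewall policy block (EnableFirewall=0 on the StandardProfile), the globally open 3389:TCP port (Remote Desktop), firewall exceptions for binaries living under a user profile (the Live Mesh Moe.exe entries under AppData, which is also where malware normally drops itself), and the MountPoints2 AutoRun command pointing at F:\install.exe. The script below is an added example for this thread, not code from ComboFix or from any poster. It parses a constructed excerpt of the log (the FirewallRules header in the sample is assumed, since the page's copy of the log starts part-way through that block; the risky-port table is likewise an assumption) and returns those findings as a list so they can be checked against the real log.

```python
"""Triage helper for the firewall and autorun sections of a ComboFix log.

Added example for this thread; not ComboFix's own code. It walks the log
line by line, remembers which registry key the current block belongs to,
and collects findings a practitioner would verify by hand on the machine.
"""
import re
from dataclasses import dataclass

# Assumption for this example: ports that should not be globally open on a laptop.
RISKY_OPEN_PORTS = {3389: "RDP", 445: "SMB", 135: "RPC", 23: "telnet"}

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")          # [HKLM\~\...] headers
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')  # "Name"= data
AUTORUN_RE = re.compile(r"^\\shell\\AutoRun\\command\s*-\s*(?P<cmd>.+)$", re.IGNORECASE)
USER_PROFILE_RE = re.compile(r"c:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    section: str    # registry key the line was found under
    detail: str


def triage(log_text: str) -> list[Finding]:
    """Return findings in log order; an empty list means nothing was flagged."""
    findings: list[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:                                   # new registry block starts
            section = m.group("key")
            continue
        sec = section.lower()
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in sec:         # AutoRun recorded for a mounted volume
            findings.append(Finding("high", section,
                                    f"AutoRun command on a mounted volume: {m.group('cmd')}"))
            continue
        m = VALUE_RE.match(line)
        if not m or "firewallpolicy" not in sec:
            continue
        name, data = m.group("name"), m.group("data")
        if name == "EnableFirewall" and data.startswith("0"):
            findings.append(Finding("high", section,
                                    "firewall profile disabled (EnableFirewall=0)"))
        elif sec.endswith("globallyopenports\\list"):
            port_s, _, proto = name.partition(":")   # e.g. "3389:TCP"
            if port_s.isdigit() and int(port_s) in RISKY_OPEN_PORTS:
                findings.append(Finding("high", section,
                                        f"port {port_s}/{proto} ({RISKY_OPEN_PORTS[int(port_s)]}) globally open"))
        elif USER_PROFILE_RE.search(data) and not data.startswith("Disabled:"):
            findings.append(Finding("medium", section,
                                    f"firewall exception for a user-profile binary: {data}"))
    return findings


# Constructed excerpt modelled on the log in this thread. The FirewallRules
# header is assumed; the posted copy of the log begins part-way through it.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{4A0E09ED-ADD2-4CC8-ABD5-50E4194358CD}"= TCP:c:\users\Toby\AppData\Local\Microsoft\Live Mesh\GacBase\Moe.exe:Live Mesh
"{0F10F2BB-5BFD-4DBB-8B86-2FB0EEAF63D5}"= Disabled:TCP:c:\program files\Adobe\Photoshop Elements 7.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57bb1d76-324a-11dd-9139-806e6f6e6963}]
\shell\AutoRun\command - F:\install.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:<6}] {f.section}: {f.detail}")
```

The script only reads the log; a finding is a prompt to verify on the host, not a verdict. On the Vista machine itself, `netsh advfirewall show allprofiles` confirms whether the profile really is off and `netsh advfirewall firewall show rule name=all` lists the live rules independently of the registry dump, and the F:\install.exe AutoRun entry is worth matching against whatever removable drive was mounted as F: at the time.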

 
LVL 15

Expert Comment

by:greyknight17
ID: 24127244
Yes, please run Malwarebytes' also as mentioned earlier to see if it finds anything.

Do you still get the redirects now? Any suspicious aux entries found in the Drivers32 registry key?
 

Author Closing Comment

by:hurst75
ID: 31568839
Many thanks!!!!
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24168846
Glad to know the problem is solved.

In case you're not aware, you can also award points to more than one expert by clicking the 'Accept Multiple Solutions' button and distributing points, as I wasn't the first one to suggest ComboFix here.


If everything's fine you can then uninstall Combofix.
Go to Start > Run and copy and paste the next command into the field:

ComboFix /u

Thanks!
 

Author Comment

by:hurst75
ID: 24168948
No you weren't the first to suggest it, but you provided full step-by-step instructions, which I followed to the letter.

I use this forum from time to time because I am not an expert and need someone to hold my hand, like the drooling IT idiot I am! So points have been awarded and distributed fairly in my eyes.

Thanks again.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24169829
That's okay... everyone needs assistance from time to time, even the experts :) and we are all learning along the way...

Thanks for the points and thank you for using Experts-Exchange!
