Multiple iexplore.exe, random popups, system wave muted

S

shocker

New member
Ran Malwarebytes (Updated 7/10/10 Ver: 4229) and Spybot updated to current version. Both programs ran separately and found nothing.

DDS (Ver_10-03-17.01) - NTFSx86
Run by rk at 11:08:50.98 on Mon 07/12/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.549 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

svchost.exe 4
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
svchost.exe 4
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Acer\Acer VCM\RS_Service.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\WebCam\M3000\M3000Mnt.exe
C:\Program Files\Acer\Acer VCM\AcerVCM.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\rk\Desktop\dds.scr
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0710&m=aspire_one
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0710&m=aspire_one
uInternet Connection Wizard,ShellNext = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0710&m=aspire_one
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt
mRun: [NotificationCenterLauncher] c:\program files\acer\acer erecovery management\NotificationLauncher.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\rk\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\acer\acer vcm\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rk\applic~1\mozilla\firefox\profiles\u940y0am.default\
FF - prefs.js: browser.startup.homepage - hxxps://webauth.usf.edu/login?service=https://my.usf.edu/webapps/login/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-12 214664]
R2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-3-12 237568]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-3-3 38912]
R3 M3000Srv;USB2.0 UVC WebCam Driver;c:\windows\system32\drivers\M3000KNT.sys [2010-7-9 145408]
S2 0247841278947062mcinstcleanup;McAfee Application Installer Cleanup (0247841278947062);c:\windows\temp\024784~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\024784~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-12 198432]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-3-12 359952]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-3-12 144704]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-3-12 1684736]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-3-12 606736]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-3-12 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-3-12 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-3-12 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-3-12 40552]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\rts5121.sys --> c:\windows\system32\drivers\RTS5121.sys [?]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]

=============== Created Last 30 ================

2010-07-10 14:25:16 0 d-----w- c:\windows\pss
2010-07-10 13:23:37 0 d-----w- c:\program files\Windows Media Connect 2
2010-07-10 13:18:39 0 d-----w- c:\windows\system32\URTTEMP
2010-07-10 12:46:42 0 d-----w- c:\docume~1\rk\applic~1\Malwarebytes
2010-07-10 12:46:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-10 12:46:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-10 12:46:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-10 12:46:15 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-09 15:23:22 0 d-----w- c:\windows\system32\XPSViewer
2010-07-09 15:20:41 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-09 15:20:41 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-09 15:20:40 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-09 15:20:40 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-09 15:20:40 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-09 15:20:39 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-09 15:20:39 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-09 15:20:37 0 d-----w- C:\13a5fe66e0d6088c83d4176f
2010-07-09 10:26:30 0 d-sh--w- c:\documents and settings\rk\IETldCache
2010-07-09 10:01:55 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-07-09 10:01:54 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-07-09 10:01:54 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-07-09 10:01:53 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-07-09 10:01:52 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-09 10:01:52 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-07-09 10:01:52 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-07-09 10:01:45 0 d-----w- c:\windows\ie8updates
2010-07-09 10:01:36 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-07-09 09:59:42 0 dc-h--w- c:\windows\ie8
2010-07-09 09:16:52 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-07-09 09:16:52 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-07-09 09:16:48 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-07-09 09:16:48 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-07-09 07:46:49 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-07-09 07:23:58 0 d--h--w- c:\windows\system32\CanonMF Uninstaller Information
2010-07-09 07:23:48 0 d--h--w- C:\CanonMF
2010-07-09 06:58:34 69632 ----a-w- c:\windows\system32\CNAS0MMK.DLL
2010-07-09 06:43:29 94208 ----a-w- c:\windows\system32\CNCLSC34d.DLL
2010-07-09 06:43:29 502 ----a-w- c:\windows\system32\CNCMFP34.INI
2010-07-09 06:43:29 188416 ----a-w- c:\windows\system32\CNCLSU34d.DLL
2010-07-09 06:43:29 131072 ----a-w- c:\windows\system32\CNCLSD34d.DLL
2010-07-09 06:43:29 110592 ----a-w- c:\windows\system32\CNCLST34d.DLL
2010-07-09 06:43:29 102400 ----a-w- c:\windows\system32\CNCLSI34d.DLL
2010-07-09 06:43:28 86016 ----a-w- c:\windows\system32\CNCI460.DLL
2010-07-09 06:43:28 53248 ----a-w- c:\windows\system32\CNCLSO34d.dll
2010-07-09 06:43:28 274432 ----a-w- c:\windows\system32\CNCC460.DLL
2010-07-09 06:43:28 118784 ----a-w- c:\windows\system32\CNCL460.DLL
2010-07-09 06:43:27 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-07-09 06:43:27 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-07-09 06:38:57 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-07-09 06:38:57 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-07-09 06:00:42 215920 ----a-w- c:\windows\system32\muweb.dll
2010-07-09 06:00:42 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-07-09 06:00:41 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-07-09 05:59:12 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-07-09 05:42:48 0 d-----w- c:\windows\system32\PreInstall
2010-07-09 04:58:28 0 d-----w- c:\windows\3G
2010-07-09 04:35:54 15944 ----a-w- c:\windows\system32\OEMINFO.PNF
2010-07-09 04:34:54 0 d-----w- c:\program files\Linksys EasyLink Advisor
2010-07-09 04:12:15 0 d-----w- c:\windows\Screensavers
2010-07-09 04:10:29 0 d---a-w- c:\windows\BTW
2010-07-09 04:09:36 0 d-----w- c:\program files\common files\CrystalEye
2010-07-09 04:07:20 0 d-----w- c:\docume~1\rk\applic~1\Super-Cow
2010-07-09 04:07:20 0 d-----w- c:\docume~1\rk\applic~1\Acer GameZone Console
2010-07-09 04:07:20 0 d-----w- c:\docume~1\rk\applic~1\Acer
2010-07-09 04:02:40 8192 ----a-w- c:\windows\REGLOCS.OLD
2010-07-09 02:45:48 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-07-09 02:45:48 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-09 02:24:13 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-09 02:24:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-07-09 02:14:29 0 d-----w- c:\program files\Microsoft Visual Studio 8
2010-07-09 01:51:25 0 d-----w- c:\windows\system32\LogFiles
2010-07-09 01:40:49 0 d-----w- c:\windows\system32\SoftwareDistribution

==================== Find3M ====================

2010-07-09 04:10:45 2575 ----a-w- c:\windows\CLEANUP.CMD
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ------w- c:\windows\system32\ieencode.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

============= FINISH: 11:10:22.76 ===============
 
Hi,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
 
ComboFix 10-07-15.05 - rk 07/16/2010 18:24:20.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.441 [GMT -4:00]
Running from: c:\documents and settings\rk\Desktop\explorerfix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\rk\My Documents\explorer.exe

.
((((((((((((((((((((((((( Files Created from 2010-06-16 to 2010-07-16 )))))))))))))))))))))))))))))))
.

2010-07-12 12:03 . 2010-07-12 12:03 -------- d-----w- c:\program files\ERUNT
2010-07-12 03:20 . 2008-04-14 12:00 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-07-11 14:59 . 2010-07-11 14:59 -------- d-----w- c:\documents and settings\NetworkService\Application Data\SACore
2010-07-11 05:07 . 2010-07-12 04:07 -------- d-----w- c:\documents and settings\rk\Local Settings\Application Data\ApplicationHistory
2010-07-10 13:23 . 2010-07-10 13:23 -------- d-----w- c:\program files\Windows Media Connect 2
2010-07-10 13:21 . 2010-07-10 13:22 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-07-10 13:18 . 2010-07-10 13:18 -------- d-----w- c:\windows\system32\URTTEMP
2010-07-10 12:46 . 2010-07-10 12:46 -------- d-----w- c:\documents and settings\rk\Application Data\Malwarebytes
2010-07-10 12:46 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-10 12:46 . 2010-07-10 12:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-10 12:46 . 2010-07-10 12:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-10 12:46 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-10 05:13 . 2010-07-10 05:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-07-09 16:26 . 2010-07-09 16:26 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-07-09 15:23 . 2010-07-09 15:23 -------- d-----w- c:\windows\system32\XPSViewer
2010-07-09 15:22 . 2010-07-09 15:22 -------- d-----w- c:\program files\Reference Assemblies
2010-07-09 15:21 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-07-09 15:20 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-09 15:20 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-09 15:20 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-09 15:20 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-09 15:20 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-09 15:20 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-07-09 15:20 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-09 15:20 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-09 15:20 . 2010-07-09 15:22 -------- d-----w- C:\13a5fe66e0d6088c83d4176f
2010-07-09 12:40 . 2010-07-09 12:40 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-09 12:39 . 2010-07-09 12:39 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-07-09 10:27 . 2010-07-09 10:27 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-07-09 10:27 . 2010-07-09 10:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-07-09 10:26 . 2010-07-09 10:26 -------- d-sh--w- c:\documents and settings\rk\IETldCache
2010-07-09 10:26 . 2010-07-09 10:26 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-07-09 10:01 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-07-09 10:01 . 2010-05-06 10:41 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-07-09 10:01 . 2010-05-06 10:41 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-07-09 10:01 . 2010-05-06 10:41 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-07-09 10:01 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-07-09 10:01 . 2010-05-06 10:41 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-07-09 10:01 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-09 10:01 . 2010-07-10 03:34 -------- d-----w- c:\windows\ie8updates
2010-07-09 10:01 . 2010-04-16 11:43 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-07-09 09:59 . 2010-07-09 10:01 -------- dc-h--w- c:\windows\ie8
2010-07-09 09:16 . 2008-04-14 09:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-07-09 09:16 . 2008-04-14 09:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-07-09 09:16 . 2008-04-14 12:00 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-07-09 09:16 . 2008-04-14 12:00 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-07-09 08:06 . 2010-07-09 08:06 71680 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-07-09 08:04 . 2010-07-09 10:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-09 07:46 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-07-09 07:23 . 2010-07-11 05:04 -------- d--h--w- c:\windows\system32\CanonMF Uninstaller Information
2010-07-09 07:23 . 2010-07-11 05:04 -------- d-----w- C:\CanonMF
2010-07-09 06:58 . 2007-04-18 21:14 69632 ----a-w- c:\windows\system32\CNAS0MMK.DLL
2010-07-09 06:43 . 2009-11-06 14:17 102400 ----a-w- c:\windows\system32\CNCLSI34d.DLL
2010-07-09 06:43 . 2009-11-06 14:17 131072 ----a-w- c:\windows\system32\CNCLSD34d.DLL
2010-07-09 06:43 . 2009-11-06 14:17 94208 ----a-w- c:\windows\system32\CNCLSC34d.DLL
2010-07-09 06:43 . 2009-11-06 14:17 110592 ----a-w- c:\windows\system32\CNCLST34d.DLL
2010-07-09 06:43 . 2009-11-06 14:16 188416 ----a-w- c:\windows\system32\CNCLSU34d.DLL
2010-07-09 06:43 . 2009-11-06 14:17 53248 ----a-w- c:\windows\system32\CNCLSO34d.dll
2010-07-09 06:43 . 2009-11-06 14:16 86016 ----a-w- c:\windows\system32\CNCI460.DLL
2010-07-09 06:43 . 2009-11-06 14:16 274432 ----a-w- c:\windows\system32\CNCC460.DLL
2010-07-09 06:43 . 2009-11-06 14:15 118784 ----a-w- c:\windows\system32\CNCL460.DLL
2010-07-09 06:43 . 2008-04-14 04:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-07-09 06:43 . 2008-04-14 04:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-07-09 06:38 . 2008-04-14 04:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-07-09 06:38 . 2008-04-14 04:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-07-09 06:11 . 2010-07-09 07:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-07-09 06:06 . 2010-07-09 06:06 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-07-09 06:00 . 2009-08-06 23:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-07-09 06:00 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-07-09 05:59 . 2008-04-14 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-07-09 04:58 . 2010-07-09 04:15 -------- d-----w- c:\windows\3G
2010-07-09 04:39 . 2010-07-11 04:53 -------- d-----w- c:\documents and settings\rk\Local Settings\Application Data\Adobe
2010-07-09 04:35 . 2010-07-09 04:36 -------- d--h--w- c:\documents and settings\rk\Application Data\GTek
2010-07-09 04:34 . 2010-07-09 04:36 -------- d--ha-w- c:\documents and settings\All Users\Application Data\GTek
2010-07-09 04:34 . 2010-07-09 04:36 -------- d-----w- c:\program files\Linksys EasyLink Advisor
2010-07-09 04:12 . 2010-07-09 04:12 -------- d-----w- c:\windows\Screensavers
2010-07-09 04:10 . 2010-07-09 04:35 -------- d---a-w- c:\windows\BTW
2010-07-09 04:09 . 2010-07-09 04:09 -------- d-----w- c:\windows\WebCam
2010-07-09 04:09 . 2008-04-14 09:42 53760 ----a-w- c:\windows\vfwwdm32.dll
2010-07-09 04:09 . 2009-01-02 23:07 331776 ----a-w- c:\windows\system\M3000Dex.dll
2010-07-09 04:09 . 2009-01-02 22:33 145408 ----a-w- c:\windows\system32\drivers\M3000KNT.sys
2010-07-09 04:09 . 2008-08-13 15:50 69632 ----a-w- c:\windows\system\M3000Rmv.dll
2010-07-09 04:09 . 2007-07-13 18:49 233472 ----a-w- c:\windows\system32\M3000DIF.dll
2010-07-09 04:09 . 2007-07-13 18:48 147456 ----a-w- c:\windows\system\M3000Vex.dll
2010-07-09 04:09 . 2010-07-09 04:09 -------- d-----w- c:\program files\Common Files\CrystalEye
2010-07-09 04:09 . 2008-12-03 18:34 40960 ----a-w- c:\windows\AutosetFrequency.exe
2010-07-09 04:06 . 2009-03-12 06:32 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Acer
2010-07-09 04:06 . 2009-03-12 06:06 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Acer GameZone Console
2010-07-09 04:06 . 2009-03-12 05:52 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\InstallShield
2010-07-09 04:06 . 2009-03-12 06:27 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Super-Cow
2010-07-09 02:48 . 2010-07-09 02:48 -------- d-----w- c:\windows\Sun
2010-07-09 02:46 . 2010-07-09 02:46 -------- d-----w- c:\program files\Common Files\Java
2010-07-09 02:46 . 2010-07-09 02:46 503808 ----a-w- c:\documents and settings\rk\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-43b56318-n\msvcp71.dll
2010-07-09 02:46 . 2010-07-09 02:46 499712 ----a-w- c:\documents and settings\rk\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-43b56318-n\jmc.dll
2010-07-09 02:46 . 2010-07-09 02:46 348160 ----a-w- c:\documents and settings\rk\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-43b56318-n\msvcr71.dll
2010-07-09 02:46 . 2010-07-09 02:46 61440 ----a-w- c:\documents and settings\rk\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-58ec8b08-n\decora-sse.dll
2010-07-09 02:46 . 2010-07-09 02:46 12800 ----a-w- c:\documents and settings\rk\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-58ec8b08-n\decora-d3d.dll
2010-07-09 02:45 . 2010-07-09 02:45 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-09 02:44 . 2010-07-09 02:44 -------- d-----w- c:\program files\Java
2010-07-09 02:24 . 2010-07-09 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-09 02:24 . 2010-07-09 02:28 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-09 02:19 . 2010-07-09 15:23 -------- d-----w- c:\program files\MSBuild
2010-07-09 02:14 . 2010-07-09 02:14 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-07-09 01:52 . 2010-07-09 01:52 0 ----a-w- c:\windows\nsreg.dat
2010-07-09 01:52 . 2010-07-09 01:52 -------- d-----w- c:\documents and settings\rk\Local Settings\Application Data\Mozilla
2010-07-09 01:51 . 2010-07-10 13:21 -------- d-----w- c:\windows\system32\LogFiles
2010-07-09 01:48 . 2010-07-16 22:12 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-16 17:03 . 2009-03-12 06:15 -------- d-----w- c:\program files\McAfee
2010-07-14 11:50 . 2009-03-12 05:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-13 11:36 . 2010-07-13 11:36 -------- d-----w- c:\documents and settings\LocalService\Application Data\Foxit Software
2010-07-12 23:52 . 2010-07-12 23:52 -------- d-----w- c:\documents and settings\rk\Application Data\Foxit Software
2010-07-12 23:51 . 2010-07-12 23:51 -------- d-----w- c:\program files\Foxit Software
2010-07-11 05:03 . 2009-03-12 06:06 -------- d-----w- c:\program files\Acer GameZone
2010-07-09 15:51 . 2010-07-09 04:07 92344 ----a-w- c:\documents and settings\rk\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-09 10:25 . 2009-03-12 06:32 -------- d-----w- c:\program files\Carbonite
2010-07-09 10:25 . 2009-03-12 06:06 -------- d-----w- c:\program files\Google
2010-07-09 09:19 . 2009-03-12 06:15 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-07-09 08:14 . 2009-03-12 06:31 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-07-09 04:11 . 2009-03-12 06:32 -------- d-----w- c:\program files\Acer
2010-07-09 04:10 . 2009-03-11 12:53 2575 ----a-w- c:\windows\CLEANUP.CMD
2010-07-09 02:50 . 2009-03-12 05:07 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-07-09 01:52 . 2009-03-12 05:52 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-09 01:52 . 2009-03-12 06:31 -------- d-----w- c:\program files\eSobi
2010-06-14 14:31 . 2009-03-12 05:06 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-06 10:41 . 2009-03-11 12:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2010-05-04 17:20 78336 ------w- c:\windows\system32\ieencode.dll
2010-05-02 05:22 . 2009-03-11 12:53 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2009-03-11 12:52 285696 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"M3000Mnt"="M3000Rmv.dll " [X]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"RTHDCPL"="RTHDCPL.EXE" [2009-02-24 17529856]
"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2006-01-25 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-05 1430824]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-12-30 875016]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-10 1218008]
"NotificationCenterLauncher"="c:\program files\Acer\Acer eRecovery Management\NotificationLauncher.exe" [2008-12-22 225280]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\rk\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2009-3-12 565248]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [3/12/2009 2:21 AM 198432]
R2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [3/12/2009 2:32 AM 237568]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [3/3/2009 11:03 PM 38912]
R3 M3000Srv;USB2.0 UVC WebCam Driver;c:\windows\system32\drivers\M3000KNT.sys [7/9/2010 12:09 AM 145408]
S2 0297491279299785mcinstcleanup;McAfee Application Installer Cleanup (0297491279299785);c:\windows\TEMP\029749~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\029749~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [3/12/2009 1:56 AM 1684736]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys --> c:\windows\system32\Drivers\RTS5121.sys [?]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-03-12 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-12 16:22]

2009-03-12 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-03-12 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0710&m=aspire_one
uInternet Connection Wizard,ShellNext = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0710&m=aspire_one
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\rk\Application Data\Mozilla\Firefox\Profiles\u940y0am.default\
FF - prefs.js: browser.startup.homepage - hxxps://webauth.usf.edu/login?service=https://my.usf.edu/webapps/login/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-16 18:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9d,4d,0a,15,5b,ce,b3,40,91,62,23,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9d,4d,0a,15,5b,ce,b3,40,91,62,23,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\windows\system32\igfxdev.dll
.
Completion time: 2010-07-16 18:39:31
ComboFix-quarantined-files.txt 2010-07-16 22:39

Pre-Run: 136,927,367,168 bytes free
Post-Run: 137,356,001,280 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 0B1E3A3EFF761E14D03EDD1897BBAB91



DDS (Ver_10-03-17.01) - NTFSx86
Run by rk at 18:44:16.37 on Fri 07/16/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.362 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Acer\Acer VCM\RS_Service.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\WebCam\M3000\M3000Mnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\wscntfy.exe
svchost.exe 4
svchost.exe 4
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\rk\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0710&m=aspire_one
uInternet Connection Wizard,ShellNext = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0710&m=aspire_one
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt
mRun: [NotificationCenterLauncher] c:\program files\acer\acer erecovery management\NotificationLauncher.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\rk\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\acer\acer vcm\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rk\applic~1\mozilla\firefox\profiles\u940y0am.default\
FF - prefs.js: browser.startup.homepage - hxxps://webauth.usf.edu/login?service=https://my.usf.edu/webapps/login/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-12 214664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-12 198432]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-3-12 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-3-12 144704]
R2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-3-12 237568]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-3-3 38912]
R3 M3000Srv;USB2.0 UVC WebCam Driver;c:\windows\system32\drivers\M3000KNT.sys [2010-7-9 145408]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-3-12 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-3-12 35272]
S2 0297491279299785mcinstcleanup;McAfee Application Installer Cleanup (0297491279299785);c:\windows\temp\029749~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\029749~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-3-12 1684736]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-3-12 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-3-12 40552]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\rts5121.sys --> c:\windows\system32\drivers\RTS5121.sys [?]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-3-12 606736]

=============== Created Last 30 ================

2010-07-16 22:22:09 0 d-sha-r- C:\cmdcons
2010-07-16 22:20:54 98816 ----a-w- c:\windows\sed.exe
2010-07-16 22:20:54 77312 ----a-w- c:\windows\MBR.exe
2010-07-16 22:20:54 256512 ----a-w- c:\windows\PEV.exe
2010-07-16 22:20:54 161792 ----a-w- c:\windows\SWREG.exe
2010-07-12 23:52:08 0 d-----w- c:\docume~1\rk\applic~1\Foxit Software
2010-07-12 23:51:02 0 d-----w- c:\program files\Foxit Software
2010-07-10 14:25:16 0 d-----w- c:\windows\pss
2010-07-10 13:23:37 0 d-----w- c:\program files\Windows Media Connect 2
2010-07-10 13:18:39 0 d-----w- c:\windows\system32\URTTEMP
2010-07-10 12:46:42 0 d-----w- c:\docume~1\rk\applic~1\Malwarebytes
2010-07-10 12:46:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-10 12:46:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-10 12:46:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-10 12:46:15 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-09 15:23:22 0 d-----w- c:\windows\system32\XPSViewer
2010-07-09 15:20:41 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-09 15:20:41 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-09 15:20:40 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-09 15:20:40 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-09 15:20:40 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-09 15:20:39 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-09 15:20:39 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-09 15:20:37 0 d-----w- C:\13a5fe66e0d6088c83d4176f
2010-07-09 10:26:30 0 d-sh--w- c:\documents and settings\rk\IETldCache
2010-07-09 10:01:55 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-07-09 10:01:54 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-07-09 10:01:54 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-07-09 10:01:53 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-07-09 10:01:52 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-09 10:01:52 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-07-09 10:01:52 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-07-09 10:01:45 0 d-----w- c:\windows\ie8updates
2010-07-09 10:01:36 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-07-09 09:59:42 0 dc-h--w- c:\windows\ie8
2010-07-09 09:16:52 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-07-09 09:16:52 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-07-09 09:16:48 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-07-09 09:16:48 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-07-09 07:46:49 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-07-09 07:23:58 0 d--h--w- c:\windows\system32\CanonMF Uninstaller Information
2010-07-09 07:23:48 0 d-----w- C:\CanonMF
2010-07-09 06:58:34 69632 ----a-w- c:\windows\system32\CNAS0MMK.DLL
2010-07-09 06:43:29 94208 ----a-w- c:\windows\system32\CNCLSC34d.DLL
2010-07-09 06:43:29 502 ----a-w- c:\windows\system32\CNCMFP34.INI
2010-07-09 06:43:29 188416 ----a-w- c:\windows\system32\CNCLSU34d.DLL
2010-07-09 06:43:29 131072 ----a-w- c:\windows\system32\CNCLSD34d.DLL
2010-07-09 06:43:29 110592 ----a-w- c:\windows\system32\CNCLST34d.DLL
2010-07-09 06:43:29 102400 ----a-w- c:\windows\system32\CNCLSI34d.DLL
2010-07-09 06:43:28 86016 ----a-w- c:\windows\system32\CNCI460.DLL
2010-07-09 06:43:28 53248 ----a-w- c:\windows\system32\CNCLSO34d.dll
2010-07-09 06:43:28 274432 ----a-w- c:\windows\system32\CNCC460.DLL
2010-07-09 06:43:28 118784 ----a-w- c:\windows\system32\CNCL460.DLL
2010-07-09 06:43:27 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-07-09 06:43:27 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-07-09 06:38:57 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-07-09 06:38:57 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-07-09 06:00:42 215920 ----a-w- c:\windows\system32\muweb.dll
2010-07-09 06:00:42 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-07-09 06:00:41 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-07-09 05:59:12 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-07-09 05:42:48 0 d-----w- c:\windows\system32\PreInstall
2010-07-09 04:58:28 0 d-----w- c:\windows\3G
2010-07-09 04:35:54 15944 ----a-w- c:\windows\system32\OEMINFO.PNF
2010-07-09 04:34:54 0 d-----w- c:\program files\Linksys EasyLink Advisor
2010-07-09 04:12:15 0 d-----w- c:\windows\Screensavers
2010-07-09 04:10:29 0 d---a-w- c:\windows\BTW
2010-07-09 04:09:36 0 d-----w- c:\program files\common files\CrystalEye
2010-07-09 04:07:20 0 d-----w- c:\docume~1\rk\applic~1\Super-Cow
2010-07-09 04:07:20 0 d-----w- c:\docume~1\rk\applic~1\Acer GameZone Console
2010-07-09 04:07:20 0 d-----w- c:\docume~1\rk\applic~1\Acer
2010-07-09 04:02:40 8192 ----a-w- c:\windows\REGLOCS.OLD
2010-07-09 02:45:48 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-07-09 02:45:48 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-09 02:24:13 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-09 02:24:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-07-09 02:14:29 0 d-----w- c:\program files\Microsoft Visual Studio 8
2010-07-09 01:51:25 0 d-----w- c:\windows\system32\LogFiles
2010-07-09 01:40:49 0 d-----w- c:\windows\system32\SoftwareDistribution

==================== Find3M ====================

2010-07-09 04:10:45 2575 ----a-w- c:\windows\CLEANUP.CMD
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ------w- c:\windows\system32\ieencode.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

============= FINISH: 18:45:20.10 ===============
 
Hi,

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log in your reply.
 
MBRCheck, version 1.1.1

(c) 2010, AD



\\.\C: --> \\.\PhysicalDrive0



Size Device Name MBR Status

--------------------------------------------

149 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!





Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:



Done! Press ENTER to exit...
 
Hi,

1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter (let it fix MBR):

fixmbr

6. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading. Please run MBRCheck again and post back the report.
 
Hi,

Could you post the exact error message here, please?
 
When I try to go into the recovery console, this is what pops up:

"A disk read error occurred
Press ctrl+alt+del to restart"

I can't type anything, just can hit ctrl+alt+del to restart
 
Hi,

Do you have XP Home (with SP2 or SP3) installation cd handy? We could try to launch recovery console from it.
 
Well, this ACER netbook is rather weird, in a sense that it did not come with XP discs, but a utility called ACER eRecovery Manager where I burned the recovery disc. I can try that one and see if it is like the XP discs. I think it has the recovery console on it.
 
Ok (is it Acer Aspire One or some other netbook?). Let me know if it has the recovery console available.
 
Yes sir, its an Aspire One.

I ran the recovery cd by setting the dvd-rom to be the first read on boot and ran the disc, but I didn't find a recovery console on the disc, just a restore to factory defaults or reformat drive. Now, I did restart and tried to go into the Windows Recovery Console and I got this display:

"Windows could not start because the following file is missing or corrupt:

<Windows root>\system32\hal.dll

Please re-install a copy of the above file."

Unplugged the external dvd-rom and tried again and got the same error trying to go into Windows Recovery Console.

XP loaded up fine though.
 
Hi,

I'll get some other opinions about this. Shall see about further action after that.
 
If I have to, I have no problem reformatting and installing XP Pro from a disc onto this laptop and if the problem persists, then maybe Windows Recovery will work then?
 
Hi,

Let's keep reformat option in store for now (please do have your important stuff backuped though in case reformat is needed after all) :)

-----
Move MBRCheck.exe to root of your c: drive (c:\).
Re-run MBRCheck again.
When prompted, enter Y
Then enter 1 to dump the MBR to physical disk
Name the dumped file as Dump.dat

Enter -1 to exit

----

Please follow these instructions carefully.

You will need a CD to burn a boot disk

First if you don't have a utility that can burn an .iso file to disk please download this one from here:

Install this .iso burner on your machine first.



1) Download this file.

2) Click it and it shall create an ISO for you for which you need to burn to CD (double click the iso file the IsoBurner will step you through the burning process).

3) Once you have the boot disk created, boot the machine using this bootable CD.

While booting with the CD follow the steps below:
  • Run MBRCheck.exe
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Please press the 'Y' key and then press Enter
  • When program asks you Enter your choice: enter 1 and press the Enter key
  • Now the program will ask you Enter the physical disk number to fix (0-99, -1 to cancel):
  • Enter 0 and press the Enter key.
  • The program will show Available MBR codes:, followed by a list of operating systems. Please enter 1 for Windows XP, and then press Enter.
  • The program will prompt for confirmation. Type 'YES' and hit Enter.
  • Left click on the title bar (where program name and path is written).
  • From the menu choose Edit -> Select All
  • Hit the Enter key on your keyboard to copy selected text.
  • Paste that text into Notepad, save it to your desktop as MBRCheck results.txt
  • Restart your PC.
  • Post the text in MBRCheck results.txt here, please.
 
I have some bad news. I ran the mpass.exe, created the iso and burned it onto a disc. When I rebooted the pc and made it run the disc on boot up, I got a black screen, then it flickered and a white underscore blinked a couple of times in top left corner, then got a black screen again and then went back to screen which asked to choose what to boot with, - - boot cd - -, Windows Recovery, or Windows.

I even redid the burning process in safe mode and that did not solve the issue either. Could the issue be that I'm running the mpass.exe on the desktop or should it be in c:\ drive or somewhere else?
 
Hi,

When you boot with cd do you see this:
Mpass.png


Please post fresh dds.txt log while booting with the cd.
 
Yes, that is the screen I see and when I go up to choose boot cd and hit enter, the screen will turn black and flicker a little bit, then I will see an underscore in top left corner for about 3 seconds and then screen will flicker some more and take me back to that exact screen again to choose what OS to boot with. Is this normal?

I also uninstalled McAfee because my subscription ran out and installed ESET AV. It ended up discovering Mebroot trojan on one of my boot ups and cleaned it to the point where the mutliple iexplore.exe do not start and no random popups and system wave is normal again, but MBR Check still finds my MBR to be infected.
 
Hi,

Please post a fresh dds.txt log + MBRCheck report (run MBRCheck and just close the window when it has finished and there should be a fresh log in the same folder).
 
You must log in or register to reply here.
Back
Top