Help remove Troj/Rustok-N [Solved]


  • This topic is locked This topic is locked

#1 Triskelion (Member, 663 posts)
Apparently my computer has this trojan but my [shaw] antivirus is not getting rid of it???
#2 Rorschach112 ("Ralphie", Retired Staff, 47,710 posts)
Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.



Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#3 Triskelion (Topic Starter, Member, 663 posts)
Ok.. I printed off your post so I can follow along in Safe Mode, but I have encountered a problem right off the bat.
When I go to double-click RunThis.bat in Safe Mode, it opens for a brief moment and then closes again... I never get to the part where I hit "Y" to continue and so on with the rest of your post...

Did I install it wrong? I thought it was a pretty straight forward process.

#4 Rorschach112 ("Ralphie", Retired Staff, 47,710 posts)
Try renaming it to something like abcd123.bat.

Does that work?

If not, do the next step.

#5 Triskelion (Topic Starter, Member, 663 posts)
It didn't work to rename the batch file. I tried to reinstall it and try everything again, but that didn't work either. I can open the batch file in normal mode but not in Safe Mode... then again, in normal mode it tells me to reboot into Safe Mode [haha]. Go figure???

Anyway, here is the ComboFix log:

ComboFix 08-12-31.01 - Butler 2009-01-01 13:56:59.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2813.1820 [GMT -7:00]
Running from: c:\users\Butler\Desktop\ComboFix.exe
FW: Shaw Secure 2.0 7.03 *enabled*
* Created a new restore point
.
ADS - Windows: deleted 48 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\program files\INSTALL.LOG
c:\program files\RichVideoCodec
C:\resycled
c:\resycled\boot.com
c:\users\Butler\AppData\Roaming\rbap550.dll
c:\users\Butler\AppData\Roaming\rbqt550.DLL
c:\users\Butler\AppData\Roaming\RBRegEx550.dll
c:\users\Butler\AppData\Roaming\RBShell555.dll
c:\windows\system32\drivers\msqpdxdwssbuxa.sys
c:\windows\system32\msqpdxdpqcyqtp.dll
c:\windows\system32\x64
c:\windows\system32\x64\csnp2uvc.dll
c:\windows\system32\x64\rsnpvc64.dll
c:\windows\system32\x64\sncduvc.sys
c:\windows\system32\x64\snp2uvc.sys
c:\windows\system32\x64\vsnpvc64.dll
c:\windows\Temp\log.txt
D:\Autorun.inf
D:\resycled
d:\resycled\boot.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSQPDXSERV.SYS
-------\Service_MSQPDXSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-12-01 to 2009-01-01 )))))))))))))))))))))))))))))))
.

2009-01-01 13:39 . 2009-01-01 13:44 <DIR> d-------- C:\SDFix
2008-12-27 15:27 . 2008-12-27 15:27 <DIR> d-------- c:\users\Butler\AppData\Roaming\Media Player Classic
2008-12-27 15:21 . 2007-09-04 09:56 164,352 --a------ c:\windows\System32\unrar.dll
2008-12-27 15:21 . 2008-07-30 12:09 38 --a------ c:\windows\avisplitter.ini
2008-12-18 22:22 . 2008-12-18 22:22 <DIR> d-------- c:\users\Butler\AppData\Roaming\Research In Motion
2008-12-18 22:19 . 2008-12-18 22:19 <DIR> d-------- c:\program files\Common Files\Research In Motion
2008-12-18 22:19 . 2007-01-18 10:24 26,496 --a------ c:\windows\System32\drivers\RimSerial.sys
2008-12-17 11:38 . 2008-12-17 11:38 <DIR> d-------- c:\users\All Users\Ascentive
2008-12-17 11:38 . 2008-12-17 11:38 <DIR> d-------- c:\programdata\Ascentive
2008-12-17 00:35 . 2008-07-29 11:27 208,896 --a------ c:\windows\System32\ConTest.dll
2008-12-17 00:35 . 2008-08-20 17:44 45,056 --a------ c:\windows\System32\CreateLog.dll
2008-12-17 00:35 . 2007-07-03 11:48 36,864 --a------ c:\windows\System32\ascbalon.dll
2008-12-17 00:35 . 2007-07-03 11:48 20,480 --a------ c:\windows\System32\SysRestore.dll
2008-12-17 00:34 . 2008-12-17 00:35 <DIR> d-------- c:\program files\Ascentive
2008-12-10 22:00 . 2008-10-21 18:22 2,048 --a------ c:\windows\System32\tzres.dll
2008-12-10 21:26 . 2008-10-20 22:25 296,960 --a------ c:\windows\System32\gdi32.dll
2008-12-10 21:26 . 2008-10-31 20:44 28,672 --a------ c:\windows\System32\Apphlpdm.dll
2008-12-06 14:17 . 2008-12-06 14:18 <DIR> d-------- c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-06 14:17 . 2008-12-06 14:18 <DIR> d-------- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-06 14:17 . 2008-12-06 14:17 <DIR> d-------- c:\program files\iPod
2008-12-06 14:15 . 2008-12-06 14:15 <DIR> d-------- c:\program files\QuickTime
2008-12-02 10:03 . 2008-12-02 10:03 30,856 --a------ c:\windows\System32\drivers\fsbts.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-01 20:55 --------- d-----w c:\users\Butler\AppData\Roaming\DNA
2009-01-01 20:23 --------- d-----w c:\program files\Shaw Secure
2008-12-31 08:35 --------- d-----w c:\program files\Mozilla Thunderbird
2008-12-28 22:23 --------- d-----w c:\users\Butler\AppData\Roaming\BitTorrent
2008-12-24 06:57 --------- d-----w c:\users\Butler\AppData\Roaming\LimeWire
2008-12-17 07:35 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-15 17:22 --------- d-----w c:\program files\Java
2008-12-11 16:56 --------- d-----w c:\program files\Windows Mail
2008-12-11 05:03 --------- d-----w c:\programdata\Microsoft Help
2008-12-10 02:19 --------- d-----w c:\users\Butler\AppData\Roaming\DivX
2008-12-08 19:45 --------- d-----w c:\program files\Common Files\Adobe
2008-12-06 21:17 --------- d-----w c:\programdata\Apple Computer
2008-12-06 21:17 --------- d-----w c:\program files\Common Files\Apple
2008-12-02 16:53 --------- d-----w c:\programdata\fssg
2008-12-02 16:53 --------- d-----w c:\programdata\F-Secure
2008-11-24 20:35 --------- d-----w c:\program files\Manulife Financial
2008-11-24 20:34 --------- d-----w c:\program files\Common Files\Manulife Financial
2008-11-24 20:32 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-11 19:18 --------- d-----w c:\program files\Log Parser 2.2
2008-11-10 21:02 --------- d-----w c:\program files\Canada Life
2008-11-10 12:43 410,984 ----a-w c:\windows\System32\deploytk.dll
2008-11-03 20:10 --------- d-----w c:\program files\MSBuild
2008-11-03 20:10 --------- d-----w c:\program files\Microsoft Works
2008-11-03 20:05 --------- d-----w c:\program files\Microsoft Visual Studio 8
2008-11-03 19:45 --------- d-----w c:\program files\Microsoft.NET
2008-11-03 19:43 --------- d-----w c:\program files\Microsoft Small Business
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-11-01 01:21 4,240,384 ----a-w c:\windows\System32\GameUXLegacyGDFs.dll
2008-10-29 06:29 2,927,104 ----a-w c:\windows\explorer.exe
2008-10-28 22:36 823,296 ----a-w c:\windows\System32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\System32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\System32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\System32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\System32\DivX.dll
2008-10-22 03:57 241,152 ----a-w c:\windows\System32\PortableDeviceApi.dll
2008-10-21 05:25 1,645,568 ----a-w c:\windows\System32\connect.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\System32\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\System32\wuapi.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\System32\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\System32\wups2.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\System32\wups.dll
2008-10-16 21:08 162,064 ----a-w c:\windows\System32\wuwebv.dll
2008-10-16 20:56 31,232 ----a-w c:\windows\System32\wuapp.exe
2008-10-16 20:56 1,524,736 ----a-w c:\windows\System32\wucltux.dll
2008-10-16 20:55 83,456 ----a-w c:\windows\System32\wudriver.dll
2008-10-16 04:47 827,392 ----a-w c:\windows\System32\wininet.dll
2008-08-18 06:50 86,016 ----a-w c:\users\Butler\AppData\Roaming\ewsPlugin.dll
2008-08-18 06:50 81,920 ----a-w c:\users\Butler\AppData\Roaming\eselleratePlugin.dll
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
1999-06-25 16:55 149,504 ----a-w c:\program files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 01:00 39472 --a------ c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-20 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-20 125952]
"googletalk"="c:\users\Butler\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-10 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-10 86960]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-10 218032]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-20 202240]
"BitTorrent DNA"="c:\users\Butler\Program Files\DNA\btdna.exe" [2008-12-18 342848]
"DSF-DFS Updates Installation"="c:\nodesys\Maj\ExemajLauncher.exe" [2008-11-25 778240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-07 102400]
"F-Secure Manager"="c:\program files\Shaw Secure\Common\FSM32.EXE" [2008-09-23 182936]
"F-Secure TNB"="c:\program files\Shaw Secure\FSGUI\TNBUtil.exe" [2008-09-23 957024]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-22 81920]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 62760]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-01-03 521776]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-01-07 858632]
"Acer Product Registration"="c:\program files\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]
"WinampAgent"="d:\winamp\winampa.exe" [2008-08-03 36352]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Afaria Client File Differencing"="c:\nodesys\Afaria\Bin\XCDiffCache.exe" [2006-11-30 167936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="D:\iTunesHelper.exe" [2008-11-20 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"Performance Center"="c:\program files\Ascentive\Performance Center\ApcMain.exe" [2008-08-13 3244032]
"PC SpeedScan Pro"="c:\program files\Ascentive\PC SpeedScan Pro\PCSpeedScan.exe" [2008-08-21 2093056]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-07 c:\windows\RtHDVCpl.exe]
"Skytel"="Skytel.exe" [2007-11-20 c:\windows\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DiamondView"="c:\program files\Manulife Financial\Diamond View\Diamondview.exe" [2008-01-11 949248]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Afaria Client Generic Scheduler.lnk - c:\nodesys\Afaria\Bin\XCGSTask.exe [2008-11-11 552960]
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-06-09 471040]
PDFCreator.lnk - d:\pdfcreator\PDFCreator.exe [2008-08-11 2641920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{AF15A90A-3784-44A0-BD5D-FC0D15FD3B1C}"= c:\program files\CyberLink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD
"{569CB108-441E-4C16-9F97-C827CD391DE4}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{6CB68E85-B0AD-4F29-BB8D-67D52D19C384}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{C802AD6C-3A53-43F2-BE76-E1FE2861C3A5}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{B64DA3B4-ADE0-4622-9D3F-861ADE141465}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{8841B175-52BE-419B-A49D-FADC3ECFFE1D}"= UDP:d:\bittorrent\BitTorrent.exe:BitTorrent (TCP-In)
"{9ECC4BE4-1114-48C7-8882-E568215063B6}"= TCP:d:\bittorrent\BitTorrent.exe:BitTorrent (UDP-In)
"{C4FF6974-FC53-4EF8-9067-C69805344E0B}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{E2DCC695-DE07-49F5-85EF-D41B6D4667B0}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{DC90491E-11E9-428D-BE30-D266C7D18D51}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{3F0BD56B-79D6-4F4F-833A-6594B5562033}"= UDP:D:\iTunes.exe:iTunes
"{93868686-D16D-4E71-A1DC-29C12487657A}"= TCP:D:\iTunes.exe:iTunes
"{743DADC6-FB7A-4320-AA8D-8EC26DC53F8A}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{6C5E0895-D773-4847-9349-2B709E30CE04}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{98663A66-680B-4AAF-B08B-41507CA4047F}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{57DD8829-2F61-4174-A7A0-9744E2B402ED}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{1DCA74B8-8749-4962-B6BB-BF345C0DB882}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{F7F9BFDB-B1A8-48A3-BACB-5F94779504C1}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{43ECB52E-B653-4798-915F-6D42137E6042}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{ABE1E98A-5DB7-4F42-AA35-3A26BCAADF1B}"= UDP:D:\iTunes.exe:iTunes
"{9FCC704D-F434-4193-B783-2F171217C199}"= TCP:D:\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"d:\\BitTorrent\\bittorrent.exe"= d:\bittorrent\bittorrent.exe:*:Enabled:BitTorrent
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\eDSfsu.exe"= c:\acer\Empowering Technology\eDataSecurity\x86\eDSfsu.exe:*:Enabled:eDSfsu
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\encryption.exe"= c:\acer\Empowering Technology\eDataSecurity\x86\encryption.exe:*:Enabled:encryption
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\decryption.exe"= c:\acer\Empowering Technology\eDataSecurity\x86\decryption.exe:*:Enabled:decryption
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\eDSMgr.exe"= c:\acer\Empowering Technology\eDataSecurity\x86\eDSMgr.exe:*:Enabled:eDSMgr
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\eDStbmngr.exe"= c:\acer\Empowering Technology\eDataSecurity\x86\eDStbmngr.exe:*:Enabled:eDStbmngr
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x64\\eDSfsu.exe"= c:\acer\Empowering Technology\eDataSecurity\x64\eDSfsu.exe:*:Enabled:eDSfsu
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x64\\encryption.exe"= c:\acer\Empowering Technology\eDataSecurity\x64\encryption.exe:*:Enabled:encryption
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x64\\decryption.exe"= c:\acer\Empowering Technology\eDataSecurity\x64\decryption.exe:*:Enabled:decryption
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x64\\eDSMgr.exe"= c:\acer\Empowering Technology\eDataSecurity\x64\eDSMgr.exe:*:Enabled:eDSMgr
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x64\\eDStbmngr.exe"= c:\acer\Empowering Technology\eDataSecurity\x64\eDStbmngr.exe:*:Enabled:eDStbmngr

R0 fsbts;fsbts;c:\windows\system32\Drivers\fsbts.sys [2008-12-02 30856]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2008-08-09 39680]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2008-08-09 35712]
R1 F-Secure HIPS;F-Secure HIPS;\??\c:\program files\Shaw Secure\HIPS\drivers\fshs.sys [2008-12-02 66720]
R1 FSES;F-Secure Email Scanning Driver;c:\windows\system32\drivers\fses.sys [2008-08-08 35552]
R1 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2008-08-08 70944]
R1 fsvista;F-Secure Vista Support Driver;\??\c:\program files\Shaw Secure\Anti-Virus\minifilter\fsvista.sys [2008-08-08 12384]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\c:\program files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys [2008-08-08 72288]
R3 FSORSPClient;F-Secure ORSP Client;"c:\program files\Shaw Secure\ORSP Client\fsorsp.exe" [2008-12-02 55904]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-20 179712]
S4 F-Secure Filter;F-Secure File System Filter;\??\c:\program files\Shaw Secure\Anti-Virus\Win2K\FSfilter.sys [2008-08-08 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;\??\c:\program files\Shaw Secure\Anti-Virus\Win2K\FSrec.sys [2008-08-08 25184]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{148ca661-6973-11dd-97b2-000000000000}]
\shell\AutoRun\command - G:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Acer Tour Reminder - c:\acer\AcerTour\Reminder.exe
HKLM-Run-eRecoveryService - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/ig?hl=en
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Shaw Secure\FSPS\program\FSLSP.DLL
FF - ProfilePath - c:\users\Butler\AppData\Roaming\Mozilla\Firefox\Profiles\dtv3cfs3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\users\Butler\Program Files\DNA\plugins\npbtdna.dll
FF - plugin: d:\divx\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: d:\divx\DivX Web Player\npdivx32.dll
FF - plugin: d:\mozilla plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-01 14:00:46
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll

- - - - - - - > 'lsass.exe'(672)
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll

- - - - - - - > 'csrss.exe'(512)
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll

- - - - - - - > 'csrss.exe'(584)
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll
.
Completion time: 2009-01-01 14:02:02
ComboFix-quarantined-files.txt 2009-01-01 21:02:00

Pre-Run: 31,342,067,712 bytes free
Post-Run: 31,750,148,096 bytes free

274 --- E O F --- 2008-12-22 18:33:41

#6 Triskelion (Topic Starter, Member, 663 posts)
BTW.... Happy New Year, to you and your family!!!

#7 Rorschach112 ("Ralphie", Retired Staff, 47,710 posts)
Hello

Please download OTMoveIt3 by OldTimer, or from here.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Processes
    explorer.exe
    
    :Services
    
    :Reg
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{148ca661-6973-11dd-97b2-000000000000}]
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Then try SDFix once more.

#8 Triskelion (Topic Starter, Member, 663 posts)
Here is the OTMoveIt log. Trying SDFix again...

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{148ca661-6973-11dd-97b2-000000000000}\\ deleted successfully.
========== FILES ==========
========== COMMANDS ==========
File delete failed. C:\Users\Butler\AppData\Local\Temp\Low\~DF921.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\Butler\AppData\Local\Temp\Low\~DF941.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\Butler\AppData\Local\Temp\~DF8A5F.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 01012009_150633

#9 Triskelion (Topic Starter, Member, 663 posts)
Still a no-go on the SDFix...

#10 Rorschach112 ("Ralphie", Retired Staff, 47,710 posts)
Hello

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.






Go to the Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

#11 Triskelion (Topic Starter, Member, 663 posts)
Here is the Malwarebytes report:

Malwarebytes' Anti-Malware 1.31
Database version: 1597
Windows 6.0.6001 Service Pack 1

02/01/2009 4:36:48 PM
mbam-log-2009-01-02 (16-36-48).txt

Scan type: Quick Scan
Objects scanned: 56094
Time elapsed: 5 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{497dddb6-6eee-4561-9621-b77dc82c1f84} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4e980492-027b-47f1-a7ab-ab086dacbb9e} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5ead8321-fcbb-4c3f-888c-ac373d366c3f} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{31f3cf6e-a71a-4daa-852b-39ac230940b4} (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Windows\System32\SysRestore.dll (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Ascentive (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\Ascentive\PC SpeedScan Pro (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\Ascentive\Performance Center (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Users\Butler\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ascentive (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\SysRestore.dll (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
C:\Program Files\Ascentive\PC SpeedScan Pro\PCSpeedScan.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\Ascentive\PC SpeedScan Pro\SSRes.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\Ascentive\PC SpeedScan Pro\WatchList.ini (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\Ascentive\Performance Center\APCLang.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\Ascentive\Performance Center\ApcMain.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\Ascentive\Performance Center\GUID (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\Ascentive\Performance Center\SOUND.WAV (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ascentive\PC SpeedScan Pro.lnk (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ascentive\Performance Center.lnk (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\videosoft\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Here is the Kaspersky Scan Report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, January 2, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, January 02, 2009 20:54:46
Records in database: 1549910
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 102227
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:24:13


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Windows\System32\msqpdxdpqcyqtp.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.ivf 1

The selected area was scanned.

#12
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Try SDFix now, does it work?

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is Unchecked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

#13
Triskelion

Triskelion

    Member

  • Topic Starter
  • Member
  • 663 posts
Still a No-Go on the SDFix???
I have read on some other sites that SDFix doesn't work on Vista? Is this true?

Here is the GMER scan report: You were right with the rootkit messages too. There was one in there.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-03 13:14:41
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.14 ----

SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwCreateProcess [0x8EB83C26]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwCreateProcessEx [0x8EB83C40]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwCreateThread [0x8EB82DE4]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwLoadDriver [0x8EB8310C]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwMapViewOfSection [0x8EB82B30]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwOpenSection [0x8EB8353E]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwRenameKey [0x8EB847DC]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwSetSystemInformation [0x8EB8338E]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwSuspendProcess [0x8EB829B6]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwSuspendThread [0x8EB82E18]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwSystemDebugControl [0x8EB82F92]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwTerminateProcess [0x8EB82916]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwTerminateThread [0x8EB82A6C]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwWriteVirtualMemory [0x8EB82EDC]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwCreateThreadEx [0x8EB82DFE]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwCreateUserProcess [0x8EB83C5A]

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!KeSetTimerEx + 43C 81EC1A00 8 Bytes [ 26, 3C, B8, 8E, 40, 3C, B8, ... ]
.text ntkrnlpa.exe!KeSetTimerEx + 454 81EC1A18 4 Bytes [ E4, 2D, B8, 8E ]
.text ntkrnlpa.exe!KeSetTimerEx + 5B0 81EC1B74 4 Bytes [ 0C, 31, B8, 8E ]
.text ntkrnlpa.exe!KeSetTimerEx + 5E0 81EC1BA4 4 Bytes [ 30, 2B, B8, 8E ]
.text ntkrnlpa.exe!KeSetTimerEx + 630 81EC1BF4 4 Bytes [ 3E, 35, B8, 8E ]
.text ...

---- User code sections - GMER 1.0.14 ----

.text C:\Windows\Explorer.EXE[3108] SHELL32.dll!InitNetworkAddressControl + 2939 76560064 4 Bytes [ F0, 1F, 00, 10 ]
.text C:\Windows\Explorer.EXE[3108] SHELL32.dll!ShellExecuteExW + 121F 765911DC 4 Bytes [ 40, 1D, 00, 10 ]

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Windows\Explorer.EXE[3108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74417BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [744598C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7441D3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7440F527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74417599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7440E43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [7444B33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7441D68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7441012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74410095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [744071F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7449D802] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [744375E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7440DAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7440668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [744066BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3108] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74411E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3108] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [10002300] C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
IAT C:\Windows\Explorer.EXE[3108] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [10001B30] C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
IAT C:\Windows\Explorer.EXE[3108] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [10002690] C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
IAT C:\Windows\Explorer.EXE[3108] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [10001290] C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs psdfilter.sys (Acer eDataSecurity Management PSD Filter Driver/Egis Incorporated)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.14 ----

Service system32\drivers\msqpdxmsrvdbui.sys (*** hidden *** ) [SYSTEM] msqpdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxmsrvdbui.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules@msqpdxserv \\?\globalroot\systemroot\system32\drivers\msqpdxmsrvdbui.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules@msqpdxl \\?\globalroot\systemroot\system32\msqpdxfwmyjxbp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\msqpdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\msqpdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\msqpdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxmsrvdbui.sys
Reg HKLM\SYSTEM\ControlSet003\Services\msqpdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\msqpdxserv.sys\modules@msqpdxserv \\?\globalroot\systemroot\system32\drivers\msqpdxmsrvdbui.sys
Reg HKLM\SYSTEM\ControlSet003\Services\msqpdxserv.sys\modules@msqpdxl \\?\globalroot\systemroot\system32\msqpdxfwmyjxbp.dll

---- EOF - GMER 1.0.14 ----

Edited by Phroddo, 03 January 2009 - 07:08 PM.


#14
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Ah, you are right about SDFix, lol, I should have known that myself :)



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

Folder::

Rootkit::
C:\windows\system32\drivers\msqpdxmsrvdbui.sys
C:\windows\system32\msqpdxfwmyjxbp.dll

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys]
Driver::
msqpdxserv

KillAll::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
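The GMER log in the previous post flags msqpdxserv.sys as a hidden service, and the CFScript in this reply lists the driver and DLL that the service's registry entries point to. The Python script below is an added example, not part of this thread and not code from GMER or ComboFix: it reads the Services and Registry sections of a GMER log, pairs each hidden service with the registry keys that load it, and collects the file paths named by the imagepath value and the \modules subkey, which is the reading the helper did by hand to write the Rootkit:: and Registry:: sections. The sample log is constructed from the entries quoted above, and the regular expressions assume the GMER 1.0.14 line layout seen in the thread rather than any documented format.

```python
import re
import sys

# Constructed sample input: a trimmed GMER 1.0.14 log in the layout seen in
# the thread, reusing the hidden-service and registry entries the log lists.
SAMPLE_GMER_LOG = r"""GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-03 13:14:41
Windows 6.0.6001 Service Pack 1

---- Services - GMER 1.0.14 ----

Service system32\drivers\msqpdxmsrvdbui.sys (*** hidden *** ) [SYSTEM] msqpdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys@imagepath \systemroot\system32\drivers\msqpdxmsrvdbui.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules@msqpdxserv \\?\globalroot\systemroot\system32\drivers\msqpdxmsrvdbui.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\msqpdxserv.sys\modules@msqpdxl \\?\globalroot\systemroot\system32\msqpdxfwmyjxbp.dll

---- EOF - GMER 1.0.14 ----
"""

# Line shapes assumed from the 1.0.14 log above (assumption, not a spec).
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER ")
SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+"
    r"\[(?P<start>[A-Z]+)\]\s+(?P<name>\S+)"
)
REG_RE = re.compile(
    r"^Reg\s+(?P<key>[^@\s]+)(?:@(?P<value>\S+))?(?:\s+(?P<data>.*))?$"
)


def normalize_nt_path(path: str) -> str:
    """Strip the \\?\globalroot device prefix and lower-case the result so the
    same file seen through two NT path spellings compares equal."""
    p = path.strip()
    prefix = r"\\?\globalroot"
    if p.lower().startswith(prefix):
        p = p[len(prefix):]
    return p.lower()


def parse_gmer(text: str) -> dict:
    """Return the hidden services and registry entries found in a GMER log."""
    section = None
    hidden, registry = [], []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").lower()
            continue
        if section == "services":
            m = SERVICE_RE.match(line)
            if m:
                hidden.append(m.groupdict())
        elif section == "registry":
            m = REG_RE.match(line)
            if m:
                registry.append(m.groupdict())
    return {"hidden_services": hidden, "registry": registry}


def hidden_service_artifacts(parsed: dict) -> dict:
    """Map each hidden service to the registry keys that load it and to the
    files those keys reference (imagepath plus anything under \\modules)."""
    out = {}
    for svc in parsed["hidden_services"]:
        name = svc["name"].lower()
        keys, files = set(), set()
        for entry in parsed["registry"]:
            key = entry["key"]
            if f"\\services\\{name}" not in key.lower():
                continue
            keys.add(key)
            value = (entry["value"] or "").lower()
            data = entry["data"] or ""
            if data and (value == "imagepath" or "\\modules" in key.lower()):
                files.add(normalize_nt_path(data))
        out[svc["name"]] = {
            "image": svc["image"],
            "start": svc["start"],
            "keys": sorted(keys),
            "files": sorted(files),
        }
    return out


def main(argv):
    # Pass a saved GMER.txt as the first argument; otherwise use the sample.
    text = open(argv[1], encoding="utf-8", errors="replace").read() if len(argv) > 1 else SAMPLE_GMER_LOG
    for name, info in hidden_service_artifacts(parse_gmer(text)).items():
        print(f"hidden service {name} (start={info['start']}, image={info['image']})")
        for k in info["keys"]:
            print("  key: ", k)
        for f in info["files"]:
            print("  file:", f)


if __name__ == "__main__":
    main(sys.argv)
```

The output is a review list, not an action list: the two files and two keys it prints for the sample are exactly what the CFScript above names, and a helper would still confirm each one by hand (GMER warns about false positives) before putting it in a removal script.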

#15
Triskelion

Triskelion

    Member

  • Topic Starter
  • Member
  • 663 posts
Here is the new ComboFix Log:

ComboFix 09-01-02.01 - Butler 2009-01-04 13:30:45.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2813.1744 [GMT -7:00]
Running from: c:\users\Butler\Desktop\Antivirus\ComboFix.exe
Command switches used :: c:\users\Butler\Desktop\Antivirus\CFScript.txt
FW: Shaw Secure 2.0 7.03 *enabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-04 to 2009-01-04 )))))))))))))))))))))))))))))))
.

2009-01-03 11:37 . 2009-01-03 11:37 250 --a------ c:\windows\gmer.ini
2009-01-02 14:03 . 2009-01-02 14:03 <DIR> d-------- c:\users\Butler\AppData\Roaming\Malwarebytes
2009-01-02 14:03 . 2009-01-02 14:03 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-01-02 14:03 . 2009-01-02 14:03 <DIR> d-------- c:\programdata\Malwarebytes
2009-01-02 14:03 . 2008-12-03 19:59 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-01-02 14:03 . 2008-12-03 19:59 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-01-01 15:06 . 2009-01-01 15:06 <DIR> d-------- C:\_OTMoveIt
2008-12-27 15:27 . 2008-12-27 15:27 <DIR> d-------- c:\users\Butler\AppData\Roaming\Media Player Classic
2008-12-27 15:21 . 2007-09-04 09:56 164,352 --a------ c:\windows\System32\unrar.dll
2008-12-27 15:21 . 2008-07-30 12:09 38 --a------ c:\windows\avisplitter.ini
2008-12-18 22:22 . 2008-12-18 22:22 <DIR> d-------- c:\users\Butler\AppData\Roaming\Research In Motion
2008-12-18 22:19 . 2008-12-18 22:19 <DIR> d-------- c:\program files\Common Files\Research In Motion
2008-12-18 22:19 . 2007-01-18 10:24 26,496 --a------ c:\windows\System32\drivers\RimSerial.sys
2008-12-17 11:38 . 2008-12-17 11:38 <DIR> d-------- c:\users\All Users\Ascentive
2008-12-17 11:38 . 2008-12-17 11:38 <DIR> d-------- c:\programdata\Ascentive
2008-12-17 00:35 . 2008-07-29 11:27 208,896 --a------ c:\windows\System32\ConTest.dll
2008-12-17 00:35 . 2008-08-20 17:44 45,056 --a------ c:\windows\System32\CreateLog.dll
2008-12-17 00:35 . 2007-07-03 11:48 36,864 --a------ c:\windows\System32\ascbalon.dll
2008-12-10 22:00 . 2008-10-21 18:22 2,048 --a------ c:\windows\System32\tzres.dll
2008-12-10 21:26 . 2008-10-20 22:25 296,960 --a------ c:\windows\System32\gdi32.dll
2008-12-10 21:26 . 2008-10-31 20:44 28,672 --a------ c:\windows\System32\Apphlpdm.dll
2008-12-06 14:17 . 2008-12-06 14:18 <DIR> d-------- c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-06 14:17 . 2008-12-06 14:18 <DIR> d-------- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-06 14:17 . 2008-12-06 14:17 <DIR> d-------- c:\program files\iPod
2008-12-06 14:15 . 2008-12-06 14:15 <DIR> d-------- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-04 20:24 --------- d-----w c:\program files\Shaw Secure
2009-01-04 20:22 --------- d-----w c:\users\Butler\AppData\Roaming\DNA
2008-12-31 08:35 --------- d-----w c:\program files\Mozilla Thunderbird
2008-12-28 22:23 --------- d-----w c:\users\Butler\AppData\Roaming\BitTorrent
2008-12-24 06:57 --------- d-----w c:\users\Butler\AppData\Roaming\LimeWire
2008-12-17 07:35 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-15 17:22 --------- d-----w c:\program files\Java
2008-12-11 16:56 --------- d-----w c:\program files\Windows Mail
2008-12-11 05:03 --------- d-----w c:\programdata\Microsoft Help
2008-12-10 02:19 --------- d-----w c:\users\Butler\AppData\Roaming\DivX
2008-12-08 19:45 --------- d-----w c:\program files\Common Files\Adobe
2008-12-06 21:17 --------- d-----w c:\programdata\Apple Computer
2008-12-06 21:17 --------- d-----w c:\program files\Common Files\Apple
2008-12-02 17:03 30,856 ----a-w c:\windows\system32\drivers\fsbts.sys
2008-12-02 16:53 --------- d-----w c:\programdata\fssg
2008-12-02 16:53 --------- d-----w c:\programdata\F-Secure
2008-11-24 20:35 --------- d-----w c:\program files\Manulife Financial
2008-11-24 20:34 --------- d-----w c:\program files\Common Files\Manulife Financial
2008-11-24 20:32 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-11 19:18 --------- d-----w c:\program files\Log Parser 2.2
2008-11-10 21:02 --------- d-----w c:\program files\Canada Life
2008-11-10 12:43 410,984 ----a-w c:\windows\System32\deploytk.dll
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-11-01 01:21 4,240,384 ----a-w c:\windows\System32\GameUXLegacyGDFs.dll
2008-10-29 06:29 2,927,104 ----a-w c:\windows\explorer.exe
2008-10-28 22:36 823,296 ----a-w c:\windows\System32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\System32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\System32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\System32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\System32\DivX.dll
2008-10-22 03:57 241,152 ----a-w c:\windows\System32\PortableDeviceApi.dll
2008-10-21 05:25 1,645,568 ----a-w c:\windows\System32\connect.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\System32\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\System32\wuapi.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\System32\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\System32\wups2.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\System32\wups.dll
2008-10-16 21:08 162,064 ----a-w c:\windows\System32\wuwebv.dll
2008-10-16 20:56 31,232 ----a-w c:\windows\System32\wuapp.exe
2008-10-16 20:56 1,524,736 ----a-w c:\windows\System32\wucltux.dll
2008-10-16 20:55 83,456 ----a-w c:\windows\System32\wudriver.dll
2008-10-16 04:47 827,392 ----a-w c:\windows\System32\wininet.dll
2008-08-18 06:50 86,016 ----a-w c:\users\Butler\AppData\Roaming\ewsPlugin.dll
2008-08-18 06:50 81,920 ----a-w c:\users\Butler\AppData\Roaming\eselleratePlugin.dll
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
1999-06-25 16:55 149,504 ----a-w c:\program files\UNWISE.EXE
.

((((((((((((((((((((((((((((( snapshot@2009-01-01_14.01.08.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-03 18:37:26 884,736 ----a-w c:\windows\gmer.dll
+ 2009-01-03 18:36:52 811,008 ----a-w c:\windows\gmer.exe
+ 2009-01-01 21:10:54 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-01-01 21:10:54 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-01 21:10:54 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-01-01 21:00:47 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-01-04 20:34:01 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-01-04 20:34:01 262,144 ---ha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2009-01-01 21:00:41 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-01-04 20:34:01 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-01-04 20:34:01 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2009-01-01 20:45:00 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-01-01 22:26:37 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-01-01 20:45:00 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-01 22:26:37 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-01-01 20:45:00 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-01-01 22:26:37 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-01-01 20:52:14 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
+ 2009-01-04 20:30:06 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
+ 2009-01-03 18:37:26 85,969 ----a-w c:\windows\System32\drivers\gmer.sys
- 2009-01-01 20:51:05 113,706 ----a-w c:\windows\System32\perfc009.dat
+ 2009-01-04 01:06:37 113,706 ----a-w c:\windows\System32\perfc009.dat
- 2009-01-01 20:51:05 618,740 ----a-w c:\windows\System32\perfh009.dat
+ 2009-01-04 01:06:37 618,740 ----a-w c:\windows\System32\perfh009.dat
- 2009-01-01 20:58:15 6,650 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3626016547-810892904-695224358-1003_UserData.bin
+ 2009-01-04 01:03:27 6,744 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3626016547-810892904-695224358-1003_UserData.bin
- 2009-01-01 20:58:15 89,682 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-01-04 01:03:27 90,244 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-01-01 20:58:08 60,576 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-01-04 01:03:25 60,818 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-01-01 11:19:49 297,120 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-01-04 11:18:33 299,888 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-01-01 20:21:48 258,002 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2009-01-04 20:22:07 263,046 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 01:00 39472 --a------ c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-20 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-20 125952]
"googletalk"="c:\users\Butler\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-10 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-10 86960]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-10 218032]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-20 202240]
"BitTorrent DNA"="c:\users\Butler\Program Files\DNA\btdna.exe" [2008-12-18 342848]
"DSF-DFS Updates Installation"="c:\nodesys\Maj\ExemajLauncher.exe" [2008-11-25 778240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-07 102400]
"F-Secure Manager"="c:\program files\Shaw Secure\Common\FSM32.EXE" [2008-09-23 182936]
"F-Secure TNB"="c:\program files\Shaw Secure\FSGUI\TNBUtil.exe" [2008-09-23 957024]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"PLFSetI"="c:\windows\PLFSetI.exe" [2007-10-23 200704]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-22 81920]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 62760]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-01-03 521776]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-01-07 858632]
"Acer Product Registration"="c:\program files\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]
"WinampAgent"="d:\winamp\winampa.exe" [2008-08-03 36352]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Afaria Client File Differencing"="c:\nodesys\Afaria\Bin\XCDiffCache.exe" [2006-11-30 167936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="D:\iTunesHelper.exe" [2008-11-20 290088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-07 c:\windows\RtHDVCpl.exe]
"Skytel"="Skytel.exe" [2007-11-20 c:\windows\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DiamondView"="c:\program files\Manulife Financial\Diamond View\Diamondview.exe" [2008-01-11 949248]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Afaria Client Generic Scheduler.lnk - c:\nodesys\Afaria\Bin\XCGSTask.exe [2008-11-11 552960]
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-06-09 471040]
PDFCreator.lnk - d:\pdfcreator\PDFCreator.exe [2008-08-11 2641920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{AF15A90A-3784-44A0-BD5D-FC0D15FD3B1C}"= c:\program files\CyberLink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD
"{569CB108-441E-4C16-9F97-C827CD391DE4}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{6CB68E85-B0AD-4F29-BB8D-67D52D19C384}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{C802AD6C-3A53-43F2-BE76-E1FE2861C3A5}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{B64DA3B4-ADE0-4622-9D3F-861ADE141465}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{8841B175-52BE-419B-A49D-FADC3ECFFE1D}"= UDP:d:\bittorrent\BitTorrent.exe:BitTorrent (TCP-In)
"{9ECC4BE4-1114-48C7-8882-E568215063B6}"= TCP:d:\bittorrent\BitTorrent.exe:BitTorrent (UDP-In)
"{C4FF6974-FC53-4EF8-9067-C69805344E0B}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{E2DCC695-DE07-49F5-85EF-D41B6D4667B0}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{DC90491E-11E9-428D-BE30-D266C7D18D51}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{3F0BD56B-79D6-4F4F-833A-6594B5562033}"= UDP:D:\iTunes.exe:iTunes
"{93868686-D16D-4E71-A1DC-29C12487657A}"= TCP:D:\iTunes.exe:iTunes
"{743DADC6-FB7A-4320-AA8D-8EC26DC53F8A}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{6C5E0895-D773-4847-9349-2B709E30CE04}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{98663A66-680B-4AAF-B08B-41507CA4047F}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{57DD8829-2F61-4174-A7A0-9744E2B402ED}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{1DCA74B8-8749-4962-B6BB-BF345C0DB882}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{F7F9BFDB-B1A8-48A3-BACB-5F94779504C1}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{43ECB52E-B653-4798-915F-6D42137E6042}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{ABE1E98A-5DB7-4F42-AA35-3A26BCAADF1B}"= UDP:D:\iTunes.exe:iTunes
"{9FCC704D-F434-4193-B783-2F171217C199}"= TCP:D:\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"d:\\BitTorrent\\bittorrent.exe"= d:\bittorrent\bittorrent.exe:*:Enabled:BitTorrent
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\eDSfsu.exe"= c:\acer\Empowering Technology\eDataSecurity\x86\eDSfsu.exe:*:Enabled:eDSfsu
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\encryption.exe"= c:\acer\Empowering Technology\eDataSecurity\x86\encryption.exe:*:Enabled:encryption
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\decryption.exe"= c:\acer\Empowering Technology\eDataSecurity\x86\decryption.exe:*:Enabled:decryption
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\eDSMgr.exe"= c:\acer\Empowering Technology\eDataSecurity\x86\eDSMgr.exe:*:Enabled:eDSMgr
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\eDStbmngr.exe"= c:\acer\Empowering Technology\eDataSecurity\x86\eDStbmngr.exe:*:Enabled:eDStbmngr
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x64\\eDSfsu.exe"= c:\acer\Empowering Technology\eDataSecurity\x64\eDSfsu.exe:*:Enabled:eDSfsu
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x64\\encryption.exe"= c:\acer\Empowering Technology\eDataSecurity\x64\encryption.exe:*:Enabled:encryption
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x64\\decryption.exe"= c:\acer\Empowering Technology\eDataSecurity\x64\decryption.exe:*:Enabled:decryption
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x64\\eDSMgr.exe"= c:\acer\Empowering Technology\eDataSecurity\x64\eDSMgr.exe:*:Enabled:eDSMgr
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x64\\eDStbmngr.exe"= c:\acer\Empowering Technology\eDataSecurity\x64\eDStbmngr.exe:*:Enabled:eDStbmngr

R0 fsbts;fsbts;c:\windows\System32\drivers\fsbts.sys [2008-12-02 30856]
R0 O2MDRDR;O2MDRDR;c:\windows\System32\drivers\o2media.sys [2008-08-09 39680]
R0 O2SDRDR;O2SDRDR;c:\windows\System32\drivers\o2sd.sys [2008-08-09 35712]
R1 F-Secure HIPS;F-Secure HIPS;c:\program files\Shaw Secure\HIPS\drivers\fshs.sys [2008-12-02 66720]
R1 FSES;F-Secure Email Scanning Driver;c:\windows\System32\drivers\fses.sys [2008-08-08 35552]
R1 FSFW;F-Secure Firewall Driver;c:\windows\System32\drivers\fsdfw.sys [2008-08-08 70944]
R1 fsvista;F-Secure Vista Support Driver;c:\program files\Shaw Secure\Anti-Virus\minifilter\fsvista.sys [2008-08-08 12384]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys [2008-08-08 72288]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\Shaw Secure\ORSP Client\fsorsp.exe [2008-12-02 55904]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [2008-01-20 179712]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\Shaw Secure\Anti-Virus\win2k\fsfilter.sys [2008-08-08 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Shaw Secure\Anti-Virus\win2k\fsrec.sys [2008-08-08 25184]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Performance Center - c:\program files\Ascentive\Performance Center\ApcMain.exe
HKLM-Run-PC SpeedScan Pro - c:\program files\Ascentive\PC SpeedScan Pro\PCSpeedScan.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/ig?hl=en
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Shaw Secure\FSPS\program\FSLSP.DLL
FF - ProfilePath - c:\users\Butler\AppData\Roaming\Mozilla\Firefox\Profiles\dtv3cfs3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\users\Butler\Program Files\DNA\plugins\npbtdna.dll
FF - plugin: d:\divx\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: d:\divx\DivX Web Player\npdivx32.dll
FF - plugin: d:\mozilla plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-04 13:34:06
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll

- - - - - - - > 'lsass.exe'(692)
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll

- - - - - - - > 'Explorer.exe'(1252)
c:\program files\Shaw Secure\Spam Control\fsscoepl.dll
c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll

- - - - - - - > 'csrss.exe'(572)
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll

- - - - - - - > 'csrss.exe'(644)
c:\program files\Shaw Secure\FWES\Program\fsdc32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\wlanext.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Shaw Secure\Anti-Virus\fsgk32st.exe
c:\program files\Shaw Secure\Common\FSMA32.EXE
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Shaw Secure\Anti-Virus\fsgk32.exe
c:\program files\Shaw Secure\Common\FSMB32.EXE
c:\acer\Mobility Center\MobilityService.exe
c:\windows\System32\drivers\XAudio.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\program files\Shaw Secure\Common\FCH32.EXE
c:\program files\Shaw Secure\Anti-Virus\fsqh.exe
c:\program files\Shaw Secure\Common\FAMEH32.EXE
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Shaw Secure\FSAUA\program\fsaua.exe
c:\program files\Shaw Secure\Anti-Virus\fssm32.exe
c:\program files\Shaw Secure\FWES\program\fsdfwd.exe
c:\program files\Shaw Secure\FSAUA\program\fsus.exe
c:\combofix\hidec.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\System32\wbem\unsecapp.exe
c:\users\Butler\AppData\Local\Temp\RtkBtMnt.exe
c:\program files\Shaw Secure\Anti-Virus\fsav32.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Launch Manager\LManager.exe
c:\program files\Shaw Secure\FSGUI\fsguidll.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Mcafee\MNA\McNASvc.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\combofix\Catchme.tmp
c:\windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2009-01-04 13:38:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-04 20:37:34
ComboFix2.txt 2009-01-01 21:02:03

Pre-Run: 38,403,678,208 bytes free
Post-Run: 38,254,206,976 bytes free

333 --- E O F --- 2009-01-02 03:05:00
  • 0
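The three blocks worth reading in the log above are the firewall policy dump (both Windows Firewall profiles show EnableFirewall = 0, and the StandardProfile AuthorizedApplications list opens BitTorrent and the Acer eDataSecurity tools to any address), and the R/S driver table. The script below is an added example, not part of the original thread and not ComboFix's own code: a small parser that pulls those sections out of a pasted ComboFix log and turns them into findings. It assumes ComboFix's conventions (R = running, S = stopped, the digit is the Windows service start type; authorized-application values are `path:scope:Enabled|Disabled:label`, with scope `*` meaning any address), and it uses an excerpt of the log above as embedded sample input. The caveat it encodes is the one a practitioner wants here: EnableFirewall = 0 on every profile is normal when a third-party suite carries its own firewall driver (F-Secure's fsdfw.sys in this log), so on its own it is not evidence of infection.

```python
import re
from dataclasses import dataclass

# Sample input: an excerpt of the ComboFix log posted above (firewall policy dump
# and driver/service table), embedded here so the parser runs offline.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"d:\\BitTorrent\\bittorrent.exe"= d:\bittorrent\bittorrent.exe:*:Enabled:BitTorrent
"c:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\eDSfsu.exe"= c:\acer\Empowering Technology\eDataSecurity\x86\eDSfsu.exe:*:Enabled:eDSfsu

R0 fsbts;fsbts;c:\windows\System32\drivers\fsbts.sys [2008-12-02 30856]
R1 FSFW;F-Secure Firewall Driver;c:\windows\System32\drivers\fsdfw.sys [2008-08-08 70944]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [2008-01-20 179712]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\Shaw Secure\Anti-Virus\win2k\fsfilter.sys [2008-08-08 39776]
"""

SECTION_RE = re.compile(r'^\[(?P<key>.+)\]$')               # [HKLM\...] registry key header
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*)$')  # "Name"= value
# Assumed ComboFix convention: R/S = running/stopped, digit = service start type.
SERVICE_RE = re.compile(
    r'^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);'
    r'(?P<path>.+?)\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$')
START_TYPES = {'0': 'boot', '1': 'system', '2': 'auto', '3': 'demand', '4': 'disabled'}


@dataclass
class Service:
    running: bool
    start_type: str
    name: str
    display: str
    path: str
    date: str
    size: int


@dataclass
class AuthorizedApp:
    profile: str
    path: str
    scope: str      # '*' = any address (assumed Windows Firewall registry format)
    enabled: bool
    label: str


def parse_combofix(text):
    """Extract firewall profile state, authorized apps and driver entries from a log."""
    firewall, apps, services, section = {}, [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m['key']
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append(Service(m['state'] == 'R', START_TYPES[m['start']], m['name'],
                                    m['display'], m['path'], m['date'], int(m['size'])))
            continue
        m = VALUE_RE.match(line)
        if not (m and section):
            continue
        parts = section.split('\\')
        lower = [p.lower() for p in parts]
        if 'firewallpolicy' not in lower:
            continue
        idx = lower.index('firewallpolicy')
        profile = parts[idx + 1] if len(parts) > idx + 1 else None
        if m['name'] == 'EnableFirewall' and len(parts) == idx + 2:
            firewall[profile] = int(m['value'].split()[0])      # "0 (0x0)" -> 0
        elif lower[-1] == 'list' and 'authorizedapplications' in lower:
            fields = m['value'].rsplit(':', 3)                  # path:scope:state:label
            if len(fields) == 4:
                path, scope, state, label = fields
                apps.append(AuthorizedApp(profile, path, scope, state == 'Enabled', label))
    return {'firewall': firewall, 'authorized_apps': apps, 'services': services}


def findings(parsed):
    """Turn the parsed sections into reviewer-style findings, caveat included."""
    out = []
    off = [p for p, v in sorted(parsed['firewall'].items()) if v == 0]
    out += [f'Windows Firewall is off for {p}' for p in off]
    third_party = [s.name for s in parsed['services'] if 'firewall' in s.display.lower()]
    if off and third_party:
        out.append(f'third-party firewall driver loaded ({", ".join(third_party)}): '
                   'Windows Firewall being off is expected when a security suite replaces it')
    for app in parsed['authorized_apps']:
        if app.enabled and app.scope == '*':
            out.append(f'{app.profile} allows {app.label} ({app.path}) inbound from any address')
    return out


if __name__ == '__main__':
    for line in findings(parse_combofix(SAMPLE_LOG)):
        print(line)
```

Run it against a full pasted log instead of the excerpt and the driver table gives you the same start-type view the R0/R1/S3/S4 prefixes encode, which is what makes a boot-start driver with an unfamiliar path stand out; the firewall findings are the ones to read alongside the list of installed security software before treating "firewall off" as part of the infection.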