
suspect win32.tidserv


2 replies to this topic

#1 renchy

renchy

  • Members
  • 2 posts
  • Local time:04:38 PM

Posted 04 January 2009 - 06:25 AM

I have been having trouble with popups and my Google searches being redirected through ecata.info. After many long hours I found that though the files and registry entries are not visible, I have a suspect file "msqpdxserv.sys" in system32 (according to a GMER rootkit scan). I then was able to search for and find the invisible file "msqpdxuctxeqiq.dll" in my system32 folder but I still cannot SEE it, so I copied it to my desktop as a reference, and as soon as I restart my computer, it hides itself, although according to the search function it's still on my desktop.

I have run Spybot, Ad-Aware and Trend Micro Pro with no luck, and I am in desperate need of help.

I have attached the GMER rootkit log (ark.txt) as a reference also.

DDS Log:

DDS (Version 1.1.0) - NTFSx86
Run by user at 17:03:54.49 on Fri 02/01/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.2038.890 [GMT 11:00]

AV: Trend Micro Internet Security Pro *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Program Files\Mobile Action\Bluetooth Manager\MaBtSh.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\mobsync.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
C:\Program Files\Acer Arcade Live\Acer TV Share\Kernel\DMSTV\CLMSServer.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\user\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://mail.google.com/mail
uSEARCH PAGE = hxxp://au.rd.yahoo.com/customize/ycomp/defaults/sp/*http://au.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.au.acer.yahoo.com
mDefault_Page_URL = hxxp://en.au.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://au.rd.yahoo.com/customize/ycomp/defaults/su/*http://au.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: TSToolbarBHO: {c1656cca-d2ea-4a32-94ae-ae0b180e6449} - c:\program files\trend micro\trendsecure\transactionprotector\TSToolbar.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Transaction Protector: {e7620c98-fccc-40e5-92ec-c7685d2e1e40} - c:\program files\trend micro\trendsecure\transactionprotector\TSToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Acer Tour Reminder]
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [{966A6182-EE72-4C57-3273-BCE1CC57698A}] c:\users\user\appdata\Roaming:svhosts.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Acer Tour]
mRun: [PCMMediaSharing] c:\program files\acer arcade live\acer homemedia connect\kernel\dms\PCMMediaSharing.exe
mRun: [Acer Empowering Technology Monitor] c:\acer\empowering technology\SysMonitor.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [Apanel] c:\acersw\config\NewSetApanel.cmd
mRun: [eRecoveryService]
mRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
mRun: [MaBtSh] c:\program files\mobile action\bluetooth manager\MaBtSh.exe
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\n3vduk7x.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail

============= SERVICES / DRIVERS ===============

R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2008-2-17 141840]
R2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;"c:\program files\acer arcade live\acer homemedia connect\kernel\dms\CLMSServer.exe" [2007-8-16 269448]
R2 Acer TV Share Service;Acer TV Share Service;"c:\program files\acer arcade live\acer tv share\kernel\dmstv\CLMSServer.exe" [2007-9-20 269432]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-2-17 52240]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-2-17 36368]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2008-2-17 234512]
R3 Ma730Pt;MA730 Bluetooth VCOM Driver;c:\windows\system32\drivers\Ma730Pt.sys [2008-2-15 103040]
R3 Ma730Vad;MA730 Bluetooth Audio;c:\windows\system32\drivers\Ma730Vad.sys [2008-2-15 23376]
R3 OmniTV;Cx2388x AvStream Video Capture;c:\windows\system32\drivers\OmniTV.sys [2007-8-16 221184]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2008-11-9 488768]
R3 tmproxy;Trend Micro Proxy Service;"c:\program files\trend micro\internet security\TmProxy.exe" [2008-11-9 648456]
S3 AVerM115S;AVerM115S service;c:\windows\system32\drivers\AVerM115S.sys [2007-8-16 856832]
S3 Ma730c;MA730 Bluetooth Core Driver;c:\windows\system32\drivers\MA730C.sys [2008-2-15 155648]

=============== Created Last 30 ================

2009-01-01 20:05 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-01-01 20:05 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-01 20:05 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-01-01 17:49 <DIR> --d----- c:\program files\Lavasoft
2009-01-01 17:49 <DIR> --d----- c:\programdata\Lavasoft
2008-12-28 21:32 <DIR> --d----- C:\share
2008-12-28 13:16 <DIR> --d--r-- c:\users\user\appdata\roaming\Brother
2008-12-26 23:13 <DIR> --d----- c:\programdata\Adobe Systems
2008-12-26 23:12 <DIR> --d----- c:\program files\common files\Adobe Systems Shared
2008-12-24 20:50 192,512 a------- c:\windows\system32\kdfvmgr.exe
2008-12-24 20:50 77,824 a------- c:\windows\system32\kdfapi.dll
2008-12-24 20:50 53,248 a------- c:\windows\system32\Kdfhok.dll
2008-12-20 22:08 <DIR> --d----- C:\Scenario
2008-12-20 19:58 <DIR> --d----- c:\users\user\appdata\roaming\Microsoft Games
2008-12-20 19:34 <DIR> --d----- c:\program files\GameSpy Arcade
2008-12-20 12:48 2,048 a------- c:\windows\system32\tzres.dll
2008-12-19 22:42 296,960 a------- c:\windows\system32\gdi32.dll
2008-12-19 22:40 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2008-12-19 22:40 28,672 a------- c:\windows\system32\Apphlpdm.dll
2008-12-19 22:38 2,927,104 a------- c:\windows\explorer.exe
2008-12-19 22:38 827,392 a------- c:\windows\system32\wininet.dll
2008-12-19 22:38 2,868,736 a------- c:\windows\system32\mf.dll
2008-12-19 22:38 996,352 a------- c:\windows\system32\WMNetMgr.dll
2008-12-19 22:38 94,720 a------- c:\windows\system32\logagent.exe

==================== Find3M ====================

2008-11-11 18:51 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-11-09 19:11 143,360 a------- c:\windows\inf\infstrng.dat
2008-11-09 19:11 51,200 a------- c:\windows\inf\infpub.dat
2008-11-09 19:11 86,016 a------- c:\windows\inf\infstor.dat
2008-11-05 18:16 174 a--sh--- c:\program files\desktop.ini
2008-11-05 18:09 665,600 a------- c:\windows\inf\drvindex.dat
2008-11-05 17:59 101,888 a------- c:\windows\system32\ifxcardm.dll
2008-11-05 17:59 82,432 a------- c:\windows\system32\axaltocm.dll
2008-11-03 14:51 361,984 a------- c:\windows\system32\IPSECSVC.DLL
2008-11-03 14:51 272,896 a------- c:\windows\system32\polstore.dll
2008-11-03 14:51 61,440 a------- c:\windows\system32\winipsec.dll
2008-11-03 14:51 28,672 a------- c:\windows\system32\FwRemoteSvr.dll
2008-11-03 14:50 2,560 a------- c:\windows\apppatch\AcRes.dll
2008-11-03 14:50 1,695,744 a------- c:\windows\system32\gameux.dll
2008-11-03 14:49 428,544 a------- c:\windows\system32\EncDec.dll
2008-11-03 14:49 293,376 a------- c:\windows\system32\psisdecd.dll
2008-11-03 14:45 269,312 a------- c:\windows\system32\es.dll
2008-11-03 14:44 303,616 a------- c:\windows\system32\wmpeffects.dll
2008-11-03 14:44 2,032,640 a------- c:\windows\system32\win32k.sys
2008-11-03 14:36 988,216 a------- c:\windows\system32\winload.exe
2008-11-03 14:36 927,288 a------- c:\windows\system32\winresume.exe
2008-11-03 14:36 378,368 a------- c:\windows\system32\srcore.dll
2008-11-03 14:36 318,464 a------- c:\windows\system32\rstrui.exe
2008-11-03 14:36 40,960 a------- c:\windows\system32\srclient.dll
2008-11-03 14:36 19,000 a------- c:\windows\system32\kd1394.dll
2008-11-03 14:36 14,848 a------- c:\windows\system32\srdelayed.exe
2008-11-03 14:36 6,656 a------- c:\windows\system32\kbd106n.dll
2008-11-03 14:36 615,992 a------- c:\windows\system32\ci.dll
2008-11-03 14:36 46,592 a------- c:\windows\system32\setbcdlocale.dll
2008-11-03 14:32 443,392 a------- c:\windows\system32\win32spl.dll
2008-11-03 14:32 37,888 a------- c:\windows\system32\printcom.dll
2008-11-03 14:32 14,848 a------- c:\windows\system32\wshrm.dll
2008-11-03 14:31 738,304 a------- c:\windows\system32\inetcomm.dll
2008-11-03 14:31 84,480 a------- c:\windows\system32\INETRES.dll
2008-11-03 14:30 1,314,816 a------- c:\windows\system32\quartz.dll
2008-11-03 14:29 3,601,464 a------- c:\windows\system32\ntkrnlpa.exe
2008-11-03 14:29 3,549,240 a------- c:\windows\system32\ntoskrnl.exe
2008-11-01 14:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-11-01 14:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-11-01 14:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-11-01 14:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-11-01 14:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-10-29 09:36 823,296 a------- c:\windows\system32\divx_xx0c.dll
2008-10-29 09:36 823,296 a------- c:\windows\system32\divx_xx07.dll
2008-10-29 09:35 815,104 a------- c:\windows\system32\divx_xx0a.dll
2008-10-29 09:35 802,816 a------- c:\windows\system32\divx_xx11.dll
2008-10-29 09:35 684,032 a------- c:\windows\system32\DivX.dll
2008-10-22 14:57 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2008-10-21 16:25 1,645,568 a------- c:\windows\system32\connect.dll
2008-10-17 07:56 1,524,736 a------- c:\windows\system32\wucltux.dll
2008-10-17 07:55 83,456 a------- c:\windows\system32\wudriver.dll
2008-10-16 14:08 162,064 a------- c:\windows\system32\wuwebv.dll
2008-10-16 13:56 31,232 a------- c:\windows\system32\wuapp.exe
2006-11-02 23:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 23:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 23:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 23:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 20:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 20:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 20:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 20:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 17:04:35.72 ===============


HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:15 AM, on 3/01/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Program Files\Mobile Action\Bluetooth Manager\MaBtSh.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\taskeng.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://au.rd.yahoo.com/customize/ycomp/def...://au.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.au.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.au.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://au.rd.yahoo.com/customize/ycomp/def...://au.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCMMediaSharing] C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Acer\Empowering Technology\SysMonitor.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [Apanel] C:\ACERSW\config\NewSetApanel.cmd
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [MaBtSh] C:\Program Files\Mobile Action\Bluetooth Manager\MaBtSh.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [{966A6182-EE72-4C57-3273-BCE1CC57698A}] C:\Users\user\AppData\Roaming:svhosts.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acer HomeMedia Connect Service - CyberLink - C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
O23 - Service: Acer TV Share Service - CyberLink - C:\Program Files\Acer Arcade Live\Acer TV Share\Kernel\DMSTV\CLMSServer.exe
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 9479 bytes


thanks,

adam
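The HijackThis log above is the sort of thing forum helpers read line by line. As an added example (not code from the post or from HijackThis itself), here is a small Python triage script that parses HJT-format lines and flags two things a defender checks first: an O4 autorun whose command is an NTFS alternate data stream (the `Roaming:svhosts.exe` entry uses that `folder:stream` syntax) and O2/O3/O23 entries whose file is missing. The sample lines are constructed from this post's log plus a few benign lines for contrast; the regexes and the `Finding` type are mine.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: HijackThis v2 lines copied from the log in this post,
# plus benign entries so the script has something to ignore.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [{966A6182-EE72-4C57-3273-BCE1CC57698A}] C:\Users\user\AppData\Roaming:svhosts.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
"""

# "O4 - <body>" / "R1 - <body>": section code then the entry itself.
SECTION_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# O4 body: "HKCU\..\Run: [value name] command", optionally with a SID after HKUS.
RUN_RE = re.compile(r"^HK\w+(?:\\S-[\d-]+)?\\\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# A drive-letter path whose last component is "name:stream", i.e. an NTFS
# alternate data stream rather than an ordinary file.
ADS_RE = re.compile(r"^[A-Za-z]:\\(?P<file>[^:]*):(?P<stream>[^:\\]+)$")


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O4"
    reason: str
    line: str


def first_token(cmd: str) -> str:
    """Return the executable part of a Run command: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def analyse_hjt(log_text: str) -> list[Finding]:
    """Walk an HJT log and return entries worth a closer look, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O4":
            run = RUN_RE.match(body)
            if run:
                ads = ADS_RE.match(first_token(run.group("cmd")))
                if ads:
                    findings.append(Finding(code, "autorun executes NTFS alternate data stream "
                                            f"'{ads.group('stream')}' attached to '{ads.group('file')}'", line))
        elif code in ("O2", "O3", "O23") and ("(no file)" in body or "(file missing)" in body):
            # Dangling hooks/services are usually leftovers, but they still need cleaning up.
            findings.append(Finding(code, "entry points at a file that no longer exists", line))
    return findings


if __name__ == "__main__":
    for f in analyse_hjt(SAMPLE_HJT_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```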

#2 bamajim

bamajim

  • Members
  • 894 posts
  • Local time:12:38 AM

Posted 06 January 2009 - 11:20 AM

renchy

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
    (How to extract (decompress) zipped or compressed files, help in the link here: )
2. Now, start The Avenger program by clicking on its icon on your desktop.
  • Make sure the "Scan for Rootkits" box is checked
  • Select Execute
  • You will be prompted "No Script loaded, do you want to scan for rootkits."
  • Select Yes
  • Answer Yes when prompted to reboot
3. The Avenger will automatically do the following:
  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.
Microsoft MVP - Windows Security

#3 renchy

renchy
  • Topic Starter

  • Members
  • 2 posts
  • Local time:04:38 PM

Posted 07 January 2009 - 03:05 AM

Thanks bamajim, but I only just now finished cleaning the computer with help from a similar forum. Thread may now be closed.
