Data consuming and antivirus update blocking virus.


  • This topic is locked
18 replies to this topic

#1 Bromers

  • Members
  • 16 posts
  • OFFLINE
  • Local time:05:18 PM

Posted 09 April 2009 - 09:34 AM

Hello,

My hard drive has slowly depleted, and in the last three days, after a huge removal of files, gone from 15GB free to currently about 8GB. It has been full for quite some time, but it only occurred to me something was wrong when my Kaspersky antivirus kept asking to be updated. About 7 times in the last week or so. Kaspersky managed to remove a huge amount last week, and thanks to the help of 'boopme' and 'DaChew' have managed to remove more. I've now been asked to post here.

Topic referenced is here: http://www.bleepingcomputer.com/forums/t/216826/i-think-i-have-a-virus-but-i-dont-know-what-to-do/ ~ OB




DDS (Ver_09-03-16.01) - NTFSx86
Run by Matthew at 14:57:16.13 on 09/04/2009
Internet Explorer: 7.0.6000.16809 BrowserJavaVersion: 1.5.0_12
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.2046.842 [GMT 1:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated)
FW: Kaspersky Internet Security *enabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Acer\ALaunch\ALaunchSvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Users\Matthew\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\On Demand Distribution\OD2 Music Manager\OD2MediaBar_VistaFileManager.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Matthew\Desktop\dds.scr
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSEARCH PAGE =
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearch Bar =
mStart Page = hxxp://en.uk.acer.yahoo.com
mDefault_Page_URL = hxxp://en.uk.acer.yahoo.com
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uURLSearchHooks: H - No File
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_12\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [eAudio] "c:\acer\empowering technology\eaudio\eAudio.exe"
mRun: [Acer Tour]
mRun: [PLFSet] rundll32.exe c:\windows\PLFSet.dll,PLFDefSetting
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [PlayMovie] "c:\program files\acer arcade deluxe\play movie\PMVService.exe"
mRun: [Skytel] Skytel.exe
mRun: [eRecoveryService]
mRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
mRun: [WarReg_PopUp] c:\acer\wr_popup\WarReg_PopUp.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [IaNvSrv] c:\program files\intel\intel matrix storage manager\orom\ianvsrv\IaNvSrv.exe
mRun: [SetPanel] c:\acer\apanel\APanel.cmd
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_12\bin\jusched.exe"
mRun: [MediaBarFileManager] c:\program files\on demand distribution\od2 music manager\OD2MediaBar_VistaFileManager.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ALaunch] c:\acer\alaunch\AlaunchClient.exe
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\users\matthew\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_12\bin\ssv.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.5.0/jinstall-1_5-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll c:\progra~1\kasper~1\kasper~1\adialhk.dll c:\progra~1\kasper~1\kasper~1\kloehk.dll eNetHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\matthew\appdata\roaming\mozilla\firefox\profiles\5uoijwdv.default\

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2008-3-26 20496]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\acer arcade deluxe\play movie\000.fcl [2007-7-23 13560]
R2 ALaunchService;ALaunch Service;c:\acer\alaunch\ALaunchSvc.exe [2007-5-10 50688]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
R3 winbondcir;Winbond IR Transceiver;c:\windows\system32\drivers\winbondcir.sys [2007-5-9 43008]
S0 iaNvStor;Intel® Turbo Memory Technology NAND Controller;c:\windows\system32\drivers\iaNvStor.sys [2007-9-3 210432]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-5-9 179712]
S3 YMIDUSBW;Yamaha USB-MIDI Driver (WDM);c:\windows\system32\drivers\ymidusbw.sys [2007-2-26 32720]

=============== Created Last 30 ================

2009-04-09 03:02 0 a------- c:\windows\system32\setup_XP.ini
2009-04-07 23:43 --d----- c:\users\matthew\DoctorWeb
2009-04-07 18:14 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-07 18:13 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:19 --d----- c:\programdata\SUPERAntiSpyware.com
2009-04-06 22:19 --d----- c:\progra~2\SUPERAntiSpyware.com
2009-04-06 22:18 --d----- c:\users\matthew\appdata\roaming\SUPERAntiSpyware.com
2009-04-06 22:18 --d----- c:\program files\SUPERAntiSpyware
2009-04-06 22:17 --d----- c:\program files\common files\Wise Installation Wizard
2009-04-06 19:56 --d----- c:\windows\pss
2009-04-06 00:19 --d----- c:\users\matthew\appdata\roaming\Malwarebytes
2009-04-06 00:19 --d----- c:\programdata\Malwarebytes
2009-04-06 00:19 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-06 00:19 --d----- c:\progra~2\Malwarebytes
2009-03-22 03:01 596 a------- c:\windows\system32\%LocalXml%
2009-03-11 13:51 8,147,968 a------- c:\windows\system32\wmploc.DLL
2009-03-11 13:51 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-11 13:51 4,096 a------- c:\windows\system32\msdxm.ocx
2009-03-11 13:51 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-11 13:51 269,824 a------- c:\windows\system32\schannel.dll
2009-03-11 13:51 2,028,032 a------- c:\windows\system32\win32k.sys

==================== Find3M ====================

2009-04-09 14:55 13,119 a------- c:\users\matthew\appdata\roaming\nvModes.dat
2009-04-09 14:44 6,082,080 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-09 14:44 999,456 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-04-09 14:44 49,644 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-04-09 14:44 5,544 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-04-04 19:21 86,016 a------- c:\windows\inf\infstrng.dat
2009-04-04 19:21 86,016 a------- c:\windows\inf\infstor.dat
2009-04-04 19:21 51,200 a------- c:\windows\inf\infpub.dat
2009-02-06 19:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-01-15 05:16 826,368 a------- c:\windows\system32\wininet.dll
2009-01-15 05:16 56,320 a------- c:\windows\system32\iesetup.dll
2009-01-15 05:16 52,736 a------- c:\windows\apppatch\iebrshim.dll
2009-01-15 05:15 26,624 a------- c:\windows\system32\ieUnatt.exe
2008-12-14 00:11 174 a--sh--- c:\program files\desktop.ini
2008-06-12 15:30 665,600 a------- c:\windows\inf\drvindex.dat
2007-11-18 16:09 150 a------- c:\users\matthew\appdata\roaming\wklnhst.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-11-24 15:03 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-11-24 15:03 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-11-24 15:03 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 15:00:24.82 ===============

Edited by Orange Blossom, 09 April 2009 - 05:55 PM.


#2 KoanYorel

    Bleepin' Conundrum

  • Members
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:12:18 PM

Posted 24 April 2009 - 10:11 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 Bromers
  • Topic Starter
  • Members
  • 16 posts
  • OFFLINE
  • Local time:05:18 PM

Posted 24 April 2009 - 03:29 PM

DDS (Ver_09-03-16.01) - NTFSx86
Run by Matthew at 21:24:12.27 on 24/04/2009
Internet Explorer: 7.0.6000.16830 BrowserJavaVersion: 1.5.0_12
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.2046.1029 [GMT 1:00]

AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Windows\System32\rundll32.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Users\Matthew\AppData\Local\Temp\RtkBtMnt.exe
C:\Acer\ALaunch\ALaunchSvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\On Demand Distribution\OD2 Music Manager\OD2MediaBar_VistaFileManager.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Matthew\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Matthew\Downloads\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSEARCH PAGE =
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearch Bar =
mStart Page = hxxp://en.uk.acer.yahoo.com
mDefault_Page_URL = hxxp://en.uk.acer.yahoo.com
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uURLSearchHooks: H - No File
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_12\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\matthew\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [eAudio] "c:\acer\empowering technology\eaudio\eAudio.exe"
mRun: [Acer Tour]
mRun: [PLFSet] rundll32.exe c:\windows\PLFSet.dll,PLFDefSetting
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [PlayMovie] "c:\program files\acer arcade deluxe\play movie\PMVService.exe"
mRun: [Skytel] Skytel.exe
mRun: [eRecoveryService]
mRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
mRun: [WarReg_PopUp] c:\acer\wr_popup\WarReg_PopUp.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [IaNvSrv] c:\program files\intel\intel matrix storage manager\orom\ianvsrv\IaNvSrv.exe
mRun: [SetPanel] c:\acer\apanel\APanel.cmd
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_12\bin\jusched.exe"
mRun: [MediaBarFileManager] c:\program files\on demand distribution\od2 music manager\OD2MediaBar_VistaFileManager.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ALaunch] c:\acer\alaunch\AlaunchClient.exe
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\users\matthew\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_12\bin\ssv.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.5.0/jinstall-1_5-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll c:\progra~1\kasper~1\kasper~1\adialhk.dll c:\progra~1\kasper~1\kasper~1\kloehk.dll eNetHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\matthew\appdata\roaming\mozilla\firefox\profiles\j5dmwvv3.default\
FF - plugin: c:\users\matthew\appdata\local\google\update\1.2.141.5\npGoogleOneClick7.dll

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2008-3-26 20496]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\acer arcade deluxe\play movie\000.fcl [2007-7-23 13560]
R2 ALaunchService;ALaunch Service;c:\acer\alaunch\ALaunchSvc.exe [2007-5-10 50688]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 winbondcir;Winbond IR Transceiver;c:\windows\system32\drivers\winbondcir.sys [2007-5-9 43008]
S0 iaNvStor;Intel® Turbo Memory Technology NAND Controller;c:\windows\system32\drivers\iaNvStor.sys [2007-9-3 210432]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-5-9 179712]
S3 YMIDUSBW;Yamaha USB-MIDI Driver (WDM);c:\windows\system32\drivers\ymidusbw.sys [2007-2-26 32720]

=============== Created Last 30 ================

2009-04-22 21:40 <DIR> --d----- c:\programdata\Apple
2009-04-20 19:48 <DIR> --d----- c:\program files\Musicnotes
2009-04-09 03:02 0 a------- c:\windows\system32\setup_XP.ini
2009-04-07 23:43 <DIR> --d----- c:\users\matthew\DoctorWeb
2009-04-06 22:19 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-04-06 22:19 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-04-06 22:18 <DIR> --d----- c:\users\matthew\appdata\roaming\SUPERAntiSpyware.com
2009-04-06 22:18 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-06 19:56 <DIR> --d----- c:\windows\pss
2009-04-06 00:19 <DIR> --d----- c:\users\matthew\appdata\roaming\Malwarebytes
2009-04-06 00:19 <DIR> --d----- c:\programdata\Malwarebytes
2009-04-06 00:19 <DIR> --d----- c:\progra~2\Malwarebytes

==================== Find3M ====================

2009-04-24 21:06 13,119 a------- c:\users\matthew\appdata\roaming\nvModes.dat
2009-04-23 23:38 6,168,096 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-23 23:38 1,024,032 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-04-23 23:38 50,316 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-04-23 23:38 5,628 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-04-20 19:48 1,409 a------- c:\windows\fonts\RPRSSCRP.FOT
2009-04-04 19:21 86,016 a------- c:\windows\inf\infstrng.dat
2009-04-04 19:21 86,016 a------- c:\windows\inf\infstor.dat
2009-04-04 19:21 51,200 a------- c:\windows\inf\infpub.dat
2009-03-17 04:16 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-17 04:16 14,848 a------- c:\windows\system32\apilogen.dll
2009-03-17 04:16 25,600 a------- c:\windows\system32\amxread.dll
2009-03-03 05:24 3,503,584 a------- c:\windows\system32\ntkrnlpa.exe
2009-03-03 05:24 3,469,280 a------- c:\windows\system32\ntoskrnl.exe
2009-03-03 05:20 826,368 a------- c:\windows\system32\wininet.dll
2009-03-03 05:19 158,720 a------- c:\windows\system32\sdohlp.dll
2009-03-03 05:19 549,888 a------- c:\windows\system32\rpcss.dll
2009-03-03 05:19 24,576 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 05:16 56,320 a------- c:\windows\system32\iesetup.dll
2009-03-03 05:16 97,280 a------- c:\windows\system32\iasrecst.dll
2009-03-03 05:16 78,336 a------- c:\windows\system32\ieencode.dll
2009-03-03 05:16 53,248 a------- c:\windows\system32\iasads.dll
2009-03-03 05:16 52,736 a------- c:\windows\apppatch\iebrshim.dll
2009-03-03 05:16 37,888 a------- c:\windows\system32\iasdatastore.dll
2009-03-03 05:15 72,704 a------- c:\windows\system32\admparse.dll
2009-03-03 03:40 654,336 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 03:08 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-03-03 01:44 48,128 a------- c:\windows\system32\mshtmler.dll
2009-02-13 08:26 72,704 a------- c:\windows\system32\secur32.dll
2009-02-13 08:26 1,233,408 a------- c:\windows\system32\lsasrv.dll
2009-02-13 08:26 7,680 a------- c:\windows\system32\lsass.exe
2009-02-09 02:59 2,028,032 a------- c:\windows\system32\win32k.sys
2009-02-06 19:52 49,504 a------- c:\windows\system32\sirenacm.dll
2008-12-14 00:11 174 a--sh--- c:\program files\desktop.ini
2008-06-12 15:30 665,600 a------- c:\windows\inf\drvindex.dat
2007-11-18 16:09 150 a------- c:\users\matthew\appdata\roaming\wklnhst.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-11-24 15:03 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-11-24 15:03 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-11-24 15:03 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 21:25:04.82 ===============
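The two DDS logs in this thread (9 April and 24 April) are being compared by eye. As an added example that is not part of the original posts and not code from the DDS tool, the Python script below parses the section layout DDS uses, diffs two snapshots section by section, and flags a few entry types a responder verifies first. SAMPLE_OLD and SAMPLE_NEW are short constructed excerpts of the two logs above, and the SUSPICIOUS patterns are triage heuristics chosen for this example, not signatures: a hit means "check this", not "malicious" (the Realtek RtkBtMnt.exe running from Temp and Kaspersky's AppInit_DLLs entry both hit, and both are expected on this machine).

```python
"""Parse two DDS logs, diff them section by section, and flag entries a
responder would verify first.  Added example; the sample logs below are
constructed excerpts of the two logs posted in this thread."""
import re

# DDS separates sections with lines such as
# "============== Running Processes ===============".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")

# Triage heuristics chosen for this example (assumption: a starting point for
# manual review, not signatures; legitimate software hits them as well).
SUSPICIOUS = [
    (re.compile(r"\\appdata\\local\\temp\\", re.I),
     "runs from a user Temp directory"),
    (re.compile(r"-\s*No File$", re.I),
     "autorun/BHO entry whose target file is missing"),
    (re.compile(r"^AppInit_DLLs:", re.I),
     "AppInit_DLLs loads into every user32 process; verify each DLL"),
    (re.compile(r"%[A-Za-z]+%"),
     "file name contains an unexpanded environment variable"),
]

# Constructed excerpt of the 09 April log.
SAMPLE_OLD = r"""
DDS (Ver_09-03-16.01) - NTFSx86

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Users\Matthew\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

============== Pseudo HJT Report ===============

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll eNetHook.dll

=============== Created Last 30 ================

2009-03-22 03:01 596 a------- c:\windows\system32\%LocalXml%

============= FINISH: 15:00:24.82 ===============
"""

# Constructed excerpt of the 24 April log.
SAMPLE_NEW = r"""
DDS (Ver_09-03-16.01) - NTFSx86

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Users\Matthew\AppData\Local\Temp\RtkBtMnt.exe
C:\Users\Matthew\AppData\Local\Google\Update\GoogleUpdate.exe

============== Pseudo HJT Report ===============

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
uRun: [Google Update] "c:\users\matthew\appdata\local\google\update\GoogleUpdate.exe" /c
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll eNetHook.dll

=============== Created Last 30 ================

2009-04-22 21:40 <DIR> --d----- c:\programdata\Apple

============= FINISH: 21:25:04.82 ===============
"""


def parse_dds(text):
    """Return {SECTION NAME: [non-empty lines]} for one DDS log."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            # "FINISH: 15:00:24.82" -> "FINISH" so names are stable across runs
            current = m.group(1).split(":")[0].strip().upper()
            sections.setdefault(current, [])
        elif current and line:
            sections[current].append(line)
    return sections


def diff_sections(old, new):
    """Per section, lines that appeared in or disappeared from the new log."""
    changes = {}
    for name in sorted(set(old) | set(new)):
        before, after = set(old.get(name, ())), set(new.get(name, ()))
        if before != after:
            changes[name] = {"added": sorted(after - before),
                             "removed": sorted(before - after)}
    return changes


def flag_entries(sections):
    """Return (section, line, reason) for every line matching a heuristic."""
    hits = []
    for name, lines in sections.items():
        for line in lines:
            for pattern, reason in SUSPICIOUS:
                if pattern.search(line):
                    hits.append((name, line, reason))
    return hits


def new_flags(old, new):
    """Flagged lines present in the new log but absent from the old one."""
    seen = {line for _, line, _ in flag_entries(old)}
    return [hit for hit in flag_entries(new) if hit[1] not in seen]


if __name__ == "__main__":
    old, new = parse_dds(SAMPLE_OLD), parse_dds(SAMPLE_NEW)
    for section, delta in diff_sections(old, new).items():
        for line in delta["added"]:
            print(f"+ [{section}] {line}")
        for line in delta["removed"]:
            print(f"- [{section}] {line}")
    for section, line, reason in flag_entries(new):
        print(f"? [{section}] {line}  <- {reason}")
```

Run it against two full logs saved to disk by swapping the sample strings for file contents; the diff shows what changed between posts (here the SUPERAntiSpyware autorun gone, Google Update added, the `%LocalXml%` entry aged out of the 30-day window), and `new_flags` narrows the review to flagged lines that were not already present in the earlier snapshot.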

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 24 April 2009 - 05:53 PM

Hi Bromers,

Welcome to BC HijackThis forum and sorry for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • I see on your log that Marketscore.RelevantKnowledge is installed on your computer:

    This program is known to be related to adware/spyware. More information here: http://research.sunbelt-software.com/threa...;threatid=15129

    Please go to Programs and features in Control Panel and uninstall the following program:

    RelevantKnowledge

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    • Double click on ComboFix.exe & follow the prompts.
    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

  • Click here to download HijackThis Installer.
    • Save HJTInstall.exe to your Desktop.
    • Double click on the HJTInstall.exe icon to start the installation.
    • When a window pops up asking you the directory to install the program please accept the proposed default directory.
    • The program will automatically place a shortcut on your desktop and if further use of the program is required, you can click on the shortcut to run the program.
    • Please run Hijackthis. Click Do a system scan and save a logfile then copy and paste the content of the log to your reply.
Please include in your next reply:
  • The Combofix log.
  • The Hijackthis log.
  • Any comment or feedback about how it went.


#5 Bromers

Bromers
  • Topic Starter

  • Members
  • 16 posts

Posted 24 April 2009 - 07:37 PM

I found the RelevantKnowledge item in the uninstall bit. When I clicked on it, it said it had either moved or been removed as it couldn't find it, and said it would delete what was left of it. The two scans went fine.

Thanks for help!

ComboFix 09-04-25.03 - Matthew 25/04/2009 1:19.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.2046.1229 [GMT 1:00]
Running from: c:\users\Matthew\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-4-25 )))))))))))))))))))))))))))))))
.

2009-04-22 20:42 . 2009-04-22 20:42 -------- d-----w c:\users\Matthew\AppData\Roaming\Apple Computer
2009-04-22 20:42 . 2009-04-22 20:42 -------- d-----w c:\users\Matthew\AppData\Local\Apple Computer
2009-04-22 20:40 . 2009-04-22 20:40 -------- d-----w c:\users\Matthew\AppData\Local\Apple
2009-04-22 20:40 . 2009-04-22 20:40 -------- d-----w c:\users\All Users\Apple
2009-04-22 20:40 . 2009-04-22 20:40 -------- d-----w c:\programdata\Apple
2009-04-22 19:22 . 2009-04-22 19:22 -------- d-----w c:\users\Matthew\AppData\Local\Opera
2009-04-22 19:16 . 2009-04-22 19:16 -------- d-----w c:\users\Matthew\AppData\Local\Deployment
2009-04-22 19:16 . 2009-04-22 19:16 -------- d-----w c:\users\Matthew\AppData\Local\Apps
2009-04-09 02:02 . 2009-04-09 02:02 0 ----a-w c:\windows\system32\setup_XP.ini
2009-04-07 22:43 . 2009-04-07 22:43 -------- d-----w c:\users\Matthew\DoctorWeb
2009-04-06 23:08 . 2009-04-06 23:08 -------- d--h--w c:\users\Matthew\AppData\Local\acer eNM
2009-04-06 21:19 . 2009-04-06 21:19 -------- d-----w c:\users\All Users\SUPERAntiSpyware.com
2009-04-06 21:19 . 2009-04-06 21:19 -------- d-----w c:\programdata\SUPERAntiSpyware.com
2009-04-06 21:18 . 2009-04-11 22:01 -------- d-----w c:\users\Matthew\AppData\Roaming\SUPERAntiSpyware.com
2009-04-05 23:19 . 2009-04-05 23:19 -------- d-----w c:\users\Matthew\AppData\Roaming\Malwarebytes
2009-04-05 23:19 . 2009-04-05 23:19 -------- d-----w c:\users\All Users\Malwarebytes
2009-04-05 23:19 . 2009-04-05 23:19 -------- d-----w c:\programdata\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-24 21:55 . 2008-08-29 17:29 1032224 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-24 20:42 . 2008-08-29 17:29 5656 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-24 20:06 . 2007-09-03 11:49 13119 ----a-w c:\users\Matthew\AppData\Roaming\nvModes.dat
2009-04-24 20:06 . 2007-09-06 16:57 -------- d-----w c:\programdata\Kaspersky Lab
2009-04-23 22:38 . 2008-08-29 17:29 6168096 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-23 22:38 . 2008-08-29 17:29 50316 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-22 20:42 . 2009-04-22 20:41 -------- d-----w c:\program files\Safari
2009-04-22 20:40 . 2009-04-22 20:40 -------- d-----w c:\program files\Apple Software Update
2009-04-22 19:22 . 2009-04-22 19:21 -------- d-----w c:\program files\Opera
2009-04-21 10:28 . 2007-09-03 11:45 91888 ----a-w c:\users\Matthew\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-20 18:48 . 2009-04-20 18:48 -------- d-----w c:\program files\Musicnotes
2009-04-17 20:33 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-17 20:26 . 2007-05-10 00:08 -------- d-----w c:\programdata\Microsoft Help
2009-04-11 22:01 . 2009-04-06 21:18 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-07 01:49 . 2008-07-20 15:24 -------- d-----w c:\programdata\Yahoo!
2009-04-07 01:49 . 2008-10-17 22:20 -------- d-----w c:\programdata\Apple Computer
2009-04-07 01:49 . 2008-10-17 22:21 -------- d-----w c:\program files\Common Files\Apple
2009-04-06 19:46 . 2007-12-24 00:31 1356 ----a-w c:\users\Matthew\AppData\Local\d3d9caps.dat
2009-04-05 09:20 . 2008-12-16 18:04 -------- d-----w c:\users\Matthew\AppData\Roaming\Mozilla(34)
2009-04-04 18:21 . 2006-11-02 10:25 86016 ----a-w c:\windows\Inf\infstrng.dat
2009-04-04 18:21 . 2006-11-02 10:25 86016 ----a-w c:\windows\Inf\infstor.dat
2009-04-04 18:21 . 2006-11-02 10:25 51200 ----a-w c:\windows\Inf\infpub.dat
2009-04-04 18:16 . 2008-02-08 20:05 -------- d-----w c:\programdata\MakeMusic
2009-04-04 18:15 . 2008-07-20 15:24 156 ----a-w C:\YServer.txt
2009-04-04 18:14 . 2007-10-06 11:12 -------- d-----w c:\program files\Finale NotePad 2007
2009-04-04 18:13 . 2007-10-29 20:50 -------- d-----w c:\program files\Common Files\Real
2009-04-04 18:11 . 2007-12-11 19:42 -------- d-----w c:\program files\Saints & Sinners Bowling
2009-04-04 18:04 . 2007-05-09 23:17 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-04 17:37 . 2006-11-02 12:37 -------- d-----w c:\program files\Microsoft Games
2009-03-17 03:16 . 2009-04-16 23:15 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 03:16 . 2009-04-16 23:15 14848 ----a-w c:\windows\System32\apilogen.dll
2009-03-17 03:16 . 2009-04-16 23:15 25600 ----a-w c:\windows\System32\amxread.dll
2009-03-03 04:24 . 2009-04-16 23:15 3503584 ----a-w c:\windows\System32\ntkrnlpa.exe
2009-03-03 04:24 . 2009-04-16 23:15 3469280 ----a-w c:\windows\System32\ntoskrnl.exe
2009-03-03 04:20 . 2009-04-16 23:15 826368 ----a-w c:\windows\System32\wininet.dll
2009-03-03 04:19 . 2009-04-16 23:15 158720 ----a-w c:\windows\System32\sdohlp.dll
2009-03-03 04:19 . 2009-04-16 23:15 549888 ----a-w c:\windows\System32\rpcss.dll
2009-03-03 04:19 . 2009-04-16 23:15 24576 ----a-w c:\windows\System32\printfilterpipelineprxy.dll
2009-03-03 04:16 . 2009-04-16 23:15 56320 ----a-w c:\windows\System32\iesetup.dll
2009-03-03 04:16 . 2009-04-16 23:15 97280 ----a-w c:\windows\System32\iasrecst.dll
2009-03-03 04:16 . 2009-04-16 23:15 53248 ----a-w c:\windows\System32\iasads.dll
2009-03-03 04:16 . 2009-04-16 23:15 37888 ----a-w c:\windows\System32\iasdatastore.dll
2009-03-03 04:16 . 2009-04-16 23:15 78336 ----a-w c:\windows\System32\ieencode.dll
2009-03-03 04:16 . 2009-04-16 23:15 52736 ----a-w c:\windows\AppPatch\iebrshim.dll
2009-03-03 04:15 . 2009-04-16 23:15 72704 ----a-w c:\windows\System32\admparse.dll
2009-03-03 02:40 . 2009-04-16 23:15 654336 ----a-w c:\windows\System32\printfilterpipelinesvc.exe
2009-03-03 02:08 . 2009-04-16 23:15 26624 ----a-w c:\windows\System32\ieUnatt.exe
2009-03-03 00:44 . 2009-04-16 23:15 48128 ----a-w c:\windows\System32\mshtmler.dll
2009-02-13 07:26 . 2009-04-16 23:15 72704 ----a-w c:\windows\System32\secur32.dll
2009-02-13 07:26 . 2009-04-16 23:15 1233408 ----a-w c:\windows\System32\lsasrv.dll
2009-02-13 07:26 . 2009-04-16 23:15 7680 ----a-w c:\windows\System32\lsass.exe
2009-02-09 01:59 . 2009-03-11 12:51 2028032 ----a-w c:\windows\System32\win32k.sys
2009-02-06 18:52 . 2009-02-06 18:52 49504 ----a-w c:\windows\System32\sirenacm.dll
2008-12-13 23:11 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2007-11-18 15:09 . 2007-11-18 15:09 150 ----a-w c:\users\Matthew\AppData\Roaming\wklnhst.dat
2007-10-21 21:05 . 2007-10-21 21:05 95 ----a-w c:\users\Matthew\AppData\Local\fusioncache.dat
2008-11-24 14:03 . 2007-09-24 18:46 16384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-11-24 14:03 . 2007-09-24 18:46 32768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-11-24 14:03 . 2007-09-24 18:46 16384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-10 1232896]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-02-16 151552]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"Google Update"="c:\users\Matthew\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-04-22 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-05-04 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-04 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-04 81920]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-13 457728]
"eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-04-27 1286144]
"PLFSet"="c:\windows\PLFSet.dll" [2007-03-10 45056]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2007-05-04 502544]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2007-05-03 206952]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-02-16 151552]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 57344]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"IaNvSrv"="c:\program files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe" [2007-03-13 33048]
"MediaBarFileManager"="c:\program files\On Demand Distribution\OD2 Music Manager\OD2MediaBar_VistaFileManager.exe" [2007-06-25 30024]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-02-06 201992]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-09 865840]
"MSConfig"="c:\windows\system32\msconfig.exe" [2006-11-02 222208]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-05-10 4468736]
"Skytel"="Skytel.exe" - c:\windows\SkyTel.exe [2007-05-07 1826816]

c:\users\Matthew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2007-7-23 1208320]
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-5-10 535336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd.dll c:\progra~1\KASPER~1\KASPER~1\adialhk.dll c:\progra~1\KASPER~1\KASPER~1\kloehk.dll eNetHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E30A7207-0C49-464A-A2BD-D500B91DCDB9}"= c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe
"{120133B6-32D8-444B-9535-B9715C450D9F}"= c:\program files\Acer Arcade Deluxe\DVDivine\DVDivine.exe:DVDivine
"{8FB486AE-A211-42F3-B901-E9C5FEDDB00E}"= c:\program files\Acer Arcade Deluxe\VideoMagician\VideoMagician.exe:VideoMagician
"{B8D85C9E-2380-4824-BDCF-7D36CACC7B4C}"= c:\program files\Acer Arcade Deluxe\HomeMedia\HomeMedia.exe:HomeMedia
"{F54AFDD9-4072-4B70-A0E5-6AED010D45D7}"= c:\program files\Acer Arcade Deluxe\DV Wizard\DV Wizard.exe:DV Wizard
"{642B9AB6-EC6D-40D7-A7FD-2FBA1100F47D}"= c:\program files\Acer Arcade Deluxe\Play Movie\PlayMovie.exe:Play Movie
"{5C7A7DF1-A338-4CD3-96E3-311ADD053850}"= c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe:Play Movie Resident Program
"{C80972B0-6FA4-44DB-8F60-8EDB66A3842C}"= c:\program files\Acer\Acer VCM\VC.exe:Acer VCM
"{542DCBA6-AB98-4F37-AA71-DEA07411CF0C}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{E38E082E-981F-4EAF-81AD-D2241DD88430}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{FAE34D88-6D8E-48AA-B4D4-09C0613A51BA}"= UDP:c:\windows\System32\rlvknlg.exe:rlvknlg.exe
"{52025E1B-E247-4A0D-BE9B-EC45DD4ED830}"= TCP:c:\windows\System32\rlvknlg.exe:rlvknlg.exe
"{80147FFB-5F0C-4231-807F-37B5C21219A2}"= Disabled:UDP:c:\program files\MySpace\IM\MySpaceIM.exe:MySpaceIM
"{B716F8D6-4170-4691-BE9F-03D12831EF87}"= Disabled:TCP:c:\program files\MySpace\IM\MySpaceIM.exe:MySpaceIM
"{9D951E5C-13B2-4FA1-B418-A12195289B1A}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{FDAD9BBE-B3B7-4BFE-9AD7-AEEE4B87B247}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{E2A3CEF3-C86A-46B6-B3AC-CCA59EBCDBAA}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{07E96D0A-3AD9-4EFB-B994-0CBDC491503F}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 iaNvStor;Intel® Turbo Memory Technology NAND Controller;c:\windows\system32\DRIVERS\iaNvStor.sys [2007-03-11 210432]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-02-08 179712]
R3 YMIDUSBW;Yamaha USB-MIDI Driver (WDM);c:\windows\system32\drivers\ymidusbw.sys [2007-02-26 32720]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-02-06 33808]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2008-03-26 20496]
S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [2006-11-02 23:51 13560]
S2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [2007-01-26 50688]
S3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
S3 winbondcir;Winbond IR Transceiver;c:\windows\system32\DRIVERS\winbondcir.sys [2007-04-19 43008]

.
Contents of the 'Scheduled Tasks' folder

2009-04-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1568780633-3694986773-2746263513-1000.job
- c:\users\Matthew\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-22 19:16]

2009-04-24 c:\windows\Tasks\User_Feed_Synchronization-{2E682788-E4A7-4FCC-A577-DE4C2AB16339}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SetPanel - c:\acer\APanel\APanel.cmd
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_12\bin\jusched.exe
HKLM-Run-QuickTime Task - c:\program files\QuickTime\QTTask.exe
HKLM-Run-ALaunch - c:\acer\ALaunch\AlaunchClient.exe
HKLM-Run-Acer Tour - (no file)
HKLM-Run-eRecoveryService - (no file)
HKU-Default-Run-MySpaceIM - c:\program files\MySpace\IM\MySpaceIM.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\j5dmwvv3.default\
FF - plugin: c:\users\Matthew\AppData\Local\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-25 01:24
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1132)
c:\progra~1\KASPER~1\KASPER~1\adialhk.dll
c:\progra~1\KASPER~1\KASPER~1\kloehk.dll
c:\windows\system32\eNetHook.dll

- - - - - - - > 'lsass.exe'(740)
c:\progra~1\KASPER~1\KASPER~1\adialhk.dll
c:\progra~1\KASPER~1\KASPER~1\kloehk.dll
c:\windows\system32\eNetHook.dll

- - - - - - - > 'Explorer.exe'(5220)
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\BatchCrypto.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\keyManager.dll
c:\acer\Empowering Technology\EPOWER\SysHook.dll
.
Completion time: 2009-04-25 1:25
ComboFix-quarantined-files.txt 2009-04-25 00:25

Pre-Run: 7,488,073,728 bytes free
Post-Run: 8,628,232,192 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4,57
248 --- E O F --- 2009-04-23 20:5

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:35:08, on 25/04/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16830)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Windows\System32\rundll32.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\On Demand Distribution\OD2 Music Manager\OD2MediaBar_VistaFileManager.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Matthew\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Windows\helppane.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/def...://uk.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IaNvSrv] C:\Program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe
O4 - HKLM\..\Run: [MediaBarFileManager] C:\Program Files\On Demand Distribution\OD2 Music Manager\OD2MediaBar_VistaFileManager.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Matthew\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Acer VCM.lnk = ?
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll (file missing)
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...indows-i586.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll eNetHook.dll
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9015 bytes

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 25 April 2009 - 04:43 PM

Thanks for the feedback.
  • If you can not find the following file make sure that you can view all hidden and system files. Instructions on how to do this can be found here: How to see hidden files in Windows

    Click on this link--> virustotal

    Click the browse button and navigate to the file below in bold, then click Send File.

    c:\windows\system32\CryptoAPI.dll

    If the file has been analyzed before, click the Reanalyse File Now button.
    Please copy and paste the results of the scan in your next post.

  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll (file missing)


    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • Close any open browsers.

    Open notepad and copy/paste the text in the code box below into it:

    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{FAE34D88-6D8E-48AA-B4D4-09C0613A51BA}"=-
    "{52025E1B-E247-4A0D-BE9B-EC45DD4ED830}"=-
    FixCSet::

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
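
Added here as an example (it is not code from this thread, nor from ComboFix or HijackThis): a small Python triage script for the two mechanical parts of the post above. It lists the HijackThis entries whose target is reported as "(no file)" or "(file missing)", and it builds the Registry:: block that deletes FirewallRules values still pointing at a named executable (here rlvknlg.exe, left behind by the RelevantKnowledge uninstall), using the `"{GUID}"=-` delete form the post itself uses. The line layouts are inferred from the logs posted in this thread, which is an assumption; the sample lines are copied from those logs.

```python
import re

# --- Sample input, copied from the logs posted earlier in this thread ----------
SAMPLE_HJT = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll (file missing)
"""

SAMPLE_COMBOFIX = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C80972B0-6FA4-44DB-8F60-8EDB66A3842C}"= c:\program files\Acer\Acer VCM\VC.exe:Acer VCM
"{542DCBA6-AB98-4F37-AA71-DEA07411CF0C}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{FAE34D88-6D8E-48AA-B4D4-09C0613A51BA}"= UDP:c:\windows\System32\rlvknlg.exe:rlvknlg.exe
"{52025E1B-E247-4A0D-BE9B-EC45DD4ED830}"= TCP:c:\windows\System32\rlvknlg.exe:rlvknlg.exe
"{80147FFB-5F0C-4231-807F-37B5C21219A2}"= Disabled:UDP:c:\program files\MySpace\IM\MySpaceIM.exe:MySpaceIM

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"""

# HijackThis line: "<code> - <kind>: <details>"  (layout assumed from the log above)
HJT_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")

# ComboFix FirewallRules value: "{GUID}"= [Disabled:][TCP|UDP:]<path>:<description>
# The path's only colon is the one after the drive letter, so [^:]* stops at the
# separator before the description.  Layout assumed from the log above.
FW_KEY = r"HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules"
RULE_RE = re.compile(
    r'^"(?P<guid>\{[0-9A-Fa-f-]+\})"= '
    r"(?:Disabled:)?(?:(?:TCP|UDP):)?"
    r"(?P<path>[A-Za-z]:\\[^:]*):(?P<desc>.*)$"
)


def orphaned_hjt_entries(log: str) -> list[tuple[str, str, str]]:
    """Return (code, kind, line) for HijackThis entries whose file is gone.

    HijackThis marks these "(no file)" or "(file missing)"; they are the
    candidates a helper reviews before ticking them under "Fix checked".
    """
    orphans = []
    for raw in log.splitlines():
        line = raw.strip()
        m = HJT_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        if rest.endswith("(no file)") or rest.endswith("(file missing)"):
            orphans.append((m.group("code"), m.group("kind"), line))
    return orphans


def firewall_rules_for(combofix_log: str, exe_names: set[str]) -> list[tuple[str, str]]:
    """Return (guid, path) for FirewallRules entries whose program basename is in exe_names.

    Only the FirewallRules key is inspected; the per-profile EnableFirewall
    values and the RestrictedServices key are skipped.
    """
    wanted = {name.lower() for name in exe_names}
    section = None
    hits = []
    for raw in combofix_log.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != FW_KEY:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if path.rsplit("\\", 1)[-1].lower() in wanted:
            hits.append((m.group("guid"), path))
    return hits


def cfscript_removing(guids: list[str]) -> str:
    """Render a CFScript Registry:: block; the "=-" form deletes the named value."""
    lines = ["Registry::", f"[{FW_KEY}]"]
    lines += [f'"{guid}"=-' for guid in guids]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for code, kind, line in orphaned_hjt_entries(SAMPLE_HJT):
        print(f"orphan {code} {kind}: {line}")
    hits = firewall_rules_for(SAMPLE_COMBOFIX, {"rlvknlg.exe"})
    print(cfscript_removing([guid for guid, _ in hits]))
```

The script only produces candidates; which entries are actually fixed stays the helper's decision, and the FixCSet:: directive in the post is not generated here.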


#7 Bromers

Bromers
  • Topic Starter

  • Members
  • 16 posts

Posted 25 April 2009 - 08:37 PM

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.26 -
AhnLab-V3 5.0.0.2 2009.04.24 -
AntiVir 7.9.0.156 2009.04.25 -
Antiy-AVL 2.0.3.1 2009.04.24 -
Authentium 5.1.2.4 2009.04.25 -
Avast 4.8.1335.0 2009.04.25 -
AVG 8.5.0.287 2009.04.25 -
BitDefender 7.2 2009.04.26 -
CAT-QuickHeal 10.00 2009.04.25 -
ClamAV 0.94.1 2009.04.25 -
Comodo 1135 2009.04.25 -
DrWeb 4.44.0.09170 2009.04.26 -
eSafe 7.0.17.0 2009.04.23 -
eTrust-Vet 31.6.6475 2009.04.24 -
F-Prot 4.4.4.56 2009.04.25 -
F-Secure 8.0.14470.0 2009.04.25 -
Fortinet 3.117.0.0 2009.04.25 -
GData 19 2009.04.26 -
Ikarus T3.1.1.49.0 2009.04.26 -
K7AntiVirus 7.10.716 2009.04.25 -
Kaspersky 7.0.0.125 2009.04.26 -
McAfee 5596 2009.04.25 -
McAfee+Artemis 5596 2009.04.25 -
McAfee-GW-Edition 6.7.6 2009.04.26 -
Microsoft 1.4602 2009.04.25 -
NOD32 4035 2009.04.25 -
Norman 6.00.06 2009.04.24 -
nProtect 2009.1.8.0 2009.04.25 -
Panda 10.0.0.14 2009.04.25 -
PCTools 4.4.2.0 2009.04.25 -
Prevx1 3.0 2009.04.26 -
Rising 21.26.52.00 2009.04.25 -
Sophos 4.41.0 2009.04.25 -
Sunbelt 3.2.1858.2 2009.04.24 -
Symantec 1.4.4.12 2009.04.26 -
TheHacker 6.3.4.1.314 2009.04.26 -
TrendMicro 8.700.0.1004 2009.04.25 -
VBA32 3.12.10.3 2009.04.25 -
ViRobot 2009.4.24.1708 2009.04.24 -
VirusBuster 4.6.5.0 2009.04.25 -
Additional information
File size: 401408 bytes
MD5...: df53b8bd2c2d86e8cfeb4bb488b5ea37
SHA1..: 89b539a7fbe9cc12dbf481a504c6cda74c276f02
SHA256: 562acd6fa2df435dbaeb22e0819208de76ae31e58745c8272d6388e71e68c188
SHA512: da9c4e6e69c5a14d9dda22e5b698fc0bb9aba05ef36944d34907a0d5e89ae78e35473b2c92dbc821d26749bfc8268ed427e2057a526a82e1240c0f39b27a7a6d
ssdeep: 6144:v/wGrWPANPBUEJuDaGoD303NLjHs+AwZxmT6zpyvo39T08gOfypgnFLO:voDPANPm07GVAwZ2QNG0ymFL
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3eb7a
timedatestamp.....: 0x456ab53e (Mon Nov 27 09:51:58 2006)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x3e1a8 0x3f000 6.60 b1de08b416eaa8201a52efbb82f00437
.rdata 0x40000 0x11bf3 0x12000 6.41 c2dc99dd6bc5faec85c0e4a8fd489132
.data 0x52000 0xab64 0x9000 4.90 6453d5baebb273a9cd4b6385633de850
.rsrc 0x5d000 0x4ac 0x1000 4.01 70ae9d5bfbba29e48ab399ff08af6e3a
.reloc 0x5e000 0x58fa 0x6000 5.41 73cd7551e126babd8f3dd671d3c4e2da

( 4 imports )
> SHLWAPI.dll: PathFileExistsW
> KERNEL32.dll: GetDiskFreeSpaceExW, GetFileSizeEx, CreateFileW, GetFileAttributesW, CreateFileA, GetWindowsDirectoryA, GetCurrentThreadId, GetCurrentProcessId, GlobalMemoryStatus, CloseHandle, FreeLibrary, GetProcAddress, LoadLibraryA, GetVersionExA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, InterlockedCompareExchange, SetFilePointerEx, SetFileAttributesW, WideCharToMultiByte, GetTickCount, GetLastError, lstrlenA, WriteFile, ReadFile, IsDebuggerPresent, QueryPerformanceCounter, GetSystemTimeAsFileTime, InterlockedExchange, Sleep
> USER32.dll: TranslateMessage, DispatchMessageA, GetMessageA, PeekMessageA
> MSVCR80.dll: malloc, _itoa_s, memset, printf, __CxxFrameHandler3, _snprintf_s, free, rand, srand, memcpy, wcsncpy_s, _mbsnbcpy_s, _wsplitpath_s, realloc, strncpy, strchr, memchr, abort, fprintf, _iob, _pctype, _isctype, __mb_cur_max, strcmp, qsort, _ftol, bsearch, memmove, _errno, fopen, fclose, fread, fwrite, fflush, _setmode, ftell, fseek, fgets, tolower, strncmp, sscanf, getenv, _fileno, _encode_pointer, _malloc_crt, _encoded_null, _decode_pointer, _initterm, _initterm_e, _amsg_exit, _adjust_fdiv, __CppXcptFilter, _time32, _crt_debugger_hook, __clean_type_info_names_internal, _unlock, __dllonexit, _lock, _onexit, _except_handler4_common, _mbsnbcat_s, wcsncat_s

( 25 exports )
_HTCA_Base64EncodeW@@YAPA_WPA_WKPAK1@Z, _HTCA_PasswordEncryptTextBlockStrat@@YAPAEPAEI0IPAIK0KPAUHTCA_CTX@@PAK@Z, HTCA_Base64Decode, HTCA_Base64Encode, HTCA_CheckEncryptedFileA, HTCA_CheckEncryptedFileW, HTCA_CheckEncryptedTextBlock, HTCA_CheckLockedFileA, HTCA_CheckLockedFileW, HTCA_DualPasswordFileDecryptA, HTCA_DualPasswordFileDecryptW, HTCA_DualPasswordFileEncryptA, HTCA_DualPasswordFileEncryptW, HTCA_FreeMemory, HTCA_GenSymmetricKeyA, HTCA_GenSymmetricKeyW, HTCA_HashData, HTCA_LockFileA, HTCA_LockFileW, HTCA_PasswordDecryptStringA, HTCA_PasswordDecryptTextBlock, HTCA_PasswordEncryptStringA, HTCA_PasswordEncryptTextBlock, HTCA_PasswordTranscodeA, HTCA_PasswordTranscodeW
PDFiD.: -
RDS...: NSRL Reference Data Set
-

ComboFix 09-04-25.03 - Matthew 26/04/2009 2:20.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.2046.1256 [GMT 1:00]
Running from: c:\users\Matthew\Desktop\ComboFix.exe
Command switches used :: c:\users\Matthew\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-05-26 to 2009-4-26 )))))))))))))))))))))))))))))))
.

2009-04-22 20:42 . 2009-04-22 20:42 -------- d-----w c:\users\Matthew\AppData\Roaming\Apple Computer
2009-04-22 20:42 . 2009-04-22 20:42 -------- d-----w c:\users\Matthew\AppData\Local\Apple Computer
2009-04-22 20:40 . 2009-04-22 20:40 -------- d-----w c:\users\Matthew\AppData\Local\Apple
2009-04-22 20:40 . 2009-04-22 20:40 -------- d-----w c:\users\All Users\Apple
2009-04-22 20:40 . 2009-04-22 20:40 -------- d-----w c:\programdata\Apple
2009-04-22 19:22 . 2009-04-22 19:22 -------- d-----w c:\users\Matthew\AppData\Local\Opera
2009-04-22 19:16 . 2009-04-22 19:16 -------- d-----w c:\users\Matthew\AppData\Local\Deployment
2009-04-22 19:16 . 2009-04-22 19:16 -------- d-----w c:\users\Matthew\AppData\Local\Apps
2009-04-09 02:02 . 2009-04-09 02:02 0 ----a-w c:\windows\system32\setup_XP.ini
2009-04-07 22:43 . 2009-04-07 22:43 -------- d-----w c:\users\Matthew\DoctorWeb
2009-04-06 23:08 . 2009-04-06 23:08 -------- d--h--w c:\users\Matthew\AppData\Local\acer eNM
2009-04-06 21:19 . 2009-04-06 21:19 -------- d-----w c:\users\All Users\SUPERAntiSpyware.com
2009-04-06 21:19 . 2009-04-06 21:19 -------- d-----w c:\programdata\SUPERAntiSpyware.com
2009-04-06 21:18 . 2009-04-11 22:01 -------- d-----w c:\users\Matthew\AppData\Roaming\SUPERAntiSpyware.com
2009-04-05 23:19 . 2009-04-05 23:19 -------- d-----w c:\users\Matthew\AppData\Roaming\Malwarebytes
2009-04-05 23:19 . 2009-04-05 23:19 -------- d-----w c:\users\All Users\Malwarebytes
2009-04-05 23:19 . 2009-04-05 23:19 -------- d-----w c:\programdata\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-26 01:28 . 2008-08-29 17:29 1048608 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-26 01:28 . 2008-08-29 17:29 5712 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-26 01:28 . 2007-09-06 16:57 -------- d-----w c:\programdata\Kaspersky Lab
2009-04-26 01:25 . 2008-08-29 17:29 6168096 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-26 01:25 . 2008-08-29 17:29 50316 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-25 20:12 . 2007-09-03 11:49 13119 ----a-w c:\users\Matthew\AppData\Roaming\nvModes.dat
2009-04-25 00:34 . 2009-04-25 00:34 -------- d-----w c:\program files\Trend Micro
2009-04-22 20:42 . 2009-04-22 20:41 -------- d-----w c:\program files\Safari
2009-04-22 20:40 . 2009-04-22 20:40 -------- d-----w c:\program files\Apple Software Update
2009-04-22 19:22 . 2009-04-22 19:21 -------- d-----w c:\program files\Opera
2009-04-21 10:28 . 2007-09-03 11:45 91888 ----a-w c:\users\Matthew\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-20 18:48 . 2009-04-20 18:48 -------- d-----w c:\program files\Musicnotes
2009-04-17 20:33 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-17 20:26 . 2007-05-10 00:08 -------- d-----w c:\programdata\Microsoft Help
2009-04-11 22:01 . 2009-04-06 21:18 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-07 01:49 . 2008-07-20 15:24 -------- d-----w c:\programdata\Yahoo!
2009-04-07 01:49 . 2008-10-17 22:20 -------- d-----w c:\programdata\Apple Computer
2009-04-07 01:49 . 2008-10-17 22:21 -------- d-----w c:\program files\Common Files\Apple
2009-04-06 19:46 . 2007-12-24 00:31 1356 ----a-w c:\users\Matthew\AppData\Local\d3d9caps.dat
2009-04-05 09:20 . 2008-12-16 18:04 -------- d-----w c:\users\Matthew\AppData\Roaming\Mozilla(34)
2009-04-04 18:21 . 2006-11-02 10:25 86016 ----a-w c:\windows\Inf\infstrng.dat
2009-04-04 18:21 . 2006-11-02 10:25 86016 ----a-w c:\windows\Inf\infstor.dat
2009-04-04 18:21 . 2006-11-02 10:25 51200 ----a-w c:\windows\Inf\infpub.dat
2009-04-04 18:16 . 2008-02-08 20:05 -------- d-----w c:\programdata\MakeMusic
2009-04-04 18:15 . 2008-07-20 15:24 156 ----a-w C:\YServer.txt
2009-04-04 18:14 . 2007-10-06 11:12 -------- d-----w c:\program files\Finale NotePad 2007
2009-04-04 18:13 . 2007-10-29 20:50 -------- d-----w c:\program files\Common Files\Real
2009-04-04 18:11 . 2007-12-11 19:42 -------- d-----w c:\program files\Saints & Sinners Bowling
2009-04-04 18:04 . 2007-05-09 23:17 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-04 17:37 . 2006-11-02 12:37 -------- d-----w c:\program files\Microsoft Games
2009-03-17 03:16 . 2009-04-16 23:15 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 03:16 . 2009-04-16 23:15 14848 ----a-w c:\windows\System32\apilogen.dll
2009-03-17 03:16 . 2009-04-16 23:15 25600 ----a-w c:\windows\System32\amxread.dll
2009-03-03 04:24 . 2009-04-16 23:15 3503584 ----a-w c:\windows\System32\ntkrnlpa.exe
2009-03-03 04:24 . 2009-04-16 23:15 3469280 ----a-w c:\windows\System32\ntoskrnl.exe
2009-03-03 04:20 . 2009-04-16 23:15 826368 ----a-w c:\windows\System32\wininet.dll
2009-03-03 04:19 . 2009-04-16 23:15 158720 ----a-w c:\windows\System32\sdohlp.dll
2009-03-03 04:19 . 2009-04-16 23:15 549888 ----a-w c:\windows\System32\rpcss.dll
2009-03-03 04:19 . 2009-04-16 23:15 24576 ----a-w c:\windows\System32\printfilterpipelineprxy.dll
2009-03-03 04:16 . 2009-04-16 23:15 56320 ----a-w c:\windows\System32\iesetup.dll
2009-03-03 04:16 . 2009-04-16 23:15 97280 ----a-w c:\windows\System32\iasrecst.dll
2009-03-03 04:16 . 2009-04-16 23:15 53248 ----a-w c:\windows\System32\iasads.dll
2009-03-03 04:16 . 2009-04-16 23:15 37888 ----a-w c:\windows\System32\iasdatastore.dll
2009-03-03 04:16 . 2009-04-16 23:15 78336 ----a-w c:\windows\System32\ieencode.dll
2009-03-03 04:16 . 2009-04-16 23:15 52736 ----a-w c:\windows\AppPatch\iebrshim.dll
2009-03-03 04:15 . 2009-04-16 23:15 72704 ----a-w c:\windows\System32\admparse.dll
2009-03-03 02:40 . 2009-04-16 23:15 654336 ----a-w c:\windows\System32\printfilterpipelinesvc.exe
2009-03-03 02:08 . 2009-04-16 23:15 26624 ----a-w c:\windows\System32\ieUnatt.exe
2009-03-03 00:44 . 2009-04-16 23:15 48128 ----a-w c:\windows\System32\mshtmler.dll
2009-02-13 07:26 . 2009-04-16 23:15 72704 ----a-w c:\windows\System32\secur32.dll
2009-02-13 07:26 . 2009-04-16 23:15 1233408 ----a-w c:\windows\System32\lsasrv.dll
2009-02-13 07:26 . 2009-04-16 23:15 7680 ----a-w c:\windows\System32\lsass.exe
2009-02-09 01:59 . 2009-03-11 12:51 2028032 ----a-w c:\windows\System32\win32k.sys
2009-02-06 18:52 . 2009-02-06 18:52 49504 ----a-w c:\windows\System32\sirenacm.dll
2008-12-13 23:11 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2007-11-18 15:09 . 2007-11-18 15:09 150 ----a-w c:\users\Matthew\AppData\Roaming\wklnhst.dat
2007-10-21 21:05 . 2007-10-21 21:05 95 ----a-w c:\users\Matthew\AppData\Local\fusioncache.dat
2008-11-24 14:03 . 2007-09-24 18:46 16384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-11-24 14:03 . 2007-09-24 18:46 32768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-11-24 14:03 . 2007-09-24 18:46 16384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-25_00.24.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-05-09 23:18 . 2009-04-26 01:29 83378 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-04-26 01:29 77016 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-09-03 11:47 . 2009-04-26 01:29 14816 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1568780633-3694986773-2746263513-1000_UserData.bin
- 2007-11-24 01:24 . 2009-04-22 23:52 3118 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2007-11-24 01:24 . 2009-04-25 17:39 3118 c:\windows\System32\WDI\ERCQueuedResolutions.dat
- 2009-04-24 20:05 . 2009-04-24 20:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-04-26 01:27 . 2009-04-26 01:27 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-04-26 01:27 . 2009-04-26 01:27 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-04-24 20:05 . 2009-04-24 20:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2006-11-02 10:33 . 2009-04-24 20:40 631670 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-04-25 21:12 631670 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-04-25 21:12 112216 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-04-24 20:40 112216 c:\windows\System32\perfc009.dat
- 2006-11-02 12:47 . 2009-04-24 20:07 262144 c:\windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2006-11-02 12:47 . 2009-04-26 01:29 262144 c:\windows\ServiceProfiles\NetworkService\ntuser.dat
- 2006-11-02 12:47 . 2009-04-25 00:24 262144 c:\windows\ServiceProfiles\LocalService\ntuser.dat
+ 2006-11-02 12:47 . 2009-04-26 01:28 262144 c:\windows\ServiceProfiles\LocalService\ntuser.dat
+ 2007-02-28 13:21 . 2007-02-28 13:21 130472 c:\windows\Downloaded Program Files\MineSweeper.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-10 1232896]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-02-16 151552]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"Google Update"="c:\users\Matthew\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-04-22 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-05-04 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-04 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-04 81920]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-13 457728]
"eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-04-27 1286144]
"PLFSet"="c:\windows\PLFSet.dll" [2007-03-10 45056]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2007-05-04 502544]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2007-05-03 206952]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-02-16 151552]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 57344]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"IaNvSrv"="c:\program files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe" [2007-03-13 33048]
"MediaBarFileManager"="c:\program files\On Demand Distribution\OD2 Music Manager\OD2MediaBar_VistaFileManager.exe" [2007-06-25 30024]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-02-06 201992]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-09 865840]
"MSConfig"="c:\windows\system32\msconfig.exe" [2006-11-02 222208]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-05-10 4468736]
"Skytel"="Skytel.exe" - c:\windows\SkyTel.exe [2007-05-07 1826816]

c:\users\Matthew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2007-7-23 1208320]
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-5-10 535336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd.dll c:\progra~1\KASPER~1\KASPER~1\adialhk.dll c:\progra~1\KASPER~1\KASPER~1\kloehk.dll eNetHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E30A7207-0C49-464A-A2BD-D500B91DCDB9}"= c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe
"{120133B6-32D8-444B-9535-B9715C450D9F}"= c:\program files\Acer Arcade Deluxe\DVDivine\DVDivine.exe:DVDivine
"{8FB486AE-A211-42F3-B901-E9C5FEDDB00E}"= c:\program files\Acer Arcade Deluxe\VideoMagician\VideoMagician.exe:VideoMagician
"{B8D85C9E-2380-4824-BDCF-7D36CACC7B4C}"= c:\program files\Acer Arcade Deluxe\HomeMedia\HomeMedia.exe:HomeMedia
"{F54AFDD9-4072-4B70-A0E5-6AED010D45D7}"= c:\program files\Acer Arcade Deluxe\DV Wizard\DV Wizard.exe:DV Wizard
"{642B9AB6-EC6D-40D7-A7FD-2FBA1100F47D}"= c:\program files\Acer Arcade Deluxe\Play Movie\PlayMovie.exe:Play Movie
"{5C7A7DF1-A338-4CD3-96E3-311ADD053850}"= c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe:Play Movie Resident Program
"{C80972B0-6FA4-44DB-8F60-8EDB66A3842C}"= c:\program files\Acer\Acer VCM\VC.exe:Acer VCM
"{542DCBA6-AB98-4F37-AA71-DEA07411CF0C}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{E38E082E-981F-4EAF-81AD-D2241DD88430}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{80147FFB-5F0C-4231-807F-37B5C21219A2}"= Disabled:UDP:c:\program files\MySpace\IM\MySpaceIM.exe:MySpaceIM
"{B716F8D6-4170-4691-BE9F-03D12831EF87}"= Disabled:TCP:c:\program files\MySpace\IM\MySpaceIM.exe:MySpaceIM
"{9D951E5C-13B2-4FA1-B418-A12195289B1A}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{FDAD9BBE-B3B7-4BFE-9AD7-AEEE4B87B247}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{E2A3CEF3-C86A-46B6-B3AC-CCA59EBCDBAA}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{07E96D0A-3AD9-4EFB-B994-0CBDC491503F}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 iaNvStor;Intel® Turbo Memory Technology NAND Controller;c:\windows\system32\DRIVERS\iaNvStor.sys [2007-03-11 210432]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-02-08 179712]
R3 YMIDUSBW;Yamaha USB-MIDI Driver (WDM);c:\windows\system32\drivers\ymidusbw.sys [2007-02-26 32720]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-02-06 33808]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2008-03-26 20496]
S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [2006-11-02 23:51 13560]
S2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [2007-01-26 50688]
S3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
S3 winbondcir;Winbond IR Transceiver;c:\windows\system32\DRIVERS\winbondcir.sys [2007-04-19 43008]

.
Contents of the 'Scheduled Tasks' folder

2009-04-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1568780633-3694986773-2746263513-1000.job
- c:\users\Matthew\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-22 19:16]

2009-04-25 c:\windows\Tasks\User_Feed_Synchronization-{2E682788-E4A7-4FCC-A577-DE4C2AB16339}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\j5dmwvv3.default\
FF - plugin: c:\users\Matthew\AppData\Local\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-26 02:30
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(6072)
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\BatchCrypto.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\keyManager.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\System32\drivers\XAudio.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\Launch Manager\QtZgAcer.EXE
c:\users\Matthew\AppData\Local\Temp\RtkBtMnt.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\acer\Empowering Technology\eNet\eNMTray.exe
c:\acer\Empowering Technology\ePower\ePower_DMC.exe
c:\acer\Empowering Technology\Acer.Empowering.Framework.Supervisor.exe
c:\program files\Acer\Acer VCM\acp2HID.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-04-26 2:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-26 01:33
ComboFix2.txt 2009-04-25 00:25

Pre-Run: 8,233,586,688 bytes free
Post-Run: 8,000,966,656 bytes free

282 --- E O F --- 2009-04-23 20:50
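
The REGEDIT4-style "Reg Loading Points" section of the ComboFix log above records the settings a reviewer checks first when an antivirus keeps nagging and Windows Security Center says nothing: the `DisableMonitoring`, `*Override` and `*DisableNotify` values under the security center key, and `EnableFirewall` for each firewall profile. The following is an added example, written for this thread and not code from ComboFix or from anyone in the thread, that parses that layout with Python's standard library and flags every value that silences Security Center or turns a firewall profile off. The sample input is constructed from lines in the posted log, with one profile changed to enabled to show the negative case.

```python
import re

# Constructed excerpt in the REGEDIT4 layout that ComboFix uses for its
# "Reg Loading Points" section; modelled on the log in this thread, not the
# whole log. Values are written exactly as ComboFix prints them.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-10 1232896]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_reg_dump(text):
    """Return {key_path: {value_name: raw_value_text}} for a REGEDIT4-style dump.

    Lines that are neither a [key] header nor a "name"=value pair are ignored,
    which skips ComboFix's banner and blank lines.
    """
    keys = {}
    current = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            keys[current][value_match.group(1)] = value_match.group(2)
    return keys


def reg_int(raw):
    """Interpret 'dword:00000001' or '0 (0x0)' as an integer; None if neither."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    match = re.match(r"^(\d+)\b", raw)
    return int(match.group(1)) if match else None


def security_center_findings(text):
    """Flag Security Center settings that silence or override its monitoring,
    and firewall profiles that are switched off.

    Returns a sorted list of (last_key_component, value_name) pairs.
    """
    findings = set()
    for key, values in parse_reg_dump(text).items():
        key_lower = key.lower()
        leaf = key.rsplit("\\", 1)[-1]
        if "security center" in key_lower:
            for name, raw in values.items():
                silencing = (name == "DisableMonitoring"
                             or name.endswith("Override")
                             or name.endswith("DisableNotify"))
                if silencing and reg_int(raw) == 1:
                    findings.add((leaf, name))
        elif ("firewallpolicy" in key_lower
              and reg_int(values.get("EnableFirewall", "")) == 0):
            findings.add((leaf, "EnableFirewall"))
    return sorted(findings)


if __name__ == "__main__":
    for leaf, name in security_center_findings(SAMPLE_LOG):
        print(f"{leaf}: {name}")
```

Run against the real log pasted in this thread, the same function would list the disabled monitoring entries for Kaspersky and the Symantec leftovers, the three `*Override` values and all three firewall profiles with `EnableFirewall` at 0, which is the state Farbar goes on to correct by hand.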

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:18 PM

Posted 26 April 2009 - 04:21 AM

  • Please apply Windows Disk Cleanup to clean all the temporary folders:
    • Click start and select run.
    • Type or copy and paste cleanmgr into run box and click OK.
    • It shows C drive to be cleaned, click OK.
    • Check the boxes next to all the items, the next time you may uncheck any item you don't want to clean. Click OK.
    • A window pops up, click Yes to confirm.
  • Delete ATF-Cleaner from your desktop.
    This small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (Make sure that under the Windows tab all the boxes for Internet Explorer and Windows Explorer are checked. Under System, check Empty Recycle Bin and Temporary Files. Under the Application tab, all the boxes should be checked.)
    • Click Run Cleaner.
    • Close CCleaner.
  • Now please tell me how is the computer behaving.


#9 Bromers

Bromers
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:05:18 PM

Posted 26 April 2009 - 11:33 AM

I have done all the scans, and it removed a certain amount of files etc.

I still have only 7.47GB of space on my C drive, with no apparent reason or whereabouts of this data, and it is still slowly going down :S

I haven't had to redo updates on the Kaspersky today, but will let you know if any changes occur.

Bromers

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:18 PM

Posted 26 April 2009 - 01:29 PM

Hi Bromers,

In the space between the first and the second run of ComboFix there is no unusual file addition.
  • To make sure there is no problem with the disk space allocation, please perform a check disk as instructed here:

    http://www.windows-help-central.com/window...sta-chkdsk.html

    It might take quite long to perform. You don't have to sit there, as the time taken might vary from a couple of hours to a whole day depending on the errors found and the amount of used space. You may initiate it and leave it there to finish.

  • After the disk check is finished and the Windows started go to Start => Run => type eventvwr in the run box and click OK.
    Go to the Applications section and search for the Winlogon entry (in the Source column; click on it to sort the items alphabetically) that corresponds to when you ran the check disk. Double-click that entry and you'll find the scan's results there; click the third button on the right (this copies the info into memory), then right-click => paste it here.


#11 Bromers

Bromers
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:05:18 PM

Posted 26 April 2009 - 03:41 PM

After doing the scan I was asked once again to update my Kaspersky a/v.

There were more than items of Winlogon for today. They all seemed to be either Event ID 6000 or Event ID 4101.

Log Name: Application
Source: Microsoft-Windows-Winlogon
Date: 26/04/2009 21:22:02
Event ID: 6000
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: Matthew-PC
Description:
The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Winlogon" Guid="{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}" EventSourceName="Wlclntfy" />
<EventID Qualifiers="32768">6000</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-04-26T20:22:02.000Z" />
<EventRecordID>50751</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>Matthew-PC</Computer>
<Security />
</System>
<EventData>
<Data>SessionEnv</Data>
<Binary>D9060000</Binary>
</EventData>
</Event>
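
The entry pasted above is the standard Windows event XML that Event Viewer's copy button produces, and the same shape comes out of `wevtutil` exports, so it is worth having a small parser for it rather than reading blobs by eye. The following is an added example for this thread, not code from Microsoft or from anyone posting here: it parses one event with Python's standard ElementTree, handling the `http://schemas.microsoft.com/win/2004/08/events/event` namespace that makes naive `find("System")` calls return nothing, and filters by provider and event ID the way you would when picking the Winlogon 6000 and 4101 entries mentioned above out of a larger export. The sample event is constructed from the one posted.

```python
import xml.etree.ElementTree as ET

# Namespace declared on the <Event> root of every Windows event XML blob.
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample, modelled on the Winlogon event posted in this thread.
SAMPLE_EVENT = """\
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Winlogon" Guid="{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}" EventSourceName="Wlclntfy" />
<EventID Qualifiers="32768">6000</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-04-26T20:22:02.000Z" />
<EventRecordID>50751</EventRecordID>
<Channel>Application</Channel>
<Computer>Matthew-PC</Computer>
</System>
<EventData>
<Data>SessionEnv</Data>
<Binary>D9060000</Binary>
</EventData>
</Event>
"""


def parse_event(xml_text):
    """Extract the fields a triage note needs from one Windows event XML blob."""
    root = ET.fromstring(xml_text)
    # Every child lives in the event namespace, so each lookup needs the prefix.
    system = root.find("e:System", EVENT_NS)
    if system is None:
        raise ValueError("not a Windows event: missing <System> element")

    def child_text(tag, default=None):
        node = system.find(f"e:{tag}", EVENT_NS)
        return node.text.strip() if node is not None and node.text else default

    provider = system.find("e:Provider", EVENT_NS)
    time_created = system.find("e:TimeCreated", EVENT_NS)
    binary_hex = root.findtext("e:EventData/e:Binary", default="", namespaces=EVENT_NS)
    return {
        "provider": provider.get("Name") if provider is not None else None,
        "event_id": int(child_text("EventID", "0")),
        "level": int(child_text("Level", "0")),
        "keywords": int(child_text("Keywords", "0x0"), 16),
        "time_created": time_created.get("SystemTime") if time_created is not None else None,
        "record_id": int(child_text("EventRecordID", "0")),
        "channel": child_text("Channel"),
        "computer": child_text("Computer"),
        # <Data> elements are the provider-specific insertion strings.
        "data": [d.text or "" for d in root.findall("e:EventData/e:Data", EVENT_NS)],
        # <Binary> is hex text; keep the raw bytes, its meaning is provider-specific.
        "binary": bytes.fromhex(binary_hex.strip()),
    }


def matches(event, provider, event_ids):
    """True if the parsed event came from `provider` with an ID in `event_ids`."""
    return event["provider"] == provider and event["event_id"] in set(event_ids)


if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    wanted = matches(ev, "Microsoft-Windows-Winlogon", {6000, 4101})
    print(ev["time_created"], ev["provider"], ev["event_id"], ev["data"], wanted)
```

To go through a whole export rather than one pasted entry, split the file on `</Event>` boundaries (or iterate a `<Events>` wrapper with `findall`) and apply `parse_event` and `matches` to each piece; filtering on provider and ID up front is what keeps the 6000/4101 noise apart from the entry you actually want to read.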

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:18 PM

Posted 26 April 2009 - 04:33 PM

Doesn't Kaspersky update automatically?

#13 Bromers

Bromers
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:05:18 PM

Posted 26 April 2009 - 04:58 PM

Well it's meant to, but since I've started having problems, it sometimes comes up with a message "Databases are obsolete" and prompts me to update, which I do, but it keeps doing it.

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:18 PM

Posted 26 April 2009 - 05:21 PM

We are going to remove a Symantec leftover and enable monitoring of Kaspersky by Windows Security Center.

Go to start > Run copy and paste the following lines one by one in the run box and click OK after each line:

sc delete CLTNetCnService
cmd /c reg delete "HKLM\software\microsoft\security center\Monitoring\KasperskyAntiVirus" /v DisableMonitoring /f


A window flashes; that is normal.

I think a repair install of Kaspersky might solve the problem. That could be done via Programs and Features, but instead of uninstalling you select Change and then select Repair. If not, you may consider uninstalling and reinstalling Kaspersky, or opening a topic at the Kaspersky forum.

#15 Bromers

Bromers
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:05:18 PM

Posted 26 April 2009 - 06:06 PM

Okay, I did the two run sequences. I attempted to do the Kaspersky repair, but can't find the disk needed to do it. If I remember rightly, when we upgraded we did an online upgrade. I'll go to the Kaspersky forum now.

Do you have any idea where my space can be? There's honestly not that amount of data that I've put on there. I've hovered over everything in there, and seem to be able to account for only about 5GB max, and I know Vista's about 15.. but where the other 43GB is, I haven't a clue.. =/



