Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

persistent malware.. Malwarebytes Antimalware unable to get rid of it despit repeated tries and restarts


  • This topic is locked This topic is locked
14 replies to this topic

#1 lvanimegrl

lvanimegrl

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:48 PM

Posted 11 May 2009 - 12:11 AM

IE has been acting slow and has a popups.. I can open google but any site after that I get redirected to has an ad geared directly to whatever I was just searching.. Firefox is usable but I sometiimes get popups.. I usually use google chrome but recently it has slowed down and frozen on screens and the tab never finishes loading..
Also a yellow "!" triangle appears on my lower right side bar.. It tells me I have infections on my computer. I dont trust it however because sometimes multiple will appear in the corner at the same time. Also the picture doesnt look official to me since its distorted and blurry..
Whenever I run Malwarebytes Anti-Malware it gives me a list of my infections, I go through the normal procedure of deleting them, then it tells me to restart for the changes to take effect, and then I click yes and the computer restarts. However on startup when I rerun the program I still have infections on the computer.
I see the "blue screen of death" much more frequently now (im not sure if this is applicable).. just in the past 24 hours its happened at least 15 times..

Thanks for your help!

DDS:

DDS (Ver_09-03-16.01) - FAT32x86
Run by Clifford at 0:54:37.90 on Mon 05/11/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.895.417 [GMT -4:00]


============== Running Processes ===============

C:WINDOWSsystem32svchost -k DcomLaunch
SVCHOST.EXE
C:WINDOWSSystem32svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:Program FilesLavasoftAd-Awareaawservice.exe
C:WINDOWSExplorer.EXE
C:WINDOWSehomeehtray.exe
C:WINDOWSsystem32RUNDLL32.EXE
C:WINDOWSRTHDCPL.EXE
C:Program FilesSynapticsSynTPSynTPEnh.exe
C:WINDOWSeHomeehmsas.exe
C:PROGRA~1LAUNCH~1LManager.exe
C:AcerEmpowering TechnologyePowerePower_DMC.exe
C:AcerEmpowering TechnologyePresentationePresentation.exe
C:AcerEmpowering TechnologyeDataSecurityeDSloader.exe
C:AcerEmpowering TechnologyeRecoveryeRAgent.exe
C:WINDOWSBUtilityBarBisonBar.exe
C:Program FilesJavajre6binjusched.exe
C:Program FilesMicrosoft OfficeOffice12GrooveMonitor.exe
C:WINDOWSTempminisvr4.exe
C:Program FilesiTunesiTunesHelper.exe
C:Program FilesMessengermsmsgs.exe
C:WINDOWSsystem32ctfmon.exe
C:Documents and SettingsClifford.ACER-47253A5CC0Local SettingsApplication DataGoogleUpdateGoogleUpdate.exe
C:Program FilesDNAbtdna.exe
C:DOCUME~1CLIFFO~1.ACELOCALS~1Temp639374824.exe
C:Documents and SettingsClifford.ACER-47253A5CC0Application Datapidlepidle.exe
C:Documents and SettingsClifford.ACER-47253A5CC0Application Datadigifastdigifast.exe
C:Documents and SettingsClifford.ACER-47253A5CC0Application DataMicrosofttmfwr.exe
C:AcerEmpowering TechnologyeLockMonitorLockMon.exe
C:AcerEmpowering TechnologyAcer.Empowering.Framework.Launcher.exe
C:WINDOWSsystem32spoolsv.exe
C:DOCUME~1CLIFFO~1.ACELOCALS~1TempRtkBtMnt.exe
C:AcerEmpowering TechnologyePerformanceMemCheck.exe
C:Documents and SettingsClifford.ACER-47253A5CC0Local SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
C:Program FilesBonjourmDNSResponder.exe
C:WINDOWSeHomeehRecvr.exe
C:WINDOWSeHomeehSched.exe
C:Program FilesJavajre6binjqs.exe
C:Program FilesCommon FilesLightScribeLSSrvc.exe
C:AcerEmpowering TechnologyeLockLockServ.exe
C:Program FilesCommon FilesMicrosoft SharedVS7DEBUGmdm.exe
C:WINDOWSsystem32nvsvc32.exe
C:WINDOWSsystem32rpcnet.exe
SVCHOST.EXE
C:WINDOWSsystem32svchost.exe -k imgsvc
C:Program FilesiPodbiniPodService.exe
C:WINDOWSsystem32wbemwmiapsrv.exe
C:WINDOWSsystem32dllhost.exe
C:WINDOWSsystem32wbemunsecapp.exe
C:WINDOWSSystem32svchost.exe -k HTTPFilter
C:Documents and SettingsClifford.ACER-47253A5CC0Local SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and SettingsClifford.ACER-47253A5CC0Local SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and SettingsClifford.ACER-47253A5CC0Local SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and SettingsClifford.ACER-47253A5CC0Local SettingsApplication DataGoogleChromeApplicationchrome.exe
C:Documents and SettingsClifford.ACER-47253A5CC0My DocumentsDownloadsdds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://global.acer.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
BHO: {C2BA40A1-74F3-42BD-F434-12345A2C8953} - No File
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:windowssystem32eDStoolbar.dll
EB: DF Bar: {67fcef90-073e-11de-8c30-0800200c9a66} - %SystemRoot%system32shdocvw.dll
uRun: [MSMSGS] "c:program filesmessengermsmsgs.exe" /background
uRun: [ctfmon.exe] c:windowssystem32ctfmon.exe
uRun: [Google Update] "c:documents and settingsclifford.acer-47253a5cc0local settingsapplication datagoogleupdateGoogleUpdate.exe" /c
uRun: [Vidalia] "c:documents and settingsclifford.acer-47253a5cc0my documentsdownloadsfirefoxportablevidalia bundlevidaliavidalia.exe"
uRun: [BitTorrent DNA] "c:program filesdnabtdna.exe"
uRun: [Diagnostic Manager] c:docume~1cliffo~1.acelocals~1temp639374824.exe
uRun: [prnet] "c:windowssystem32prnet.tmp"
uRun: [pidle] "c:documents and settingsclifford.acer-47253a5cc0application datapidlepidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
uRun: [DigiFast] c:documents and settingsclifford.acer-47253a5cc0application datadigifastdigifast.exe
uRun: [SfKg6wIPuSpdc] c:documents and settingsclifford.acer-47253a5cc0application datamicrosofttmfwr.exe
mRun: [ehTray] c:windowsehomeehtray.exe
mRun: [preload] c:windowsRUNXMLPL.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:windowssystem32NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:windowssystem32NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:program filesrealtekinstallshieldAzMixerSel.exe
mRun: [SynTPEnh] c:program filessynapticssyntpSynTPEnh.exe
mRun: [ntiMUI] c:program filesnewtech infosystemsnti cd & dvd-maker 7ntiMUI.exe
mRun: [<NO NAME>]
mRun: [IMJPMIG8.1] "c:windowsimeimjp8_1IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:windowssystem32imepintlgntImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:windowssystem32imetintlgntTINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:windowssystem32imetintlgntTINTSETP.EXE /IMEName
mRun: [LManager] c:progra~1launch~1LManager.exe
mRun: [ePower_DMC] c:acerempowering technologyepowerePower_DMC.exe
mRun: [Boot] c:acerempowering technologyepowerBoot.exe
mRun: [Acer ePresentation HPD] c:acerempowering technologyepresentationePresentation.exe
mRun: [eLockMonitor] c:acerempowering technologyelockmonitorLaunchMonitor.exe
mRun: [eDataSecurity Loader] c:acerempowering technologyedatasecurityeDSloader.exe 1
mRun: [eRecoveryService] c:acerempowering technologyerecoveryeRAgent.exe
mRun: [BisonBar] c:windowsbutilitybarBisonBar.exe
mRun: [WarReg_PopUp] c:acerwr_popupWarReg_PopUp.exe /idle
mRun: [SunJavaUpdateSched] "c:program filesjavajre6binjusched.exe"
mRun: [GrooveMonitor] "c:program filesmicrosoft officeoffice12GrooveMonitor.exe"
mRun: [QuickTime Task] "c:program filesquicktimeqttask.exe" -atboottime
mRun: [Java Load] c:windowstempminisvr4.exe
mRun: [prnet] "c:windowssystem32prnet.tmp"
mRun: [iTunesHelper] "c:program filesitunesiTunesHelper.exe"
mRun: [AppleSyncNotifier] c:program filescommon filesapplemobile device supportbinAppleSyncNotifier.exe
dRun: [Windows Update Utility] ?globalrootsystemrootsystem32vfhr.exe
dRun: [Java Syncro] c:windowstempzchMiB.exe
dRun: [nDler2] ?globalrootsystemrootsystem32nDler2.exe
dRun: [InetChk] c:windowstempms1238874013.exe work
dRun: [<NO NAME>] c:windowstempdyc1mod.exe
dRun: [Windows Resurections] c:windowstempqrk8l3iw.exe
dRun: [Diagnostic Manager] c:windowstemp2717454516.exe
dRun: [autochk] rundll32.exe c:windowssystem32configsystem~1protect.dll,_IWMPEvents@16
dRun: [uidenhiufgsduiazghs] c:windowstempdyc1mod.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartupadober~1.lnk - c:program filesadobeacrobat 7.0readerreader_sl.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartupacerem~1.lnk - c:acerempowering technologyAcer.Empowering.Framework.Launcher.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartupprivoxy.lnk - c:documents and settingsclifford.acer-47253a5cc0my documentsdownloadsfirefoxportablevidalia bundleprivoxyprivoxy.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:progra~1micros~4office12EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%Network Diagnosticxpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:program filesmessengermsmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:progra~1micros~4office12ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:progra~1micros~4office12REFIEBAR.DLL
LSP: c:docume~1templocals~1tempntdll64.dll
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:progra~1micros~4office12GR99D3~1.DLL
AppInit_DLLs: qxlync.dll uxqdsp.dll bqaoqq.dll fpqizg.dll jedilp.dll nohmoz.dll wklimb.dll mangnd.dll ,
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:windowssystem32WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:progra~1micros~4office12GRA8E1~1.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

================= FIREFOX ===================

FF - ProfilePath - c:docume~1cliffo~1.aceapplic~1mozillafirefoxprofileslewzclm5.default
FF - component: c:program filesmozilla firefoxcomponentsdfff.dll
FF - component: c:program filesmozilla firefoxcomponentsWWShow.dll
FF - plugin: c:documents and settingsclifford.acer-47253a5cc0application datamozillafirefoxprofileslewzclm5.defaultextensionsmoveplayer@movenetworks.complatformwinnt_x86-msvcpluginsnpmnqmp071303000004.dll
FF - plugin: c:documents and settingsclifford.acer-47253a5cc0local settingsapplication datagoogleupdate1.2.145.5npGoogleOneClick8.dll
FF - plugin: c:program filesmozilla firefoxpluginsnpbittorrent.dll
FF - HiddenExtension: XUL Cache: {E752F6B9-DFFF-4C5B-8EC1-9787BF92E431} - c:documents and settingscliffordlocal settingsapplication data{E752F6B9-DFFF-4C5B-8EC1-9787BF92E431}

============= SERVICES / DRIVERS ===============

R2 aawservice;Lavasoft Ad-Aware Service;c:program fileslavasoftad-awareaawservice.exe [2008-9-10 611664]
R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;c:windowssystem32eLock2BurnerLockDriver.sys [2008-10-26 17664]
R2 eLock2FSCTLDriver;eLock2FSCTLDriver;c:windowssystem32eLock2FSCTLDriver.sys [2008-10-26 90112]
R2 LockServ;LockServ;c:acerempowering technologyelocklockserv.exe -p --> c:acerempowering technologyelockLockServ.exe -p [?]
R2 McrdSvc;Media Center Extender Service;c:windowsehomemcrdsvc.exe [2005-8-5 99328]
S0 ulfnzjxv;ulfnzjxv;c:windowssystem32driverssximkqya.sys []
S1 913269d8;913269d8;c:windowssystem32drivers913269d8.sys [2009-3-27 96750]
S1 d9dd527a;d9dd527a;c:windowssystem32driversd9dd527a.sys [2009-3-27 95342]
S3 botdrv;botdrv;??c:windowssystem32driver.sys --> c:windowssystem32driver.sys [?]
S3 epindd;epindd;c:windowssystem32driversEPINDD.SYS [2008-10-26 8448]

=============== Created Last 30 ================

2009-05-09 23:59 27,648 a------- c:windowssystem32lmn_setup.exe
2009-05-09 15:50 34 a------- c:documents and settingsclifford.acer-47253a5cc0jagex_runescape_preferences.dat
2009-05-01 20:54 22,538 a------- c:windowssystem32lmppcsetup.exe
2009-04-27 23:52 <DIR> --d----- c:program filesiPod
2009-04-27 23:52 <DIR> --d----- c:program filesiTunes
2009-04-27 23:52 <DIR> --d----- c:docume~1alluse~1applic~1{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-27 19:53 29,696 a------- c:windowssystem32loader49.exe
2009-04-24 22:34 <DIR> --d----- c:docume~1cliffo~1.aceapplic~1digifast
2009-04-24 22:29 <DIR> --d----- c:docume~1cliffo~1.aceapplic~1Twain
2009-04-24 22:24 <DIR> --d----- c:program filesWWShow
2009-04-24 22:19 <DIR> --d----- c:program filesJcore
2009-04-23 22:13 <DIR> --d----- c:docume~1cliffo~1.aceapplic~1pidle
2009-04-23 22:13 35,328 a------- c:windowssystem32prnet.tmp
2009-04-23 17:59 100 a------- C:xcrashdump.dat
2009-04-23 17:51 39,936 a------- c:windowssystem32winglsetup.exe
2009-04-22 18:38 0 a------- C:E.tmp
2009-04-22 18:38 0 a------- C:D.tmp
2009-04-22 18:38 0 a------- C:C.tmp
2009-04-22 18:38 0 a------- C:B.tmp
2009-04-22 18:38 0 a------- C:A.tmp
2009-04-22 18:38 0 a------- C:9.tmp
2009-04-22 18:38 38 a------- C:8.tmp
2009-04-22 18:38 0 a------- C:7.tmp
2009-04-22 18:38 0 a------- C:6.tmp
2009-04-22 18:37 38 a------- C:5.tmp
2009-04-22 18:37 52,736 a------- C:4.tmp
2009-04-22 18:37 21,504 a------- C:3.tmp
2009-04-18 13:14 17,920 a------- c:windowssystem32ak1.exe
2009-04-16 00:20 <DIR> --d----- c:docume~1cliffo~1.aceapplic~1BitTorrent
2009-04-16 00:19 <DIR> --d----- c:program filesBitTorrent
2009-04-16 00:19 <DIR> --d----- c:docume~1cliffo~1.aceapplic~1DNA
2009-04-15 21:24 <DIR> --d----- c:docume~1cliffo~1.aceapplic~1mIRC
2009-04-14 14:17 41,808 a------- c:windowssystem32xfcodec.dll

==================== Find3M ====================

2009-05-11 00:45 17,408 a------- c:windowssystem32rpcnetp.exe
2009-05-11 00:45 47,104 a------- c:windowssystem32rpcnet.dll
2009-05-09 13:53 17,408 a------- c:windowssystem32rpcnetp.dll
2009-05-07 20:19 98,304 a------- c:windowsDUMP4ae3.tmp
2009-04-30 23:32 98,304 a------- c:windowsDUMP51e8.tmp
2009-04-23 22:13 51,200 a--sh--- c:windowssystem32fanenoto.exe
2009-04-23 18:21 84,045 a------- c:windowssystem32ftp_non_crp.exe
2009-04-21 18:25 98,304 a------- c:windowsDUMP4d16.tmp
2009-04-09 20:43 20,480 a------- c:windowssystem32nDler2.exe
2009-03-28 09:45 92,672 a------- c:windowssystem32GDIPFONTCACHEV1.DAT
2009-03-28 02:14 96,750 a------- c:windowssystem32drivers913269d8.sys
2009-03-28 02:14 95,342 a------- c:windowssystem32driversd9dd527a.sys
2009-03-27 20:54 43,008 a------- C:dxxrp.exe
2009-03-27 20:53 27,136 a------- C:vaybq.exe
2009-03-27 20:53 7,680 a------- C:ijmaxk.exe
2009-03-27 20:53 40,448 a------- C:liymwuq.exe
2009-03-27 17:11 79,872 a------- c:windowssystem32supamadi.dll
2009-03-27 17:07 182,912 a------- c:windowssystem32driversndis.sys
2009-03-27 17:07 182,912 a------- c:windowssystem32dllcachendis.sys
2009-03-27 17:06 43,008 a------- C:aoqckrns.exe
2009-03-27 17:06 27,136 a------- C:ajtbyh.exe
2009-03-27 17:06 7,680 a------- C:wicnin.exe
2009-03-27 17:06 40,448 a------- C:dmsiacq.exe
2009-03-27 17:06 9,216 a------- c:windowsinstsp2.exe
2009-03-27 16:59 2,713 ---sh--- c:windowssystem32kajazanu.dll
2009-03-25 18:55 33,280 a------- c:windowssystem32identprv.dll
2009-03-24 23:41 36,352 a------- c:windowssystem32gldx.exe
2009-03-24 17:31 40,448 a------- c:windowssystem32KuzSmall.exe
2009-03-24 17:16 42,496 a------- c:windowssystem32kuzSniper.exe
2009-03-24 17:01 477,266 a------- c:windowssystem32vfhr.exe
2009-03-24 17:01 45,056 a------- c:windowssystem32dLer.exe
2009-03-24 16:46 124,928 a--sh--- c:windowssystem32towosuko.dll
2009-03-24 16:46 124,928 a--sh--- c:windowssystem32mangnd.dll
2009-03-23 23:52 124,928 a--sh--- c:windowssystem32wisepale.dll
2009-03-23 23:52 124,928 a--sh--- c:windowssystem32ljjhih.dll
2009-03-19 16:32 23,400 a------- c:windowssystem32driversGEARAspiWDM.sys
2009-03-05 23:59 1,900,544 a------- c:windowssystem32usbaaplrc.dll
2009-03-04 20:44 98,304 a------- c:windowsDUMP665b.tmp
2009-02-24 16:58 104,960 a------- c:windowssystem32userinit.exe
2009-02-24 16:58 104,960 a------- c:windowssystem32dllcacheuserinit.exe
2009-02-22 17:25 125,440 a------- c:windowssystem32yrbyyh.dll
2009-02-22 17:25 125,440 a------- c:windowssystem32xyeljjfq.dll
2009-02-22 16:19 47,104 a------- c:windowssystem32rpcnet.exe
2009-02-22 14:26 98,304 a------- c:windowsDUMP5236.tmp

============= FINISH: 0:55:10.78 ===============

This is the MBAM log I did BEFORE I ran the above DDS scans.. not sure if it would be helpfull..

I also checked my previous logs.. All of the below infections have already "supposedly" been quaranteened and deleted before..

Malwarebytes' Anti-Malware 1.34
Database version: 1814
Windows 5.1.2600 Service Pack 2

5/11/2009 12:11:26 AM
mbam-log-2009-05-11 (00-11-26).txt

Scan type: Full Scan (C:|D:|E:|)
Objects scanned: 171184
Time elapsed: 22 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:WINDOWSsystem32autochk.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunautochk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRunautochk (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonUserinit (Trojan.Agent) -> Data: c:windowssystem32userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonUserinit (Trojan.Agent) -> Data: system32userinit.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystemDisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionPoliciesExplorerNoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:WINDOWSsystem32autochk.dll (Trojan.Agent) -> Delete on reboot.
C:Documents and SettingsLocalServiceprotect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:Documents and SettingsClifford.ACER-47253A5CC0protect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:Documents and SettingsClifford.ACER-47253A5CC0Start MenuProgramsStartupChkDisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:Documents and SettingsClifford.ACER-47253A5CC0Start MenuProgramsStartupChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Merged posts. ~ OB

Attached Files


Edited by Orange Blossom, 16 May 2009 - 08:43 PM.


BC AdBot (Login to Remove)

 


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,113 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:02:48 PM

Posted 26 May 2009 - 01:05 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.


animinionsmalltext.gif

#3 lvanimegrl

lvanimegrl
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:48 PM

Posted 26 May 2009 - 02:50 PM

I am unable to make the DDs report! I tried with both both links provided. When I click dds it opens and gives me the opening infor but before it begins to check, my computer goes to a blue screen then shuts down and restarts.

Since my fist post alot of changes were made. For a while i was unable to run any program and it would call it "corrutped". I was told how I could bypass this by restarting the computer in safe mode with networking.
After I ran Malwarebytes anti-malware while in safe mode and it restarted the computer seemed to be malware free. That was up until my computer restarted again and now I have a false antimalware program called "Malware Doctor" which continues to come back despite my frequent runs of MBAM. I am getting alot of warnings to run chkdsk since things are corrupted.
Also, I am unable to use any of my previous internet programs. Whenever I start Google Chrome, FireFox or internet explorer they say they are not connected to the internet. But I downloaded Portable Firefox and that works fine on this computer.



This is my last MBAM test I ran:
Malwarebytes' Anti-Malware 1.34
Database version: 1814
Windows 5.1.2600 Service Pack 2

3/28/2009 5:19:01 PM
mbam-log-2009-03-28 (17-18-58).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 149210
Time elapsed: 20 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\TEMP\Local Settings\Temp\ntdll64.dll (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Clifford.ACER-47253A5CC0\Local Settings\Temp\ntdll64.dll (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\TEMP\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Clifford.ACER-47253A5CC0\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> No action taken.

THANKS!!!!!!

Edited by lvanimegrl, 26 May 2009 - 02:56 PM.


#4 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,113 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:02:48 PM

Posted 26 May 2009 - 03:00 PM

Hello there,

That was clever of you to try Portable Firefox. I'm glad that worked for you. Since you cannot get DDS to run, please try this:

Download RSIT by random/random and save it to your Desktop.
Note: You will need to run this tool while connected to the Internet so it can download HijackThis if it is not located on your system. If you get a warning from your firewall or other security programs regarding Rist attempting to contact the Internet, please allow the connection.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click on RSIT.exe to start the program.
  • If using Windows Vista, be sure to Run As Administrator.
  • Click Continue after reading the disclaimer screen.
  • Leave the drop down box set to default: "List/folders created or modified in the last 1 month (30 days).
  • When the scan is complete, a text file named log.txt will automatically open in Notepad.
  • Post the log as a response to this thread.
If RSIT did not work, let us know that too.

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.


animinionsmalltext.gif

#5 lvanimegrl

lvanimegrl
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:48 PM

Posted 26 May 2009 - 03:07 PM

Logfile of random's system information tool 1.06 (written by random/random)
Run by Clifford at 2009-05-26 16:06:00
Microsoft Windows XP Professional Service Pack 2
System drive C: has 12 GB (21%) free of 54 GB
Total RAM: 895 MB (56% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:06:04 PM, on 5/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\WINDOWS\BUtilityBar\BisonBar.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Documents and Settings\Clifford.ACER-47253A5CC0\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Acer\Empowering Technology\eLock\Monitor\LockMon.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\DOCUME~1\CLIFFO~1.ACE\LOCALS~1\Temp\RtkBtMnt.exe
C:\Acer\Empowering Technology\eLock\LockServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rpcnet.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Documents and Settings\Clifford.ACER-47253A5CC0\My Documents\Downloads\FirefoxPortable\FirefoxPortable.exe
C:\Documents and Settings\Clifford.ACER-47253A5CC0\My Documents\Downloads\FirefoxPortable\App\firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
\?\globalroot\C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\ld08.exe
\?\globalroot\C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\SYSDLL.exe
C:\Documents and Settings\Clifford.ACER-47253A5CC0\My Documents\Downloads\RSIT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\Clifford.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost:7171 *.local <local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: C:\WINDOWS\system32\sdjee3inf.dll - {c6c7b2a1-00f3-42bd-f434-00aaba2c8953} - C:\WINDOWS\system32\sdjee3inf.dll
O2 - BHO: Microsoft copyright - {f30b5e7e-cfbb-44fb-a947-226e5a7a4290} - jhxm32.dll (file missing)
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [eLockMonitor] C:\Acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 1
O4 - HKLM\..\Run: [BisonBar] C:\WINDOWS\BUtilityBar\BisonBar.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe /normal-run2
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\916653139.exe
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKLM\..\Run: [sysldtray] c:\windows\ld08.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Vidalia] "C:\Documents and Settings\Clifford.ACER-47253A5CC0\My Documents\Downloads\FirefoxPortable\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Clifford.ACER-47253A5CC0\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\916653139.exe
O4 - HKUS\S-1-5-18\..\Run: [Windows Update Utility] \\?\globalroot\systemroot\system32\vfhr.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Java Syncro] C:\WINDOWS\TEMP\zchMiB.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [nDler2] \\?\globalroot\systemroot\system32\nDler2.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\d7fo5f.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\d7fo5f.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\4230879148.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00FE1A1B.exe] C:\WINDOWS\TEMP\_A00FE1A1B.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SYSDLL] SYSDLL (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Windows Update Utility] \\?\globalroot\systemroot\system32\vfhr.exe (User 'Default user')
O4 - S-1-5-18 Startup: ChkDisk.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: Privoxy.lnk = C:\Documents and Settings\Clifford.ACER-47253A5CC0\My Documents\Downloads\FirefoxPortable\Vidalia Bundle\Privoxy\privoxy.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\docume~1\temp\locals~1\temp\ntdll64.dll' missing
O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} (LogMeIn Rescue Technician Console) - https://secure.logmeinrescue.com/TechConsol...scueControl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: qxlync.dll uxqdsp.dll bqaoqq.dll fpqizg.dll jedilp.dll nohmoz.dll wklimb.dll mangnd.dll ,
O22 - SharedTaskScheduler: gsf87hfunf98398jd - {C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - C:\WINDOWS\system32\sdjee3inf.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LockServ - Unknown owner - C:\Acer\Empowering Technology\eLock\LockServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\WINDOWS\system32\rpcnet.exe

--
End of file - 12259 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1465148375-2546929370-2795459751-1005.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c6c7b2a1-00f3-42bd-f434-00aaba2c8953}]
C:\WINDOWS\system32\sdjee3inf.dll - C:\WINDOWS\system32\sdjee3inf.dll [2009-05-24 15000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f30b5e7e-cfbb-44fb-a947-226e5a7a4290}]
Microsoft copyright - C:\WINDOWS\system32\jhxm32.dll [2009-05-26 29184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - Acer eDataSecurity Management - C:\WINDOWS\system32\eDStoolbar.dll [2006-03-08 106496]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-08-05 64512]
"preload"=C:\Windows\RUNXMLPL.exe [2005-05-19 32768]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-07-20 7581696]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2006-07-20 86016]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-07-21 16261632]
"SkyTel"=C:\WINDOWS\SkyTel.EXE [2006-05-16 2879488]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"AzMixerSel"=C:\Program Files\Realtek\InstallShield\AzMixerSel.exe [2005-06-11 53248]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2006-05-25 786521]
"ntiMUI"=C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe [2006-05-15 45056]
""= []
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-10 208952]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-10 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-10 455168]
"LManager"=C:\PROGRA~1\LAUNCH~1\LManager.exe [2006-08-08 634880]
"ePower_DMC"=C:\Acer\Empowering Technology\ePower\ePower_DMC.exe [2006-07-18 438272]
"Boot"=C:\Acer\Empowering Technology\ePower\Boot.exe [2006-03-15 579584]
"Acer ePresentation HPD"=C:\Acer\Empowering Technology\ePresentation\ePresentation.exe [2006-06-07 208896]
"eLockMonitor"=C:\Acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe [2006-03-31 16384]
"eDataSecurity Loader"=C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe [2006-03-17 345088]
"BisonBar"=C:\WINDOWS\BUtilityBar\BisonBar.exe [2006-09-08 245760]
"WarReg_PopUp"=C:\Acer\WR_PopUp\WarReg_PopUp.exe [2006-09-23 61440]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-11-29 136600]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2006-10-27 31016]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-01-05 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-04-02 342312]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2009-03-26 177472]
"Malware Doctor"=C:\Documents and Settings\LocalService\Application Data\916653139.exe [2009-05-26 96768]
"autochk"=C:\WINDOWS\system32\autochk.dll [2009-05-26 23552]
"sysldtray"=c:\windows\ld08.exe [2009-05-26 14848]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-08-04 1667584]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-10 15360]
"Vidalia"=C:\Documents and Settings\Clifford.ACER-47253A5CC0\My Documents\Downloads\FirefoxPortable\Vidalia Bundle\Vidalia\vidalia.exe []
"BitTorrent DNA"=C:\Program Files\DNA\btdna.exe [2009-04-16 321344]
"Google Update"=C:\Documents and Settings\Clifford.ACER-47253A5CC0\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-24 133104]
"Malware Doctor"=C:\Documents and Settings\LocalService\Application Data\916653139.exe [2009-05-26 96768]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Acer Empowering Technology.lnk - C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
Privoxy.lnk - C:\Documents and Settings\Clifford.ACER-47253A5CC0\My Documents\Downloads\FirefoxPortable\Vidalia Bundle\Privoxy\privoxy.exe

C:\Documents and Settings\Clifford.ACER-47253A5CC0\Start Menu\Programs\Startup
ChkDisk.dll
ChkDisk.lnk - C:\WINDOWS\system32\rundll32.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="qxlync.dll uxqdsp.dll bqaoqq.dll fpqizg.dll jedilp.dll nohmoz.dll wklimb.dll mangnd.dll , "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
gsf87hfunf98398jd - {C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - C:\WINDOWS\system32\sdjee3inf.dll [2009-05-24 15000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=1
"DisableTaskMgr"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=0
"NoSetActiveDesktop"=0
"NoActiveDesktopChanges"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoSetActiveDesktop"=
"NoActiveDesktopChanges"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"="C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:*:Disabled:Veoh Web Player "
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Xfire\Xfire.exe"="C:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire"
"C:\untitled folder 2\files\button1\haloce.exe"="C:\untitled folder 2\files\button1\haloce.exe:*:Enabled:Halo"
"C:\Program Files\Messenger\MSMSGS.EXE"="C:\Program Files\Messenger\MSMSGS.EXE:*:Enabled:Windows Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\EXPLORER.EXE"="C:\WINDOWS\EXPLORER.EXE:*:Enabled:Explorer"
"C:\WINDOWS\TEMP\zchMiB.exe"="C:\WINDOWS\TEMP\zchMiB.exe:*:Enabled:Windows Time Synchronization"
"C:\WINDOWS\Temp\minisvr4.exe"="C:\WINDOWS\Temp\minisvr4.exe:*:Enabled:WinSvrHost32"
"C:\WINDOWS\System32\SERVICES.EXE"="C:\WINDOWS\System32\SERVICES.EXE:*:Enabled:services"
"C:\WINDOWS\System32\LSASS.EXE"="C:\WINDOWS\System32\LSASS.EXE:*:Enabled:lsass"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
shell\AutoRun\command - RECYCLER\Iasass.exe
shell\open\command - RECYCLER\Iasass.exe


======List of files/folders created in the last 1 months======

2009-05-26 16:06:00 ----D---- C:\rsit
2009-05-26 15:53:16 ----D---- C:\WINDOWS\system32\sysloc
2009-05-26 15:53:16 ----A---- C:\WINDOWS\system32\SYSDLL.exe
2009-05-26 15:38:11 ----A---- C:\WINDOWS\system32\lmn_setup.exe
2009-05-26 15:35:57 ----HD---- C:\WINDOWS\PIF
2009-05-26 15:07:25 ----H---- C:\WINDOWS\ld08.exe
2009-05-26 15:07:25 ----A---- C:\487656.bat
2009-05-26 15:07:24 ----A---- C:\WINDOWS\system32\ser.exe
2009-05-26 14:52:24 ----ASH---- C:\WINDOWS\system32\autochk.dll
2009-05-24 23:27:29 ----A---- C:\63.tmp
2009-05-24 23:27:26 ----A---- C:\62.tmp
2009-05-24 23:27:20 ----A---- C:\61.tmp
2009-05-24 23:27:18 ----A---- C:\60.tmp
2009-05-24 23:27:15 ----A---- C:\5F.tmp
2009-05-24 23:27:12 ----A---- C:\5E.tmp
2009-05-24 23:27:09 ----A---- C:\5D.tmp
2009-05-24 23:27:06 ----A---- C:\5C.tmp
2009-05-24 23:27:06 ----A---- C:\5B.tmp
2009-05-24 23:27:06 ----A---- C:\5A.tmp
2009-05-24 23:27:03 ----A---- C:\59.tmp
2009-05-24 23:27:03 ----A---- C:\58.tmp
2009-05-24 23:27:03 ----A---- C:\57.tmp
2009-05-24 23:27:00 ----A---- C:\56.tmp
2009-05-24 23:27:00 ----A---- C:\55.tmp
2009-05-24 23:26:57 ----A---- C:\54.tmp
2009-05-24 23:26:54 ----A---- C:\53.tmp
2009-05-24 23:26:52 ----A---- C:\WINDOWS\system32\sdjee3inf.dll
2009-05-24 22:32:44 ----D---- C:\Avenger
2009-05-24 21:31:34 ----D---- C:\Documents and Settings\Clifford.ACER-47253A5CC0\Application Data\IObit
2009-05-24 21:31:18 ----A---- C:\52.tmp
2009-05-24 21:31:15 ----A---- C:\51.tmp
2009-05-24 21:31:12 ----A---- C:\50.tmp
2009-05-24 21:31:09 ----A---- C:\4F.tmp
2009-05-24 21:31:05 ----A---- C:\4E.tmp
2009-05-24 21:31:02 ----A---- C:\4D.tmp
2009-05-24 21:30:59 ----A---- C:\4C.tmp
2009-05-24 21:30:58 ----A---- C:\4B.tmp
2009-05-24 21:30:56 ----A---- C:\4A.tmp
2009-05-24 21:30:52 ----A---- C:\49.tmp
2009-05-24 21:30:51 ----A---- C:\48.tmp
2009-05-24 21:30:48 ----A---- C:\47.tmp
2009-05-24 21:30:48 ----A---- C:\46.tmp
2009-05-24 21:30:45 ----A---- C:\45.tmp
2009-05-24 21:30:44 ----A---- C:\44.tmp
2009-05-24 21:30:42 ----A---- C:\43.tmp
2009-05-24 21:30:39 ----A---- C:\42.tmp
2009-05-24 21:00:10 ----A---- C:\41.tmp
2009-05-24 21:00:08 ----A---- C:\40.tmp
2009-05-24 21:00:05 ----A---- C:\3F.tmp
2009-05-24 21:00:02 ----A---- C:\3E.tmp
2009-05-24 20:59:59 ----A---- C:\3D.tmp
2009-05-24 20:59:57 ----A---- C:\3C.tmp
2009-05-24 20:59:54 ----A---- C:\3B.tmp
2009-05-24 20:59:53 ----A---- C:\33.tmp
2009-05-24 20:59:51 ----A---- C:\32.tmp
2009-05-24 20:59:48 ----A---- C:\28.tmp
2009-05-24 20:59:47 ----A---- C:\27.tmp
2009-05-24 20:59:44 ----A---- C:\26.tmp
2009-05-24 20:59:41 ----A---- C:\24.tmp
2009-05-24 20:59:41 ----A---- C:\23.tmp
2009-05-24 20:59:38 ----A---- C:\22.tmp
2009-05-24 20:59:35 ----A---- C:\20.tmp
2009-05-24 20:24:42 ----A---- C:\WINDOWS\system32\lklf32.dll
2009-05-24 20:05:57 ----A---- C:\WINDOWS\ntbtlog.txt
2009-05-24 19:36:53 ----D---- C:\Program Files\Microsoft Games
2009-05-24 19:36:32 ----A---- C:\WINDOWS\system32\gdiplus.dll
2009-05-24 19:25:47 ----A---- C:\WINDOWS\system32\jhxm32.dll
2009-05-24 19:25:37 ----A---- C:\WINDOWS\system32\avast!Antivirus.exe
2009-05-24 18:23:34 ----A---- C:\3A.tmp
2009-05-24 18:23:29 ----A---- C:\39.tmp
2009-05-24 18:23:26 ----A---- C:\38.tmp
2009-05-24 18:23:23 ----A---- C:\37.tmp
2009-05-24 18:23:20 ----A---- C:\36.tmp
2009-05-24 18:23:17 ----A---- C:\35.tmp
2009-05-24 18:23:15 ----A---- C:\34.tmp
2009-05-24 18:23:12 ----A---- C:\30.tmp
2009-05-24 18:23:08 ----A---- C:\WINDOWS\OEWABLog.txt
2009-05-24 18:23:08 ----A---- C:\2F.tmp
2009-05-24 18:23:08 ----A---- C:\2E.tmp
2009-05-24 18:23:06 ----A---- C:\2D.tmp
2009-05-24 18:23:05 ----A---- C:\2C.tmp
2009-05-24 18:23:05 ----A---- C:\2B.tmp
2009-05-24 18:23:03 ----A---- C:\2A.tmp
2009-05-24 18:23:02 ----A---- C:\29.tmp
2009-05-24 18:22:59 ----A---- C:\25.tmp
2009-05-24 18:22:56 ----A---- C:\21.tmp
2009-05-24 17:15:01 ----A---- C:\1F.tmp
2009-05-24 17:14:55 ----A---- C:\1E.tmp
2009-05-24 17:14:52 ----A---- C:\1D.tmp
2009-05-24 17:14:49 ----A---- C:\1C.tmp
2009-05-24 17:14:47 ----A---- C:\1B.tmp
2009-05-24 17:14:44 ----A---- C:\1A.tmp
2009-05-24 17:14:41 ----A---- C:\19.tmp
2009-05-24 17:14:38 ----A---- C:\18.tmp
2009-05-24 17:14:38 ----A---- C:\17.tmp
2009-05-24 17:14:38 ----A---- C:\16.tmp
2009-05-24 17:14:35 ----A---- C:\15.tmp
2009-05-24 17:14:35 ----A---- C:\14.tmp
2009-05-24 17:14:35 ----A---- C:\13.tmp
2009-05-24 17:14:32 ----A---- C:\12.tmp
2009-05-24 17:14:32 ----A---- C:\11.tmp
2009-05-24 17:14:29 ----A---- C:\10.tmp
2009-05-24 17:14:26 ----A---- C:\F.tmp
2009-05-24 17:11:12 ----SHD---- C:\WINDOWS\CSC
2009-05-16 20:04:57 ----A---- C:\Documents and Settings\All Users\Application Data\96061246.ini
2009-05-16 20:04:17 ----D---- C:\Program Files\Common Files\Adobe
2009-05-12 20:57:05 ----D---- C:\Documents and Settings\Clifford.ACER-47253A5CC0\Application Data\Adobe
2009-05-09 15:49:54 ----D---- C:\Documents and Settings\Clifford.ACER-47253A5CC0\Application Data\Sun
2009-04-29 17:19:22 ----A---- C:\WINDOWS\system32\xfcodec.dll
2009-04-27 23:52:52 ----D---- C:\Program Files\iPod
2009-04-27 23:52:50 ----D---- C:\Program Files\iTunes
2009-04-27 23:52:50 ----D---- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-27 23:44:57 ----D---- C:\Program Files\Safari

======List of files/folders modified in the last 1 months======

2009-05-26 15:38:10 ----A---- C:\WINDOWS\ModemLog_HDAUDIO Soft Data Fax Modem with SmartCP.txt
2009-05-26 15:38:00 ----A---- C:\WINDOWS\system32\rpcnetp.exe
2009-05-26 15:37:58 ----A---- C:\WINDOWS\system32\rpcnet.dll
2009-05-26 15:37:32 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-25 21:18:58 ----A---- C:\WINDOWS\system32\rpcnetp.dll
2009-05-24 17:45:54 ----A---- C:\WINDOWS\system32\rpcnet.exe
2009-05-07 20:19:12 ----A---- C:\WINDOWS\DUMP4ae3.tmp
2009-04-30 23:32:36 ----A---- C:\WINDOWS\DUMP51e8.tmp

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2006-05-10 36864]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2004-08-03 8832]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-10 12032]
R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver; \??\C:\WINDOWS\system32\eLock2BurnerLockDriver.sys []
R2 eLock2FSCTLDriver;eLock2FSCTLDriver; \??\C:\WINDOWS\system32\eLock2FSCTLDriver.sys []
R2 int15;int15; \??\C:\WINDOWS\system32\drivers\int15.sys []
R2 irda;IrDA Protocol; C:\WINDOWS\system32\DRIVERS\irda.sys [2004-08-03 87424]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2005-10-05 12544]
R2 tvicport;tvicport; \??\C:\WINDOWS\system32\drivers\tvicport.sys []
R2 zntport;zntport; \??\C:\WINDOWS\system32\drivers\zntport.sys []
R3 AR5211;Atheros Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\ar5211.sys [2005-01-10 449888]
R3 Cam5603D;Acer OrbiCam; C:\WINDOWS\System32\Drivers\BisonCam.sys [2006-06-30 775936]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 DKbFltr;Dritek Keyboard Filter Driver; C:\WINDOWS\system32\DRIVERS\DKbFltr.sys [2006-01-20 17408]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2005-10-18 998656]
R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2005-10-24 218496]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-07-24 4353024]
R3 NTIDrvr;Upper Class Filter Driver; C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys [2006-08-21 6144]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-07-20 3685152]
R3 nvsmu;nvsmu; C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-03-07 11136]
R3 psdfilter;psdfilter; \??\C:\WINDOWS\system32\Drivers\psdfilter.sys []
R3 psdvdisk;psdvdisk; \??\C:\WINDOWS\system32\Drivers\psdvdisk.sys []
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2006-05-25 193088]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2006-04-19 30080]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-10 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2006-04-19 17152]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-10-18 721280]
S1 913269d8;913269d8; C:\WINDOWS\System32\drivers\913269d8.sys [2009-03-28 96750]
S1 d9dd527a;d9dd527a; C:\WINDOWS\System32\drivers\d9dd527a.sys [2009-03-28 95342]
S1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
S1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
S1 seneka;seneka; C:\WINDOWS\system32\drivers\senekacfmxnmgt.sys []
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-10 60800]
S3 botdrv;botdrv; \??\C:\WINDOWS\system32\driver.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 epindd;epindd; \??\C:\WINDOWS\system32\drivers\epindd.sys []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 MBAMSwissArmy;MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys []
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-10 61824]
S3 NSCIRDA;NSC Infrared Device Driver; C:\WINDOWS\system32\DRIVERS\nscirda.sys [2004-08-03 28672]
S3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-03-04 34176]
S3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-03-04 13056]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 tifm21;tifm21; C:\WINDOWS\system32\drivers\tifm21.sys [2006-05-17 162560]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2009-03-05 36864]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2006-04-19 20608]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
R2 AcerMemUsageCheckService;Memory Check Service; C:\Acer\Empowering Technology\ePerformance\MemCheck.exe [2006-05-11 28672]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-03-06 132424]
R2 avast!Antivirus;avast!Antivirus; C:\WINDOWS\System32\avast!Antivirus.exe [2009-05-24 32768]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2006-10-09 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
R2 Irmon;Infrared Monitor; C:\WINDOWS\system32\svchost.exe [2004-08-10 14336]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-11-29 152984]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-05-18 49152]
R2 LockServ;LockServ; C:\Acer\Empowering Technology\eLock\LockServ.exe [2006-06-28 520192]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [2003-03-19 335872]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-07-20 143426]
R2 rpcnet;Remote Procedure Call (RPC) Net; C:\WINDOWS\system32\rpcnet.exe [2009-05-24 56680]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-04-02 656168]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2004-08-10 14336]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-27 65824]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-10 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]

-----------------EOF-----------------

Attached Files

  • Attached File  info.txt   21.3KB   14 downloads

Edited by lvanimegrl, 26 May 2009 - 03:12 PM.


#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:48 PM

Posted 26 May 2009 - 04:45 PM

Hello.

You have a nasty infection here. One of them is a backdoor/rootkit. A format is a good idea here. If you have any question(s) regarding this you may ask me. If you do any financial/banking on the computer it would be wise if you changed your passwords using another clean machine and contact them and let them know the situation you are currently in.

If you wish to continue follow the steps below.


Download and Run ComboFix (Rename Before Saving)

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

Posted Image

Posted Image

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Download the appropriate Windows XP setup boot disk and drag it on Combofix like the image below:
    Posted Image
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • After you succusfully install the recovery console, will see this window.
    Posted Image
    Please select No. to skip the ComboFix scan for now.
  • Save all document or windows that are open because when running combofix you won't have internet connection and everything will be closed.
  • Click on your Start Menu, then Run, In the run box type:
    "%userprofile%\desktop\Combo-Fix.exe" /killall
  • Combofix will now run
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 lvanimegrl

lvanimegrl
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:48 PM

Posted 26 May 2009 - 04:58 PM

"A format is a good idea here."

What do you mean by format?? :) EDIT: I googled formatting! thats fine with me! I just need instructions on how >.<

Luckily I don't have financial/banking stuff on this computer :thumbup2:

I did some research and found out that if I connect a flashdrive to an infected computer there is a high chance it is infected. How do I specifically clean my flashdrive since I really need that for school and don't want to ruin and infect the school computers.

Also I have another computer that I connected the flashdrive to and It's been running slow. Can I just make another thread in this forum about that one?

And now I'm going to go run the combofix.

Edited by lvanimegrl, 27 May 2009 - 03:27 PM.


#8 lvanimegrl

lvanimegrl
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:48 PM

Posted 26 May 2009 - 05:04 PM

"Download the appropriate Windows XP setup boot disk"

Where can I find this?

Edited by extremeboy, 27 May 2009 - 03:37 PM.
Remove Unnecessary Quotes


#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:48 PM

Posted 27 May 2009 - 03:37 PM

Hello.

For you other computers, you will need to start another computer.

First. You need to make it clear if you want to FORMAT or CONTINUE with the disinfection process. I assume you do NOT want to format since you are going to run Combofix.

Please follow the instructions for running Combofix from here
Please read the guide carefully and follow every instructions percisly and remeber to install the Recovery Console first

Let me know how it goes.

~Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#10 lvanimegrl

lvanimegrl
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:48 PM

Posted 27 May 2009 - 03:42 PM

I think I want to format. Will you be able to help me with that process?

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:48 PM

Posted 27 May 2009 - 03:56 PM

Hello.

I can give you a tutorial for you to read and see if you can perform the format yourself. However, if you have any questions or problems you should start a topic over here and someone should help you.

This forum is for malware removal and not general questions on formatting so starting a topic there is better.

Regarding format:

IF YOU NEED TO BACKUP THERE ARE 2 general guidelines:

First, decide whether you are going to backup via a removable disk or a CD. Using some spare CDs and a CD Burner software is the safest method.

If you are going to use a removable disk run this tool as it will help prevent any autorun worm infections.

Download and Run FlashDisinfector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not backup any executables files or any window files. These include .exe's, .scr, .com, .pif etc... as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.

Note: Some may want to be safe, wondering if their data files are infected or not so to make sure you should scan those files using an anti-virus scanner and an anti-malware/anti-spyware scanner making sure they are free from malware before transfering it to your new formatted computer. From what I have seen the results were always CLEAN, meaning they were not infected at all.

Remember a format will remove everything.

TUTORIAL ON FORMAT: http://spyware-free.us/tutorials/reformat/

Hope that helps. Any thing else you want to ask?

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#12 lvanimegrl

lvanimegrl
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:48 PM

Posted 27 May 2009 - 04:08 PM

Thanks for your help! Ill read the tutorial!

But first one more question. How do I clean a possibly infected flashdrive?

#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:48 PM

Posted 27 May 2009 - 04:30 PM

Hello.

Cleaning a flash-drive will vary and will depend on what infection you may have present.

An easy way to clean a flash-drive is format it as well. The flash-drive disinfector tool was to help prevent any of the nasty autorun.inf worms from spreading especially if you have autorun enabled. I will provide some prevention tips for you that will also discuss about the autorun feature in windows.

~Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:48 PM

Posted 31 May 2009 - 08:55 AM

Hello.

Are you still with me?

~Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:48 PM

Posted 02 June 2009 - 07:50 PM

Hello.

Due to Lack of feedback, this topic is now Closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users