BHO Trojan I think.


  • This topic is locked
66 replies to this topic

#1 israelnajar

  • Members
  • 35 posts

Posted 28 August 2009 - 11:48 PM

Symantec Endpoint shows notifications of 4a98xxxx.qsp. Can't really say anything else is happening because I don't know. However, in the span of 21 minutes I get 1376 notifications from Symantec, either a security risk or risk found. The locations are c:\windows\temp\ and C:\Users\Israel\AppData\Local\Temp\ and C:\ProgramData\Symantec\Symantec Corporate Edition\7.5\xfer\




DDS (Ver_09-07-30.01) - NTFSx86
Run by Israel at 21:51:46.19 on Fri 08/28/2009
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2814.1423 [GMT -6:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec Endpoint Protection *enabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Windows\system32\rundll32.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\bin32\nSvcAppFlt.exe
C:\Program Files\bin32\nSvcIp.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Acer\Empowering Technology\NotificationCenter\Framework.NotificationCenter.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Acer\Empowering Technology\SysMonitor.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\rundll32.exe
C:\Windows\vVX3000.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\DWHWizrd.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SescLU.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SavUI.exe
C:\Windows\system32\DllHost.exe
C:\Users\Israel\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=1006&m=aspire_x1300
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=1006&m=aspire_x1300
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=1006&m=aspire_x1300
mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=1006&m=aspire_x1300
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\program files\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\program files\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Google Update] "c:\users\israel\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Acer Empowering Technology Monitor] c:\program files\acer\empowering technology\SysMonitor.exe
mRun: [EmpoweringTechnology] c:\program files\acer\empowering technology\Framework.Launcher.exe boot
mRun: [eDataSecurity Loader] c:\program files\acer\empowering technology\edatasecurity\x86\eDSloader.exe
mRun: [PCMMediaSharing] c:\program files\acer arcade live\acer homemedia connect\kernel\dms\PCMMediaSharing.exe
mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [eRecoveryService]
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Acer Product Registration] "c:\program files\acer\acer registration\ACE1.exe" /startup
mRun: [Acer Assist Launcher] c:\program files\acer\acer assist\launcher.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NWEReboot]
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\users\israel\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\israel\appdata\roaming\mozilla\firefox\profiles\9z4l6ncc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\israel\appdata\local\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\users\israel\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\acer arcade live\acer homemedia connect\kernel\dms\CLMSServer.exe [2009-1-19 269448]
R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2009-1-19 24576]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-1-19 210216]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2009-5-15 935208]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-9-23 144632]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-27 102448]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-1-19 43552]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-4-16 23888]
S3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-9-23 50424]
S3 Partner Service;Partner Service;c:\programdata\partner\partner.exe [2009-8-14 110576]

=============== Created Last 30 ================

2009-08-28 11:18 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-08-28 11:18 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-28 11:18 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-08-26 21:14 2,048 a------- c:\windows\system32\tzres.dll
2009-08-26 07:06 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-08-26 07:06 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-24 08:47 72,704 a------- c:\windows\system32\admparse.dll
2009-08-19 03:11 395,730,692 a------- c:\windows\MEMORY.DMP
2009-08-18 16:10 69 a------- c:\windows\NeroDigital.ini
2009-08-18 13:49 4,767 a------- c:\windows\Irremote.ini
2009-08-18 13:38 <DIR> --d----- c:\programdata\Nero
2009-08-18 13:38 <DIR> --d----- c:\progra~2\Nero
2009-08-18 13:38 1,315,328 a------- c:\windows\system32\ole32.dll
2009-08-18 13:05 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-18 12:52 <DIR> --d----- c:\program files\Microsoft LifeCam
2009-08-18 12:51 3,727,720 a------- c:\windows\system32\d3dx9_35.dll
2009-08-18 12:06 <DIR> --d----- c:\programdata\NtiDvdCopy
2009-08-18 12:06 <DIR> --d----- c:\progra~2\NtiDvdCopy
2009-08-18 11:57 <DIR> --d----- c:\program files\Nero
2009-08-17 16:26 819,200 a------- c:\windows\system32\xvidcore.dll
2009-08-17 16:26 180,224 a------- c:\windows\system32\xvidvfw.dll
2009-08-17 16:26 77,824 a------- c:\windows\system32\xvid.ax
2009-08-17 16:26 <DIR> --d----- c:\program files\Xvid
2009-08-16 10:01 91,520 a------- c:\windows\system32\drivers\SysPlant.sys
2009-08-16 10:01 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-16 10:01 10,563 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-16 10:01 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-16 09:59 <DIR> --d----- c:\programdata\Symantec
2009-08-16 09:59 <DIR> --d----- c:\program files\Symantec
2009-08-16 09:59 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-08-16 09:59 <DIR> --d----- c:\progra~2\Symantec
2009-08-15 20:15 <DIR> --d----- c:\program files\common files\Steam
2009-08-15 16:49 <DIR> --d----- c:\users\israel\Tracing
2009-08-14 19:24 <DIR> --d----- c:\users\israel\appdata\roaming\uTorrent
2009-08-14 19:23 97,800 a------- c:\windows\system32\infocardapi.dll
2009-08-14 19:23 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-08-14 19:23 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-08-14 19:23 622,080 a------- c:\windows\system32\icardagt.exe
2009-08-14 19:23 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-08-14 19:23 11,264 a------- c:\windows\system32\icardres.dll
2009-08-14 19:23 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-08-14 19:23 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-08-14 19:18 96,760 a------- c:\windows\system32\dfshim.dll
2009-08-14 19:18 282,112 a------- c:\windows\system32\mscoree.dll
2009-08-14 19:18 41,984 a------- c:\windows\system32\netfxperf.dll
2009-08-14 19:18 158,720 a------- c:\windows\system32\mscorier.dll
2009-08-14 19:18 83,968 a------- c:\windows\system32\mscories.dll
2009-08-14 19:18 <DIR> --d----- c:\program files\MSXML 4.0
2009-08-14 19:16 <DIR> --d----- c:\users\israel\appdata\roaming\eSobi
2009-08-14 19:11 <DIR> --d----- c:\users\israel\appdata\roaming\Acer
2009-08-14 19:09 <DIR> --d----- c:\programdata\Partner
2009-08-14 19:09 <DIR> --d----- c:\progra~2\Partner
2009-08-14 19:09 <DIR> --d----- C:\ACERSW
2009-08-14 19:08 <DIR> --d----- c:\programdata\Google
2009-08-14 19:08 <DIR> --d----- c:\users\israel\appdata\roaming\Acer GameZone Console
2009-08-14 19:08 <DIR> --d----- c:\users\Israel
2009-08-14 19:05 1,524,736 a------- c:\windows\system32\wucltux.dll
2009-08-14 19:05 83,456 a------- c:\windows\system32\wudriver.dll
2009-08-14 19:05 162,064 a------- c:\windows\system32\wuwebv.dll
2009-08-14 19:05 31,232 a------- c:\windows\system32\wuapp.exe

==================== Find3M ====================

2009-08-18 12:55 86,016 a------- c:\windows\inf\infstor.dat
2009-08-18 12:55 51,200 a------- c:\windows\inf\infpub.dat
2009-08-18 12:55 143,360 a------- c:\windows\inf\infstrng.dat
2009-07-21 15:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 15:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 15:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 14:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-07-17 08:35 71,680 a------- c:\windows\system32\atl.dll
2009-07-15 08:51 4,096 a------- c:\windows\system32\dxmasf.dll
2009-07-15 08:51 7,680 a------- c:\windows\system32\spwmp.dll
2009-07-15 07:07 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-07-14 07:00 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-06-26 17:21 671,744 a------- c:\windows\system32\LCCoin30.dll
2009-06-26 17:21 96,256 a------- c:\windows\VX3000.dll
2009-06-26 17:21 757,248 a------- c:\windows\vVX3000.exe
2009-06-26 17:21 222,720 a------- c:\windows\vVX3000.dll
2009-06-26 17:21 170,496 a------- c:\windows\system32\cVX3000.dll
2009-06-15 09:24 175,104 a------- c:\windows\system32\wdigest.dll
2009-06-15 09:24 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 09:24 72,704 a------- c:\windows\system32\secur32.dll
2009-06-15 09:24 270,848 a------- c:\windows\system32\schannel.dll
2009-06-15 09:23 1,256,448 a------- c:\windows\system32\lsasrv.dll
2009-06-15 09:22 213,504 a------- c:\windows\system32\msv1_0.dll
2009-06-15 09:21 499,712 a------- c:\windows\system32\kerberos.dll
2009-06-15 09:20 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 09:20 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 06:57 9,728 a------- c:\windows\system32\lsass.exe
2009-06-15 06:52 289,792 a------- c:\windows\system32\atmfd.dll
2009-06-10 06:12 160,256 a------- c:\windows\system32\wkssvc.dll
2009-06-10 06:07 91,136 a------- c:\windows\system32\avifil32.dll
2009-06-05 06:34 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-06-05 06:33 459,776 a------- c:\windows\apppatch\AcSpecfc.dll
2009-06-05 06:33 541,696 a------- c:\windows\apppatch\AcLayers.dll
2009-06-05 06:33 2,153,984 a------- c:\windows\apppatch\AcGenral.dll
2009-06-04 06:34 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-01-19 18:17 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 20:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 21:53:55.31 ===============

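The thread title suspects a Browser Helper Object, and the Pseudo HJT Report section of the log above is where a responder looks first: it lists every BHO, toolbar and Run key, including one CLSID that is registered but has no DLL behind it ({5C255C8A-E604-49b4-9D64-90988571CECB} - No File). The Python below is an added example, not part of the original post and not part of the DDS tool. It parses those report lines and applies three first-pass checks: CLSIDs with no file behind them, autorun values that are empty, and anything loading from the Temp directories the poster's Symantec alerts pointed at. The sample input is an excerpt of the log above plus one constructed line (the last one, with an all-zero CLSID and a hypothetical helper.dll) that exists only to exercise the Temp rule. An orphaned CLSID is most often a leftover from an uninstall rather than malware, so the output is a list of entries to verify, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Excerpt of the Pseudo HJT Report posted above. The final BHO line is
# constructed for this example (nil CLSID, hypothetical helper.dll) so that
# the "loads from Temp" rule has something to match.
SAMPLE_REPORT = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Google Update] "c:\users\israel\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [eRecoveryService]
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
BHO: Example Helper: {00000000-0000-0000-0000-000000000000} - c:\users\israel\appdata\local\temp\helper.dll
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
LINE_RE = re.compile(r"^(BHO|TB|uRun|mRun):\s*(.*)$")
# The two scratch directories the poster's Symantec alerts named. No
# legitimate BHO or autorun should be loading code from either of them.
TEMP_MARKERS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\")


@dataclass
class Entry:
    kind: str                 # BHO, TB, uRun or mRun
    name: str                 # display name ("" for an anonymous BHO)
    clsid: Optional[str]      # COM class id for BHO/TB, None for Run keys
    target: str               # DLL path, command line, "No File" or ""
    flags: list = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Turn one DDS pseudo-HJT line into an Entry, or None if not of interest."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.groups()
    if kind in ("BHO", "TB"):
        # "Name: {CLSID} - path"  or  "{CLSID} - No File"
        g = GUID_RE.search(rest)
        if not g:
            return None
        name = rest[:g.start()].strip().rstrip(":").strip()
        target = rest[g.end():].strip().lstrip("-").strip()
        return Entry(kind, name, g.group(0), target)
    # "[Name] command"; the command may be missing entirely
    rm = re.match(r"^\[([^\]]*)\]\s*(.*)$", rest)
    if not rm:
        return None
    return Entry(kind, rm.group(1), None, rm.group(2).strip())


def triage(entry: Entry) -> Entry:
    """Attach the first-pass flags a responder checks before anything else."""
    low = entry.target.lower()
    if entry.clsid and low == "no file":
        entry.flags.append("orphaned-clsid")      # registered, DLL gone
    if any(marker in low for marker in TEMP_MARKERS):
        entry.flags.append("loads-from-temp")     # code in a scratch dir
    if entry.kind.endswith("Run") and not entry.target:
        entry.flags.append("empty-run-value")     # stale or wiped autorun
    return entry


def parse_report(text: str) -> list:
    return [triage(e) for e in map(parse_entry, text.splitlines()) if e]


def findings(text: str) -> list:
    """Only the entries that tripped at least one rule."""
    return [e for e in parse_report(text) if e.flags]


if __name__ == "__main__":
    for e in findings(SAMPLE_REPORT):
        print(f"{e.kind:5} {e.name or e.clsid:40} {', '.join(e.flags):18} {e.target}")
```

Run against the full Pseudo HJT Report from the first log, this leaves the orphaned {5C255C8A-...} entry and the two empty mRun values (eRecoveryService, NWEReboot) to look at; nothing in that section loads from either Temp directory, which is consistent with the alerts coming from dropped files rather than from a registered BHO. The rules are deliberately narrow: a wider path list (ProgramData, for instance) would also catch the legitimate Partner Service the log shows under Services.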

#2 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 13 September 2009 - 11:04 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 israelnajar
  • Topic Starter

  • Members
  • 35 posts

Posted 13 September 2009 - 07:49 PM

I ran Malwarebytes and it removed some things and I was still having issues.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Israel at 10:30:10.10 on Sun 09/13/2009
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_16
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2814.1761 [GMT -6:00]

AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec Endpoint Protection *disabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Windows\system32\rundll32.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskeng.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\bin32\nSvcAppFlt.exe
C:\Program Files\bin32\nSvcIp.exe
C:\Windows\system32\WUDFHost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\System32\rundll32.exe
C:\Windows\vVX3000.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Acer\Empowering Technology\NotificationCenter\Framework.NotificationCenter.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Israel\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=1006&m=aspire_x1300
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=1006&m=aspire_x1300
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=1006&m=aspire_x1300
mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=1006&m=aspire_x1300
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\program files\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\program files\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Google Update] "c:\users\israel\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Acer Empowering Technology Monitor] c:\program files\acer\empowering technology\SysMonitor.exe
mRun: [eDataSecurity Loader] c:\program files\acer\empowering technology\edatasecurity\x86\eDSloader.exe
mRun: [PCMMediaSharing] c:\program files\acer arcade live\acer homemedia connect\kernel\dms\PCMMediaSharing.exe
mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [eRecoveryService]
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Acer Product Registration] "c:\program files\acer\acer registration\ACE1.exe" /startup
mRun: [Acer Assist Launcher] c:\program files\acer\acer assist\launcher.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NWEReboot]
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\israel\appdata\roaming\mozilla\firefox\profiles\9z4l6ncc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\israel\appdata\local\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\users\israel\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-9-2 28544]
R2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\acer arcade live\acer homemedia connect\kernel\dms\CLMSServer.exe [2009-1-19 269448]
R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2009-1-19 24576]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-1-19 210216]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2009-5-15 935208]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-9-23 144632]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-2 102448]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-1-19 43552]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-4-16 23888]
S3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-9-23 50424]
S3 PS3 Media Server;PS3 Media Server;c:\program files\ps3 media server\win32\service\wrapper.exe [2008-8-17 217088]

=============== Created Last 30 ================

2009-09-11 20:56 <DIR> --d----- c:\users\israel\appdata\roaming\OpenOffice.org
2009-09-11 20:52 <DIR> --d----- c:\program files\JRE
2009-09-11 20:51 <DIR> --d----- c:\program files\OpenOffice.org 3
2009-09-08 22:06 897,608 a------- c:\windows\system32\drivers\tcpip.sys
2009-09-08 22:06 104,960 a------- c:\windows\system32\netiohlp.dll
2009-09-08 22:06 27,136 a------- c:\windows\system32\NETSTAT.EXE
2009-09-08 22:06 19,968 a------- c:\windows\system32\ARP.EXE
2009-09-08 22:06 9,728 a------- c:\windows\system32\TCPSVCS.EXE
2009-09-08 22:06 10,240 a------- c:\windows\system32\finger.exe
2009-09-08 22:06 8,704 a------- c:\windows\system32\HOSTNAME.EXE
2009-09-08 22:06 17,920 a------- c:\windows\system32\ROUTE.EXE
2009-09-08 22:06 11,264 a------- c:\windows\system32\MRINFO.EXE
2009-09-08 22:06 17,920 a------- c:\windows\system32\netevent.dll
2009-09-08 22:05 2,501,921 a------- c:\windows\system32\wlan.tmf
2009-09-08 22:05 513,024 a------- c:\windows\system32\wlansvc.dll
2009-09-08 22:05 302,592 a------- c:\windows\system32\wlansec.dll
2009-09-08 22:05 293,376 a------- c:\windows\system32\wlanmsm.dll
2009-09-08 22:05 127,488 a------- c:\windows\system32\L2SecHC.dll
2009-09-08 22:05 2,868,224 a------- c:\windows\system32\mf.dll
2009-09-03 12:41 230,424 a------- C:\img2-001.raw
2009-09-02 19:50 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-09-02 19:50 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-02 11:01 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-09-02 11:00 <DIR> --d----- c:\program files\Panda Security
2009-09-02 10:59 <DIR> --d----- c:\users\israel\.housecall6.6
2009-09-01 00:32 67 a------- c:\windows\wininit.ini
2009-08-31 23:05 0 a------- c:\windows\iPlayer.INI
2009-08-31 23:04 <DIR> --d----- c:\program files\InterActual
2009-08-31 22:26 <DIR> --d----- c:\users\israel\appdata\roaming\Malwarebytes
2009-08-31 22:26 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-31 22:26 <DIR> --d----- c:\programdata\Malwarebytes
2009-08-31 22:26 <DIR> --d----- c:\progra~2\Malwarebytes
2009-08-31 22:26 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-31 22:26 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-31 20:55 <DIR> --d----- c:\users\israel\appdata\roaming\PMS
2009-08-31 18:21 <DIR> --d----- c:\users\israel\.dvdcss
2009-08-31 17:51 <DIR> --d----- c:\program files\PS3 Media Server
2009-08-28 11:18 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-08-28 11:18 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-28 11:18 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-08-26 21:14 2,048 a------- c:\windows\system32\tzres.dll
2009-08-24 08:47 72,704 a------- c:\windows\system32\admparse.dll
2009-08-19 03:11 395,730,692 a------- c:\windows\MEMORY.DMP
2009-08-18 16:10 69 a------- c:\windows\NeroDigital.ini
2009-08-18 13:49 4,767 a------- c:\windows\Irremote.ini
2009-08-18 13:38 <DIR> --d----- c:\programdata\Nero
2009-08-18 13:38 <DIR> --d----- c:\progra~2\Nero
2009-08-18 13:38 1,315,328 a------- c:\windows\system32\ole32.dll
2009-08-18 13:05 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-18 12:52 <DIR> --d----- c:\program files\Microsoft LifeCam
2009-08-18 12:51 3,727,720 a------- c:\windows\system32\d3dx9_35.dll
2009-08-18 12:06 <DIR> --d----- c:\programdata\NtiDvdCopy
2009-08-18 12:06 <DIR> --d----- c:\progra~2\NtiDvdCopy
2009-08-18 11:57 <DIR> --d----- c:\program files\Nero
2009-08-17 16:26 819,200 a------- c:\windows\system32\xvidcore.dll
2009-08-17 16:26 180,224 a------- c:\windows\system32\xvidvfw.dll
2009-08-17 16:26 77,824 a------- c:\windows\system32\xvid.ax
2009-08-17 16:26 <DIR> --d----- c:\program files\Xvid
2009-08-16 10:01 91,520 a------- c:\windows\system32\drivers\SysPlant.sys
2009-08-16 10:01 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-16 10:01 10,563 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-16 10:01 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-16 09:59 <DIR> --d----- c:\programdata\Symantec
2009-08-16 09:59 <DIR> --d----- c:\program files\Symantec
2009-08-16 09:59 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-08-16 09:59 <DIR> --d----- c:\progra~2\Symantec
2009-08-15 20:15 <DIR> --d----- c:\program files\common files\Steam
2009-08-15 16:49 <DIR> --d----- c:\users\israel\Tracing
2009-08-14 19:24 <DIR> --d----- c:\users\israel\appdata\roaming\uTorrent
2009-08-14 19:23 97,800 a------- c:\windows\system32\infocardapi.dll
2009-08-14 19:23 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-08-14 19:23 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-08-14 19:23 622,080 a------- c:\windows\system32\icardagt.exe
2009-08-14 19:23 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-08-14 19:23 11,264 a------- c:\windows\system32\icardres.dll
2009-08-14 19:23 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-08-14 19:23 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-08-14 19:18 96,760 a------- c:\windows\system32\dfshim.dll
2009-08-14 19:18 282,112 a------- c:\windows\system32\mscoree.dll
2009-08-14 19:18 41,984 a------- c:\windows\system32\netfxperf.dll
2009-08-14 19:18 158,720 a------- c:\windows\system32\mscorier.dll
2009-08-14 19:18 83,968 a------- c:\windows\system32\mscories.dll
2009-08-14 19:18 <DIR> --d----- c:\program files\MSXML 4.0
2009-08-14 19:16 <DIR> --d----- c:\users\israel\appdata\roaming\eSobi
2009-08-14 19:11 <DIR> --d----- c:\users\israel\appdata\roaming\Acer
2009-08-14 19:09 <DIR> --d----- c:\programdata\Partner
2009-08-14 19:09 <DIR> --d----- c:\progra~2\Partner
2009-08-14 19:09 <DIR> --d----- C:\ACERSW
2009-08-14 19:08 <DIR> --d----- c:\programdata\Google
2009-08-14 19:08 <DIR> --d----- c:\users\israel\appdata\roaming\Acer GameZone Console
2009-08-14 19:08 <DIR> --d----- c:\users\Israel
2009-08-14 19:05 1,524,736 a------- c:\windows\system32\wucltux.dll
2009-08-14 19:05 83,456 a------- c:\windows\system32\wudriver.dll
2009-08-14 19:05 162,064 a------- c:\windows\system32\wuwebv.dll
2009-08-14 19:05 31,232 a------- c:\windows\system32\wuapp.exe

==================== Find3M ====================

2009-08-28 06:39 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-28 06:38 2,153,984 a------- c:\windows\apppatch\AcGenral.dll
2009-08-28 06:38 541,696 a------- c:\windows\apppatch\AcLayers.dll
2009-08-28 06:38 459,776 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-18 12:55 86,016 a------- c:\windows\inf\infstor.dat
2009-08-18 12:55 51,200 a------- c:\windows\inf\infpub.dat
2009-08-18 12:55 143,360 a------- c:\windows\inf\infstrng.dat
2009-07-21 15:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 15:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 15:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 14:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-07-17 08:35 71,680 a------- c:\windows\system32\atl.dll
2009-07-15 08:51 4,096 a------- c:\windows\system32\dxmasf.dll
2009-07-15 08:51 7,680 a------- c:\windows\system32\spwmp.dll
2009-07-15 07:07 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-07-14 07:00 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-06-26 17:21 671,744 a------- c:\windows\system32\LCCoin30.dll
2009-06-26 17:21 96,256 a------- c:\windows\VX3000.dll
2009-06-26 17:21 757,248 a------- c:\windows\vVX3000.exe
2009-06-26 17:21 222,720 a------- c:\windows\vVX3000.dll
2009-06-26 17:21 170,496 a------- c:\windows\system32\cVX3000.dll
2009-01-19 18:17 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 20:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 06:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 06:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 10:30:39.41 ===============
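The "Pseudo HJT Report" block in the DDS log above is what a log reviewer reads first: BHOs, toolbars and Run keys. As an added example (not part of the thread, and not DDS or HijackThis code), this Python script parses exactly those line shapes and attaches review notes for the cases worth a second look: a CLSID still registered as a BHO although its DLL is gone (the "No File" entry above), an empty Run value, a command given as a bare file name, and anything starting from a temp directory, which is where the poster's Symantec alerts pointed. The sample lines are copied from the log except the final "Example" uRun line, which is constructed.

```python
"""Triage helper for the DDS "Pseudo HJT Report" block (added example, not part of
the thread and not DDS code).  It parses the BHO / TB / uRun / mRun line shapes DDS
prints and attaches review notes for the cases a log reviewer checks first."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# BHO/TB lines: 'BHO: <name>: {CLSID} - <dll path>' or 'BHO: {CLSID} - No File'
_BHO_RE = re.compile(
    r'^(?P<kind>BHO|TB): (?:(?P<name>.*?): )?\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$')
# Run-key lines: 'uRun: [<value name>] <command>'  (target absent when the value is empty)
_RUN_RE = re.compile(r'^(?P<kind>[um]Run): \[(?P<name>[^\]]*)\](?: (?P<target>.*))?$')

# Path fragments a persistent autostart entry should not normally point into.
_TEMP_MARKERS = ('\\temp\\', '\\tmp\\')


@dataclass
class Entry:
    kind: str                 # BHO, TB, uRun (per-user Run key) or mRun (machine Run key)
    name: str
    clsid: Optional[str]
    target: str               # DLL path, command line, or 'No File'
    flags: List[str] = field(default_factory=list)


def command_path(target: str) -> str:
    """Pull the executable or DLL out of an autorun command line.

    Quoted paths are honoured; for 'RUNDLL32.EXE <dll>,<entry>' the DLL is returned.
    An unquoted path containing spaces is cut at the first space, which is enough
    for the checks below."""
    t = target.strip()
    if t.startswith('"'):
        return t[1:t.find('"', 1)]
    first, _, rest = t.partition(' ')
    if first.lower().endswith('rundll32.exe') and rest:
        return rest.split(',', 1)[0]
    return first


def parse_line(line: str) -> Optional[Entry]:
    m = _BHO_RE.match(line)
    if m:
        return Entry(m['kind'], m['name'] or '', m['clsid'].lower(), m['target'].strip())
    m = _RUN_RE.match(line)
    if m:
        return Entry(m['kind'], m['name'], None, (m['target'] or '').strip())
    return None


def triage(lines) -> List[Entry]:
    """Parse every recognised line and attach review flags (other DDS lines are skipped)."""
    entries = []
    for raw in lines:
        e = parse_line(raw.strip())
        if e is None:
            continue
        if e.kind in ('BHO', 'TB'):
            if e.target.lower() == 'no file':
                e.flags.append('orphaned CLSID: BHO/TB still registered but its DLL is gone')
        elif not e.target:
            e.flags.append('empty Run value')
        else:
            path = command_path(e.target).lower()
            if '\\' not in path and not path.startswith('%'):
                e.flags.append('bare file name: resolved by PATH search, verify which file runs')
            if any(marker in path for marker in _TEMP_MARKERS):
                e.flags.append('starts from a temp directory')
        entries.append(e)
    return entries


def flagged(lines) -> List[Entry]:
    return [e for e in triage(lines) if e.flags]


# Lines copied from the DDS log in the thread, plus one constructed 'Example' uRun line
# (not from the log) to exercise the temp-directory check.
SAMPLE = [
    r'BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll',
    r'BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File',
    r'TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll',
    r'uRun: [Google Update] "c:\users\israel\appdata\local\google\update\GoogleUpdate.exe" /c',
    r'mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide',
    r'mRun: [RtHDVCpl] RtHDVCpl.exe',
    r'mRun: [eRecoveryService]',
    r'mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup',
    r'uRun: [Example] c:\windows\temp\example.exe',   # constructed, not in the log
]

if __name__ == '__main__':
    for e in flagged(SAMPLE):
        print(f'{e.kind:<5} [{e.name or e.clsid}] {e.target or "(empty)"}')
        for note in e.flags:
            print('      ->', note)
```

A flag is a prompt to verify the entry, not a verdict: the bare `RtHDVCpl.exe` value, for instance, is how the Realtek audio panel normally registers itself.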

#4 israelnajar
  • Topic Starter

Posted 15 September 2009 - 10:40 AM

.

Edited by israelnajar, 15 September 2009 - 10:56 AM.


#5 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:04:11 AM

Posted 16 September 2009 - 10:34 AM

Hello israelnajar :( Welcome to the BC HijackThis Log and Analysis forum. Sorry about your wait, but I will be assisting you in cleaning up your system from here on out.


I ask that you refrain from running tools other than those we suggest while we are performing the clean-up. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.



Please download mbr.exe to your Desktop. Run the tool by doubleclicking on it. It will produce a log which I will need in your next reply.



Please do not post any logs as an attachment unless asked to do so.





Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#6 israelnajar
  • Topic Starter

Posted 16 September 2009 - 03:40 PM

I ran it and here it is.



Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
kernel: error reading MBR

#7 thewall
  • Malware Response Team

Posted 16 September 2009 - 05:59 PM

Let's try this:


Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan...click on NO, then use the following settings for a more complete scan.




  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


#8 israelnajar
  • Topic Starter

Posted 16 September 2009 - 07:10 PM

It crashed 3 times before I was able to get a complete scan. But here it is.

Attached Files



#9 thewall
  • Malware Response Team

Posted 16 September 2009 - 07:50 PM

Let's see if we can run ComboFix:

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Post the log in the window and not as an attachment.

Edited by thewall, 16 September 2009 - 07:51 PM.


#10 israelnajar
  • Topic Starter

Posted 16 September 2009 - 08:25 PM

I have Symantec Endpoint; for some reason I am not able to disable protection on it. McAfee I can disable no problem. Should I uninstall SEP until my system is clean?

#11 thewall
  • Malware Response Team

Posted 16 September 2009 - 08:43 PM

I know it's a hassle but it would be better if you did it that way. Those AVs can cause problems with CF.

#12 israelnajar
  • Topic Starter

Posted 16 September 2009 - 09:18 PM

Here we go.



ComboFix 09-09-16.02 - Israel 09/16/2009 20:06.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2814.1844 [GMT -6:00]
Running from: c:\users\Israel\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2477596596-2653741283-735745766-500
c:\users\Israel\Documents\backup 8-16-09.reg
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-08-17 to 2009-09-17 )))))))))))))))))))))))))))))))
.

2009-09-17 02:12 . 2009-09-17 02:12 -------- d-----w- c:\users\Israel\AppData\Local\temp
2009-09-17 02:12 . 2009-09-17 02:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-12 02:56 . 2009-09-12 02:56 -------- d-----w- c:\users\Israel\AppData\Roaming\OpenOffice.org
2009-09-12 02:52 . 2009-09-12 02:52 -------- d-----w- c:\program files\JRE
2009-09-12 02:51 . 2009-09-12 02:52 -------- d-----w- c:\program files\OpenOffice.org 3
2009-09-12 02:50 . 2009-09-12 02:50 -------- d-----w- c:\program files\Java
2009-09-09 04:06 . 2009-08-14 17:07 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-09-09 04:06 . 2009-08-14 16:29 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-09-09 04:06 . 2009-08-14 14:16 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-09-09 04:06 . 2009-08-14 14:16 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-09-09 04:06 . 2009-08-14 14:16 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-09-09 04:06 . 2009-08-14 14:16 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-09-09 04:06 . 2009-08-14 14:16 10240 ----a-w- c:\windows\system32\finger.exe
2009-09-09 04:06 . 2009-08-14 14:16 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-09-09 04:06 . 2009-08-14 14:16 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-09-09 04:06 . 2009-08-14 16:29 17920 ----a-w- c:\windows\system32\netevent.dll
2009-09-09 04:05 . 2009-07-11 19:32 513024 ----a-w- c:\windows\system32\wlansvc.dll
2009-09-09 04:05 . 2009-07-11 19:32 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-09-09 04:05 . 2009-07-11 19:32 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-09-09 04:05 . 2009-07-11 19:29 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2009-09-09 04:05 . 2009-06-10 12:11 2868224 ----a-w- c:\windows\system32\mf.dll
2009-09-04 04:04 . 2009-09-04 04:49 -------- d-----w- c:\users\Israel\AppData\Local\Microsoft Games
2009-09-03 01:50 . 2009-08-28 12:39 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-09-03 01:50 . 2009-08-28 10:15 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-02 17:01 . 2008-06-19 23:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-09-02 17:00 . 2009-09-02 17:00 -------- d-----w- c:\program files\Panda Security
2009-09-02 16:59 . 2009-09-02 17:00 -------- d-----w- c:\users\Israel\.housecall6.6
2009-09-01 05:07 . 2009-09-01 05:30 680 ----a-w- c:\users\Israel\AppData\Local\d3d9caps.dat
2009-09-01 05:04 . 2009-09-01 06:43 -------- d-----w- c:\program files\InterActual
2009-09-01 04:26 . 2009-09-01 04:26 -------- d-----w- c:\users\Israel\AppData\Roaming\Malwarebytes
2009-09-01 04:26 . 2009-08-03 19:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-01 04:26 . 2009-09-01 04:26 -------- d-----w- c:\programdata\Malwarebytes
2009-09-01 04:26 . 2009-09-01 04:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-01 04:26 . 2009-08-03 19:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-01 02:55 . 2009-09-01 02:55 -------- d-----w- c:\users\Israel\AppData\Roaming\PMS
2009-09-01 00:21 . 2009-09-01 00:27 -------- d-----w- c:\users\Israel\.dvdcss
2009-08-31 23:51 . 2009-09-01 00:29 -------- d-----w- c:\program files\PS3 Media Server
2009-08-28 17:18 . 2009-08-29 03:34 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-08-28 17:18 . 2009-08-28 17:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-27 03:14 . 2009-06-22 10:22 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-26 15:06 . 2009-08-28 16:48 -------- d-----w- c:\program files\7-Zip
2009-08-24 14:47 . 2009-03-08 11:32 72704 ----a-w- c:\windows\system32\admparse.dll
2009-08-18 22:08 . 2009-08-18 23:01 -------- d-----w- c:\users\Israel\AppData\Roaming\Nero
2009-08-18 19:38 . 2009-08-18 19:41 -------- d-----w- c:\programdata\Nero
2009-08-18 19:38 . 2009-08-18 19:50 -------- d-----w- c:\program files\Common Files\Nero
2009-08-18 19:38 . 2008-08-20 03:33 1315328 ----a-w- c:\windows\system32\ole32.dll
2009-08-18 19:09 . 2009-08-18 19:09 -------- d-----w- c:\windows\Sun
2009-08-18 19:05 . 2009-09-12 02:50 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-18 18:52 . 2009-08-18 18:52 -------- d-----w- c:\program files\Microsoft LifeCam
2009-08-18 18:51 . 2007-07-20 00:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2009-08-18 18:08 . 2009-08-31 23:22 -------- d-----w- c:\users\Israel\AppData\Roaming\Vso
2009-08-18 18:06 . 2009-08-18 18:06 -------- d-----w- c:\programdata\NtiDvdCopy
2009-08-18 17:57 . 2009-08-18 17:57 -------- d-----w- c:\users\Israel\AppData\Roaming\Ahead
2009-08-18 17:57 . 2009-08-18 17:57 -------- d-----w- c:\program files\Nero
2009-08-18 05:00 . 2009-08-18 05:00 -------- d-----w- c:\users\Israel\AppData\Local\Microsoft Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-17 02:00 . 2009-08-16 15:59 -------- d-----w- c:\programdata\Symantec
2009-09-17 01:59 . 2009-08-16 15:59 -------- d-----w- c:\program files\Symantec
2009-09-17 01:59 . 2009-08-16 15:59 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-12 23:35 . 2009-08-15 01:24 -------- d-----w- c:\users\Israel\AppData\Roaming\uTorrent
2009-09-12 04:08 . 2009-08-15 01:11 74280 ----a-w- c:\users\Israel\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-09 15:47 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-04 19:56 . 2009-01-20 01:32 -------- d-----w- c:\programdata\Microsoft Help
2009-09-01 05:42 . 2009-08-15 01:09 -------- d-----w- c:\programdata\Partner
2009-08-28 16:48 . 2009-01-20 01:34 -------- d-----w- c:\program files\Microsoft Works
2009-08-22 16:49 . 2009-01-20 01:31 -------- d-----w- c:\program files\Google
2009-08-18 16:30 . 2006-10-10 12:34 -------- d-----w- c:\programdata\NVIDIA
2009-08-17 22:26 . 2009-08-17 22:26 -------- d-----w- c:\program files\Xvid
2009-08-17 15:48 . 2009-01-20 02:01 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-16 03:47 . 2009-08-16 02:15 -------- d-----w- c:\program files\Common Files\Steam
2009-08-15 22:47 . 2009-01-20 01:44 -------- d-----w- c:\program files\Windows Live
2009-08-15 22:33 . 2009-01-20 01:47 -------- d-----w- c:\program files\McAfee
2009-08-15 15:24 . 2009-08-15 15:24 0 ----a-w- c:\windows\nsreg.dat
2009-08-15 01:18 . 2009-08-15 01:18 -------- d-----w- c:\program files\MSXML 4.0
2009-08-15 01:17 . 2009-01-20 01:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-15 01:17 . 2009-01-20 02:20 -------- d-----w- c:\program files\eSobi
2009-08-15 01:17 . 2009-08-15 01:16 -------- d-----w- c:\users\Israel\AppData\Roaming\eSobi
2009-08-15 01:16 . 2009-01-20 02:20 -------- d-----w- c:\programdata\eSobi
2009-08-15 01:11 . 2009-08-15 01:11 -------- d-----w- c:\users\Israel\AppData\Roaming\Acer
2009-08-15 01:11 . 2009-08-15 01:11 -------- d-----w- c:\users\Israel\AppData\Roaming\Leadertech
2009-08-15 01:10 . 2009-01-20 01:47 -------- d-----w- c:\programdata\McAfee
2009-08-15 01:09 . 2009-01-20 01:42 -------- d-----w- c:\program files\Acer
2009-07-21 21:52 . 2009-08-24 14:48 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-08-24 14:48 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-08-24 14:48 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-08-24 14:48 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 14:35 . 2009-08-15 01:16 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-15 14:51 . 2009-08-15 01:13 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-15 14:51 . 2009-08-15 01:13 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-07-15 13:07 . 2009-08-15 01:13 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-14 13:00 . 2009-08-15 01:13 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 23:21 . 2009-06-26 23:21 96256 ----a-w- c:\windows\VX3000.dll
2009-06-26 23:21 . 2009-06-26 23:21 671744 ----a-w- c:\windows\system32\LCCoin30.dll
2009-06-26 23:21 . 2009-06-26 23:21 1956352 ----a-w- c:\windows\system32\drivers\VX3000.sys
2009-06-26 23:21 . 2009-06-26 23:21 757248 ----a-w- c:\windows\vVX3000.exe
2009-06-26 23:21 . 2009-06-26 23:21 222720 ----a-w- c:\windows\vVX3000.dll
2009-06-26 23:21 . 2009-06-26 23:21 170496 ----a-w- c:\windows\system32\cVX3000.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-07-30 01:52 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Israel\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-08-18 133104]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-15 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Acer Empowering Technology Monitor"="c:\program files\Acer\Empowering Technology\SysMonitor.exe" [2008-10-01 319488]
"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-07-30 526896]
"PCMMediaSharing"="c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe" [2008-05-21 204908]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2008-10-03 294544]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-10-31 641208]
"Acer Product Registration"="c:\program files\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]
"Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-28 13687328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-28 92704]
"VX3000"="c:\windows\vVX3000.exe" [2009-06-26 757248]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-12 149280]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-03-26 5369856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{828125FB-4B2B-4892-89CE-DFD0297A4A99}"= c:\program files\Acer Arcade Live\Acer Arcade Live Main Page\Acer Arcade Live.exe:Acer Arcade Live
"{55DA2ED7-0452-469B-B146-32B31C806321}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{69AC4762-70F6-4105-84EA-61C2D9F2B0A3}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{B136E457-6896-40F4-AB93-CD9F457B588F}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{7AF2AB31-77ED-4D76-8695-DEB2D8D65A8D}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe:BackupSvc.exe
"{B121609F-BE7C-4CBE-8038-2553FAB415D0}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe:BackupSvc.exe
"{17B26786-8B9C-4322-87F5-714C3550682C}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe:SchedulerSvc.exe
"{914F42F1-2C07-4FAA-823D-9D5764BCE676}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe:SchedulerSvc.exe
"{D03AFF1D-21E0-4231-90E0-156C65B1FF5A}"= c:\program files\Acer Arcade Live\Acer SlideShow DVD\Acer SlideShow DVD.exe:Acer SlideShow DVD
"{F1DE6163-8175-4D47-8CC4-E58A7D2E16EF}"= c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Acer HomeMedia Connect.exe:Acer HomeMedia Connect
"{948B0315-30B0-49D1-B09C-33BF8EB08262}"= c:\program files\Acer Arcade Live\Acer DVDivine\Acer DVDivine.exe:Acer DVDivine
"{5D6B01B3-61EA-4995-BABF-9E3CF7DDD992}"= c:\program files\Acer Arcade Live\Acer HomeMedia\Acer HomeMedia.exe:Acer HomeMedia
"{1F2A0765-C9A3-4AD7-A438-AD1CA13FE20F}"= c:\program files\Acer Arcade Live\Acer DV Magician\Acer DV Magician.exe:Acer DV Magician
"{8C0251F1-2E22-4CA4-8ADF-B1E1FF819CD1}"= c:\program files\Acer Arcade Live\Acer VideoMagician\Acer VideoMagician.exe:Acer VideoMagician
"{F2E14084-A17B-4AF0-81C6-58F18F2E6838}"= c:\program files\Acer Arcade Live\Acer HomeMedia Trial Creator\Acer HomeMedia Trial Creator.exe:Acer HomeMedia Trial Creator
"{BAD98F9C-8A95-4C8D-A39E-D7AB6A5AF1BD}"= c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.EXE:Acer HomeMedia Connect Service
"{BDBB1FA6-ACBD-45E0-865D-A177BFE786B2}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"{516D20F8-17E7-4ADC-8D99-C00A51ED9037}"= UDP:c:\program files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{DCF469D6-F477-49EC-9B2F-9B2242337FB2}"= TCP:c:\program files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{EA796E86-119A-4B4C-ADCC-9EBEC3BFC32A}"= UDP:c:\program files\Microsoft LifeCam\LifeEnC2.exe:LifeEnC2.exe
"{73F24FC1-74D9-44AD-8085-AC683A30A2CB}"= TCP:c:\program files\Microsoft LifeCam\LifeEnC2.exe:LifeEnC2.exe
"{23FBC7D8-1331-4F79-8ABE-E5B7F272F057}"= UDP:c:\program files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{08648FF6-63E9-45C1-A8AB-5606086DECEE}"= TCP:c:\program files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{E27D6886-BD5A-4421-BFF0-3E2DE0ECDF26}"= UDP:c:\program files\Microsoft LifeCam\LifeTray.exe:LifeTray.exe
"{63DCDD31-4A38-447A-A7AE-4C7F3FE7D11B}"= TCP:c:\program files\Microsoft LifeCam\LifeTray.exe:LifeTray.exe
"TCP Query User{AC1DE7BB-74CB-47F9-80D1-7BC1B0ABE277}c:\\program files\\java\\jre6\\bin\\javaw.exe"= UDP:c:\program files\java\jre6\bin\javaw.exe:Java™ Platform SE binary
"UDP Query User{B20A2176-CCE8-478E-AEBA-E58FF34C33BF}c:\\program files\\java\\jre6\\bin\\javaw.exe"= TCP:c:\program files\java\jre6\bin\javaw.exe:Java™ Platform SE binary
"TCP Query User{3A1682C4-DCEA-4FB7-BD1F-402C2E2F2E9C}e:\\utorrent.exe"= UDP:E:\utorrent.exe:µTorrent
"UDP Query User{A893B3D8-E430-43C8-8CC5-2B1BD30126C0}e:\\utorrent.exe"= TCP:E:\utorrent.exe:µTorrent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [9/2/2009 11:01 AM 28544]
R2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [1/19/2009 7:58 PM 269448]
R2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [1/19/2009 7:42 PM 24576]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [1/19/2009 7:52 PM 210216]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [9/23/2008 4:11 PM 144632]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\System32\drivers\nvhda32v.sys [1/19/2009 5:36 PM 43552]
S3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [9/23/2008 4:11 PM 50424]
S3 PS3 Media Server;PS3 Media Server;c:\program files\PS3 Media Server\win32\service\wrapper.exe [8/17/2008 2:40 AM 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2477596596-2653741283-735745766-1000Core.job
- c:\users\Israel\AppData\Local\Google\Update\GoogleUpdate.exe [2009-08-18 19:03]

2009-09-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2477596596-2653741283-735745766-1000UA.job
- c:\users\Israel\AppData\Local\Google\Update\GoogleUpdate.exe [2009-08-18 19:03]

2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-20 08:32]

2009-01-20 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-20 08:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=1006&m=aspire_x1300
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=1&o=vp32&d=1006&m=aspire_x1300
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvLsp.dll
FF - ProfilePath - c:\users\Israel\AppData\Roaming\Mozilla\Firefox\Profiles\9z4l6ncc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Israel\AppData\Local\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\users\Israel\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-eRecoveryService - (no file)
HKLM-Run-NWEReboot - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-16 20:12
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP0000005C1218E8D7FFC7DEBB 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2009-09-17 20:13
ComboFix-quarantined-files.txt 2009-09-17 02:13

Pre-Run: 93,790,167,040 bytes free
Post-Run: 94,012,473,344 bytes free

246 --- E O F --- 2009-09-14 14:37

#13 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:04:11 AM

Posted 16 September 2009 - 09:27 PM

I want to get another look. This is a little slow sometimes, but hopefully it will run:


Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires the Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and selecting 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left, select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#14 israelnajar

israelnajar
  • Topic Starter

  • Members
  • 35 posts
  • Local time:03:11 AM

Posted 17 September 2009 - 11:46 AM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, September 17, 2009
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, September 17, 2009 04:13:36
Records in database: 2837353
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
W:\
X:\

Scan statistics:
Objects scanned: 205462
Threats found: 3
Infected objects found: 10
Suspicious objects found: 0
Scan duration: 13:43:15


File name / Threat / Threats count
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer\4a9aa0ae.tmp Infected: Trojan-Downloader.Java.OpenConnection.at 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer\4a9aa106.tmp Infected: Trojan-Downloader.Java.OpenConnection.at 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer\4aa06463.tmp Infected: Trojan-Downloader.Java.OpenConnection.at 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer\4a9aa0ae.tmp Infected: Trojan-Downloader.Java.OpenConnection.at 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer\4a9aa106.tmp Infected: Trojan-Downloader.Java.OpenConnection.at 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer\4aa06463.tmp Infected: Trojan-Downloader.Java.OpenConnection.at 1
E:\Downloads\DVDFab Platinum 5.0.3.0 - Final.rar Infected: Trojan.Win32.Agent.bvjc 1
E:\Program Files\DVDFab 5\DVDFab.exe Infected: Trojan.Win32.Agent.bvjc 1
F:\apps\TMD-Recruit.5.0.zip Infected: not-a-virus:Client-IRC.Win32.mIRC.62 1
F:\Downloads\DVDFab Platinum 5.0.3.0 - Final.rar Infected: Trojan.Win32.Agent.bvjc 1

Selected area has been scanned.

#15 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:04:11 AM

Posted 17 September 2009 - 04:55 PM

Special ComboFix script made for this computer only

1. Close any open browsers.

2. Close/disable all antivirus and antimalware programs, including TeaTimer if you have it, so they do not interfere with the running of ComboFix. Instructions for doing so are located here

3. Open Notepad and copy/paste the text in the quote box below into it:

File::
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer\4a9aa0ae.tmp
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer\4a9aa106.tmp
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer\4aa06463.tmp
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer\4a9aa0ae.tmp
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer\4a9aa106.tmp
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer\4aa06463.tmp
E:\Downloads\DVDFab Platinum 5.0.3.0 - Final.rar
E:\Program Files\DVDFab 5\DVDFab.exe
F:\apps\TMD-Recruit.5.0.zip
F:\Downloads\DVDFab Platinum 5.0.3.0 - Final.rar


Save this as CFScript.txt, in the same location as ComboFix.exe.


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.





I need to make you aware that Client-IRC.Win32.mIRC.62 is considered a security threat, and I want to give you the following security warning.


The following link gives more info on it:

http://www.threatexpert.com/report.aspx?md...8db1fc05e455236


One or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.


How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall