
Rogue Browser Window Opens Pointing to storage.conduit.com


  • This topic is locked
21 replies to this topic

#1 MVC

  • Members
  • 14 posts

Posted 23 September 2009 - 11:57 AM

Each time I open a browser window, a new tab opens pointing to hxxp://storage.conduit.com/52/156/CT1561552/BrowserFiles/5a3dc691-4296-4a6b-b36e-c71f83c967f8.html Luckily, I live in the UAE, where the internet is censored, and that site is blocked, probably saving me from even more misfortune (and here I thought censorship was a bad thing!).

Logs below. Thanks in advance for the help.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Mike at 20:30:30.77 on Wed 09/23/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3061.1807 [GMT 4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\PurgeIE\PurgeIE_Service.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\BR040286.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\igfxext.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hotspot Shield\bin\openvpntray.exe
C:\Users\Mike\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Mike\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.vancleaves.com/
mStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
uURLSearchHooks: Hotspot Shield Toolbar: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - c:\program files\hotspot_shield\tbHot1.dll
mURLSearchHooks: Hotspot Shield Toolbar: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - c:\program files\hotspot_shield\tbHot1.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Hotspot Shield Toolbar: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - c:\program files\hotspot_shield\tbHot1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: Hotspot Shield Toolbar: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - c:\program files\hotspot_shield\tbHot1.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ALaunch] c:\acer\alaunch\AlaunchClient.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\x86\eDSloader.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [BisonInst0402] c:\windows\BR040286.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [eRecoveryService]
mRun: [WarReg_PopUp] c:\program files\acer\wr_popup\WarReg_PopUp.exe
mRun: [eAudio] "c:\acer\empowering technology\eaudio\eAudio.exe"
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\programdata\scansoft\paperport\11\config\ereg\Ereg.ini
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: intuit.com
Trusted Zone: intuit.com\www
Trusted Zone: trendmicro.com
Trusted Zone: vancleaves.com
Trusted Zone: vancleaves.com\www
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab?
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\VCdRom.sys [2001-12-19 8576]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\acer arcade deluxe\play movie\000.fcl [2008-4-29 41456]
R2 HssSrv;Hotspot Shield Routing Service;c:\program files\hotspot shield\hsswpr\hsssrv.exe [2009-8-6 331824]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-3-17 180736]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-3-17 32256]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [2009-6-30 33840]
R3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [2009-7-22 28592]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\hotspot shield\bin\HssTrayService.exe [2009-8-11 57640]
S4 ALaunchService;ALaunch Service;c:\acer\alaunch\ALaunchSvc.exe [2008-3-17 51200]

=============== Created Last 30 ================

2009-09-23 19:29 <DIR> --d----- c:\program files\Trend Micro
2009-09-15 20:05 <DIR> --d----- c:\programdata\WinZip

==================== Find3M ====================

2009-09-12 10:50 143,360 a------- c:\windows\inf\infstrng.dat
2009-09-12 10:50 86,016 a------- c:\windows\inf\infstor.dat
2009-09-12 10:50 51,200 a------- c:\windows\inf\infpub.dat
2009-01-09 10:36 984 a------- c:\users\mike\appdata\roaming\wklnhst.dat
2008-09-19 12:03 56 a---h--- c:\programdata\ezsidmv.dat
2008-09-19 12:03 56 a---h--- c:\progra~2\ezsidmv.dat
2008-09-13 10:31 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-21 06:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 16:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 16:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 16:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 16:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 13:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 13:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 13:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 13:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-05-07 08:03 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-05-07 08:03 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-05-07 08:03 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-05-16 20:03 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2009-05-16 20:03 32,768 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2009-05-16 20:03 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 20:31:13.72 ===============

Update: moments after posting this, I started getting repeated "Windows Explorer Has Stopped Working" errors, each followed by a "Windows is Restarting" error. This happens over and over again. All windows stay open and the system responds to Ctrl-Alt-Del. I have shut down and re-booted twice. The error messages begin as soon as I log on, without any software open.

Thanks.

Deactivated links and merged posts. ~ OB



Edited by Orange Blossom, 23 September 2009 - 11:17 PM.



#2 etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts

Posted 10 October 2009 - 08:46 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 MVC

  • Topic Starter

  • Members
  • 14 posts

Posted 10 October 2009 - 11:07 AM

Ok, to recap, each time I open a browser window, a new tab opens pointing to hxxp://storage.conduit.com/52/156/CT1561552/BrowserFiles/5a3dc691-4296-4a6b-b36e-c71f83c967f8.html.

A while (couple of hours maybe) after the browser issue started occurring, I started getting repeated "Windows Explorer Has Stopped Working" errors, each followed by a "Windows is Restarting" message. This happens over and over again. It is almost impossible to do anything. I had to run DDS from the command prompt (luckily I have Command on my quicklaunch bar, or else I would not have been able to get to it!). Once in a while I get a message that it is a codec problem with Power Cinema (text from message pasted below), but I know that's not the problem.

System responds to Ctrl-Alt-Del and this happens in Safe mode as well.

I have 3 different users on the computer and these problems only affect one login. All other logins work fine.

---------- Windows Problem Resolution Message ----------

Troubleshoot a problem with Power Cinema
Power Cinema has stopped working properly.

Power Cinema is a codec. The file name of this codec is CLDemuxer.ax.

To try to solve this problem, follow these steps. One step might solve the problem, but if it doesn't, then go on to the next step.

Click to go to the CyberLink Corp. website to check for and install CLDemuxer.ax updates

Disable thumbnail view in Windows Explorer

Click the Start button , click Control Panel, click Appearance and Personalization, and then click Folder Options.

Click the View tab, and then select the Always show icons, never thumbnails check box.

Click Apply, and then click OK.

Use the regsvr32 command to unregister CLDemuxer.ax

If you don't know which program is causing this problem, you can remove CLDemuxer.ax from the list of installed codecs by unregistering it.

Warning
Disabling CLDemuxer.ax will cause any programs that depend on the codec to stop working or lose functionality.

Click the Start button , and then, in the Search box, type Command Prompt. From the list of results, right-click Command Prompt, and then click Run as administrator. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

At the command prompt, type regsvr32 /u CLDemuxer.ax, and then press ENTER. CLDemuxer.ax is now unregistered.
What should I do if the regsvr32 command fails or returns an error?

If the steps to disable the CLDemuxer.ax did not work, you can try renaming the file to disable it.

Click the Start button , and then, in the Search box, type CLDemuxer.ax.

In the list of search results, right-click CLDemuxer.ax, and then click Open file location.

Right click CLDemuxer.ax, and then click Rename.

Rename the file (for example, change the name to CLDemuxer.ax.old). Remember the file name so you can enable it later if you need to.

If these steps don't solve the problem and you continue to receive problem reports, please consider filling out the survey at the bottom of this page. To help us continue to investigate this error, include the names of the add-ons that are currently enabled in Internet Explorer in the comments area of the survey.

What is a codec?

A codec is software that is used to compress or decompress a digital media file, such as a song or video. Media players and other programs use codecs to play and create digital media files.

---------- END ----------


---------- DDS Log ----------


DDS (Ver_09-07-30.01) - NTFSx86
Run by Mike at 19:46:30.87 on Sat 10/10/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3061.1791 [GMT 4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\PurgeIE\PurgeIE_Service.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\BR040286.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Users\Natalie\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Hotspot Shield\bin\openvpntray.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\BR040286.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\Mike\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Hotspot Shield\bin\openvpntray.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\WerCon.exe
C:\Windows\explorer.exe
C:\Windows\system32\WerFault.exe
C:\Users\Mike\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.vancleaves.com/
mStart Page = hxxp://www.yahoo.com
mDefault_Page_URL = hxxp://www.yahoo.com
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uURLSearchHooks: Hotspot Shield Toolbar: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - c:\program files\hotspot_shield\tbHot0.dll
mURLSearchHooks: Hotspot Shield Toolbar: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - c:\program files\hotspot_shield\tbHot0.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Hotspot Shield Toolbar: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - c:\program files\hotspot_shield\tbHot0.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: Hotspot Shield Toolbar: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - c:\program files\hotspot_shield\tbHot0.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ALaunch] c:\acer\alaunch\AlaunchClient.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\x86\eDSloader.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [BisonInst0402] c:\windows\BR040286.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [eRecoveryService]
mRun: [WarReg_PopUp] c:\program files\acer\wr_popup\WarReg_PopUp.exe
mRun: [eAudio] "c:\acer\empowering technology\eaudio\eAudio.exe"
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\programdata\scansoft\paperport\11\config\ereg\Ereg.ini
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\amazon~1.lnk - c:\program files\amazon\amazon unbox video\ADVWindowsClientSystemTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: intuit.com
Trusted Zone: intuit.com\www
Trusted Zone: trendmicro.com
Trusted Zone: vancleaves.com
Trusted Zone: vancleaves.com\www
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FD07749-EFFA-48C6-947C-45A8D7BF422F} - hxxp://www.cyberlink.com/prog/vista/prog/CLVistaGenie.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab?
TCP: {361774D6-A9D1-490E-807B-830DA6D1DD23} = 10.11.128.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\VCdRom.sys [2001-12-19 8576]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\acer arcade deluxe\play movie\000.fcl [2008-4-29 41456]
R2 HssSrv;Hotspot Shield Routing Service;c:\program files\hotspot shield\hsswpr\hsssrv.exe [2009-9-16 331824]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-3-17 180736]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-3-17 32256]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [2009-9-16 37376]
R3 taphss;Anchorfree HSS Adapter;c:\windows\system32\drivers\taphss.sys [2009-9-16 32768]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\hotspot shield\bin\HssTrayService.exe [2009-9-16 57640]
S3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [2009-7-22 28592]
S4 ALaunchService;ALaunch Service;c:\acer\alaunch\ALaunchSvc.exe [2008-3-17 51200]

=============== Created Last 30 ================

2009-10-06 17:35 195,440 -------- c:\windows\system32\MpSigStub.exe
2009-10-02 19:57 <DIR> --d----- c:\program files\common files\Logitech
2009-10-02 14:47 524,288 a--sh--- C:\ntuser.dat{93027ff4-ad5c-11de-806e-b21bd2c760d8}.TMContainer00000000000000000002.regtrans-ms
2009-10-02 14:47 524,288 a--sh--- C:\ntuser.dat{93027ff4-ad5c-11de-806e-b21bd2c760d8}.TMContainer00000000000000000001.regtrans-ms
2009-10-02 14:47 524,288 a--sh--- C:\ntuser.dat{93027ff0-ad5c-11de-806e-b21bd2c760d8}.TMContainer00000000000000000002.regtrans-ms
2009-10-02 14:47 524,288 a--sh--- C:\ntuser.dat{93027ff0-ad5c-11de-806e-b21bd2c760d8}.TMContainer00000000000000000001.regtrans-ms
2009-10-02 14:47 65,536 a--sh--- C:\ntuser.dat{93027ff4-ad5c-11de-806e-b21bd2c760d8}.TM.blf
2009-10-02 14:47 65,536 a--sh--- C:\ntuser.dat{93027ff0-ad5c-11de-806e-b21bd2c760d8}.TM.blf
2009-10-02 14:47 5,120 a---h--- C:\ntuser.dat.LOG1
2009-10-02 14:47 0 a---h--- C:\ntuser.dat.LOG2
2009-10-02 14:47 262,144 a------- C:\ntuser.dat
2009-09-28 20:55 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-09-28 20:21 <DIR> --d----- c:\programdata\Amazon
2009-09-28 20:21 <DIR> --d----- c:\progra~2\Amazon
2009-09-28 20:10 <DIR> --d----- c:\windows\Downloaded Installations
2009-09-23 19:29 <DIR> --d----- c:\program files\Trend Micro
2009-09-16 00:04 37,376 a------- c:\windows\system32\drivers\hssdrv.sys
2009-09-16 00:04 32,768 a------- c:\windows\system32\drivers\taphss.sys
2009-09-15 20:05 <DIR> --d----- c:\programdata\WinZip

==================== Find3M ====================

2009-10-02 20:06 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-09-28 19:43 143,360 a------- c:\windows\inf\infstrng.dat
2009-09-28 19:43 86,016 a------- c:\windows\inf\infstor.dat
2009-09-28 19:43 51,200 a------- c:\windows\inf\infpub.dat
2009-09-03 11:38 1,184,984 a----r-- c:\windows\system32\wvc1dmod.dll
2009-01-09 10:36 984 a------- c:\users\mike\appdata\roaming\wklnhst.dat
2008-09-13 10:31 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-21 06:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 16:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 16:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 16:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 16:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 13:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 13:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 13:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 13:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-05-07 08:03 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-05-07 08:03 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-05-07 08:03 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-05-16 20:03 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2009-05-16 20:03 32,768 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2009-05-16 20:03 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 19:47:26.88 ===============


I think that's everything.

Thanks in advance for the help.

Mike


#4 extremeboy (Malware Response Team, 12,975 posts)

Posted 19 October 2009 - 02:58 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or a RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS and RootRepeal. If you have any problems, just let me know in your next reply, or simply post a HijackThis log.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free, but if you wish to show your appreciation, you may wish to donate via the link in my signature.

#5 MVC (Topic Starter, 14 posts)

Posted 20 October 2009 - 10:19 AM

Hi and thanks for the help. Problems are still the same as described above. Look forward to working with you!

Ran DDS and RootRepeal again. Logs pasted/attached here.

I got an error on RootRepeal:

19:02:56: Unrecognized partition type 6 (0x6)!
19:07:48: Could not read system registry! Please contact the author!


DDS Log:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Mike at 18:47:56.15 on Tue 10/20/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3061.1131 [GMT 4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\PurgeIE\PurgeIE_Service.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\BR040286.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Users\Natalie\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Hotspot Shield\bin\openvpntray.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\BR040286.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Users\Mike\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Windows\system32\WerCon.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Hotspot Shield\bin\openvpntray.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe
C:\Users\Mike\Desktop\dds.scr
C:\Windows\system32\WerFault.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.vancleaves.com/
mStart Page = hxxp://www.yahoo.com
mDefault_Page_URL = hxxp://www.yahoo.com
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uURLSearchHooks: Hotspot Shield Toolbar: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - c:\program files\hotspot_shield\tbHot0.dll
mURLSearchHooks: Hotspot Shield Toolbar: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - c:\program files\hotspot_shield\tbHot0.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Hotspot Shield Toolbar: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - c:\program files\hotspot_shield\tbHot0.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: Hotspot Shield Toolbar: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - c:\program files\hotspot_shield\tbHot0.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ALaunch] c:\acer\alaunch\AlaunchClient.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\x86\eDSloader.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [BisonInst0402] c:\windows\BR040286.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [eRecoveryService]
mRun: [WarReg_PopUp] c:\program files\acer\wr_popup\WarReg_PopUp.exe
mRun: [eAudio] "c:\acer\empowering technology\eaudio\eAudio.exe"
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\programdata\scansoft\paperport\11\config\ereg\Ereg.ini
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\amazon~1.lnk - c:\program files\amazon\amazon unbox video\ADVWindowsClientSystemTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: intuit.com
Trusted Zone: intuit.com\www
Trusted Zone: trendmicro.com
Trusted Zone: vancleaves.com
Trusted Zone: vancleaves.com\www
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FD07749-EFFA-48C6-947C-45A8D7BF422F} - hxxp://www.cyberlink.com/prog/vista/prog/CLVistaGenie.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab?
TCP: {361774D6-A9D1-490E-807B-830DA6D1DD23} = 10.28.64.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\VCdRom.sys [2001-12-19 8576]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\acer arcade deluxe\play movie\000.fcl [2008-4-29 41456]
R2 HssSrv;Hotspot Shield Routing Service;c:\program files\hotspot shield\hsswpr\hsssrv.exe [2009-9-16 331824]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-3-17 180736]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-3-17 32256]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [2009-9-16 37376]
R3 taphss;Anchorfree HSS Adapter;c:\windows\system32\drivers\taphss.sys [2009-9-16 32768]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\hotspot shield\bin\HssTrayService.exe [2009-9-16 57640]
S3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [2009-7-22 28592]
S4 ALaunchService;ALaunch Service;c:\acer\alaunch\ALaunchSvc.exe [2008-3-17 51200]

=============== Created Last 30 ================

2009-10-06 17:35 195,440 -------- c:\windows\system32\MpSigStub.exe
2009-10-02 19:57 <DIR> --d----- c:\program files\common files\Logitech
2009-10-02 14:47 524,288 a--sh--- C:\ntuser.dat{93027ff4-ad5c-11de-806e-b21bd2c760d8}.TMContainer00000000000000000002.regtrans-ms
2009-10-02 14:47 524,288 a--sh--- C:\ntuser.dat{93027ff4-ad5c-11de-806e-b21bd2c760d8}.TMContainer00000000000000000001.regtrans-ms
2009-10-02 14:47 524,288 a--sh--- C:\ntuser.dat{93027ff0-ad5c-11de-806e-b21bd2c760d8}.TMContainer00000000000000000002.regtrans-ms
2009-10-02 14:47 524,288 a--sh--- C:\ntuser.dat{93027ff0-ad5c-11de-806e-b21bd2c760d8}.TMContainer00000000000000000001.regtrans-ms
2009-10-02 14:47 65,536 a--sh--- C:\ntuser.dat{93027ff4-ad5c-11de-806e-b21bd2c760d8}.TM.blf
2009-10-02 14:47 65,536 a--sh--- C:\ntuser.dat{93027ff0-ad5c-11de-806e-b21bd2c760d8}.TM.blf
2009-10-02 14:47 5,120 a---h--- C:\ntuser.dat.LOG1
2009-10-02 14:47 0 a---h--- C:\ntuser.dat.LOG2
2009-10-02 14:47 262,144 a------- C:\ntuser.dat
2009-09-28 20:55 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-09-28 20:21 <DIR> --d----- c:\programdata\Amazon
2009-09-28 20:21 <DIR> --d----- c:\progra~2\Amazon
2009-09-28 20:10 <DIR> --d----- c:\windows\Downloaded Installations
2009-09-23 19:29 <DIR> --d----- c:\program files\Trend Micro

==================== Find3M ====================

2009-10-02 20:06 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-09-28 19:43 143,360 a------- c:\windows\inf\infstrng.dat
2009-09-28 19:43 86,016 a------- c:\windows\inf\infstor.dat
2009-09-28 19:43 51,200 a------- c:\windows\inf\infpub.dat
2009-09-16 00:04 37,376 a------- c:\windows\system32\drivers\hssdrv.sys
2009-09-16 00:04 32,768 a------- c:\windows\system32\drivers\taphss.sys
2009-09-03 11:38 1,184,984 a----r-- c:\windows\system32\wvc1dmod.dll
2009-01-09 10:36 984 a------- c:\users\mike\appdata\roaming\wklnhst.dat
2008-09-13 10:31 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-21 06:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 16:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 16:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 16:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 16:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 13:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 13:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 13:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 13:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-05-07 08:03 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-05-07 08:03 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-05-07 08:03 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-05-16 20:03 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2009-05-16 20:03 32,768 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2009-05-16 20:03 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 18:49:01.24 ===============
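Added example, not code from MVC's or extremeboy's posts. The Pseudo HJT Report above lists the same CLSID {c95a4e8e-816d-4655-8c79-d736da1adb6d} as a uURLSearchHook, an mURLSearchHook, a BHO and a Toolbar, all backed by c:\program files\hotspot_shield\tbHot0.dll, and two entries ({02478D38-...} and {32099AAC-...}) marked "No File". The script below reads the same registry extension points that DDS summarises, resolves each CLSID to its InprocServer32 DLL, and reports both conditions together with the DLL's Authenticode status. The registry paths are the standard IE locations for these extension points; the Point labels mirror DDS's prefixes and are my choice. It needs PowerShell 3 or later and an elevated prompt.

```powershell
# Added example (not code from the thread). Enumerates the IE extension points that DDS
# reports as BHO:, TB: and URLSearchHooks:, resolves each CLSID to its DLL, and flags
# (1) CLSIDs with no file behind them and (2) one DLL wired into several points.
# Requires PowerShell 3 or later; run from an elevated prompt so HKLM and HKCR are readable.

if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# Extension points and how the CLSID is stored there: as a subkey name or as a value name.
$points = @(
    @{ Name = 'BHO';             Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'; Mode = 'SubKey' },
    @{ Name = 'TB';              Key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar';            Mode = 'Value'  },
    @{ Name = 'uTB';             Key = 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'; Mode = 'Value'  },
    @{ Name = 'uURLSearchHooks'; Key = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks';     Mode = 'Value'  },
    @{ Name = 'mURLSearchHooks'; Key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks';     Mode = 'Value'  }
)

function Get-ClsidDllPath([string]$Clsid) {
    # HKCR\CLSID\{guid}\InprocServer32 (Default) holds the DLL path, possibly quoted or
    # written with %ProgramFiles%-style variables.
    $key = "HKCR:\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $raw = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
    if ([string]::IsNullOrWhiteSpace($raw)) { return $null }
    return [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
}

$entries = foreach ($p in $points) {
    if (-not (Test-Path -LiteralPath $p.Key)) { continue }
    $clsids = if ($p.Mode -eq 'SubKey') {
        (Get-ChildItem -LiteralPath $p.Key).PSChildName
    } else {
        (Get-Item -LiteralPath $p.Key).GetValueNames() | Where-Object { $_ -match '^\{[0-9A-Fa-f-]{36}\}$' }
    }
    foreach ($c in $clsids) {
        $path   = Get-ClsidDllPath $c
        $exists = [bool]($path -and (Test-Path -LiteralPath $path))
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        [pscustomobject]@{ Point = $p.Name; CLSID = $c.ToLower(); Path = $path; Exists = $exists; Signature = $sig }
    }
}

# (1) "No File": a CLSID still registered at an extension point with no DLL behind it.
$entries | Where-Object { -not $_.Exists } | Format-Table Point, CLSID, Path -AutoSize

# (2) One DLL registered at several extension points, e.g. URLSearchHook + BHO + Toolbar.
$entries | Where-Object { $_.Path } | Group-Object { $_.Path.ToLower() } | Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        $where = ($_.Group | ForEach-Object { $_.Point } | Sort-Object -Unique) -join ', '
        '{0}  <- registered as: {1}' -f $_.Name, $where
    }

# Full listing with signature status for review.
$entries | Sort-Object Path | Format-Table Point, CLSID, Exists, Signature, Path -AutoSize
```

Neither finding is a verdict on its own. A dangling CLSID is usually an uninstall leftover, and many legitimate toolbars register one DLL as search hook, BHO and toolbar at once; the point of the listing is to put the file path, its existence and its signature status next to each entry so the reviewer can decide what to remove, which is the same judgement the helper is making from the DDS lines.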


#6 extremeboy (Malware Response Team, 12,975 posts)

Posted 20 October 2009 - 02:59 PM

Hello.

Thanks for the logs.

We'll check for malware as well as see if we can fix those issues you have afterward. Not all of those are malware-related from what I see.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page for instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.

~EB

#7 MVC (Topic Starter, 14 posts)

Posted 21 October 2009 - 11:35 AM

Looks like somehow Windows Defender was still enabled. Do I need to re-run? I hope not. Everything is a huge hassle with Windows crashing. I have to run things from the command window, as I don't get access to the desktop long enough to run anything.

Log below.


ComboFix 09-10-20.03 - Mike 10/21/2009 20:10.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3061.2034 [GMT 4:00]
Running from: c:\users\Mike\Desktop\ComboFix.exe
Command switches used :: combofix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2770101765-2151009926-1020980331-500
c:\users\Mike\AppData\Roaming\.#
c:\windows\Installer\24715c16.msi

.
((((((((((((((((((((((((( Files Created from 2009-09-21 to 2009-10-21 )))))))))))))))))))))))))))))))
.

2009-10-21 16:17 . 2009-10-21 16:17 -------- d-----w- c:\users\Natalie\AppData\Local\temp
2009-10-21 16:17 . 2009-10-21 16:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-21 16:17 . 2009-10-21 16:17 -------- d-----w- c:\users\Bethy\AppData\Local\temp
2009-10-06 13:35 . 2009-10-01 06:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-02 15:57 . 2009-10-02 15:57 -------- d-----w- c:\program files\Common Files\Logitech
2009-10-02 15:57 . 2009-10-02 15:57 -------- d-----w- c:\users\Natalie\AppData\Local\Downloaded Installations
2009-10-02 10:48 . 2009-10-02 16:48 -------- d-----w- c:\users\Natalie\AppData\Local\Yahoo
2009-10-02 10:47 . 2009-10-02 10:47 262144 ----a-w- C:\ntuser.dat
2009-09-28 16:55 . 2009-09-28 16:55 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-09-28 16:31 . 2009-09-28 16:31 -------- d-----w- c:\windows\Sun
2009-09-28 16:21 . 2009-09-28 16:21 -------- d-----w- c:\programdata\Amazon
2009-09-28 16:10 . 2009-09-28 16:10 -------- d-----w- c:\windows\Downloaded Installations
2009-09-23 15:29 . 2009-09-23 15:29 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-21 14:08 . 2008-09-27 01:55 -------- d-----w- c:\users\Natalie\AppData\Roaming\Skype
2009-10-21 14:06 . 2008-12-31 07:42 -------- d-----w- c:\users\Natalie\AppData\Roaming\skypePM
2009-10-13 14:44 . 2008-10-11 10:26 -------- d-----w- c:\program files\WinBoard-4.2.7
2009-10-10 14:32 . 2008-04-28 21:02 12 ----a-w- c:\windows\bthservsdp.dat
2009-10-06 13:19 . 2009-06-08 12:29 -------- d-----w- c:\program files\Hotspot_Shield
2009-10-02 18:08 . 2008-03-17 19:09 -------- d-----w- c:\program files\Yahoo!
2009-10-02 16:48 . 2009-01-11 16:50 -------- d-----w- c:\users\Natalie\AppData\Roaming\Yahoo!
2009-10-02 16:06 . 2008-10-04 10:51 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-10-02 10:46 . 2008-09-19 10:10 -------- d-----w- c:\programdata\Yahoo!
2009-09-28 16:22 . 2008-03-17 18:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-28 16:21 . 2009-02-02 11:09 -------- d-----w- c:\program files\Amazon
2009-09-28 15:43 . 2009-06-08 12:29 -------- d-----w- c:\program files\Hotspot Shield
2009-09-25 13:10 . 2008-03-18 10:59 -------- d-----w- c:\programdata\Microsoft Help
2009-09-21 12:25 . 2008-09-19 04:53 -------- d-----w- c:\users\Mike\AppData\Roaming\Skype
2009-09-21 12:24 . 2008-09-19 08:03 -------- d-----w- c:\users\Mike\AppData\Roaming\skypePM
2009-09-15 20:04 . 2009-09-15 20:04 37376 ----a-w- c:\windows\system32\drivers\hssdrv.sys
2009-09-15 20:04 . 2009-09-15 20:04 32768 ----a-w- c:\windows\system32\drivers\taphss.sys
2009-09-15 16:06 . 2009-09-15 16:05 -------- d-----w- c:\programdata\WinZip
2009-09-03 07:38 . 2009-09-03 07:38 1184984 ----a-r- c:\windows\system32\wvc1dmod.dll
2009-08-13 13:41 . 2008-12-01 17:49 1356 ----a-w- c:\users\Mike\AppData\Local\d3d9caps.dat
2009-08-03 10:44 . 2008-12-01 13:55 72344 ----a-w- c:\users\Bethy\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-01 08:57 . 2008-09-12 05:07 72344 ----a-w- c:\users\Mike\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-31 11:56 . 2008-09-14 06:29 72344 ----a-w- c:\users\Natalie\AppData\Local\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{c95a4e8e-816d-4655-8c79-d736da1adb6d}"= "c:\program files\Hotspot_Shield\tbHot0.dll" [2009-10-06 2215960]

[HKEY_CLASSES_ROOT\clsid\{c95a4e8e-816d-4655-8c79-d736da1adb6d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c95a4e8e-816d-4655-8c79-d736da1adb6d}]
2009-10-06 13:20 2215960 ----a-w- c:\program files\Hotspot_Shield\tbHot0.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-06-08 12:29 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{c95a4e8e-816d-4655-8c79-d736da1adb6d}"= "c:\program files\Hotspot_Shield\tbHot0.dll" [2009-10-06 2215960]

[HKEY_CLASSES_ROOT\clsid\{c95a4e8e-816d-4655-8c79-d736da1adb6d}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{C95A4E8E-816D-4655-8C79-D736DA1ADB6D}"= "c:\program files\Hotspot_Shield\tbHot0.dll" [2009-10-06 2215960]

[HKEY_CLASSES_ROOT\clsid\{c95a4e8e-816d-4655-8c79-d736da1adb6d}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 09:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-03-05 525360]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-22 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-22 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-22 133656]
"BisonInst0402"="c:\windows\BR040286.exe" [2007-05-08 53248]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-07-21 159744]
"WarReg_PopUp"="c:\program files\Acer\WR_PopUp\WarReg_PopUp.exe" [2008-01-29 303104]
"eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-10-10 1286144]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2008-06-29 52168]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-09-03 4702208]

c:\users\Natalie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Amazon Unbox.lnk - c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2009-9-3 97384]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-19 525640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Blink.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Blink.lnk
backup=c:\windows\pss\Blink.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\System32\VCdRom.sys [12/19/2001 11:45 AM 8576]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [4/29/2008 12:58 AM 41456]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [3/17/2008 9:44 PM 180736]
R3 enecir;ENE CIR Receiver;c:\windows\System32\drivers\enecir.sys [3/17/2008 9:45 PM 32256]
S4 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [3/17/2008 11:10 PM 51200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder

2009-10-21 c:\windows\Tasks\User_Feed_Synchronization-{A993F387-350F-4756-8C45-9E599F5D0422}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.vancleaves.com/
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: intuit.com
Trusted Zone: intuit.com\www
Trusted Zone: trendmicro.com
Trusted Zone: vancleaves.com
Trusted Zone: vancleaves.com\www
TCP: {361774D6-A9D1-490E-807B-830DA6D1DD23} = 10.28.80.1
DPF: {8FD07749-EFFA-48C6-947C-45A8D7BF422F} - hxxp://www.cyberlink.com/prog/vista/prog/CLVistaGenie.cab
DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab?
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
HKLM-Run-ALaunch - c:\acer\ALaunch\AlaunchClient.exe
HKLM-Run-eRecoveryService - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-21 20:18
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2770101765-2151009926-1020980331-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-10-21 20:19
ComboFix-quarantined-files.txt 2009-10-21 16:19

Pre-Run: 58,760,032,256 bytes free
Post-Run: 61,124,579,328 bytes free

- - End Of File - - D3DE2233D9901E4B96FB0855CA34EE67
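Added example, not code from the thread. The LOCKED REGISTRY KEYS section of the ComboFix log above lists keys carrying explicit Deny ACEs for Users and Everyone, which is what a ReglockDel:: line in a CFScript is used to clear. The function below does the equivalent inspection with Get-Acl: it walks a registry subtree, reports every explicit (non-inherited) Deny ACE with the key's owner, and only strips them when -Unlock is given. The function name and its parameters are my own; it needs PowerShell 3 or later and an elevated prompt.

```powershell
# Added example (not code from the thread). Reports explicit Deny ACEs on registry keys
# under a root, the condition ComboFix prints as "@Denied: (A) (Users)" in its
# LOCKED REGISTRY KEYS section, and optionally strips them. Run from an elevated prompt.

function Find-DeniedRegistryKeys {
    param(
        [Parameter(Mandatory = $true)][string]$Root,  # e.g. 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}'
        [switch]$Unlock                                # remove the explicit Deny ACEs instead of only listing them
    )
    $keys = @(Get-Item -LiteralPath $Root -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        if (-not $key) { continue }
        # A key whose ACL cannot be read at all (READ_CONTROL denied to Everyone) is itself a
        # finding; the owner always keeps READ_CONTROL and WRITE_DAC, so take ownership first.
        try   { $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL on $($key.Name): $($_.Exception.Message)"; continue }

        $denies = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited })
        if ($denies.Count -eq 0) { continue }

        foreach ($ace in $denies) {
            [pscustomobject]@{
                Key      = $key.Name
                Identity = $ace.IdentityReference.Value   # group/user name, or a raw SID if it cannot be resolved
                Rights   = $ace.RegistryRights
                Owner    = $acl.Owner
            }
        }
        if ($Unlock) {
            foreach ($ace in $denies) { [void]$acl.RemoveAccessRule($ace) }
            Set-Acl -LiteralPath $key.PSPath -AclObject $acl
        }
    }
}

# List only (the safe default). Add -Unlock to strip the Deny ACEs once you have decided they do not belong.
Find-DeniedRegistryKeys -Root 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}' |
    Format-Table Key, Identity, Rights, Owner -AutoSize
```

A Deny ACE is evidence that something locked the key, not evidence of what locked it. Windows and legitimate software set Deny ACEs on some keys, and {4D36E96D-E325-11CE-BFC1-08002BE10318} is the modem device class, whose per-device AllUserSettings keys are widely reported with exactly this ACL shape on machines with no infection, so check what a key controls (and who owns it) before removing anything. Run the listing first, keep the output, and only then decide whether -Unlock is warranted.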

#8 extremeboy (Malware Response Team, 12,975 posts)

Posted 21 October 2009 - 03:19 PM

Hello.

First install an Anti-Virus software!

This is crucial.

Install Antivirus

An anti-virus is essential in keeping your computer safe while surfing the Internet. Please install one (ONE) free anti-virus program from one of the links below. Update it after the installation is complete, please.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    ReglockDel::
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}]
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

~Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 MVC

MVC
  • Topic Starter

  • Members
  • 14 posts
  • Local time:05:29 PM

Posted 24 October 2009 - 09:49 PM

I cannot drag and drop anything due to the repeated "Windows Explorer Has Stopped Working" errors (note, this entire situation only affects one of three logins on this computer; the other two have no problems). I don't have access to the desktop nor start menu for long enough to accomplish anything at all. I have to do everything from the command line. Is there a command line option to run ComboFix using the CFScript file? I tried a couple of things, but I'm not sure if ComboFix ran with the script or just on its own.

I have installed Avast and updated. I did this from one of the unaffected logins on this computer, but confirmed that it is in effect on all three logins.

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:09:29 PM

Posted 25 October 2009 - 09:58 AM

Hello.

Go to Start >> Run>> In the open field type in the following in blue and bold:

"%userprofile%\desktop\Combofix.exe" "%userprofile%\desktop\CFScript.txt"

Now press Ok. This shall execute Combofix with the CFScript.txt.

You need to make sure that Combofix is on your desktop and so is CFScript.txt.

With Regards,
Extremeboy

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:09:29 PM

Posted 28 October 2009 - 07:04 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#12 MVC

MVC
  • Topic Starter

  • Members
  • 14 posts
  • Local time:05:29 PM

Posted 29 October 2009 - 01:59 AM

I am still here. I am working very long hours right now, so I can't find time at home to work on this problem. Weekend is coming up for us tomorrow, so I will complete the next step by then.

Thanks for your help and patience.

#13 MVC

MVC
  • Topic Starter

  • Members
  • 14 posts
  • Local time:05:29 PM

Posted 30 October 2009 - 11:36 AM

Ok, here goes.

ComboFix results:

ComboFix 09-10-20.03 - Mike 10/26/2009 18:25.4.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3061.1889 [GMT 4:00]
Running from: c:\users\Mike\Desktop\ComboFix.exe
Command switches used :: c:\users\Mike\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-09-26 to 2009-10-26 )))))))))))))))))))))))))))))))
.

2009-10-26 14:36 . 2009-10-26 14:36 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-10-26 14:36 . 2009-10-26 14:36 -------- d-----w- c:\users\Natalie\AppData\Local\temp
2009-10-26 14:36 . 2009-10-26 14:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-26 14:36 . 2009-10-26 14:36 -------- d-----w- c:\users\Bethy\AppData\Local\temp
2009-10-24 16:04 . 2009-10-26 14:37 -------- d-----w- c:\users\Mike\AppData\Local\temp
2009-10-23 05:09 . 2009-09-15 10:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-10-23 05:09 . 2009-09-15 10:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-10-23 05:08 . 2009-09-15 10:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-10-23 05:08 . 2009-09-15 10:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-10-23 05:08 . 2009-09-15 10:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-10-23 05:08 . 2009-09-15 10:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-10-23 05:08 . 2009-09-15 10:55 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-10-23 05:08 . 2009-10-23 05:08 -------- d-----w- c:\program files\Alwil Software
2009-10-06 13:35 . 2009-10-01 06:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-02 15:57 . 2009-10-02 15:57 -------- d-----w- c:\program files\Common Files\Logitech
2009-10-02 15:57 . 2009-10-02 15:57 -------- d-----w- c:\users\Natalie\AppData\Local\Downloaded Installations
2009-10-02 10:48 . 2009-10-02 16:48 -------- d-----w- c:\users\Natalie\AppData\Local\Yahoo
2009-10-02 10:47 . 2009-10-02 10:47 262144 ----a-w- C:\ntuser.dat
2009-09-28 16:55 . 2009-09-28 16:55 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-09-28 16:31 . 2009-09-28 16:31 -------- d-----w- c:\windows\Sun
2009-09-28 16:21 . 2009-09-28 16:21 -------- d-----w- c:\programdata\Amazon
2009-09-28 16:10 . 2009-09-28 16:10 -------- d-----w- c:\windows\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-26 14:17 . 2008-04-28 21:02 12 ----a-w- c:\windows\bthservsdp.dat
2009-10-26 14:04 . 2008-09-27 01:55 -------- d-----w- c:\users\Natalie\AppData\Roaming\Skype
2009-10-26 12:01 . 2008-12-31 07:42 -------- d-----w- c:\users\Natalie\AppData\Roaming\skypePM
2009-10-23 13:31 . 2009-06-08 12:29 -------- d-----w- c:\program files\Hotspot Shield
2009-10-13 14:44 . 2008-10-11 10:26 -------- d-----w- c:\program files\WinBoard-4.2.7
2009-10-06 13:19 . 2009-06-08 12:29 -------- d-----w- c:\program files\Hotspot_Shield
2009-10-02 18:08 . 2008-03-17 19:09 -------- d-----w- c:\program files\Yahoo!
2009-10-02 16:48 . 2009-01-11 16:50 -------- d-----w- c:\users\Natalie\AppData\Roaming\Yahoo!
2009-10-02 16:06 . 2008-10-04 10:51 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-10-02 10:46 . 2008-09-19 10:10 -------- d-----w- c:\programdata\Yahoo!
2009-09-28 16:22 . 2008-03-17 18:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-28 16:21 . 2009-02-02 11:09 -------- d-----w- c:\program files\Amazon
2009-09-25 13:10 . 2008-03-18 10:59 -------- d-----w- c:\programdata\Microsoft Help
2009-09-23 15:29 . 2009-09-23 15:29 -------- d-----w- c:\program files\Trend Micro
2009-09-21 12:25 . 2008-09-19 04:53 -------- d-----w- c:\users\Mike\AppData\Roaming\Skype
2009-09-21 12:24 . 2008-09-19 08:03 -------- d-----w- c:\users\Mike\AppData\Roaming\skypePM
2009-09-15 20:04 . 2009-09-15 20:04 37376 ----a-w- c:\windows\system32\drivers\hssdrv.sys
2009-09-15 20:04 . 2009-09-15 20:04 32768 ----a-w- c:\windows\system32\drivers\taphss.sys
2009-09-15 16:06 . 2009-09-15 16:05 -------- d-----w- c:\programdata\WinZip
2009-09-03 07:38 . 2009-09-03 07:38 1184984 ----a-r- c:\windows\system32\wvc1dmod.dll
2009-08-13 13:41 . 2008-12-01 17:49 1356 ----a-w- c:\users\Mike\AppData\Local\d3d9caps.dat
2009-08-03 10:44 . 2008-12-01 13:55 72344 ----a-w- c:\users\Bethy\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-01 08:57 . 2008-09-12 05:07 72344 ----a-w- c:\users\Mike\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-31 11:56 . 2008-09-14 06:29 72344 ----a-w- c:\users\Natalie\AppData\Local\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-10-21_16.18.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-11-02 13:05 . 2009-10-26 14:21 92582 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-09-12 08:49 . 2009-10-21 16:09 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-09-12 08:49 . 2009-10-26 14:19 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-09-12 08:49 . 2009-10-21 16:09 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-12 08:49 . 2009-10-26 14:19 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-12 08:49 . 2009-10-26 14:19 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-09-12 08:49 . 2009-10-21 16:09 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-23 00:42 . 2009-10-23 07:08 9744 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2770101765-2151009926-1020980331-1001_UserData.bin
+ 2008-09-12 05:07 . 2009-10-26 14:21 9872 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2770101765-2151009926-1020980331-1000_UserData.bin
- 2009-10-10 15:27 . 2009-10-21 16:06 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-10-26 14:19 . 2009-10-26 14:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-10-26 14:19 . 2009-10-26 14:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-10-10 15:27 . 2009-10-21 16:06 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-09-12 12:27 . 2009-10-26 02:21 421444 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2008-09-12 07:17 . 2009-10-26 10:01 323204 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2006-11-02 10:33 . 2009-10-26 14:25 595684 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-10-21 16:13 595684 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-10-21 16:13 101350 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-10-26 14:25 101350 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{c95a4e8e-816d-4655-8c79-d736da1adb6d}"= "c:\program files\Hotspot_Shield\tbHot0.dll" [2009-10-06 2215960]

[HKEY_CLASSES_ROOT\clsid\{c95a4e8e-816d-4655-8c79-d736da1adb6d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c95a4e8e-816d-4655-8c79-d736da1adb6d}]
2009-10-06 13:20 2215960 ----a-w- c:\program files\Hotspot_Shield\tbHot0.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-06-08 12:29 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{c95a4e8e-816d-4655-8c79-d736da1adb6d}"= "c:\program files\Hotspot_Shield\tbHot0.dll" [2009-10-06 2215960]

[HKEY_CLASSES_ROOT\clsid\{c95a4e8e-816d-4655-8c79-d736da1adb6d}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{C95A4E8E-816D-4655-8C79-D736DA1ADB6D}"= "c:\program files\Hotspot_Shield\tbHot0.dll" [2009-10-06 2215960]

[HKEY_CLASSES_ROOT\clsid\{c95a4e8e-816d-4655-8c79-d736da1adb6d}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 09:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-03-05 525360]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-22 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-22 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-22 133656]
"BisonInst0402"="c:\windows\BR040286.exe" [2007-05-08 53248]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-07-21 159744]
"WarReg_PopUp"="c:\program files\Acer\WR_PopUp\WarReg_PopUp.exe" [2008-01-29 303104]
"eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-10-10 1286144]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2008-06-29 52168]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-09-03 4702208]

c:\users\Natalie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Amazon Unbox.lnk - c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2009-9-3 97384]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-19 525640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Blink.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Blink.lnk
backup=c:\windows\pss\Blink.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [10/23/2009 9:08 AM 114768]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\System32\VCdRom.sys [12/19/2001 11:45 AM 8576]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [4/29/2008 12:58 AM 41456]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [10/23/2009 9:08 AM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [10/23/2009 9:08 AM 53328]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [3/17/2008 9:44 PM 180736]
R3 enecir;ENE CIR Receiver;c:\windows\System32\drivers\enecir.sys [3/17/2008 9:45 PM 32256]
S4 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [3/17/2008 11:10 PM 51200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder

2009-10-26 c:\windows\Tasks\User_Feed_Synchronization-{A993F387-350F-4756-8C45-9E599F5D0422}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.vancleaves.com/
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: intuit.com
Trusted Zone: intuit.com\www
Trusted Zone: trendmicro.com
Trusted Zone: vancleaves.com
Trusted Zone: vancleaves.com\www
TCP: {361774D6-A9D1-490E-807B-830DA6D1DD23} = 10.25.80.1
DPF: {8FD07749-EFFA-48C6-947C-45A8D7BF422F} - hxxp://www.cyberlink.com/prog/vista/prog/CLVistaGenie.cab
DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab?
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-26 18:36
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2770101765-2151009926-1020980331-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2912)
c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\Video\CLMedia.dll
c:\program files\Acer Arcade Deluxe\VideoMagician\Kernel\EditMovie\MDTLM1Splter.ax
c:\program files\Acer Arcade Deluxe\VideoMagician\Kernel\EditMovie\MDTLM2Splter.ax
c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLWMFDemux.ax
c:\program files\Acer Arcade Deluxe\VideoMagician\Kernel\Movie\CLDemuxer.ax
.
Completion time: 2009-10-26 18:39
ComboFix-quarantined-files.txt 2009-10-26 14:39
ComboFix2.txt 2009-10-24 16:23
ComboFix3.txt 2009-10-24 16:04
ComboFix4.txt 2009-10-21 16:19

Pre-Run: 60,873,195,520 bytes free
Post-Run: 60,850,933,760 bytes free

- - End Of File - - F20A528C238A81E7AC70FE5E4AA350F2


MWBytes results:

Malwarebytes' Anti-Malware 1.41
Database version: 3052
Windows 6.0.6001 Service Pack 1

10/29/2009 4:58:36 PM
mbam-log-2009-10-29 (16-58-36).txt

Scan type: Quick Scan
Objects scanned: 106624
Time elapsed: 4 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



- MLV Edited - Inadvertently posted ComboFix log twice in original post. Corrected to show MW Bytes log.

Edited by MVC, 31 October 2009 - 02:03 AM.
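Added example, not ComboFix's code nor anything posted in this thread: a small Python triage script that parses the "Reg Loading Points" and "LOCKED REGISTRY KEYS" sections of a ComboFix-style log like the one above (the latter being the section the ReglockDel:: directive in post #8 targets) and flags the entries a helper would look at first. The embedded sample log is constructed: the Class\{4D36E96D-...} key and its BlindDial value mirror the log above, the temp-folder autorun is invented, and the flagging rules are the example's own assumptions rather than ComboFix's.

```python
import re
from dataclasses import dataclass

# Constructed sample in ComboFix's log layout (not a real log from this thread).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"Updater"="c:\users\Mike\AppData\Local\Temp\constructed_sample.exe" [2009-09-01 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")              # (((( Name ))))
DASH_SECTION_RE = re.compile(r"^-{3,}\s*(.+?)\s*-{3,}$")      # ---- Name ----
KEY_RE = re.compile(r"^\[(.+)\]$")                            # [HKEY_...]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')              # "Name"=data
ACL_RE = re.compile(r"^@(Denied|Allowed):\s*\((.*?)\)\s*\((.*?)\)$")
ANNOTATION_RE = re.compile(r"\s*\[\d{4}-\d{2}-\d{2} \d+\]$")  # trailing [date size]
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


@dataclass
class Finding:
    severity: str  # "high" = act on it, "review" = confirm with the user first
    key: str
    detail: str


def parse_log(text):
    """Group each section's bracketed registry keys with their values and ACL lines."""
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line) or DASH_SECTION_RE.match(line)
        if m:
            section, entry = m.group(1), None
            sections.setdefault(section, [])
            continue
        m = KEY_RE.match(line)
        if m and section is not None:
            entry = {"key": m.group(1), "values": {}, "acl": []}
            sections[section].append(entry)
            continue
        if entry is None:
            continue
        m = ACL_RE.match(line)
        if m:
            entry["acl"].append((m.group(1), m.group(3)))  # (Denied|Allowed, principal)
            continue
        m = VALUE_RE.match(line)
        if m:
            data = ANNOTATION_RE.sub("", m.group(2).strip()).strip().strip('"')
            entry["values"][m.group(1)] = data
    return sections


def triage(sections):
    """Illustrative heuristics (the example's own assumptions, not ComboFix's rules)."""
    findings = []
    for e in sections.get("Reg Loading Points", []):
        key, low, vals = e["key"], e["key"].lower(), e["values"]
        if low.endswith(("\\run", "\\runonce")):
            for name, path in vals.items():
                if TEMP_RE.search(path):  # persistence from a temp folder is rarely legitimate
                    findings.append(Finding("high", key, f"autorun '{name}' runs from a temp folder: {path}"))
        if low.endswith("\\policies\\system") and vals.get("EnableLUA", "").startswith("0"):
            findings.append(Finding("review", key, "EnableLUA = 0: User Account Control is turned off"))
        if "\\security center\\monitoring\\" in low and vals.get("DisableMonitoring", "").endswith("1"):
            product = key.rsplit("\\", 1)[-1]
            findings.append(Finding("review", key, f"Security Center monitoring disabled for {product}"))
    # ComboFix lists ACL-locked keys separately; the helper in this thread unlocked one with
    # a ReglockDel:: CFScript directive. Flag them for review, not for automatic removal.
    for e in sections.get("LOCKED REGISTRY KEYS", []):
        denied = [who for kind, who in e["acl"] if kind == "Denied"]
        if denied:
            findings.append(Finding("review", e["key"], "ACL-locked key (denied to "
                            + ", ".join(denied) + "); confirm it belongs to a legitimate product before unlocking"))
    return findings


def triage_text(text):
    return triage(parse_log(text))


if __name__ == "__main__":
    for f in triage_text(SAMPLE_LOG):
        print(f"[{f.severity}] {f.key}\n    {f.detail}")
```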


#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:09:29 PM

Posted 31 October 2009 - 12:41 PM

Hello.

That looks good. Let's run an online scan now.

Run ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
You can refer to this animation by neomage if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy

#15 MVC

MVC
  • Topic Starter

  • Members
  • 14 posts
  • Local time:05:29 PM

Posted 01 November 2009 - 10:59 AM

Ok, browser problem appears gone, but the Windows Explorer error is still happening.


ESET Results:

C:\ProgramData\Applications\Cache\{3AA5B60C-A775-416A-9867-4C0DF3450C30}v4.3.1.2150.msi probably unknown NewHeur_PE virus deleted - quarantined
C:\Users\Mike\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\00CD4BDE-000022DB.eml Win32/PSW.YahooPass.AF trojan contained infected files
C:\Users\Mike\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\1FCD50A8-000022D6.eml a variant of Win32/Kryptik.AMZ trojan contained infected files
C:\Users\Mike\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\2ED776CC-00002308.eml a variant of Win32/Kryptik.AOF trojan contained infected files
C:\Users\Mike\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\52CE7D1F-0000220E.eml Win32/PSW.YahooPass.AF trojan contained infected files
C:\Users\Mike\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\5B692779-000022F2.eml a variant of Win32/Kryptik.AOF trojan contained infected files

DDS Results:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Mike at 20:30:30.77 on Wed 09/23/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3061.1807 [GMT 4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\PurgeIE\PurgeIE_Service.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\BR040286.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\igfxext.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hotspot Shield\bin\openvpntray.exe
C:\Users\Mike\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Mike\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.vancleaves.com/
mStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
uURLSearchHooks: Hotspot Shield Toolbar: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - c:\program files\hotspot_shield\tbHot1.dll
mURLSearchHooks: Hotspot Shield Toolbar: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - c:\program files\hotspot_shield\tbHot1.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Hotspot Shield Toolbar: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - c:\program files\hotspot_shield\tbHot1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: Hotspot Shield Toolbar: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - c:\program files\hotspot_shield\tbHot1.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ALaunch] c:\acer\alaunch\AlaunchClient.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\x86\eDSloader.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [BisonInst0402] c:\windows\BR040286.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [eRecoveryService]
mRun: [WarReg_PopUp] c:\program files\acer\wr_popup\WarReg_PopUp.exe
mRun: [eAudio] "c:\acer\empowering technology\eaudio\eAudio.exe"
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\programdata\scansoft\paperport\11\config\ereg\Ereg.ini
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: intuit.com
Trusted Zone: intuit.com\www
Trusted Zone: trendmicro.com
Trusted Zone: vancleaves.com
Trusted Zone: vancleaves.com\www
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab?
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\VCdRom.sys [2001-12-19 8576]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\acer arcade deluxe\play movie\000.fcl [2008-4-29 41456]
R2 HssSrv;Hotspot Shield Routing Service;c:\program files\hotspot shield\hsswpr\hsssrv.exe [2009-8-6 331824]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-3-17 180736]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-3-17 32256]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\hssdrv.sys [2009-6-30 33840]
R3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [2009-7-22 28592]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\hotspot shield\bin\HssTrayService.exe [2009-8-11 57640]
S4 ALaunchService;ALaunch Service;c:\acer\alaunch\ALaunchSvc.exe [2008-3-17 51200]

=============== Created Last 30 ================

2009-09-23 19:29 <DIR> --d----- c:\program files\Trend Micro
2009-09-15 20:05 <DIR> --d----- c:\programdata\WinZip

==================== Find3M ====================

2009-09-12 10:50 143,360 a------- c:\windows\inf\infstrng.dat
2009-09-12 10:50 86,016 a------- c:\windows\inf\infstor.dat
2009-09-12 10:50 51,200 a------- c:\windows\inf\infpub.dat
2009-01-09 10:36 984 a------- c:\users\mike\appdata\roaming\wklnhst.dat
2008-09-19 12:03 56 a---h--- c:\programdata\ezsidmv.dat
2008-09-19 12:03 56 a---h--- c:\progra~2\ezsidmv.dat
2008-09-13 10:31 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-21 06:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 16:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 16:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 16:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 16:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 13:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 13:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 13:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 13:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-05-07 08:03 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-05-07 08:03 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-05-07 08:03 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-05-16 20:03 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2009-05-16 20:03 32,768 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2009-05-16 20:03 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 20:31:13.72 ===============
