Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spyware Virus/Browsers Hijacked


  • This topic is locked This topic is locked
11 replies to this topic

#1 jtcomfyinpjs

jtcomfyinpjs

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:14 AM

Posted 24 March 2010 - 04:45 PM

Hi there, I'm Jen and I recently got a spyware virus. A friend sent me a link on facebook and being ignorant about it, I clicked on the link. I had many random ad popups as well as anti-virus ads such as Nuprotection and Antispywarepotent. However, I downloaded Malwarebytes as well as SuperAntispyware and was able to get rid of the pop ups and some trojans. Now the only problem I have left is most of my links are getting redirected. Also, I am sending the virus sites to my friends on facebook without knowing it. It's affecting both the Firefox and IE explorers on my laptop. Can someone please help me? Please and Thank You smile.gif

this is my log from Hijack This (I hope I did this correctly):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:04:38 AM, on 3/24/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\ntvdm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Supervisor.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10d.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Acer\Desktop\HijackThis.exe

O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WisLMSvc - Wistron Corp. - C:\Program Files\Launch Manager\WisLMSvc.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe

--
End of file - 2268 bytes

I tried making a Gmer log, but my laptop seems to freeze or not respond whenever I run Gmer.


Not sure if this is enough, but if you need something more, please instruct me further. I really appreciate the help.
:D

BC AdBot (Login to Remove)

 


#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:14 PM

Posted 27 March 2010 - 12:18 PM

Hello and welcome to Bleeping Computer! welcome.gif

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log





Elle
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



Posted Image

#3 jtcomfyinpjs

jtcomfyinpjs
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:14 AM

Posted 28 March 2010 - 01:04 PM

I have taken the steps that I've been instructed to do, however, I need to use a proxy site to go on bleepingcomputer.com and it doesn't allow me to add attachments. But, I did make a dds attachment file and gmer log in safe mode. (that was the only way I was able to run gmer).

DDS (Ver_10-03-17.01) - NTFSx86
Run by Acer at 22:28:30.57 on Sat 03/27/2010
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_18
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1013.212 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\ntvdm.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\svchost.exe -k tapisrvs
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxctcoms.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10d.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\conime.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\notepad.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Acer\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://yahoo.com/
mStart Page = hxxp://search.myheritage.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uWindows: Load= c:\bc5\pipeline\remind.exe
BHO: MHTBPos00 Class: {0c37b053-fd68-456a-82e1-d788ee342e6f} - c:\program files\celebrity toolbar\tbcore3.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: CMySite Class: {d62ec836-bf1e-4cac-81be-fb9179835d8e} - c:\program files\celebrity toolbar\mhxpcomi.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
TB: Celebrity Toolbar: {fd2fd708-1f6f-4b68-b141-c5778f0c19bb} - c:\program files\celebrity toolbar\tbcore3.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150600.exe -Update -1150600 -"Mozilla/5.0_(Windows;_U;_Windows_NT_6.0;_en-US;_rv:1.9.1.8)_Gecko/20100202_Firefox/3.5.8_(.NET_CLR_3.5.30729)" -"http://www.pearsonsuccessnet.com/ebook/products/0-13-190443-4/chemasap/dswmedia/rsc/asap1_chem05_cmps0417.htm"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Acer Tour]
mRun: [eRecoveryService]
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [Acer Assist Launcher] c:\program files\acer assist\launcher.exe
mRun: [Acer Product Registration] "c:\program files\acer registration\ACE1.exe" /startup
mRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\x86\eDSloader.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [LXCTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCTtime.dll,_RunDLLEntry@16
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\users\acer\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {2FF8D282-F78A-4A33-ABC2-49E72A341482} - hxxp://riteaid.storefront.com/images/global/activex/SFImageUpload1_10.CAB
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: mhtb - {669A2A3A-F19C-452D-800D-1240299756C1} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: eNetHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\acer\appdata\roaming\mozilla\firefox\profiles\1go1t3ua.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.myheritage.com/?orig=ds&q=
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\acer\appdata\roaming\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\acer\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: browser.sessionstore.resume_from_crash - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 apto6ko;Windows Band port;c:\windows\system32\drivers\imapioko.sys [2008-3-24 33280]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20070108.003\IDSvix86.sys [2009-3-2 212280]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 cpqoko6;AutoComplete Intelligent Socket Firewall Property Server driver Protocol Fax;c:\windows\system32\svchost.exe -k tapisrvs [2008-9-30 21504]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-7-15 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-3-2 102712]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-3-23 19160]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
R3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2009-3-2 1251720]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2008-10-3 37936]
S2 captcha;captcha;c:\windows\system32\svchost.exe -k captcha [2008-9-30 21504]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-24 135664]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-3-23 236368]
S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2006-4-6 88192]
S3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [2008-3-8 1170976]
S3 WisLMSvc;WisLMSvc;c:\program files\launch manager\WisLMSvc.exe [2008-3-8 118784]
S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2008-7-15 80744]

=============== Created Last 30 ================

2010-03-26 04:39:20 0 d-----w- c:\users\acer\appdata\roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-03-24 16:29:56 93056 ----a-w- C:\kgtdrpob.sys
2010-03-24 03:47:29 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-03-24 03:46:32 0 d-----w- c:\users\acer\appdata\roaming\SUPERAntiSpyware.com
2010-03-24 03:46:32 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-24 03:44:19 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-03-23 23:31:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-23 23:31:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 00:37:20 0 d-----w- c:\users\acer\appdata\roaming\Malwarebytes
2010-03-23 00:36:55 0 d-----w- c:\programdata\Malwarebytes
2010-03-23 00:36:54 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-22 03:09:31 1 ----a-w- c:\windows\ligh
2010-03-22 03:09:14 65536 ---h--w- c:\windows\bill104.exe
2010-03-14 06:19:35 0 d-----w- c:\users\acer\Tracing
2010-03-14 06:17:21 0 d-----w- c:\program files\Microsoft
2010-03-14 06:16:54 0 d-----w- c:\program files\Windows Live SkyDrive
2010-03-14 06:10:53 0 d-----w- c:\program files\common files\Windows Live
2010-03-11 00:05:24 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-11 00:05:10 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-11 00:05:08 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-04 02:52:47 0 d-----w- c:\windows\FSX Flight Weather Report
2010-03-04 02:52:46 0 d-----w- c:\program files\FSX Flight Weather Report

==================== Find3M ====================

2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-01-24 20:27:37 2572 ----a-w- c:\windows\WINDVDBOOTRECDOE.sys
2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-09-16 05:18:37 51200 ----a-w- c:\windows\inf\infpub.dat
2009-09-16 05:18:36 86016 ----a-w- c:\windows\inf\infstor.dat
2009-09-16 05:18:36 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-09-16 05:07:53 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-11-12 21:02:36 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-16 18:12:35 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 22:29:02.67 ===============

Could I privately email someone my gmer and attach.txt?

My computer has also began shutting down on me in the middle of using the laptop. The Microsoft program also stops responding a lot and I have to shut down the laptop. Could that be caused by the hijacker/virus?

Thank You smile.gif

#4 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:14 AM

Posted 29 March 2010 - 01:30 AM

Hi jtcomfyinpjs,



Welcome to BleepingComputer Virus, Trojan, Spyware, and Malware Removal Logs Forum, welcome.gif
My name is sundavis, I will be helping you to deal with your Malware problems today.


Step1
  1. Go to this thread and Download TDSSKiller.zip to your Desktop.
  2. Extract its contents to your desktop and drag TDSSKiller.exe on the desktop, not in the folder.
  3. Vista Start logo >All Programs> Accessories> RIGHT-click on Command Prompt and Select Run As Administrator. Copy/paste the following bolded command and hit Enter.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  4. If TDSSKiller alerts you that the system needs to reboot, please consent.
  5. When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

Step2
  1. If you already have Combofix, please delete that copy and download it again as it's being updated regularly.
  2. Please visit this webpage for download links, and instructions for running the tool:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  3. Note: If you have Windows Vista, you can skip the recovery console step...in Vista it's in the System Recovery Options menu.
    The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.
  4. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  5. Click Yes to allow Combofix to continue scanning for malware.
  6. When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.
  7. Do not mouse click on Combofix while it is running. That may cause it to stall.


In your next reply, please post back:

1.TDSSKiller.txt
2.ComboFix log Thanks.

#5 jtcomfyinpjs

jtcomfyinpjs
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:14 AM

Posted 29 March 2010 - 08:28 PM

Here are my two log files:

1.

15:34:24:557 0348 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
15:34:24:557 0348 ================================================================================
15:34:24:557 0348 SystemInfo:

15:34:24:557 0348 OS Version: 6.0.6002 ServicePack: 2.0
15:34:24:557 0348 Product type: Workstation
15:34:24:558 0348 ComputerName: ACER-PC
15:34:24:559 0348 UserName: Acer
15:34:24:559 0348 Windows directory: C:\Windows
15:34:24:559 0348 Processor architecture: Intel x86
15:34:24:559 0348 Number of processors: 2
15:34:24:559 0348 Page size: 0x1000
15:34:24:563 0348 Boot type: Normal boot
15:34:24:563 0348 ================================================================================
15:34:24:572 0348 UnloadDriverW: NtUnloadDriver error 2
15:34:24:572 0348 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
15:34:24:636 0348 wfopen_ex: Trying to open file C:\Windows\system32\config\system
15:34:24:637 0348 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:34:24:637 0348 wfopen_ex: Trying to KLMD file open
15:34:24:638 0348 wfopen_ex: File opened ok (Flags 2)
15:34:24:651 0348 wfopen_ex: Trying to open file C:\Windows\system32\config\software
15:34:24:653 0348 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:34:24:653 0348 wfopen_ex: Trying to KLMD file open
15:34:24:654 0348 wfopen_ex: File opened ok (Flags 2)
15:34:24:654 0348 Initialize success
15:34:24:654 0348
15:34:24:654 0348 Scanning Services ...
15:34:25:634 0348 Raw services enum returned 470 services
15:34:25:655 0348
15:34:25:656 0348 Scanning Kernel memory ...
15:34:25:656 0348 Devices to scan: 1
15:34:25:656 0348
15:34:25:656 0348 Driver Name: atapi
15:34:25:656 0348 IRP_MJ_CREATE : 805D6140
15:34:25:657 0348 IRP_MJ_CREATE_NAMED_PIPE : 81E79A22
15:34:25:657 0348 IRP_MJ_CLOSE : 805D6140
15:34:25:657 0348 IRP_MJ_READ : 81E79A22
15:34:25:657 0348 IRP_MJ_WRITE : 81E79A22
15:34:25:657 0348 IRP_MJ_QUERY_INFORMATION : 81E79A22
15:34:25:657 0348 IRP_MJ_SET_INFORMATION : 81E79A22
15:34:25:657 0348 IRP_MJ_QUERY_EA : 81E79A22
15:34:25:657 0348 IRP_MJ_SET_EA : 81E79A22
15:34:25:657 0348 IRP_MJ_FLUSH_BUFFERS : 81E79A22
15:34:25:657 0348 IRP_MJ_QUERY_VOLUME_INFORMATION : 81E79A22
15:34:25:657 0348 IRP_MJ_SET_VOLUME_INFORMATION : 81E79A22
15:34:25:657 0348 IRP_MJ_DIRECTORY_CONTROL : 81E79A22
15:34:25:657 0348 IRP_MJ_FILE_SYSTEM_CONTROL : 81E79A22
15:34:25:657 0348 IRP_MJ_DEVICE_CONTROL : 805C4A5A
15:34:25:657 0348 IRP_MJ_INTERNAL_DEVICE_CONTROL : 805C4A2C
15:34:25:657 0348 IRP_MJ_SHUTDOWN : 81E79A22
15:34:25:657 0348 IRP_MJ_LOCK_CONTROL : 81E79A22
15:34:25:657 0348 IRP_MJ_CLEANUP : 81E79A22
15:34:25:658 0348 IRP_MJ_CREATE_MAILSLOT : 81E79A22
15:34:25:658 0348 IRP_MJ_QUERY_SECURITY : 81E79A22
15:34:25:658 0348 IRP_MJ_SET_SECURITY : 81E79A22
15:34:25:658 0348 IRP_MJ_POWER : 805C4A88
15:34:25:658 0348 IRP_MJ_SYSTEM_CONTROL : 805D1B70
15:34:25:658 0348 IRP_MJ_DEVICE_CHANGE : 81E79A22
15:34:25:658 0348 IRP_MJ_QUERY_QUOTA : 81E79A22
15:34:25:658 0348 IRP_MJ_SET_QUOTA : 81E79A22
15:34:25:671 0348 C:\Windows\system32\drivers\atapi.sys - Verdict: 1
15:34:25:671 0348
15:34:25:672 0348 Completed
15:34:25:672 0348
15:34:25:673 0348 Results:
15:34:25:673 0348 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
15:34:25:673 0348 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
15:34:25:674 0348 File objects infected / cured / cured on reboot: 0 / 0 / 0
15:34:25:675 0348
15:34:25:675 0348 fclose_ex: Trying to close file C:\Windows\system32\config\system
15:34:25:676 0348 fclose_ex: Trying to close file C:\Windows\system32\config\software
15:34:25:679 0348 KLMD(ARK) unloaded successfully







2.

ComboFix 10-03-28.03 - Acer 03/29/2010 16:24:08.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1013.388 [GMT -4:00]
Running from: c:\users\Acer\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Internet Security *disabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-5998451-3964980244-3786414968-1001
c:\program files\Common Files\System\Uninstall
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\users\Acer\AppData\Local\010112010146111103.xxe
c:\users\Acer\AppData\Local\rdr_1269230445.exe
c:\users\Acer\AppData\Local\rdr_1269234335.exe
c:\users\Acer\AppData\Local\rdr_1269286030.exe
c:\users\Acer\AppData\Local\rdr_1269286346.exe
c:\windows\bill104.exe
c:\windows\ligh
c:\windows\system32\ada93ee7-d0ee-3197-9fdd-fdea8030c3b2.exe
c:\windows\system32\drivers\imapioko.sys
c:\windows\system32\erokosvc.dll
c:\windows\system32\Ijl11.dll
c:\windows\Temp\log.txt
c:\windows\winhelp.ini

----- BITS: Possible infected sites -----

hxxp://download.newaol.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_APTO6KO
-------\Service_apto6ko
-------\Service_captcha
-------\Service_cpqoko6


((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-29 )))))))))))))))))))))))))))))))
.

2010-03-29 20:36 . 2010-03-29 20:44 -------- d-----w- c:\users\Acer\AppData\Local\temp
2010-03-29 20:36 . 2010-03-29 20:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-26 04:39 . 2010-03-26 04:39 -------- d-----w- c:\users\Acer\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-03-24 16:29 . 2010-03-24 16:29 93056 ----a-w- C:\kgtdrpob.sys
2010-03-24 03:47 . 2010-03-24 03:47 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-03-24 03:46 . 2010-03-24 03:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-24 03:46 . 2010-03-24 03:46 -------- d-----w- c:\users\Acer\AppData\Roaming\SUPERAntiSpyware.com
2010-03-24 03:44 . 2010-03-24 03:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-23 23:31 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-23 23:31 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 00:37 . 2010-03-23 00:37 -------- d-----w- c:\users\Acer\AppData\Roaming\Malwarebytes
2010-03-23 00:36 . 2010-03-23 00:36 -------- d-----w- c:\programdata\Malwarebytes
2010-03-23 00:36 . 2010-03-23 23:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-14 06:19 . 2010-03-28 21:12 -------- d-----w- c:\users\Acer\Tracing
2010-03-14 06:17 . 2010-03-14 06:17 -------- d-----w- c:\program files\Microsoft
2010-03-14 06:16 . 2010-03-14 06:16 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-03-14 06:16 . 2010-03-14 06:17 -------- d-----w- c:\program files\Windows Live
2010-03-14 06:10 . 2010-03-14 06:10 -------- d-----w- c:\program files\Common Files\Windows Live
2010-03-11 00:05 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-11 00:05 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-11 00:05 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-04 02:52 . 2010-03-04 02:52 -------- d-----w- c:\windows\FSX Flight Weather Report
2010-03-04 02:52 . 2010-03-07 20:24 -------- d-----w- c:\program files\FSX Flight Weather Report

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-28 17:50 . 2008-03-11 13:40 1356 ----a-w- c:\users\Acer\AppData\Local\d3d9caps.dat
2010-03-27 16:03 . 2008-07-21 22:11 -------- d-----w- c:\program files\Lx_cats
2010-03-24 06:13 . 2008-07-16 04:15 -------- d-----w- c:\program files\Google
2010-03-24 03:48 . 2010-03-24 03:48 52224 ----a-w- c:\users\Acer\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-24 03:48 . 2010-03-24 03:48 117760 ----a-w- c:\users\Acer\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-12 18:46 . 2009-02-15 05:15 -------- d-----w- c:\users\Acer\AppData\Roaming\Skype
2010-03-12 18:46 . 2009-02-15 05:21 -------- d-----w- c:\users\Acer\AppData\Roaming\skypePM
2010-03-11 00:25 . 2008-08-09 13:36 -------- d-----w- c:\programdata\Microsoft Help
2010-02-28 22:05 . 2010-02-28 22:05 658184 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-02-24 14:16 . 2009-10-02 20:43 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-01-30 06:24 . 2010-01-30 05:43 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-01-30 06:05 . 2010-01-30 05:47 -------- d-----w- c:\users\Acer\AppData\Roaming\AVS4YOU
2010-01-30 05:47 . 2010-01-30 05:47 -------- d-----w- c:\programdata\AVS4YOU
2010-01-24 20:27 . 2005-04-27 17:40 2572 ----a-w- c:\windows\WINDVDBOOTRECDOE.sys
2010-01-23 09:26 . 2010-02-23 19:39 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-02 06:38 . 2010-01-21 19:01 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-21 19:01 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-01-21 19:01 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-01-21 19:01 133632 ----a-w- c:\windows\system32\ieUnatt.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-07-01 02:35 121392 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-15 39408]
"Sidebar"="c:\program files\windows sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150600.exe" [2009-06-05 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 815104]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-05-02 509464]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2007-02-02 1261568]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-02-02 3383296]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-01-17 151552]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-07-01 526896]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-02-27 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-02-27 7770112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-02-27 81920]
"LXCTCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [2006-11-21 106496]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-23 685904]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]

c:\users\Acer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 18:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\eNetHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Exif Launcher 2.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Exif Launcher 2.lnk
backup=c:\windows\pss\Exif Launcher 2.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 20:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2007-03-19 12:58 82864 ----a-w- c:\program files\Lexmark 5400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-03-13 00:56 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchAp]
2005-07-25 19:36 32768 ----a-w- c:\program files\Launch Manager\LaunchAp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 5400 Series Fax Server]
2007-03-19 12:59 304048 ----a-w- c:\program files\Lexmark 5400 Series\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2007-01-10 17:34 200704 ----a-w- c:\program files\Launch Manager\HotkeyApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LMgrOSD]
2006-08-29 15:26 241664 ----a-w- c:\program files\Launch Manager\OSDCtrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxctmon.exe]
2007-03-19 12:58 291760 ----a-w- c:\program files\Lexmark 5400 Series\lxctmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wbutton]
2006-11-09 20:37 86016 ----a-w- c:\program files\Launch Manager\WButton.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:32,b1,f9,4a,8d,36,ca,01

R1 mailKmd;mailKmd; [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-24 135664]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-01-07 236368]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\DRIVERS\gtipci21.sys [2006-04-06 88192]
R3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\DRIVERS\lv321av.sys [2007-04-25 1170976]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
R3 WisLMSvc;WisLMSvc;c:\program files\Launch Manager\WisLMSvc.exe [2006-11-18 118784]
R3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2006-09-19 80744]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20070108.003\IDSvix86.sys [2006-12-28 212280]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2007-01-10 102712]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-01-07 19160]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2008-10-03 37936]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrvs REG_MULTI_SZ cpqoko6
.
Contents of the 'Scheduled Tasks' folder

2010-03-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-24 06:13]

2010-03-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-24 06:13]

2010-03-29 c:\windows\Tasks\Malwarebytes' Scheduled Update for Acer.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-03-23 04:00]

2010-03-23 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Acer.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-14 09:09]

2010-03-26 c:\windows\Tasks\Norton Security Scan for Acer.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-11 16:50]

2010-03-29 c:\windows\Tasks\User_Feed_Synchronization-{0B59BDE1-96B4-47F4-B956-7714437D6CCD}.job
- c:\windows\system32\msfeedssync.exe [2010-01-21 04:56]

2010-03-29 c:\windows\Tasks\User_Feed_Synchronization-{EFA47361-F495-49A7-A5F7-3BC814A807BA}.job
- c:\windows\system32\msfeedssync.exe [2010-01-21 04:56]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://yahoo.com/
mStart Page = hxxp://search.myheritage.com
uInternet Settings,ProxyOverride = *.local
Handler: mhtb - {669A2A3A-F19C-452D-800D-1240299756C1} -
DPF: {2FF8D282-F78A-4A33-ABC2-49E72A341482} - hxxp://riteaid.storefront.com/images/global/activex/SFImageUpload1_10.CAB
FF - ProfilePath - c:\users\Acer\AppData\Roaming\Mozilla\Firefox\Profiles\1go1t3ua.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.myheritage.com/?orig=ds&q=
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Acer\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\Acer\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: browser.sessionstore.resume_from_crash - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

BHO-{0C37B053-FD68-456a-82E1-D788EE342E6F} - c:\program files\Celebrity Toolbar\tbcore3.dll
BHO-{D62EC836-BF1E-4CAC-81BE-FB9179835D8E} - c:\program files\Celebrity Toolbar\mhxpcomi.dll
Toolbar-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - c:\program files\Celebrity Toolbar\tbcore3.dll
WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - c:\program files\Celebrity Toolbar\tbcore3.dll
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-Acer Tour - (no file)
HKLM-Run-eRecoveryService - (no file)
MSConfigStartUp-PowerKey - c:\program files\Launch Manager\PowerKey.exe
AddRemove-ada93ee7-d0ee-3197-9fdd-fdea8030c3b2 - c:\windows\system32\ada93ee7-d0ee-3197-9fdd-fdea8030c3b2.exe
AddRemove-Celebrity Toolbar - c:\program files\Celebrity Toolbar\ToolUninstall.exe
AddRemove-Marine Aquarium 2, Sharks & Carousel Bundle - c:\program files\Prolific Publishing



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-29 16:44
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCTCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2572)
c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\lxctcoms.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\conime.exe
.
**************************************************************************
.
Completion time: 2010-03-29 16:53:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-29 20:53

Pre-Run: 24,683,679,744 bytes free
Post-Run: 25,734,172,672 bytes free

- - End Of File - - 2E99F042F457998400602AE1EB9A0B1E



I hope it's all right.



#6 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:14 AM

Posted 29 March 2010 - 09:25 PM

Hi jtcomfyinpjs,




Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Control Panel > programs and features and remove the following programs if present.

Viewpoint Manager
Viewpoint Media Player
Viewpoint Toolbar


Vista Start logo > Run > type: MSConfig > Press Enter
In the General tab, Startup Selection, choose: Normal Startup--load all device drivers and services
Press OK and Reboot your pc.
Vista user, you may refer to this thread --If you don't know how.


Step1
  1. Close any open browsers
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  3. Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
CODE
Reglock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}]
DDS::
uInternet Settings,ProxyOverride = *.local
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop



Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Step2

Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.



Step3

Please perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner.--->Vista user, Right click on your browser and select Run As Administrator to run.
  1. Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  2. Click Accept button on the "Requirements and limitations".
  3. When Java warning " The applcation digital signature has been verified. Do you want to run the application " appears, Click on "Run" button.
  4. It will be Downloading and installing the program and Updating the database.
  5. When Updating the database have finished, click on Settings.
  6. Make sure all boxes are checked. then click on the Save button.
  7. Click on My Computer under Scan menu. It will start scanning, so be patient and let it run.
  8. Once the scan is completed, Click on View Scan Report.
  9. You may see a list of infected items over there. Click on Save Report As.
  10. Click "Desktop" , Name the file as "KAS", Change the Files of type to Text file (.txt) and Click on Save button.
  11. Please post the contents in your next reply.
  12. You can refer to this animation

Note for Internet Explorer 8 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.


In your next reply, please post back:

1.ComboFix log
2.Kas Online Scan Report

Tell me if you have any remaining issues on your pc.

#7 jtcomfyinpjs

jtcomfyinpjs
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:14 AM

Posted 30 March 2010 - 03:30 PM

Hello sundavis,

Here is my second ComboFix log:

ComboFix 10-03-29.02 - Acer 03/30/2010 0:34.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1013.334 [GMT -4:00]
Running from: c:\users\Acer\Desktop\ComboFix.exe
Command switches used :: c:\users\Acer\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Internet Security *disabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-30 )))))))))))))))))))))))))))))))
.

2010-03-30 04:44 . 2010-03-30 04:44 -------- d-----w- c:\users\Acer\AppData\Local\temp
2010-03-30 04:44 . 2010-03-30 04:44 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-30 04:44 . 2010-03-30 04:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-26 04:39 . 2010-03-26 04:39 -------- d-----w- c:\users\Acer\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-03-24 16:29 . 2010-03-24 16:29 93056 ----a-w- C:\kgtdrpob.sys
2010-03-24 03:48 . 2010-03-24 03:48 52224 ----a-w- c:\users\Acer\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-24 03:48 . 2010-03-24 03:48 117760 ----a-w- c:\users\Acer\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-24 03:47 . 2010-03-24 03:47 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-03-24 03:46 . 2010-03-24 03:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-24 03:46 . 2010-03-24 03:46 -------- d-----w- c:\users\Acer\AppData\Roaming\SUPERAntiSpyware.com
2010-03-24 03:44 . 2010-03-24 03:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-23 23:31 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-23 23:31 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 00:37 . 2010-03-23 00:37 -------- d-----w- c:\users\Acer\AppData\Roaming\Malwarebytes
2010-03-23 00:36 . 2010-03-23 00:36 -------- d-----w- c:\programdata\Malwarebytes
2010-03-23 00:36 . 2010-03-23 23:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-14 06:19 . 2010-03-30 04:09 -------- d-----w- c:\users\Acer\Tracing
2010-03-14 06:17 . 2010-03-14 06:17 -------- d-----w- c:\program files\Microsoft
2010-03-14 06:16 . 2010-03-14 06:16 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-03-14 06:16 . 2010-03-14 06:17 -------- d-----w- c:\program files\Windows Live
2010-03-14 06:10 . 2010-03-14 06:10 -------- d-----w- c:\program files\Common Files\Windows Live
2010-03-11 00:05 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-11 00:05 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-11 00:05 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-04 02:52 . 2010-03-04 02:52 -------- d-----w- c:\windows\FSX Flight Weather Report
2010-03-04 02:52 . 2010-03-07 20:24 -------- d-----w- c:\program files\FSX Flight Weather Report
2010-02-28 22:05 . 2010-02-28 22:05 658184 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-30 03:48 . 2008-07-15 16:56 -------- d-----w- c:\programdata\Viewpoint
2010-03-30 03:48 . 2008-07-15 16:56 -------- d-----w- c:\program files\Viewpoint
2010-03-29 23:51 . 2008-07-21 22:11 -------- d-----w- c:\program files\Lx_cats
2010-03-28 17:50 . 2008-03-11 13:40 1356 ----a-w- c:\users\Acer\AppData\Local\d3d9caps.dat
2010-03-24 06:13 . 2008-07-16 04:15 -------- d-----w- c:\program files\Google
2010-03-12 18:46 . 2009-02-15 05:15 -------- d-----w- c:\users\Acer\AppData\Roaming\Skype
2010-03-12 18:46 . 2009-02-15 05:21 -------- d-----w- c:\users\Acer\AppData\Roaming\skypePM
2010-03-11 00:25 . 2008-08-09 13:36 -------- d-----w- c:\programdata\Microsoft Help
2010-02-24 14:16 . 2009-10-02 20:43 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-01-30 06:24 . 2010-01-30 05:43 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-01-30 06:05 . 2010-01-30 05:47 -------- d-----w- c:\users\Acer\AppData\Roaming\AVS4YOU
2010-01-30 05:47 . 2010-01-30 05:47 -------- d-----w- c:\programdata\AVS4YOU
2010-01-24 20:27 . 2005-04-27 17:40 2572 ----a-w- c:\windows\WINDVDBOOTRECDOE.sys
2010-01-23 09:26 . 2010-02-23 19:39 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-02 06:38 . 2010-01-21 19:01 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-01-21 19:01 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 06:32 . 2010-01-21 19:01 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 04:57 . 2010-01-21 19:01 133632 ----a-w- c:\windows\system32\ieUnatt.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-07-01 02:35 121392 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\windows sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150600.exe" [2009-06-05 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 815104]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-05-02 509464]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2007-02-02 1261568]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-02-02 3383296]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-01-17 151552]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-07-01 526896]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-02-27 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-02-27 7770112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-02-27 81920]
"LXCTCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [2006-11-21 106496]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-23 685904]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 18:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\eNetHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Exif Launcher 2.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Exif Launcher 2.lnk
backup=c:\windows\pss\Exif Launcher 2.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Acer^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Acer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 20:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 06:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2007-03-19 12:58 82864 ----a-w- c:\program files\Lexmark 5400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-03-13 00:56 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchAp]
2005-07-25 19:36 32768 ----a-w- c:\program files\Launch Manager\LaunchAp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 5400 Series Fax Server]
2007-03-19 12:59 304048 ----a-w- c:\program files\Lexmark 5400 Series\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2007-01-10 17:34 200704 ----a-w- c:\program files\Launch Manager\HotkeyApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LMgrOSD]
2006-08-29 15:26 241664 ----a-w- c:\program files\Launch Manager\OSDCtrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxctmon.exe]
2007-03-19 12:58 291760 ----a-w- c:\program files\Lexmark 5400 Series\lxctmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-01-15 04:01 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wbutton]
2006-11-09 20:37 86016 ----a-w- c:\program files\Launch Manager\WButton.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:32,b1,f9,4a,8d,36,ca,01

R1 mailKmd;mailKmd; [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-24 135664]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-01-07 236368]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\DRIVERS\gtipci21.sys [2006-04-06 88192]
R3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\DRIVERS\lv321av.sys [2007-04-25 1170976]
R3 WisLMSvc;WisLMSvc;c:\program files\Launch Manager\WisLMSvc.exe [2006-11-18 118784]
R3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2006-09-19 80744]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20070108.003\IDSvix86.sys [2006-12-28 212280]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2007-01-10 102712]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-01-07 19160]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2008-10-03 37936]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrvs REG_MULTI_SZ cpqoko6
.
Contents of the 'Scheduled Tasks' folder

2010-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-24 06:13]

2010-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-24 06:13]

2010-03-29 c:\windows\Tasks\Malwarebytes' Scheduled Update for Acer.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-03-23 04:00]

2010-03-30 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Acer.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-14 09:09]

2010-03-26 c:\windows\Tasks\Norton Security Scan for Acer.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-11 16:50]

2010-03-30 c:\windows\Tasks\User_Feed_Synchronization-{0B59BDE1-96B4-47F4-B956-7714437D6CCD}.job
- c:\windows\system32\msfeedssync.exe [2010-01-21 04:56]

2010-03-30 c:\windows\Tasks\User_Feed_Synchronization-{EFA47361-F495-49A7-A5F7-3BC814A807BA}.job
- c:\windows\system32\msfeedssync.exe [2010-01-21 04:56]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://yahoo.com/
mStart Page = hxxp://search.myheritage.com
Handler: mhtb - {669A2A3A-F19C-452D-800D-1240299756C1} -
DPF: {2FF8D282-F78A-4A33-ABC2-49E72A341482} - hxxp://riteaid.storefront.com/images/global/activex/SFImageUpload1_10.CAB
FF - ProfilePath - c:\users\Acer\AppData\Roaming\Mozilla\Firefox\Profiles\1go1t3ua.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.myheritage.com/?orig=ds&q=
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\users\Acer\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\Acer\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: browser.sessionstore.resume_from_crash - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-30 00:44
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCTCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2956)
c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
.
Completion time: 2010-03-30 00:49:16
ComboFix-quarantined-files.txt 2010-03-30 04:49
ComboFix2.txt 2010-03-29 20:53

Pre-Run: 26,371,108,864 bytes free
Post-Run: 26,332,061,696 bytes free

- - End Of File - - F358001B3CCC0BA027A3C2609A1C15F9


Although I was able to complete the first two steps, I couldn't run Kaspersky Online Scanner on IE or Firefox. I took screenshots of both the browsers' issues.

The java interruption happened on IE and the although I did run both on administrator, a warning kept popping up on firefox that I should be running the browser as an administrator so Kaspersky may scan. Should I change any settings on my laptop to get java running correctly and not interrupt my internet connection?

Thank you

Attached Files



#8 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:14 AM

Posted 30 March 2010 - 03:39 PM

Hi jtcomfyinpjs,



Please clear your java cache as instructed in this thread. If still not working, please try the following instead:


Step1

Please run the ESET Online Scanner --->Vista user, Right click on your browser and select Run As Administrator to run.
Note: You will need to use Internet explorer for this scan
  1. Turn off the real time scanner of any existing antivirus program while performing the online scan
  2. Tick the box next to YES, I accept the Terms of Use.
  3. Click Start
  4. When asked, allow the activeX control to install
  5. Click Start
  6. Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  7. Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  8. Click Scan
  9. Wait for the scan to finish
  10. Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt .
  11. Copy and paste that log as a reply to this topic and also let me know how things are now.

I will give you another one, just in case. wink.gif


Please go to F-Secure Online Scanner
  1. Follow the on screen prompts to download activeX. Once that has completed, you'll be presented with types of scans.
  2. Tick 'My Scan' and click 'Show Options'
  3. Under Select File Types, tick All File Types
  4. Under Select Folders for Scanning, tick 'Scan a Folder' and click Select
  5. Select the C:\ drive, otherwise it will scan all drives.
  6. Click OK
  7. Click Start
  8. After it has completed, save the log and copy/paste the results in your next reply.
  9. If you have problems to run F-Secure Online Scanner, You may refer to this thread


Let me know how things went. thumbup2.gif


#9 jtcomfyinpjs

jtcomfyinpjs
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:14 AM

Posted 30 March 2010 - 08:29 PM

So I was finally able to do an online scan. I tried removing the Java cache, but Kaspersky still didn't work. Thank you for the backups. smile.gif
After the scan I also saved a copy of the threats found, if you'd like that I could post those results on here too.

This is the ESET scanner log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=8b9a6a1efae94243adc2e42f289b8bb4
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-03-31 01:07:20
# local_time=2010-03-30 09:07:20 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776637 100 100 127545 106592187 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=140039
# found=13
# cleaned=0
# scan_time=12984
C:\Qoobox\Quarantine\C\Users\Acer\AppData\Local\rdr_1269230445.exe.vir Win32/Tinxy.BF trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Users\Acer\AppData\Local\rdr_1269234335.exe.vir Win32/Tinxy.BF trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Users\Acer\AppData\Local\rdr_1269286030.exe.vir Win32/Tinxy.BH trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Users\Acer\AppData\Local\rdr_1269286346.exe.vir Win32/Agent.QWU trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Windows\bill104.exe.vir probably a variant of Win32/Injector.BEL trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Windows\System32\ada93ee7-d0ee-3197-9fdd-fdea8030c3b2.exe.vir Win32/Adware.GooochiBiz application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Windows\System32\drivers\imapioko.sys.vir probably a variant of Win32/Tinxy.AU trojan 00000000000000000000000000000000 I
C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\ada93ee7-d0ee-3197-9fdd-fdea8030c3b2.exe Win32/Adware.GooochiBiz application 00000000000000000000000000000000 I
C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\erokosvc.dll Win32/Tinxy.BF trojan 00000000000000000000000000000000 I
C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\drivers\imapioko.sys probably a variant of Win32/Tinxy.AU trojan 00000000000000000000000000000000 I
C:\Users\Acer\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Component Update 533 a variant of Win32/Adware.GooochiBiz application 00000000000000000000000000000000 I
C:\Users\Acer\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Component Update 727 a variant of Win32/Adware.GooochiBiz application 00000000000000000000000000000000 I
C:\Users\Acer\Documents\LimeWire\Saved\First love.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I







#10 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:14 AM

Posted 30 March 2010 - 09:14 PM

Hi jtcomfyinpjs,



As far as those infected items listed in ESET Online Scanner Report, those can be safely removed in ComboFix's quarantine folder or in old System Restore Points, which we will be taking care of now.

Please go to the following filepath and delete the bolded files manually. It seemed those files were infected.

C:\Users\Acer\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Component Update 533
C:\Users\Acer\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Component Update 727
C:\Users\Acer\Documents\LimeWire\Saved\First love.mp3

Other than that, your system appears clean now. thumbup.gif If you have no remaining issues on your pc, let's do some tidy up and we can send you on your way.


Step1

Click START then RUN
Now copy/paste ComboFix /Uninstall in the runbox and click OK.
Note the space between the x and the /Uninstall, it needs to be there.



This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Step2

Download OTC by OldTimer and save it to your desktop.
  1. Double click OTC and let it run
  2. Then Click the Cleanup button.
  3. You will get a prompt saying "Being Cleanup Process". Please select Yes.
  4. Restart your computer when prompted.


Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  2. Update all these programs regularly - Make sure you update all the programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  3. Backup your valid registry -ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore if needed. Due to malware affects, a corrupt registry can prevent a system from booting. You're well advised to backup your valid registry while the system is clean now. For more info: Here and Here .

Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here how to prevent Malware.


Glad to be of help. Safe surfing!!



#11 jtcomfyinpjs

jtcomfyinpjs
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:14 AM

Posted 31 March 2010 - 08:45 PM

Hello Sundavis,

I just wanted to thank you so much for your help. :D I really appreciate everything you did and taking out time to do something like this. My laptop is cured. Hehe.

Thank you again!

#12 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:14 AM

Posted 03 April 2010 - 09:22 AM

Since this issue appears resolved ... this Topic is closed.

Glad to have helped.

Everyone else please begin a New Topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users