Security Tool Infection


This topic is locked
22 replies to this topic

#1 RhonB

  • Members
  • 729 posts
  • Gender:Female
  • Location:Ontario, Canada

Posted 24 March 2010 - 11:09 PM

This topic is a continuation from the AII Forum Link:
http://www.bleepingcomputer.com/forums/t/304532/security-tool-infected-my-computer/

Hi Net Surfer...here are some logs...

exeHelper by Raktor
Build 20091220
Run at 20:26:41 on 03/24/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--



DDS (Ver_10-03-17.01) - NTFSx86
Run by Hollywood at 19:05:23.30 on 24/03/2010
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.2037.910 [GMT -7:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Convesoft\Orion\Messenger.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\system32\wuauclt.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Hollywood\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/
uSEARCH PAGE = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://en.ca.acer.yahoo.com
mDefault_Page_URL = hxxp://en.ca.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://ca.rd.yahoo.com/customize/ycomp/defaults/su/*http://ca.yahoo.com
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: LimeWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: LimeWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Veoh Video Compass: {52836eb0-631a-47b1-94a6-61f9d9112dae} - c:\program files\veoh networks\veoh video compass\SearchRecsPlugin.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - No File
TB: {75CD0BC5-E317-449C-9FF6-4986B3D48F64} - No File
TB: {A8415B7A-F661-4D31-92D7-4398E50483DF} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Acer Tour Reminder]
uRun: [lphcrn5j0eae9] c:\windows\system32\lphcrn5j0eae9.exe
uRun: [blehbook] "c:\programdata\16 Mp3 Mp3.nctj26"
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
StartupFolder: c:\users\hollyw~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
StartupFolder: c:\users\hollyw~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\orion.lnk - c:\convesoft\orion\Messenger.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
uPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~2.0_0\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: eNetHook.dll
SEH: {4cafaf0c-c38f-43c1-8080-390e776254de} - c:\windows\system32\tuvTkhee.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-9-25 11608]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\acer arcade deluxe\play movie\000.fcl [2008-5-25 13560]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-9-25 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-9-25 151297]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-9-25 52056]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2007-8-8 32256]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-15 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-8-8 179712]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

=============== Created Last 30 ================

2010-03-25 02:03:51 0 ----a-w- c:\users\hollywood\defogger_reenable
2010-03-24 23:35:31 0 d-----w- c:\users\hollyw~1\appdata\roaming\Malwarebytes
2010-03-24 23:35:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-24 23:35:24 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-24 23:35:24 0 d-----w- c:\programdata\Malwarebytes
2010-03-24 23:35:24 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-18 07:47:18 0 d-----w- c:\program files\Veoh Networks
2010-03-18 04:21:30 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-03-18 04:21:30 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-03-18 04:20:54 0 d-----w- c:\program files\iPod
2010-03-18 04:20:49 0 d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-18 04:20:49 0 d-----w- c:\program files\iTunes
2010-03-18 04:01:23 0 d-----w- c:\program files\Bonjour
2010-03-15 16:53:58 0 d-----w- c:\programdata\McAfee Security Scan
2010-03-15 16:53:58 0 d-----w- c:\programdata\McAfee
2010-03-15 16:53:54 0 d-----w- c:\program files\McAfee Security Scan
2010-03-15 10:29:07 0 d-----w- c:\windows\CheckSur
2010-03-15 10:04:58 41984 ----a-w- c:\windows\system32\netfxperf.dll
2010-03-15 03:41:06 0 d-----w- c:\program files\Ask.com
2010-03-14 23:24:26 0 d-----w- c:\users\hollywood\Tracing
2010-03-14 23:20:21 0 d-----w- c:\program files\Microsoft
2010-03-14 23:19:56 0 d-----w- c:\program files\Windows Live SkyDrive
2010-03-14 23:02:42 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-03-14 22:59:31 0 d-----w- c:\program files\common files\DivX Shared
2010-03-14 22:59:30 0 d-----w- c:\program files\DivX
2010-03-14 22:56:50 60928 ----a-w- c:\windows\system32\msasn1.dll
2010-03-14 22:56:44 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-03-14 22:56:44 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-03-14 22:56:44 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2010-03-14 22:04:29 0 d-----w- c:\program files\common files\Windows Live
2010-03-11 04:00:19 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf

==================== Find3M ====================

2010-03-18 04:15:53 86016 ----a-w- c:\windows\inf\infpub.dat
2010-03-18 04:15:53 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-03-18 04:15:53 143360 ----a-w- c:\windows\inf\infstor.dat
2009-12-13 06:58:50 54113 ----a-w- c:\program files\INSTALL.LOG
2008-09-24 15:49:51 174 --sha-w- c:\program files\desktop.ini
2008-09-24 15:32:35 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-05-28 02:53:59 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-05-28 02:53:59 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-05-28 02:53:59 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-09-10 15:18:44 16384 --sha-w- c:\windows\temp\cookies\index.dat
2008-09-10 15:18:44 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2008-09-10 15:18:44 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 19:06:37.63 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 5/26/2008 11:19:57 AM
System Uptime: 3/24/2010 6:36:28 PM (1 hours ago)

Motherboard: Acer | | Nettiling
Processor: Intel® Pentium® Dual CPU T2330 @ 1.60GHz | uPGA-478 | 1600/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 70 GiB total, 30.725 GiB free.
D: is FIXED (NTFS) - 70 GiB total, 69.305 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0001
Manufacturer: Microsoft
Name: isatap.{1E85983C-DBFB-4B5F-A9DE-217709074E14}
PNP Device ID: ROOT\*ISATAP\0001
Service: tunnel

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Broadcom NetLink ™ Gigabit Ethernet
Device ID: PCI\VEN_14E4&DEV_1693&SUBSYS_011E1025&REV_02\4&185174AE&0&00E2
Manufacturer: Broadcom
Name: Broadcom NetLink ™ Gigabit Ethernet
PNP Device ID: PCI\VEN_14E4&DEV_1693&SUBSYS_011E1025&REV_02\4&185174AE&0&00E2
Service: b57nd60x

==== System Restore Points ===================

RP318: 3/19/2010 6:36:56 AM - Windows Update
RP319: 3/21/2010 8:19:29 AM - Windows Update
RP320: 3/22/2010 4:48:40 PM - Windows Update
RP321: 3/22/2010 4:51:08 PM - Windows Update
RP322: 3/23/2010 7:37:43 PM - Windows Update
RP323: 3/24/2010 3:21:24 PM - Windows Update

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Avira AntiVir Personal - Free Antivirus
Bonjour
DivX Plus Web Player
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iTunes
LimeWire 5.5.6
Malwarebytes' Anti-Malware
McAfee Security Scan Plus
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Works
MSVCRT
MSXML 4.0 SP2 (KB973688)
QuickTime
Safari
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VC80CRTRedist - 8.0.50727.4053
Veoh Video Compass
Veoh Web Player
VLC media player 0.9.6
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Upload Tool

==== Event Viewer Messages From Past Week ========

3/23/2010 7:33:29 PM, Error: EventLog [6008] - The previous system shutdown at 2:42:56 AM on 23/03/2010 was unexpected.
3/21/2010 8:15:14 AM, Error: EventLog [6008] - The previous system shutdown at 9:11:59 AM on 20/03/2010 was unexpected.
3/18/2010 8:16:53 PM, Error: EventLog [6008] - The previous system shutdown at 2:00:18 AM on 18/03/2010 was unexpected.
3/18/2010 1:53:34 AM, Error: PlugPlayManager [12] - The device 'Atheros AR5007EG Wireless Network Adapter' (PCI\VEN_168C&DEV_001C&SUBSYS_04281468&REV_01\4&32e0b5b9&0&00E3) disappeared from the system without first being prepared for removal.
3/17/2010 9:16:03 PM, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
3/17/2010 9:13:16 PM, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

==== End Of File ===========================



I did not see a log created by Comedian... does it store somewhere on the computer?

Edited by Net_Surfer, 25 March 2010 - 12:53 AM.
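As an added example (not from this post and not part of the DDS tool), here is a small Python triage script that reads lines in the DDS "Pseudo HJT Report" format shown in the log above and lists the entries a helper would look at first: orphaned "No File" components, hook DLLs that load into other processes, and autoruns with random-looking names, odd extensions or unusual launch directories. The heuristics, the Finding type and the sample lines (copied from the log) are mine; the script flags items for review, it does not classify anything as malware.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example: the parsing rules and heuristics below are the editor's own,
not part of DDS. Output is a list of entries worth a second look.
"""
from __future__ import annotations

import ntpath  # splits Windows paths correctly even when run on Linux/macOS
import re
from dataclasses import dataclass

# Constructed input: a handful of lines copied from the DDS log posted above.
SAMPLE_REPORT = r"""
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [lphcrn5j0eae9] c:\windows\system32\lphcrn5j0eae9.exe
uRun: [blehbook] "c:\programdata\16 Mp3 Mp3.nctj26"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
AppInit_DLLs: eNetHook.dll
SEH: {4cafaf0c-c38f-43c1-8080-390e776254de} - c:\windows\system32\tuvTkhee.dll
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
"""

# "kind: body" lines; lines such as "uStart Page = ..." are skipped on purpose.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Za-z_\-]+):\s*(?P<rest>.*)$")
# First drive-letter path ending in an extension, stopping at a quote, space or '/'.
PATH_RE = re.compile(r'(?i)[a-z]:\\.*?\.[a-z0-9]{1,6}(?=["\s/]|$)')

AUTORUN_KINDS = {"uRun", "mRun", "dRun", "StartupFolder"}
HOOK_KINDS = {"SEH", "AppInit_DLLs", "Notify"}   # DLLs injected into other processes
EXPECTED_EXT = {"exe", "dll", "lnk", "scr"}
DATA_DIRS = ("c:\\programdata\\", "c:\\users\\")


@dataclass(frozen=True)
class Finding:
    kind: str
    target: str
    reason: str


def extract_target(rest: str) -> str | None:
    """Pull the file path out of an entry body (text after '[name]' and ' - ')."""
    if " - " in rest:
        rest = rest.rsplit(" - ", 1)[1]
    m = PATH_RE.search(rest)
    return m.group(0) if m else None


def digits_interleaved(stem: str) -> bool:
    """True when digits sit between letters (lphcrn5j0eae9), unlike 'office12'."""
    digit_pos = [i for i, c in enumerate(stem) if c.isdigit()]
    last_letter = max((i for i, c in enumerate(stem) if c.isalpha()), default=-1)
    return bool(digit_pos) and digit_pos[0] < last_letter


def triage_entry(line: str) -> list[Finding]:
    """Return review findings for one report line (empty list = nothing notable)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, rest = m.group("kind"), m.group("rest")
    if rest.endswith("No File"):
        return [Finding(kind, rest, "orphaned entry: registered component file is missing")]
    if kind not in AUTORUN_KINDS | HOOK_KINDS:
        return []
    target = extract_target(rest)
    if target is None and kind in AUTORUN_KINDS:
        return [Finding(kind, rest, "no target path parsed; inspect manually")]
    base = ntpath.basename(target or rest)       # hook entries may be a bare DLL name
    stem, ext = ntpath.splitext(base)
    ext = ext.lstrip(".").lower()
    findings: list[Finding] = []
    if kind in HOOK_KINDS:
        findings.append(Finding(kind, base, "hook DLL loaded into other processes; verify publisher/signature"))
    if ext not in EXPECTED_EXT:
        findings.append(Finding(kind, base, f"autorun target with unusual extension '.{ext}'"))
    if digits_interleaved(stem):
        findings.append(Finding(kind, base, "autorun target with random-looking name"))
    if target and target.lower().startswith(DATA_DIRS):
        findings.append(Finding(kind, base, "launched from a data/profile directory; confirm it is expected"))
    return findings


def triage_report(text: str) -> list[Finding]:
    """Run triage_entry over every line of a report and concatenate the findings."""
    return [f for line in text.splitlines() for f in triage_entry(line)]


if __name__ == "__main__":
    for f in triage_report(SAMPLE_REPORT):
        print(f"{f.kind:12} {f.target}: {f.reason}")
```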




#2 Net_Surfer

  • Banned
  • 2,154 posts
  • Gender:Male

Posted 25 March 2010 - 01:40 AM

Hello again RhonB and Esh.


The comedian tool does not produce a log.


What this tool does: It explains what it does to the person executing the tool and adds a little joke to every step, so you have something to ponder over while you wait for the step to finish.

* it turns off wordwrap,
* fixes file associations,
* downloads, installs and creates a backup with erunt
* sets a new system restore point
~~~
From your Malwarebytes' log:

QUOTE
Folders Infected:
C:\Users\Guest\Documents\LimeWire\Saved\_ (Worm.Archive) -> Quarantined and deleted successfully.
C:\Users\Hollywood\Documents\LimeWire\Saved\_ (Worm.Archive) -> Quarantined and deleted successfully.



P2P (File Sharing) Warning!

Going over your logs I noticed that you have LimeWire installed.

Please note that as long as you're using any form of Peer-to-Peer networking (Morpheus, Ares, Limewire, Bit Torrent etc.) and downloading files from non-documented sources, you can expect infestations of malware to occur.

Once upon a time, P2P file sharing was fairly safe. That is no longer true.
P2P programmes form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.

Many of the programmes come bundled with other unwanted programmes, but even the ones free of any bundled software are not safe to use.
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

There are some very good reasons for this, and they are for your protection:


From a security standpoint, p2p forms a direct connection into your computer and circumvents or bypasses most security, Anti-Malware and firewall software or hardware.

Any type of security on these programs is poor at best and non-existent on some; this could lead to Malware being downloaded into your computer without your knowledge.

Additionally, in cases where the program has not been configured correctly, a lot more than your music files have finished up being shared with others.

Passwords, PIN numbers, bank accounts, and other personal details have been harvested by the unscrupulous for their own gain at your expense.

Have a read of the below article to see where that happened:

Update: Seattle man arrested for p-to-p ID theft | InfoWorld | News | 2007-09-06 | By Robert McMillan, IDG News Service

I would recommend that you uninstall LimeWire, however that choice is up to you. If you choose to remove these programs, you can do so via Programs and Features.

You may decide to continue P2P sharing, but keep in mind that this practice may be the source of future malware infestation.
If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programmes, we may refuse to help you.

We need to give you the standard "compromised system" spiel before we go on:
IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read "How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?"

Although we MIGHT be able to remove the rootkit, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that IF the rootkit can be removed the computer will then be secure.

In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Let us know how you wish to proceed.

If you would like to proceed, then do the following:

Please follow my next set of steps:

Since you were not able to get Gmer to run, please take a note:


The speed and ability to complete a scan depends on a variety of factors.
  • The program itself and how its scanning engine is designed to scan: using a signature database vs heuristic scanning for suspicious behavior or a combination of both.
  • Options to scan for spyware, adware, riskware and potentially unwanted or unsafe programs (PUPs).
  • Options to scan memory, boot sectors, registry and alternate data streams (ADS).
  • Type of scan performed: Deep, Quick or Custom scanning.
  • What action has to be performed when malware is detected.
  • A computer's hard drive size.
  • Disk used capacity (number of files to include temporary files) that have to be scanned.
  • Types of files (.exe, .dll, .sys, .cab, archived, compressed, packed, email, etc) that are scanned.
  • Whether external drives are included in the scan.
  • Competition for and utilization of system resources by the scanner.
  • Other running processes and programs in the background.
  • Interference from malware.
  • Interference from the user.
Before performing an anti-rootkit (ARK) scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
Note: Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. SSDT (System Service Descriptor Table) is a table that stores addresses of functions that are used by Windows. Both legitimate programs and rootkits can hook into and alter this table. You should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

If you are using a CD Emulator (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD, etc) be aware that they use rootkit-like techniques to hide from other applications. When dealing with a malware infection, CD Emulators can interfere with investigative or anti-rootkit (ARK) tools. This interference can produce misleading or inaccurate scan results, false detection of legitimate files, cause unexpected crashes, BSODs, and general dross. This 'dross' often makes it hard to differentiate between genuine malicious rootkits and the legitimate drivers used by CD Emulators. In some cases, the drivers related to such tools can cause crashes or system hanging when attempting to boot into safe mode.

Since CD Emulators use a hidden driver which can be seen as a rootkit and interfere with providing accurate results or cause other problems, it is recommended that they be removed or disabled until disinfection is completed.

Some ARK scanners have settings which you can adjust if the scan hangs or freezes while others do not. If that's the case and you still cannot complete a scan, then try another ARK.
I would like you to try Sophos Anti-rootkit first with the following instructions:

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Please try that and let me know how it went!

Kind regards
Net_Surfer



#3 RhonB

RhonB
  • Topic Starter

  • Members
  • 729 posts
  • Gender:Female
  • Location:Ontario, Canada
  • Local time:02:58 AM

Posted 25 March 2010 - 06:16 AM

Good morning Net_Surfer,

So, did you not want me to try running GMER in safe mode tonight?

#4 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • Gender:Male
  • Local time:12:58 AM

Posted 25 March 2010 - 04:28 PM

Hello RhonB,

I posted instructions for a rootkit scan above. But I would like you to uninstall your antivirus before you scan, either with GMER in safe mode or with Sophos Anti-Rootkit. Then, when you are done scanning, re-install the antivirus again. After you have done that I will post new steps for you to follow to get the rest of the malware.

Please ensure that you read my above reply.

Regards
Net_Surfer

#5 RhonB

RhonB
  • Topic Starter

  • Members
  • 729 posts
  • Gender:Female
  • Location:Ontario, Canada
  • Local time:02:58 AM

Posted 25 March 2010 - 06:39 PM

Hi Net_Surfer....

Ok, I ran GMER in safe mode and it ran all the way...when it was done the message said "No modifications were found".
I clicked save and saved the log as ark.txt anyway just in case...but when I opened the log, it was empty. I am guessing that is good news.

I will not re-install the anti virus until I hear back from you with the next steps.



#6 RhonB

RhonB
  • Topic Starter

  • Members
  • 729 posts
  • Gender:Female
  • Location:Ontario, Canada
  • Local time:02:58 AM

Posted 25 March 2010 - 08:18 PM

HI there...

I was just looking around her computer and I found that she has Windows Defender...apparently it ran a scan and it found something...a "very serious" threat. Trojan:Win32/Winwebsec
It is asking me to remove it......should I click remove all?

#7 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • Gender:Male
  • Local time:12:58 AM

Posted 25 March 2010 - 08:19 PM

Hello again RhonB and Esh...

Go ahead and delete it if you can find it. Also, I need you to disable Windows Defender before you run ComboFix.

Since there were a few rootkits inside the infected computer that MBAM took care of, I would like us to run the ComboFix tool and see if it detects any baddies hidden from us.


Let's start cleaning any leftover malware from your computer.

There is a potentially unwanted piece of software I have detected on your PC called "AskBar".

Remove Adware.AskBar.a | Spyware Removal Information

It is optional to remove. But, I strongly suggest that you uninstall Ask Toolbar. Some of the bad practices of this toolbar are:
  1. Promoting its toolbars on sites targeted to kids. Details.
  2. Promoting its toolbars through ads that appear to be part of other companies' sites. Details.
  3. Promoting its toolbars through other companies' spyware. Details.
  4. Installing without any disclosure whatsoever and without any consent whatsoever. Details.
  5. Soliciting installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link. Details.
  6. Making confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit. Details.
Please read the full details HERE.

If you decide to remove Ask Toolbar, go to Start > Control Panel > Add Remove programs and remove:
AskBar (anything related to AskBar).

Then go to C: > Program Files and delete these folders if present:

AskBarDis
Ask.com

----------------------------^-------------------------------

Please follow the next set of steps in the way given:

*Firstly...

Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.


Please disable Windows Defender's real-time protection as it will interfere with the fix. You can re-enable it when we're finished with the cleanup.
  • Open Windows Defender
  • Click on "Tools"
  • Click on "General Settings"
  • Scroll down to "Real-time protection options"
  • Uncheck "Turn on Real-time protection (recommended)"
  • Click "Save"
After all of the fixes are complete it is very important that you enable Real-time Protection again.

Step 1: Online Multi Antivirus file scan

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows


Please go to either: Jotti or Virus Total and upload the following file(s) for scanning:

c:\windows\system32\tuvTkhee.dll

Using Jotti:
    1. Please copy and paste... the above full path and file name(s)...in the text box next to the Browse button.
    2. Click on Submit..button.
    3. The file will be uploaded and scanned by various antivirus scanners..this may take a few minutes.
    4. When all scans have completed... Highlight the results text, beginning with "File...and select all text down to the last scan result.
    5. Copy the selected text... Open Notepad... Paste the contents into Notepad... Save the file to a convenient place.
    6. Please repeat this procedure for each file listed above.
    7. Paste the contents of all the Jotti scan results in your next reply.
Using Virus Total:
    1. Please copy and paste... the above full path and file name(s)...in the text box next to the Browse button.
    2. Click on Send File...button.
    3. The file will be queued, uploaded and scanned by various antivirus scanners..this may take a few minutes.
    4. When the scan is completed...press the "Compact" icon
    5. The results will be shown in a grid like window...please Select and Copy the entire contents.
    6. Open Notepad...Paste the result contents into the Notepad window...Save this file to a convenient place.
    7. Please repeat this procedure for each file listed above.
    8. Paste the contents of all the Virus Total results in your next reply.
* ComboFix Tool
**Note: In the event you already have old versions of Combofix I need you to delete them, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

  • For Internet Explorer:
    o Choose to save, not open the file
    o When prompted - save the file to your desktop, and rename it to CFscan with .exe extension on the end.
Step 2: Please download Combofix from any of the links below but rename it to CFscan before saving it to your desktop.
Link 1
Link 2

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Step 3: Please insert your flash drive and all USB drives before running Combofix.
    Important notes regarding ComboFix:

    ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

    ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.
  • Close any open browsers.
    WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
  • Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
-----------------------------------------------------------

Step 4: Double click on the renamed file on your desktop & follow the prompts.
If you are unsure how to run ComboFix tool, please visit this webpage for instructions: How-to-use-combofix
  • If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.

    NOTE: If you have Windows XP: Combofix may ask you to install the Recovery Console, please allow it to do so.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
*** When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review.***

A word of advice if you are a lurker: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.


Step 5: MBAM

You already have Malwarebytes' Anti-Malware installed.
  • Open MBAM
  • Go to the updates tab, and click Update to update to the latest version
  • Once the program has updated, select Perform a quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.

    * Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
MBAM Tutorial if needed

Step 6: Re-Scan with DDS and post the log.

Make sure you re-enable your security programs when you're done with Combofix.

Summary of the logs I will need in your next reply:
  • The contents of the report log of the Jotti or virus total scan results
  • The report log of combofix C:\ComboFix.txt
  • The report log of MBAM
  • The report log of DDS
And a description of any remaining problems.

How are things at your end, RhonB?


Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Please DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean and free of malware!!!

Kind regards
Net_Surfer


Edited by Net_Surfer, 25 March 2010 - 10:12 PM.
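Before a suspect file such as the one named in step 1 is uploaded to an online multi-engine scanner, a helper usually checks that it exists, is non-empty and is really a PE image, and records its hashes so the scanner's report can be matched to exactly the file that was examined. The Python script below is an added example; it is not part of this thread and does not belong to any of the tools mentioned in it. The sample files it creates are constructed in a temporary directory (a minimal MZ/PE stub, an empty DLL, and a path that is never created), and the `inspect_file`, `build_samples` and `demo` names are my own.

```python
import hashlib
import os
import struct
import tempfile
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class FileReport:
    """What a helper wants to know about a suspect file before uploading it."""
    path: str
    exists: bool
    size: int = 0
    is_pe: bool = False
    md5: Optional[str] = None
    sha256: Optional[str] = None
    note: str = ""


def is_pe_image(data: bytes) -> bool:
    """True when data has an MZ DOS header whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of the NT headers
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def inspect_file(path: str) -> FileReport:
    """Report existence, size, PE validity and hashes; the file is only read, never run or changed."""
    report = FileReport(path=path, exists=os.path.isfile(path))
    if not report.exists:
        report.note = "not found: orphaned registry entry, or hidden/locked by the infection"
        return report
    with open(path, "rb") as fh:
        data = fh.read()
    report.size = len(data)
    if report.size == 0:
        # This is the case RhonB hit: an online scanner rejects a zero-byte upload as empty.
        report.note = "zero-byte file: online scanners will reject it as empty"
        return report
    report.md5 = hashlib.md5(data).hexdigest()
    report.sha256 = hashlib.sha256(data).hexdigest()
    report.is_pe = is_pe_image(data)
    report.note = ("PE image; hashes can be looked up before uploading"
                   if report.is_pe else "not a PE image despite its .dll/.exe name")
    return report


def build_samples(directory: str) -> Dict[str, str]:
    """Constructed sample files (not from the thread): a minimal PE stub, an empty DLL, a missing EXE."""
    stub = bytearray(0x44)                     # 0x40-byte DOS header + 4-byte PE signature
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    stub[0x40:0x44] = b"PE\x00\x00"
    paths = {
        "pe": os.path.join(directory, "sample.dll"),
        "empty": os.path.join(directory, "empty.dll"),
        "missing": os.path.join(directory, "missing.exe"),   # deliberately never created
    }
    with open(paths["pe"], "wb") as fh:
        fh.write(stub)
    open(paths["empty"], "wb").close()
    return paths


def demo() -> Dict[str, FileReport]:
    """Build the constructed samples in a temp directory and inspect each one."""
    directory = tempfile.mkdtemp(prefix="suspect-files-")
    return {name: inspect_file(path) for name, path in build_samples(directory).items()}


if __name__ == "__main__":
    for name, rep in demo().items():
        print(f"{name:8} exists={rep.exists} size={rep.size} pe={rep.is_pe} "
              f"sha256={rep.sha256 or '-'} :: {rep.note}")
```

To use it on a real machine, call `inspect_file(r"c:\windows\system32\tuvTkhee.dll")` (or whatever path the helper named) and paste the printed hashes alongside the scanner results; a "not found" or "zero-byte" note explains an "empty file" response from the scanner without any upload at all.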


#8 RhonB

RhonB
  • Topic Starter

  • Members
  • 729 posts
  • Gender:Female
  • Location:Ontario, Canada
  • Local time:02:58 AM

Posted 25 March 2010 - 09:45 PM

Ok, I disabled everything, made hidden files visible...did Jotti but it said that file was empty.

Here are all the logs....


ComboFix 10-03-25.04 - Hollywood 25/03/2010 19:16:50.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.2037.826 [GMT -7:00]
Running from: c:\users\Hollywood\Desktop\CFscan.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\drv\Tuner\Yuan\Resources\_desktop.ini
c:\program files\INSTALL.LOG
c:\programdata\Microsoft\Windows\Start Menu\Programs\Acer Crystal Eye Webcam Video Class Camera
c:\programdata\Microsoft\Windows\Start Menu\Programs\Acer Crystal Eye Webcam Video Class Camera \Uninstall.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\PlayMP3z
c:\programdata\Microsoft\Windows\Start Menu\Programs\PlayMP3z\Run PlayMP3z.lnk
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\tn3

.
((((((((((((((((((((((((( Files Created from 2010-02-26 to 2010-03-26 )))))))))))))))))))))))))))))))
.

2010-03-26 02:24 . 2010-03-26 02:25 -------- d-----w- c:\users\Hollywood\AppData\Local\temp
2010-03-26 02:24 . 2010-03-26 02:24 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-03-26 02:24 . 2010-03-26 02:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-25 04:03 . 2010-03-25 04:03 -------- d-----w- c:\program files\ERUNT
2010-03-24 23:35 . 2010-03-24 23:35 -------- d-----w- c:\users\Hollywood\AppData\Roaming\Malwarebytes
2010-03-24 23:35 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-24 23:35 . 2010-03-24 23:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-24 23:35 . 2010-03-24 23:35 -------- d-----w- c:\programdata\Malwarebytes
2010-03-24 23:35 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-18 07:47 . 2010-03-18 07:47 -------- d-----w- c:\program files\Veoh Networks
2010-03-18 04:21 . 2010-03-18 04:21 -------- dc----w- c:\windows\system32\DRVSTORE
2010-03-18 04:21 . 2009-05-18 21:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-03-18 04:21 . 2008-04-17 20:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-03-18 04:20 . 2010-03-18 04:20 -------- d-----w- c:\program files\iPod
2010-03-18 04:20 . 2010-03-18 04:21 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-18 04:20 . 2010-03-18 04:21 -------- d-----w- c:\program files\iTunes
2010-03-18 04:18 . 2010-03-18 04:19 -------- d-----w- c:\program files\QuickTime
2010-03-18 04:09 . 2010-03-18 04:09 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-03-18 04:05 . 2010-03-18 04:05 -------- d-----w- c:\program files\Safari
2010-03-18 04:02 . 2010-03-18 04:02 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-03-18 04:01 . 2010-03-18 04:01 -------- d-----w- c:\program files\Bonjour
2010-03-16 01:14 . 2010-03-16 01:14 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb91D5.tmp.exe
2010-03-15 16:53 . 2010-03-15 16:53 -------- d-----w- c:\programdata\McAfee Security Scan
2010-03-15 16:53 . 2010-03-15 16:53 -------- d-----w- c:\programdata\McAfee
2010-03-15 16:53 . 2010-03-19 03:29 -------- d-----w- c:\program files\McAfee Security Scan
2010-03-15 16:52 . 2010-03-15 16:52 -------- d-----w- c:\users\Hollywood\AppData\Local\AskToolbar
2010-03-15 10:29 . 2010-03-15 10:29 -------- d-----w- c:\windows\CheckSur
2010-03-15 10:04 . 2008-07-27 18:00 41984 ----a-w- c:\windows\system32\netfxperf.dll
2010-03-14 23:24 . 2010-03-22 03:11 -------- d-----w- c:\users\Hollywood\Tracing
2010-03-14 23:21 . 2010-03-14 23:21 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-03-14 23:20 . 2010-03-14 23:20 -------- d-----w- c:\program files\Microsoft
2010-03-14 23:19 . 2010-03-14 23:19 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-03-14 23:02 . 2010-02-24 17:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-03-14 22:59 . 2010-03-14 22:59 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-03-14 22:59 . 2010-03-14 22:59 -------- d-----w- c:\program files\DivX
2010-03-14 22:56 . 2009-09-04 12:38 60928 ----a-w- c:\windows\system32\msasn1.dll
2010-03-14 22:56 . 2009-12-28 12:36 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2010-03-14 22:56 . 2009-12-28 12:34 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-03-14 22:56 . 2009-12-28 12:32 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-03-14 22:28 . 2010-03-14 22:28 -------- d-----w- c:\users\Hollywood\AppData\Local\ICS
2010-03-14 22:27 . 2010-03-14 22:27 -------- d-----w- c:\users\Hollywood\AppData\Local\Apps
2010-03-14 22:27 . 2010-03-14 22:27 -------- d-----w- c:\users\Hollywood\AppData\Local\Deployment
2010-03-14 22:04 . 2010-03-14 22:04 -------- d-----w- c:\program files\Common Files\Windows Live
2010-03-12 04:36 . 2010-03-12 04:36 -------- d-----w- c:\users\Hollywood\AppData\Local\VideoMagician
2010-03-11 04:05 . 2010-03-11 04:05 -------- d-----w- c:\program files\Apple Software Update

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-26 00:17 . 2008-05-28 20:28 -------- d-----w- c:\users\Hollywood\AppData\Roaming\LimeWire
2010-03-25 03:44 . 2008-09-28 17:47 -------- d-----w- c:\programdata\Google Updater
2010-03-21 17:25 . 2008-06-20 17:35 -------- d-----w- c:\users\Hollywood\AppData\Roaming\Apple Computer
2010-03-18 04:20 . 2008-07-01 04:18 -------- d-----w- c:\program files\Common Files\Apple
2010-03-18 04:19 . 2008-07-01 04:18 -------- d-----w- c:\programdata\Apple
2010-03-16 02:56 . 2008-05-28 20:25 -------- d-----w- c:\program files\Google
2010-03-16 01:15 . 2008-09-14 01:02 -------- d-----w- c:\programdata\Iso Web Bags Else
2010-03-15 16:48 . 2008-05-26 06:40 71376 ----a-w- c:\users\Hollywood\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-15 10:47 . 2007-08-08 23:23 -------- d-----w- c:\programdata\Microsoft Help
2010-03-15 10:25 . 2007-08-08 23:25 -------- d-----w- c:\program files\Microsoft Works
2010-03-15 03:40 . 2008-05-28 20:19 -------- d-----w- c:\program files\LimeWire
2010-03-14 23:21 . 2008-06-16 23:04 -------- d-----w- c:\program files\Windows Live
2010-03-11 04:00 . 2010-03-11 04:00 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-02-05 02:37 . 2010-02-03 04:31 -------- d-----w- c:\users\Hollywood\AppData\Roaming\dvdcss
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"blehbook"="c:\programdata\16 Mp3 Mp3.nctj26" [X]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-28 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-02-22 2633976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]

c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\users\Hollywood\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Orion.lnk - c:\convesoft\Orion\Messenger.exe [2007-8-31 2482176]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-8-8 535336]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-2-20 282624]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\eNetHook.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 135664]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-06-05 179712]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2007-03-07 32256]

.
Contents of the 'Scheduled Tasks' folder

2010-03-26 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-28 01:07]

2010-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 02:55]

2010-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 02:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.ca.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://ca.rd.yahoo.com/customize/ycomp/defaults/su/*http://ca.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - c:\program files\Ask.com\GenericAskToolbar.dll
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
HKCU-Run-Acer Tour Reminder - (no file)
HKCU-Run-lphcrn5j0eae9 - c:\windows\system32\lphcrn5j0eae9.exe
ShellExecuteHooks-{4CAFAF0C-C38F-43C1-8080-390E776254DE} - c:\windows\system32\tuvTkhee.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-25 19:25
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\eNetHook.dll

- - - - - - - > 'lsass.exe'(672)
c:\windows\system32\eNetHook.dll
.
Completion time: 2010-03-25 19:28:09
ComboFix-quarantined-files.txt 2010-03-26 02:28

Pre-Run: 35,277,266,944 bytes free
Post-Run: 35,802,898,432 bytes free

- - End Of File - - A5A2B7B393AF2D0617586D52E1EED72D



Malwarebytes' Anti-Malware 1.44
Database version: 3915
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

25/03/2010 7:35:48 PM
mbam-log-2010-03-25 (19-35-48).txt

Scan type: Quick Scan
Objects scanned: 119036
Time elapsed: 4 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



DDS (Ver_10-03-17.01) - NTFSx86
Run by Hollywood at 19:37:19.18 on 25/03/2010
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.2037.905 [GMT -7:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Convesoft\Orion\Messenger.exe
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\wuauclt.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\notepad.exe
C:\Windows\explorer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\Hollywood\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.ca.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://ca.rd.yahoo.com/customize/ycomp/defaults/su/*http://ca.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Veoh Video Compass: {52836eb0-631a-47b1-94a6-61f9d9112dae} - c:\program files\veoh networks\veoh video compass\SearchRecsPlugin.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - No File
TB: {75CD0BC5-E317-449C-9FF6-4986B3D48F64} - No File
TB: {A8415B7A-F661-4D31-92D7-4398E50483DF} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [blehbook] "c:\programdata\16 Mp3 Mp3.nctj26"
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
StartupFolder: c:\users\hollyw~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\users\hollyw~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\orion.lnk - c:\convesoft\orion\Messenger.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
uPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~2.0_0\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\eNetHook.dll

============= SERVICES / DRIVERS ===============

R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\acer arcade deluxe\play movie\000.fcl [2008-5-25 13560]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2007-8-8 32256]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-15 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-8-8 179712]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]

=============== Created Last 30 ================

2010-03-26 02:28:14 0 d-sh--w- C:\$RECYCLE.BIN
2010-03-26 02:15:50 98816 ----a-w- c:\windows\sed.exe
2010-03-26 02:15:50 77312 ----a-w- c:\windows\MBR.exe
2010-03-26 02:15:50 261632 ----a-w- c:\windows\PEV.exe
2010-03-26 02:15:50 161792 ----a-w- c:\windows\SWREG.exe
2010-03-26 02:15:44 0 d-----w- C:\CFscan
2010-03-25 02:03:51 0 ----a-w- c:\users\hollywood\defogger_reenable
2010-03-24 23:35:31 0 d-----w- c:\users\hollyw~1\appdata\roaming\Malwarebytes
2010-03-24 23:35:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-24 23:35:24 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-24 23:35:24 0 d-----w- c:\programdata\Malwarebytes
2010-03-24 23:35:24 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-18 07:47:18 0 d-----w- c:\program files\Veoh Networks
2010-03-18 04:21:30 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-03-18 04:21:30 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-03-18 04:20:54 0 d-----w- c:\program files\iPod
2010-03-18 04:20:49 0 d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-18 04:20:49 0 d-----w- c:\program files\iTunes
2010-03-18 04:01:23 0 d-----w- c:\program files\Bonjour
2010-03-15 16:53:58 0 d-----w- c:\programdata\McAfee Security Scan
2010-03-15 16:53:58 0 d-----w- c:\programdata\McAfee
2010-03-15 16:53:54 0 d-----w- c:\program files\McAfee Security Scan
2010-03-15 10:29:07 0 d-----w- c:\windows\CheckSur
2010-03-15 10:04:58 41984 ----a-w- c:\windows\system32\netfxperf.dll
2010-03-14 23:24:26 0 d-----w- c:\users\hollywood\Tracing
2010-03-14 23:20:21 0 d-----w- c:\program files\Microsoft
2010-03-14 23:19:56 0 d-----w- c:\program files\Windows Live SkyDrive
2010-03-14 23:02:42 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-03-14 22:59:31 0 d-----w- c:\program files\common files\DivX Shared
2010-03-14 22:59:30 0 d-----w- c:\program files\DivX
2010-03-14 22:56:50 60928 ----a-w- c:\windows\system32\msasn1.dll
2010-03-14 22:56:44 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-03-14 22:56:44 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-03-14 22:56:44 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2010-03-14 22:04:29 0 d-----w- c:\program files\common files\Windows Live
2010-03-11 04:00:19 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf

==================== Find3M ====================

2010-03-18 04:15:53 86016 ----a-w- c:\windows\inf\infpub.dat
2010-03-18 04:15:53 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-03-18 04:15:53 143360 ----a-w- c:\windows\inf\infstor.dat
2008-09-24 15:49:51 174 --sha-w- c:\program files\desktop.ini
2008-09-24 15:32:35 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-05-28 02:53:59 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-05-28 02:53:59 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-05-28 02:53:59 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 19:37:32.44 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 5/26/2008 11:19:57 AM
System Uptime: 3/25/2010 4:35:12 PM (3 hours ago)

Motherboard: Acer | | Nettiling
Processor: Intel® Pentium® Dual CPU T2330 @ 1.60GHz | uPGA-478 | 1600/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 70 GiB total, 33.382 GiB free.
D: is FIXED (NTFS) - 70 GiB total, 69.305 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0001
Manufacturer: Microsoft
Name: isatap.{1E85983C-DBFB-4B5F-A9DE-217709074E14}
PNP Device ID: ROOT\*ISATAP\0001
Service: tunnel

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Broadcom NetLink ™ Gigabit Ethernet
Device ID: PCI\VEN_14E4&DEV_1693&SUBSYS_011E1025&REV_02\4&185174AE&0&00E2
Manufacturer: Broadcom
Name: Broadcom NetLink ™ Gigabit Ethernet
PNP Device ID: PCI\VEN_14E4&DEV_1693&SUBSYS_011E1025&REV_02\4&185174AE&0&00E2
Service: b57nd60x

==== System Restore Points ===================

RP320: 3/22/2010 4:48:40 PM - Windows Update
RP321: 3/22/2010 4:51:08 PM - Windows Update
RP322: 3/23/2010 7:37:43 PM - Windows Update
RP323: 3/24/2010 3:21:24 PM - Windows Update
RP324: 3/25/2010 3:02:52 PM - Windows Update
RP326: 3/25/2010 3:05:23 PM - Avira AntiVir Personal - 25/03/2010 15:03
RP327: 3/25/2010 3:07:30 PM - Windows Update
RP329: 3/25/2010 6:29:16 PM - Windows Defender Checkpoint

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Bonjour
DivX Plus Web Player
ERUNT 1.1j
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iTunes
LimeWire 5.5.6
Malwarebytes' Anti-Malware
McAfee Security Scan Plus
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Works
MSVCRT
MSXML 4.0 SP2 (KB973688)
QuickTime
Safari
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VC80CRTRedist - 8.0.50727.4053
Veoh Video Compass
Veoh Web Player
VLC media player 0.9.6
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Upload Tool

==== Event Viewer Messages From Past Week ========

3/25/2010 7:16:22 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
3/25/2010 7:16:21 PM, Error: Service Control Manager [7034] - The MobilityService service terminated unexpectedly. It has done this 1 time(s).
3/25/2010 7:16:21 PM, Error: Service Control Manager [7034] - The McciCMService service terminated unexpectedly. It has done this 1 time(s).
3/25/2010 7:16:21 PM, Error: Service Control Manager [7031] - The eSettings Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
3/25/2010 4:02:03 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr tdx Wanarpv6
3/25/2010 4:02:03 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
3/25/2010 4:02:03 PM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
3/25/2010 4:02:03 PM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
3/25/2010 4:02:03 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
3/25/2010 4:02:03 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
3/25/2010 4:02:03 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
3/25/2010 4:02:03 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
3/25/2010 4:02:03 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
3/25/2010 4:02:03 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
3/25/2010 4:02:03 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
3/25/2010 4:02:03 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
3/25/2010 4:02:03 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/25/2010 4:02:03 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
3/25/2010 4:02:03 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
3/25/2010 4:02:01 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
3/25/2010 4:02:01 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
3/25/2010 4:01:27 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
3/25/2010 4:01:27 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
3/25/2010 4:01:27 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
3/25/2010 4:01:25 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/25/2010 4:01:17 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
3/25/2010 4:00:47 PM, Error: EventLog [6008] - The previous system shutdown at 3:59:15 PM on 25/03/2010 was unexpected.
3/24/2010 8:40:56 PM, Error: EventLog [6008] - The previous system shutdown at 8:39:01 PM on 24/03/2010 was unexpected.
3/24/2010 8:22:01 PM, Error: EventLog [6008] - The previous system shutdown at 8:19:54 PM on 24/03/2010 was unexpected.
3/23/2010 7:33:29 PM, Error: EventLog [6008] - The previous system shutdown at 2:42:56 AM on 23/03/2010 was unexpected.
3/21/2010 8:15:14 AM, Error: EventLog [6008] - The previous system shutdown at 9:11:59 AM on 20/03/2010 was unexpected.
3/18/2010 8:16:53 PM, Error: EventLog [6008] - The previous system shutdown at 2:00:18 AM on 18/03/2010 was unexpected.
3/18/2010 1:53:34 AM, Error: PlugPlayManager [12] - The device 'Atheros AR5007EG Wireless Network Adapter' (PCI\VEN_168C&DEV_001C&SUBSYS_04281468&REV_01\4&32e0b5b9&0&00E3) disappeared from the system without first being prepared for removal.

==== End Of File ===========================




#9 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:58 AM

Posted 25 March 2010 - 11:06 PM

Hi RhonB and Esh

Combofix deleted that file as an orphan.

Let's get the rest of the malware. Please follow the next set of steps. Ensure that Windows Defender is still disabled before you run ComboFix again, and after you run the tools ensure that you re-install your Avira anti-virus before you reconnect to the internet:

Step 1: JavaRa and Java update.

Your Java program is out of date.

Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
Please follow these steps to remove older version Java components and update:
Download and Run JavaRA

Please download JavaRa and unzip it to your desktop.
  • Double-click on JavaRa.exe to start.
  • Use the drop down box to choose your language and click Select.
  • Select "Remove Older Versions".
  • Click Yes when asked "This will remove all older versions of the Java JRE...Are you sure you want to proceed?"
  • Click Ok when search and removal of old versions has completed.
  • A notice will appear indicating "Finished searching for all old versions...A logfile has been created...called JavaRa.log... JavaRa will now open its logfile."
  • Click Ok and notepad will open with the log results of what was found and removed.
  • View the logfile and close notepad.
  • A copy of JavaRa.log will automatically be saved to your primary hard drive (usually C:\JavaRa.log).
  • Return to JavaRa and click the button for Additional Tasks.
  • Select these Tasks:
    • Remove Useless JRE Files
    • Remove Startup Entry
    • Remove JavaRa Logfile (optional)
  • Click Go and then Ok when prompted "Finished searching for useless JRE files."
  • Click Ok again when prompted "Finished searching for JRE startup entries."
  • Close the Additional Tasks window, exit JavaRa and reboot your computer.
Step 2: Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 18 (JDK or JRE)"
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • From your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.
-- The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.
Step 3: TFC (Temp File Cleaner)

Let's clean up the temp files and make sure there are no other leftovers.

Download TFC to your desktop.
(TFC only cleans temp folders. It will not clean URL history, prefetch, or cookies).
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine.
  • If it doesn't, manually reboot to ensure a complete clean.
NOTE:
  • It's normal after running TFC cleaner that the PC will be slower to boot the first time.
  • TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.


Step 4: Rerun ComboFix with some additional directives.

Complex malware removal is to be performed by trained personnel, as they're capable of doing a surgical cleanup without affecting other components of the Operating System.
  1. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  2. Make sure that combofix.exe that you downloaded is on your Desktop but do NOT run it!
    • If it is not on your Desktop, the below will not work.
  3. Go to Start -> Run... and in the "Open:" box that opens type Notepad and press Enter (alternatively, navigate to Start -> Accessories -> Notepad).
  4. Copy the entire contents inside the CODE box below into Notepad (do NOT copy the word "CODE"!) - don't use any other text editor than Notepad or the script will fail.
    CODE
    KillAll::

    Driver::
    49DE1C67-83F8-4102-99E0-C16DCC7EEC796

    File::
    c:\programdata\16 Mp3 Mp3.nctj26
    c:\program files\acer arcade deluxe\play movie\000.fcl

    DDS::
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    TB: {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - No File
    TB: {75CD0BC5-E317-449C-9FF6-4986B3D48F64} - No File
    TB: {A8415B7A-F661-4D31-92D7-4398E50483DF} - No File
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "blehbook"=-
    [-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]

    Reglockdel::
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}
    WARNING: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
    Looking at the image below as an example:
  5. Go to File -> Save and save as CFScript.txt in the same location as ComboFix.exe.
  6. Close all applications and windows so that you have nothing open and are at your Desktop.
  7. Drag CFScript.txt on top of ComboFix.exe. (This will start ComboFix again). Please follow the prompts.
  8. When finished, ComboFix shall produce a log for you at C:\ComboFix.txt. Please post the entire contents of that report in your next reply for further review.


    NOTE: Do NOT mouseclick ComboFix's window whilst it's running. That may cause your system to hang!
Step 5: FREE ESET Online Virus Scan

Sometimes malware that is removed from your computer leaves other traces behind. These traces may not be active, but they are unwanted on your computer.
Therefore, by using the ESET online scanner it is possible for us to find leftover or missed malware files on your computer and we can now further clean up your computer.

You can use either Internet Explorer or Mozilla FireFox for this scan.
    Vista Users be sure to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
  1. Please go here then click on: button.
    QUOTE
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  2. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  3. Check
  4. Click the button.
  5. Accept any security warnings from your browser.
  6. Check
  7. Push the Start button.
  8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  9. When the scan completes, push
  10. Push , and save the file to your desktop using a unique name, such as ESETScan. the logfile will be located at C:\Program Files\ESET\EsetOnlineScanner\log.txt. Include the contents of this report in your next reply.
    Note: If Eset finds no bad files it will NOT produce a log. This is normal.
  11. Push the button.
  12. Push
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

You can refer to this animation by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing anti-virus program while performing the online scan.
Step 6: Re-install your Avira anti-virus program and re-scan with DDS so we can verify nothing new is back.

Summary of the logs I will need in your next reply:
  • The report log of ComboFix
  • The report log of Eset Online scan if something bad was found.
  • The report log of DDS
And a description of any remaining problems in your next post.

How are things at your end, RhonB?


Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks.
Kind regards
Net_Surfer


Edited by Net_Surfer, 25 March 2010 - 11:11 PM.
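The DDS:: section of the CFScript above was assembled from the DDS "Pseudo HJT Report" posted earlier in this thread: the six BHO/TB lines ending in "No File" are orphaned CLSIDs, and the [blehbook] Run entry launches an oddly named file from ProgramData. The following Python is an added example, not part of this thread nor of DDS or ComboFix, that parses those DDS lines and flags such entries for review; the trusted-directory prefixes and the non-.exe check are heuristics chosen for the example, and the sample lines are copied from the log above.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Added example for this thread, not part of DDS, ComboFix or the helper's own
tooling. It parses BHO/TB/Run lines as DDS prints them and flags what a
malware-removal helper reviews first: BHO/TB entries whose target is 'No File'
(orphaned CLSIDs) and Run entries launching from outside the usual program
directories or pointing at a non-.exe (both heuristics chosen for the example).
"""
import re
from dataclasses import dataclass, field, replace
from typing import List, Optional

# "BHO: Name: {CLSID} - path"  or  "TB: {CLSID} - No File"  (name is optional)
_BHO_TB = re.compile(
    r"^(?P<kind>BHO|TB):\s*(?:(?P<name>.+?):\s*)?"
    r"(?P<clsid>\{[0-9A-Fa-f-]+\})\s*-\s*(?P<target>.*)$"
)
# "uRun: [Label] "path" args"   (uRun = HKCU, mRun = HKLM, dRun = default user)
_RUN = re.compile(r"^(?P<kind>[umd]Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<target>.*)$")
# Directories an autorun on this Vista box is expected to launch from (heuristic).
_TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\", "c:\\acer\\")


@dataclass
class HjtEntry:
    kind: str              # BHO, TB, uRun, mRun or dRun
    name: str              # display name or [Run] label; "" for orphans
    clsid: Optional[str]   # CLSID for BHO/TB, None for Run entries
    target: str            # DLL / launched file as DDS printed it, or "No File"
    reasons: List[str] = field(default_factory=list)  # why it was flagged


def _exe_path(value: str) -> str:
    """Return the launched file from a Run value, dropping quotes and switches."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    # Unquoted value: cut at the first " /" or " -" switch, e.g. " /autoRun"
    return re.split(r"\s+[/-]", value, maxsplit=1)[0]


def parse_hjt_report(lines) -> List[HjtEntry]:
    """Turn DDS Pseudo HJT lines into entries; lines of other kinds are skipped."""
    entries = []
    for raw in lines:
        m = _BHO_TB.match(raw.strip())
        if m:
            entries.append(HjtEntry(m["kind"], m["name"] or "", m["clsid"], m["target"].strip()))
            continue
        m = _RUN.match(raw.strip())
        if m:
            entries.append(HjtEntry(m["kind"], m["name"], None, _exe_path(m["target"])))
    return entries


def flag_entries(entries) -> List[HjtEntry]:
    """Return copies of the entries worth a closer look, with the reasons filled in."""
    flagged = []
    for e in entries:
        reasons = []
        if e.clsid is not None and e.target.lower() == "no file":
            reasons.append("orphaned CLSID: still registered but its DLL is gone")
        if e.clsid is None:
            path = e.target.lower()
            if not path.startswith(_TRUSTED_PREFIXES):
                reasons.append("autorun launches from outside the program/system directories")
            if not path.endswith(".exe"):
                reasons.append("autorun target is not an .exe")
        if reasons:
            flagged.append(replace(e, reasons=reasons))
    return flagged


# Sample input: lines copied from the DDS 'Pseudo HJT Report' posted above.
SAMPLE_DDS_LINES = [
    r"uStart Page = hxxp://www.facebook.com/",
    r"BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll",
    r"BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File",
    r"TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll",
    r"TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File",
    r"TB: {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - No File",
    r"TB: {75CD0BC5-E317-449C-9FF6-4986B3D48F64} - No File",
    r"TB: {A8415B7A-F661-4D31-92D7-4398E50483DF} - No File",
    r"TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File",
    r"uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun",
    r'uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"',
    r"uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe",
    r'uRun: [blehbook] "c:\programdata\16 Mp3 Mp3.nctj26"',
    r'mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime',
    r"dRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe",
]

if __name__ == "__main__":
    for e in flag_entries(parse_hjt_report(SAMPLE_DDS_LINES)):
        print(e.kind, e.clsid or "[" + e.name + "]", e.target)
        for r in e.reasons:
            print("   ->", r)
```

Run against the sample it reports the same seven entries the CFScript targets under DDS:: and Registry:: (six "No File" CLSIDs plus the blehbook autorun) and leaves the vendor entries alone.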


#10 RhonB

RhonB
  • Topic Starter

  • Members
  • 729 posts
  • OFFLINE
  • Gender:Female
  • Location:Ontario, Canada
  • Local time:02:58 AM

Posted 26 March 2010 - 12:23 AM

Here you go....ComboFix log....



ComboFix 10-03-25.05 - Hollywood 25/03/2010 21:46:37.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.2037.1183 [GMT -7:00]
Running from: c:\users\Hollywood\Desktop\CFscan.exe
Command switches used :: c:\users\Hollywood\Desktop\CFScript.txt

FILE ::
"c:\program files\acer arcade deluxe\play movie\000.fcl"
"c:\programdata\16 Mp3 Mp3.nctj26"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\acer arcade deluxe\play movie\000.fcl
c:\programdata\16 Mp3 Mp3.nctj26

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}
-------\Service_{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}


((((((((((((((((((((((((( Files Created from 2010-02-26 to 2010-03-26 )))))))))))))))))))))))))))))))
.

2010-03-26 04:52 . 2010-03-26 04:54 -------- d-----w- c:\users\Hollywood\AppData\Local\temp
2010-03-26 04:52 . 2010-03-26 04:52 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-26 04:52 . 2010-03-26 04:52 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-03-26 04:52 . 2010-03-26 04:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-26 04:30 . 2010-03-26 04:30 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-26 02:15 . 2010-03-26 02:28 -------- d-----w- C:\CFscan
2010-03-25 04:03 . 2010-03-25 04:03 -------- d-----w- c:\program files\ERUNT
2010-03-24 23:35 . 2010-03-24 23:35 -------- d-----w- c:\users\Hollywood\AppData\Roaming\Malwarebytes
2010-03-24 23:35 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-24 23:35 . 2010-03-24 23:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-24 23:35 . 2010-03-24 23:35 -------- d-----w- c:\programdata\Malwarebytes
2010-03-24 23:35 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-18 07:47 . 2010-03-18 07:47 -------- d-----w- c:\program files\Veoh Networks
2010-03-18 04:21 . 2010-03-18 04:21 -------- dc----w- c:\windows\system32\DRVSTORE
2010-03-18 04:21 . 2009-05-18 21:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-03-18 04:21 . 2008-04-17 20:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-03-18 04:20 . 2010-03-18 04:20 -------- d-----w- c:\program files\iPod
2010-03-18 04:20 . 2010-03-18 04:21 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-18 04:20 . 2010-03-18 04:21 -------- d-----w- c:\program files\iTunes
2010-03-18 04:18 . 2010-03-18 04:19 -------- d-----w- c:\program files\QuickTime
2010-03-18 04:05 . 2010-03-18 04:05 -------- d-----w- c:\program files\Safari
2010-03-18 04:01 . 2010-03-18 04:01 -------- d-----w- c:\program files\Bonjour
2010-03-15 16:53 . 2010-03-15 16:53 -------- d-----w- c:\programdata\McAfee
2010-03-15 16:52 . 2010-03-15 16:52 -------- d-----w- c:\users\Hollywood\AppData\Local\AskToolbar
2010-03-15 10:29 . 2010-03-15 10:29 -------- d-----w- c:\windows\CheckSur
2010-03-15 10:04 . 2008-07-27 18:00 41984 ----a-w- c:\windows\system32\netfxperf.dll
2010-03-14 23:24 . 2010-03-22 03:11 -------- d-----w- c:\users\Hollywood\Tracing
2010-03-14 23:21 . 2010-03-14 23:21 -------- d-----w- c:\program files\Microsoft Sync Framework
2010-03-14 23:20 . 2010-03-14 23:20 -------- d-----w- c:\program files\Microsoft
2010-03-14 23:19 . 2010-03-14 23:19 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-03-14 23:02 . 2010-02-24 17:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-03-14 22:59 . 2010-03-14 22:59 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-03-14 22:59 . 2010-03-14 22:59 -------- d-----w- c:\program files\DivX
2010-03-14 22:56 . 2009-09-04 12:38 60928 ----a-w- c:\windows\system32\msasn1.dll
2010-03-14 22:56 . 2009-12-28 12:36 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2010-03-14 22:56 . 2009-12-28 12:34 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-03-14 22:56 . 2009-12-28 12:32 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-03-14 22:28 . 2010-03-14 22:28 -------- d-----w- c:\users\Hollywood\AppData\Local\ICS
2010-03-14 22:27 . 2010-03-14 22:27 -------- d-----w- c:\users\Hollywood\AppData\Local\Apps
2010-03-14 22:27 . 2010-03-14 22:27 -------- d-----w- c:\users\Hollywood\AppData\Local\Deployment
2010-03-14 22:04 . 2010-03-14 22:04 -------- d-----w- c:\program files\Common Files\Windows Live
2010-03-12 04:36 . 2010-03-12 04:36 -------- d-----w- c:\users\Hollywood\AppData\Local\VideoMagician
2010-03-11 04:05 . 2010-03-11 04:05 -------- d-----w- c:\program files\Apple Software Update

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-26 04:45 . 2008-09-28 17:47 -------- d-----w- c:\programdata\Google Updater
2010-03-26 04:32 . 2008-05-28 20:22 -------- d-----w- c:\program files\Common Files\Java
2010-03-26 04:30 . 2008-05-28 20:22 -------- d-----w- c:\program files\Java
2010-03-26 00:17 . 2008-05-28 20:28 -------- d-----w- c:\users\Hollywood\AppData\Roaming\LimeWire
2010-03-21 17:25 . 2008-06-20 17:35 -------- d-----w- c:\users\Hollywood\AppData\Roaming\Apple Computer
2010-03-18 04:20 . 2008-07-01 04:18 -------- d-----w- c:\program files\Common Files\Apple
2010-03-18 04:19 . 2008-07-01 04:18 -------- d-----w- c:\programdata\Apple
2010-03-18 04:09 . 2010-03-18 04:09 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-03-18 04:02 . 2010-03-18 04:02 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-03-16 02:56 . 2008-05-28 20:25 -------- d-----w- c:\program files\Google
2010-03-16 01:15 . 2008-09-14 01:02 -------- d-----w- c:\programdata\Iso Web Bags Else
2010-03-16 01:14 . 2010-03-16 01:14 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb91D5.tmp.exe
2010-03-15 16:48 . 2008-05-26 06:40 71376 ----a-w- c:\users\Hollywood\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-15 10:47 . 2007-08-08 23:23 -------- d-----w- c:\programdata\Microsoft Help
2010-03-15 10:25 . 2007-08-08 23:25 -------- d-----w- c:\program files\Microsoft Works
2010-03-15 03:40 . 2008-05-28 20:19 -------- d-----w- c:\program files\LimeWire
2010-03-14 23:21 . 2008-06-16 23:04 -------- d-----w- c:\program files\Windows Live
2010-03-11 04:00 . 2010-03-11 04:00 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-02-05 02:37 . 2010-02-03 04:31 -------- d-----w- c:\users\Hollywood\AppData\Roaming\dvdcss
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-28 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]

c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\users\Hollywood\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Orion.lnk - c:\convesoft\Orion\Messenger.exe [2007-8-31 2482176]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-8-8 535336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\eNetHook.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 135664]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-06-05 179712]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2007-03-07 32256]

.
Contents of the 'Scheduled Tasks' folder

2010-03-26 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-28 01:07]

2010-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 02:55]

2010-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-16 02:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.ca.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://ca.rd.yahoo.com/customize/ycomp/defaults/su/*http://ca.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-25 21:54
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\conime.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\ehome\ehmsas.exe
c:\acer\Empowering Technology\ENET\ENMTRAY.EXE
c:\acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
c:\acer\Empowering Technology\eRecovery\ERAGENT.EXE
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2010-03-25 21:59:59 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-26 04:59
ComboFix2.txt 2010-03-26 02:28

Pre-Run: 34,244,874,240 bytes free
Post-Run: 33,953,583,104 bytes free

- - End Of File - - 739700492B6D0582E93AF7107C236C2D


#11 RhonB


Posted 26 March 2010 - 08:35 PM

Hi there, I did all the instructions. Eset did find 2 threats.
Avira is downloaded and enabled. I also turned the Firewall back on.
The computer is working well now....

I had posted the ComboFix log last night...so here are the Eset and DDS logs..
Let me know if it is OK to install Firefox, and can I do the Windows updates now...

I will wait for your next set of instructions...

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=57af1322e0fb79469c9e3939d21f56da
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-03-27 12:47:25
# local_time=2010-03-26 05:47:25 (-0800, Pacific Daylight Time)
# country="Canada"
# lang=1033
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=1024 16777215 100 0 47098408 47098408 0 0
# compatibility_mode=5892 16776637 100 100 0 106250714 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=119861
# found=2
# cleaned=2
# scan_time=7659
C:\Users\Guest\AppData\Local\VirtualStore\Windows\System32\phcrn5j0eae9.bmp Win32/TrojanDownloader.FakeAlert.GS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Hollywood\AppData\Local\VirtualStore\Windows\System32\phcrn5j0eae9.bmp Win32/TrojanDownloader.FakeAlert.GS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


DDS (Ver_10-03-17.01) - NTFSx86
Run by Hollywood at 18:19:13.36 on 26/03/2010
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.2037.973 [GMT -7:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Convesoft\Orion\Messenger.exe
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\conime.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avnotify.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Hollywood\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.ca.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://ca.rd.yahoo.com/customize/ycomp/defaults/su/*http://ca.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Veoh Video Compass: {52836eb0-631a-47b1-94a6-61f9d9112dae} - c:\program files\veoh networks\veoh video compass\SearchRecsPlugin.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
StartupFolder: c:\users\hollyw~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\users\hollyw~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\orion.lnk - c:\convesoft\orion\Messenger.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
uPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\eNetHook.dll

============= SERVICES / DRIVERS ===============

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-26 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-26 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-3-26 60936]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2007-8-8 32256]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-15 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-8-8 179712]

=============== Created Last 30 ================

2010-03-27 01:16:01 0 d-----w- c:\users\hollyw~1\appdata\roaming\Avira
2010-03-27 01:10:45 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-03-27 01:10:44 0 d-----w- c:\programdata\Avira
2010-03-27 01:10:44 0 d-----w- c:\program files\Avira
2010-03-26 22:37:59 0 d-----w- c:\program files\ESET
2010-03-26 04:54:13 0 d-sh--w- C:\$RECYCLE.BIN
2010-03-26 04:32:27 0 d-----w- c:\programdata\Sun
2010-03-26 04:30:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-26 02:15:50 98816 ----a-w- c:\windows\sed.exe
2010-03-26 02:15:50 77312 ----a-w- c:\windows\MBR.exe
2010-03-26 02:15:50 261632 ----a-w- c:\windows\PEV.exe
2010-03-26 02:15:50 161792 ----a-w- c:\windows\SWREG.exe
2010-03-26 02:15:44 0 d-----w- C:\CFscan
2010-03-25 02:03:51 0 ----a-w- c:\users\hollywood\defogger_reenable
2010-03-24 23:35:31 0 d-----w- c:\users\hollyw~1\appdata\roaming\Malwarebytes
2010-03-24 23:35:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-24 23:35:24 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-24 23:35:24 0 d-----w- c:\programdata\Malwarebytes
2010-03-24 23:35:24 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-18 07:47:18 0 d-----w- c:\program files\Veoh Networks
2010-03-18 04:21:30 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-03-18 04:21:30 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-03-18 04:20:54 0 d-----w- c:\program files\iPod
2010-03-18 04:20:49 0 d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-18 04:20:49 0 d-----w- c:\program files\iTunes
2010-03-18 04:01:23 0 d-----w- c:\program files\Bonjour
2010-03-15 16:53:58 0 d-----w- c:\programdata\McAfee
2010-03-15 10:29:07 0 d-----w- c:\windows\CheckSur
2010-03-15 10:04:58 41984 ----a-w- c:\windows\system32\netfxperf.dll
2010-03-14 23:24:26 0 d-----w- c:\users\hollywood\Tracing
2010-03-14 23:20:21 0 d-----w- c:\program files\Microsoft
2010-03-14 23:19:56 0 d-----w- c:\program files\Windows Live SkyDrive
2010-03-14 23:02:42 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-03-14 22:59:31 0 d-----w- c:\program files\common files\DivX Shared
2010-03-14 22:59:30 0 d-----w- c:\program files\DivX
2010-03-14 22:56:50 60928 ----a-w- c:\windows\system32\msasn1.dll
2010-03-14 22:56:44 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-03-14 22:56:44 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-03-14 22:56:44 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2010-03-14 22:04:29 0 d-----w- c:\program files\common files\Windows Live
2010-03-11 04:00:19 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf

==================== Find3M ====================

2010-03-18 04:15:53 86016 ----a-w- c:\windows\inf\infpub.dat
2010-03-18 04:15:53 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-03-18 04:15:53 143360 ----a-w- c:\windows\inf\infstor.dat
2008-09-24 15:49:51 174 --sha-w- c:\program files\desktop.ini
2008-09-24 15:32:35 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-05-28 02:53:59 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-05-28 02:53:59 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-05-28 02:53:59 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 18:19:45.87 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 5/26/2008 11:19:57 AM
System Uptime: 3/26/2010 3:31:27 PM (3 hours ago)

Motherboard: Acer | | Nettiling
Processor: Intel® Pentium® Dual CPU T2330 @ 1.60GHz | uPGA-478 | 1600/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 70 GiB total, 30.545 GiB free.
D: is FIXED (NTFS) - 70 GiB total, 69.305 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0001
Manufacturer: Microsoft
Name: isatap.{1E85983C-DBFB-4B5F-A9DE-217709074E14}
PNP Device ID: ROOT\*ISATAP\0001
Service: tunnel

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Broadcom NetLink ™ Gigabit Ethernet
Device ID: PCI\VEN_14E4&DEV_1693&SUBSYS_011E1025&REV_02\4&185174AE&0&00E2
Manufacturer: Broadcom
Name: Broadcom NetLink ™ Gigabit Ethernet
PNP Device ID: PCI\VEN_14E4&DEV_1693&SUBSYS_011E1025&REV_02\4&185174AE&0&00E2
Service: b57nd60x

Class GUID:
Description:
Device ID: ROOT\LEGACY_BEEP\XX_{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}_XX
Manufacturer:
Name:
PNP Device ID: ROOT\LEGACY_BEEP\XX_{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}_XX
Service: {49DE1C67-83F8-4102-99E0-C16DCC7EEC796}

==== System Restore Points ===================

RP320: 3/22/2010 4:48:40 PM - Windows Update
RP321: 3/22/2010 4:51:08 PM - Windows Update
RP322: 3/23/2010 7:37:43 PM - Windows Update
RP323: 3/24/2010 3:21:24 PM - Windows Update
RP324: 3/25/2010 3:02:52 PM - Windows Update
RP326: 3/25/2010 3:05:23 PM - Avira AntiVir Personal - 25/03/2010 15:03
RP327: 3/25/2010 3:07:30 PM - Windows Update
RP329: 3/25/2010 6:29:16 PM - Windows Defender Checkpoint
RP330: 3/25/2010 8:55:41 PM - Removed LimeWire Toolbar.
RP331: 3/25/2010 9:00:48 PM - Removed LimeWire Toolbar.
RP332: 3/25/2010 9:30:17 PM - Installed Java™ 6 Update 18
RP333: 3/25/2010 10:25:25 PM - Removed Safari
RP334: 3/26/2010 3:35:14 PM - Windows Update

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Avira AntiVir Personal - Free Antivirus
Bonjour
DivX Plus Web Player
ERUNT 1.1j
ESET Online Scanner v3
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iTunes
Java Auto Updater
Java™ 6 Update 18
LimeWire 5.5.6
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
MSVCRT
MSXML 4.0 SP2 (KB973688)
QuickTime
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VC80CRTRedist - 8.0.50727.4053
Veoh Video Compass
Veoh Web Player
VLC media player 0.9.6
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Upload Tool

==== End Of File ===========================

#12 Net_Surfer


  • Banned
  • 2,154 posts
  • Gender:Male

Posted 27 March 2010 - 07:03 AM

Hello again RhonB and Esh,

Your logs appear clean of malware.

Now we can get rid of the tools we used from your computer and the logs that they created.

Please follow my next set of steps:


Step 1: Uninstall Combofix
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Make sure that combofix.exe that you downloaded is on your Desktop but Do not run it!
    o *If it is not on your Desktop, the below will not work.
  • Click on your Start Menu, then Run....
    o (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall

    Note: there must be a space between the "x" and the "/" <--- It needs to be there
    Windows Vista users: Press the Windows Key + R to bring up the Run... command, and from there you can enter ComboFix /Uninstall

  • Please advise if this step is missed for any reason as it performs some important actions:
"This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
It also makes a clean Restore Point and flushes all the old restore points in order to prevent possible reinfection from an old one through System Restore."


Step 2: Enable CD Emulation steps:
  • DeFogger - Re-Enable (only run when instructed to, when your system is clean again). To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers.
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
  • IMPORTANT!: If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.
  • Your Emulation drivers are now re-enabled.

Step 3: Since the tools we used to scan the computer, as well as the tools used to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

To help you with these chores, do the following:

Download and Run OTC
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
OTC will delete: DDS, Gmer and any logs that any of the tools produced. If not, you can manually delete DDS.exe and C:\DDS from your desktop.
I recommend keeping TFC (Temp File Cleaner), and using Malwarebytes' Anti-Malware to scan your computer regularly.

If you don't plan to use ESET OnlineScan again, then you can uninstall it through Add/Remove Programs. You can also delete Rkill.exe, exeHelper and JavaRa and the logs they created.


If you have done all of the above, Your Computer should be Clean of Malware.
CONGRATULATIONS.

Are things running okay? Do you have any more questions?

System Still Slow?

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware

The following can help speed up your computer:

Fragmented files (Drive C) De-fragmenting is a must.

It's one of the main reasons for system slowdowns. I use JkDefrag to defragment. You can use it forever. I recommend installing it and defragmenting as soon as possible.

To improve performance, I recommend checking this LINK.

---------------------------^--------------------------------

OK...RhonB, I'm not skilled at mincing words, but I believe that by now you have already figured out how your niece got infected: using P2P (File Sharing Programs: Limewire). So, especially for you and your FRIEND, I will use the long version of my "All Clean Canned Speech".

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again:

Please take the time to read below to secure your machine and take the necessary steps to keep it clean. Some of the following you may already have, so just disregard them.
  1. * Windows firewall uninstall.

    Firewall: It is really important that you use a third party Firewall on your computer. Without a firewall your computer is susceptible to
    being hacked and taken over. Windows firewall is good for blocking inbound connections but it does not
    block outbound connections. So if Malware manages to get onto your computer it will be able to send data out when it wants.

    Here are some free firewalls I would suggest trying: *PC Tools Firewall Plus or Zonealarm
    See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here
    Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.

    *If you choose the PC Tools Firewall Plus and you are asked to install ThreatFire do not do so.


    After you install the third-party firewall, please disable your Windows Firewall. Please go to My Computer >> Control Panel >> Windows Firewall and choose the Off (not recommended) option. Then please click Apply and OK.
  2. Make sure that you keep your anti-virus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your anti-virus program to provide you with the best possible protection from malicious software.
    Note: You should only have one anti-virus installed at a time. Having more than one anti-virus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  3. Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.
  4. If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  5. Keep your non-Microsoft applications updated as well

    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector. I suggest that you run it at least once a month.

    Bottom line: the software you use every day is the biggest source of danger to your personal information. Keeping your software up to date is your best defense. You cannot afford to let vulnerabilities go un-patched.
  6. Make Internet Explorer more secure
    You are using Internet Explorer; therefore, please read and follow the recommendations at this SITE.

    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  7. Backup regularly.
    You never know when your PC will become unstable or get infected such that you can't recover it. Follow this Microsoft article to learn how to back up. Follow this article by Microsoft to restore your backups.
    Alternatively, you can use 3rd-party programs to back up your data. They can be found at Bleeping Computer.
==============***============


Recommended Programs:
    To help protect your computer in the future I would recommend the download and installation of some or all of the following free programs (if not already present), and the updating of them on a regular basis:
  1. WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    *Green to go
    *Yellow for caution
    *Red to stop
    WOT has an add-on available for both Firefox and IE.
  2. WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  3. McAfee Site Advisor --free version.
    To give you an indication of which sites may contain bad links or suspect downloads. It loads an icon to the taskbar of your browser (versions for IE and Firefox). As you browse, a small button on your browser toolbar changes color based on SiteAdvisor's safety results, indicating the trustworthiness of the site you are on: Green for safe and Red for suspicious. Click on the icon to access details that SiteAdvisor has about the site. It also gives the same colour indications in the results page when you do a Google search, making it easier to decide which sites are safe to visit. The folks there check out websites and, based on their findings, rate them as Safe, Unknown, Caution, or Bad. Safety ratings from McAfee SiteAdvisor appear next to search results. Works with Google, Yahoo!, Live Search, AOL or ASK.
    This is a utility that can be downloaded and installed from: HERE
  4. ERUNT (Emergency Recovery Utility NT):
    This utility allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
    You can get this utility from: HERE and instructions on how to practice "Safe Computing" with regular automated Registry Backups with ERUNT from: HERE



Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

To find out more about how you got infected in the first place, and for some great guidelines to follow to prevent future infections, you can read this article by Tony Klein and this one by Miekiemoes.

To learn more about how to protect yourself while on the internet, read this guide: How did I get infected in the first place?

Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.
Stay clean and be safe.
That's it, happy surfing!

Cheers,
Net_Surfer


***If the ComboFix tool helped you***, please kindly consider a donation to its author. As you just experienced for yourself, ComboFix is a very effective tool. Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via:


I'll leave this thread open for a couple days in case you come across any lingering problems that need fixing, then I'll close it up. If you need it reopened for any reason just shoot me a PM. It's been a pleasure working with you, now best of luck!

I'd be grateful if you could reply to this post so that I know you have read it and if you've no other questions, the thread can be closed.

Edited by Net_Surfer, 27 March 2010 - 07:08 AM.
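As an added example that is not part of Net_Surfer's post, the following PowerShell script audits the three Internet-zone ActiveX settings that step 6 above sets by hand in Inetcpl.cpl, so a helper can confirm the change took effect. It assumes PowerShell is installed on the Vista machine and that no policy forces zone settings from HKLM instead of the per-user key; the value ids 1001, 1004 and 1201 and the data values 0/1/3 are Microsoft's documented zone-setting ids.

```powershell
# Added example, not from the original thread: check the Internet zone (zone 3)
# ActiveX settings against what step 6 recommends.
# Zone-setting ids and data values are Microsoft's documented ones:
#   1001 = Download signed ActiveX controls
#   1004 = Download unsigned ActiveX controls
#   1201 = Initialize and script ActiveX controls not marked as safe
#   data: 0 = Enable, 1 = Prompt, 3 = Disable
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Expected state exactly as the post describes it (Prompt, Prompt, Disable)
$expected = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 }
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 1 }
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
)
$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-SettingLabel([int]$value) {
    if ($label.ContainsKey($value)) { return $label[$value] }
    return "unknown ($value)"
}

# Returns $true when all three settings match the recommendation, $false otherwise.
function Test-InternetZoneActiveX {
    $props = Get-ItemProperty -Path $zoneKey -ErrorAction Stop
    $allOk = $true
    foreach ($e in $expected) {
        $prop = $props.PSObject.Properties[$e.Id]   # $null when the value is absent
        if ($null -eq $prop) {
            Write-Host ("MISSING  {0} ({1}): not set in HKCU, IE uses its built-in default" -f $e.Name, $e.Id)
            $allOk = $false
        } elseif ([int]$prop.Value -eq $e.Want) {
            Write-Host ("OK       {0}: {1}" -f $e.Name, (Get-SettingLabel $prop.Value))
        } else {
            Write-Host ("WEAK     {0}: is {1}, post recommends {2}" -f $e.Name, (Get-SettingLabel $prop.Value), (Get-SettingLabel $e.Want))
            $allOk = $false
        }
    }
    return $allOk
}

if (Test-InternetZoneActiveX) { 'Internet zone ActiveX settings match the recommendations.' }
else { 'One or more settings differ; apply step 6 in Inetcpl.cpl and re-run.' }
```

If the machine is domain-managed, the Security_HKLM_only policy makes IE read the zone settings from HKLM rather than HKCU, in which case the script should be pointed at the matching key under HKLM:\Software.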


#13 RhonB


Posted 27 March 2010 - 09:20 AM

Good morning NetSurfer.... I will do all the steps you have listed..but remember that we saved Combofix as CFscan so I will also go to C and delete this folder...correct?

But I still have a few questions....
I am hoping you will answer soon as I have to try and have the PC ready for her to pickup at 4:00 today (1:00 your time)... Here goes....

1) Will the system files that I made "unhidden" go back to being hidden automatically? They must be hidden right?

2) She already has ERUNT on her system..it loaded with one of the tools we used the other day...but ...when the PC starts up I get the following message...

Unable to Creat file C:\Windows\ERUNT\AutoBackup\27-03-2010\ERDNT.INF
(Access Denied)
Then..Error saving file for all the following files:
SecuritySystem
Default
Sam
Components
NTuser.dat
BCD
etc...

Should I uninstall ERUNT and re-install using your link?
Also, after I do that (if you think I should) do I have to leave the ERUNT icon on her desktop? Does she need it there?

3) I am trying to clean her desktop and I am not sure if I can safely delete the following icons:
Adobe Reader 8 (does she need this on her desktop??)
2 icons named desktop.ini (do these need to be there??)

And lastly.....can I run the waiting windows updates now??

Very grateful...once again..for all your help and watching for your answers to the above...hopefully before 1:00 your time ;-)

Thanks!



#14 RhonB


Posted 27 March 2010 - 11:35 AM

Hi Me again....

So I did all in your instructions....and installed Firewall, Secunia, Firefox & Wot (for both browsers).

As for my questions....

Those 2 desktop icons (desktop.ini) disappeared after running OTC...

So my only questions left are (from previous message)

About the ERUNT
About the hidden files
And....Can I take Adobe Reader 8 icon off of her desktop

Once you reply to these I will be all done.....

The computer is running beautifully now...I will say it again.....You're the Best!!!


Awaiting your reply on these last questions.....

Thanks again!

#15 Net_Surfer


Posted 27 March 2010 - 02:05 PM

Hi RhonB and Esh...........

You can uninstall ERUNT and use my links to get it installed back the right way; just follow my instructions.

ComboFix will hide the system files if you use the uninstall command; it also makes a new restore point.

About Adobe: uninstall that old version; if that does not delete the shortcut icon from the desktop, go ahead and delete it, and get the latest version.

Let me know how it goes. If you have to rephrase to uninstall ComboFix, just use the name we renamed it with.

Kind regards
Net_Surfer

Edited by Net_Surfer, 27 March 2010 - 02:09 PM.




