Our November Competition
 User Reviews - Add Yours!
The PCHF Lounge
Go Back   PC Help Forum » Security & Safety » [Fixed] Hijackthis! Logs
Reload this Page Fixed: can you review these logs; had a virus
Register for a Free Account

[Fixed] Hijackthis! Logs - can you review these logs; had a virus posted in the Security & Safety forums; Running vista sp2 on an Acer laptop. Had a virusI belive from games. I ran malwarebytes and removed the ones it showed and now have a clean malwarebytes report. But, ...


Reply
Scan your PC for Errors
Page 1 of 2 1 2
Old 09-17-2009   #1
Bronze Member
 
Join Date: Jan 2009
Posts: 8
PC Experience: Some Experience
Question can you review these logs; had a virus
Running vista sp2 on an Acer laptop. Had a virusI belive from games. I ran malwarebytes and removed the ones it showed and now have a clean malwarebytes report. But, could you review the logs. I ran active scan after malwarebytes and it is showing 2 adware infections. All logs below:

Malwarebytes' Anti-Malware 1.41
Database version: 2812
Windows 6.0.6002 Service Pack 2
9/17/2009 8:20:17 PM
mbam-log-2009-09-17 (20-20-17).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 237602
Time elapsed: 1 hour(s), 14 minute(s), 55 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:16 PM, on 9/17/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal
Running processes:
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\marian\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\marian\Desktop\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = iGoogle Redirect
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = iGoogle Redirect
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = iGoogle Redirect
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\s wg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [BkupTray] "C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe"
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe"
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ArcadeDeluxeAgent] "C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O13 - Gopher Prefix:
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mahjong%2...es/stg_drm.ocx
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {4DCA1E08-4147-4A3D-8CA6-E095DF189FAB} (CPlayFirstNightshiftControl Object) - http://www.gamehouse.com/realarcade-...JaguarsEye.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (RealArcade Games Player) - http://www.gamehouse.com/realarcade-...amesplayer.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mahjong%2.../armhelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEE96E37-EDAB-427C-BCC8-66EB51AA8A54}: NameServer = 66.174.95.44 69.78.96.14
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
O23 - Service: CLHNService - Unknown owner - C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Inkjet Printer/Scanner Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
--
End of file - 11296 bytes


;************************************************* ************************************************** ************************************************** ******************************
ANALYSIS: 2009-09-17 18:53:59
PROTECTIONS: 1
MALWARE: 1
SUSPECTS: 1
;************************************************* ************************************************** ************************************************** ******************************
PROTECTIONS
Description Version Active Updated
;================================================= ================================================== ================================================== ==============================
Windows Defender 1.1.1505.0 No Yes
;================================================= ================================================== ================================================== ==============================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;================================================= ================================================== ================================================== ==============================
00034463 adware/wupd Adware No 0 Yes No hkey_classes_root\install.install.1
00034463 adware/wupd Adware No 0 Yes No hkey_classes_root\install.install
;================================================= ================================================== ================================================== ==============================
SUSPECTS
Sent Location �<�P�'
�9
;================================================= ================================================== ================================================== ==============================
No C:\My Games\Nightshift Legacy - The Jaguar's Eye\nightshiftlegacy.exe �<�P�'
�9
;================================================= ================================================== ================================================== ==============================
VULNERABILITIES
Id Severity Description �<�P�'
�9
;================================================= ================================================== ================================================== ==============================
;================================================= ================================================== ================================================== ==============================
Rusty5 is offline   Reply With Quote
Advertisement - Register to Remove
Old 09-17-2009   #2
Moderator
 
Ankur's Avatar
 
Join Date: Jul 2009
Location: India
Posts: 129
PC Experience: Experienced
Default Re: can you review these logs; had a virus
Hello Rusty!! Welcome back to the forum.


I appreciate that you did a mbam scan and posted the logs here.But we have a tested and proven method of malware removal.Please click the prework link in my signature.Carefully follow all the instructions and post the required logs in your next reply.


Looking forward to your reply!!

Regards,
Ankur
__________________
Ankur is offline   Reply With Quote
Old 09-17-2009   #3
Bronze Member
 
Join Date: Jan 2009
Posts: 8
PC Experience: Some Experience
Question Re: can you review these logs; had a virus
here are the logs. I am not sure if I am to attach the first one but in 1a it says too for 64 bit users, which I am not, so I am attaching step 1.


DDS (Ver_09-07-30.01) - NTFSx86
Run by marian at 3:12:34.05 on Fri 09/18/2009
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1976.923 [GMT -7:00]
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Windows\system32\rundll32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Dwm.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskeng.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Users\marian\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN\Toolbar\3.0.1125.0\msntask.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Windows\system32\WerCon.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.ex e
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\marian\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=1008&m=aspire_ 5735
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=1008&m=aspire_ 5735
mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=1008&m=aspire_ 5735
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\program files\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\s wg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\program files\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNo tifier.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [BkupTray] "c:\program files\newtech infosystems\nti backup now 5\BkupTray.exe"
mRun: [CLMLServer] "c:\program files\acer arcade deluxe\acer arcade deluxe\kernel\clml\CLMLSvc.exe"
mRun: [PlayMovie] "c:\program files\acer arcade deluxe\playmovie\PMVService.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ePower_DMC] c:\program files\acer\empowering technology\epower\ePower_DMC.exe
mRun: [eRecoveryService]
mRun: [Acer Assist Launcher] c:\program files\acer\acer assist\launcher.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [ArcadeDeluxeAgent] "c:\program files\acer arcade deluxe\acer arcade deluxe\ArcadeDeluxeAgent.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [Acer Product Registration] "c:\program files\acer\acer registration\ACE1.exe" /startup
mRun: [eDataSecurity Loader] c:\program files\acer\empowering technology\edatasecurity\x86\eDSloader.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\sta rtup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-f400-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\sta rtup\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Mahjong%2...es/stg_drm.ocx
DPF: {4DCA1E08-4147-4A3D-8CA6-E095DF189FAB} - hxxp://www.gamehouse.com/realarcade-webgames/nightshiftlegacythejaguarseye/NightshiftJaguarsEye.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://www.gamehouse.com/realarcade-webgames/realarcade/realarcadegamesplayer.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Mahjong%2.../armhelper.ocx
TCP: {AEE96E37-EDAB-427C-BCC8-66EB51AA8A54} = 66.174.95.44 66.174.92.14
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
================= FIREFOX ===================
FF - ProfilePath - c:\users\marian\appdata\roaming\mozilla\firefox\pr ofiles\9c257fjp.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components \qfaservices.dll
FF - component: c:\programdata\mozilla\firefox extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\programdata\mozilla\firefox extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/up...r={moz:version}&");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lo...r={moz:version}&");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");
============= SERVICES / DRIVERS ===============
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\acer arcade deluxe\playmovie\000.fcl [2008-4-30 61424]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-3-3 16384]
R2 CLHNService;CLHNService;c:\program files\acer arcade deluxe\homemedia\kernel\dmp\CLHNService.exe [2008-4-30 81504]
R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2008-4-30 24576]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-25 210216]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-6 50424]
R2 NTIPPKernel;NTIPPKernel;c:\program files\acer arcade deluxe\homemedia\kernel\dmp\NTIPPKernel.sys [2008-4-30 122368]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-4 131072]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-14 226656]
R3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2008-12-21 29824]
R3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2008-12-21 41344]
R3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2008-12-21 39936]
R3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2008-12-21 59776]
RUnknown pavboot;pavboot; [x]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-1-20 179712]
SUnknown rootrepeal;rootrepeal; [x]
=============== Created Last 30 ================
2009-09-17 17:42 <DIR> --d----- c:\program files\Panda Security
2009-09-17 07:50 <DIR> --d----- c:\windows\system32\eu-ES
2009-09-17 07:50 <DIR> --d----- c:\windows\system32\ca-ES
2009-09-17 07:50 <DIR> --d----- c:\windows\system32\vi-VN
2009-09-17 06:00 <DIR> --d----- c:\windows\system32\EventProviders
2009-09-17 05:58 1,183,232 a------- c:\windows\system32\msxml3.dll
2009-09-17 05:57 551,936 a------- c:\windows\system32\prnntfy.dll
2009-09-17 05:56 41,472 a------- c:\windows\system32\drivers\raspppoe.sys
2009-09-17 04:23 <DIR> --d----- c:\windows\pss
2009-09-17 02:47 <DIR> --d----- c:\users\marian\appdata\roaming\Malwarebytes
2009-09-17 02:47 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-17 02:47 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-17 02:47 <DIR> --d----- c:\programdata\Malwarebytes
2009-09-17 02:47 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-17 02:47 <DIR> --d----- c:\progra~2\Malwarebytes
2009-09-17 02:46 <DIR> --d----- c:\program files\CCleaner
2009-09-13 01:33 <DIR> --d----- c:\users\marian\appdata\roaming\Flood Light Games
2009-09-13 01:33 <DIR> --d----- c:\programdata\Flood Light Games
2009-09-13 01:33 <DIR> --d----- c:\progra~2\Flood Light Games
2009-09-09 09:02 904,776 a------- c:\windows\system32\drivers\tcpip.sys
2009-09-09 09:02 105,984 a------- c:\windows\system32\netiohlp.dll
2009-09-09 09:02 30,720 a------- c:\windows\system32\drivers\tcpipreg.sys
2009-09-09 09:01 27,136 a------- c:\windows\system32\NETSTAT.EXE
2009-09-09 09:01 19,968 a------- c:\windows\system32\ARP.EXE
2009-09-09 09:01 9,728 a------- c:\windows\system32\TCPSVCS.EXE
2009-09-09 09:01 10,240 a------- c:\windows\system32\finger.exe
2009-09-09 09:01 8,704 a------- c:\windows\system32\HOSTNAME.EXE
2009-09-09 09:01 17,920 a------- c:\windows\system32\ROUTE.EXE
2009-09-09 09:01 11,264 a------- c:\windows\system32\MRINFO.EXE
2009-09-09 09:01 17,920 a------- c:\windows\system32\netevent.dll
2009-09-09 08:59 2,501,921 a------- c:\windows\system32\wlan.tmf
2009-09-09 08:59 513,536 a------- c:\windows\system32\wlansvc.dll
2009-09-09 08:59 302,592 a------- c:\windows\system32\wlansec.dll
2009-09-09 08:59 293,376 a------- c:\windows\system32\wlanmsm.dll
2009-09-09 08:59 127,488 a------- c:\windows\system32\L2SecHC.dll
2009-09-09 08:59 68,096 a------- c:\windows\system32\wlanhlp.dll
2009-09-09 08:59 65,024 a------- c:\windows\system32\wlanapi.dll
2009-09-09 08:58 2,868,224 a------- c:\windows\system32\mf.dll
2009-09-09 08:58 98,816 a------- c:\windows\system32\mfps.dll
2009-09-09 08:58 53,248 a------- c:\windows\system32\rrinstaller.exe
2009-09-09 08:58 24,576 a------- c:\windows\system32\mfpmp.exe
2009-09-09 08:58 2,048 a------- c:\windows\system32\mferror.dll
2009-09-03 06:35 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-09-03 06:35 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-01 03:26 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_0 1005.Wdf
2009-08-29 13:38 <DIR> --d----- c:\users\marian\appdata\roaming\Princess Isabella
2009-08-29 09:08 <DIR> --d----- c:\program files\bfgclient
2009-08-28 05:10 2,048 a------- c:\windows\system32\tzres.dll
2009-08-28 05:09 270,848 a------- c:\windows\system32\schannel.dll
2009-08-28 05:09 499,712 a------- c:\windows\system32\kerberos.dll
2009-08-28 05:09 218,624 a------- c:\windows\system32\msv1_0.dll
2009-08-28 05:09 175,104 a------- c:\windows\system32\wdigest.dll
2009-08-28 05:09 439,864 a------- c:\windows\system32\drivers\ksecdd.sys
2009-08-28 05:09 72,704 a------- c:\windows\system32\secur32.dll
2009-08-28 05:09 9,728 a------- c:\windows\system32\lsass.exe
2009-08-28 05:09 1,259,008 a------- c:\windows\system32\lsasrv.dll
2009-08-27 03:37 1,696,768 a------- c:\windows\system32\gameux.dll
2009-08-22 10:07 41,984 a------- c:\windows\system32\netfxperf.dll
==================== Find3M ====================
2009-09-17 07:57 143,360 a------- c:\windows\inf\infstrng.dat
2009-09-17 07:57 86,016 a------- c:\windows\inf\infstor.dat
2009-09-17 07:57 51,200 a------- c:\windows\inf\infpub.dat
2009-09-17 07:50 665,600 a------- c:\windows\inf\drvindex.dat
2009-08-28 19:30 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-28 19:30 458,752 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-28 19:30 2,159,616 a------- c:\windows\apppatch\AcGenral.dll
2009-08-28 19:30 542,720 a------- c:\windows\apppatch\AcLayers.dll
2009-07-21 14:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 14:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 14:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 13:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-07-17 06:54 71,680 a------- c:\windows\system32\atl.dll
2009-07-15 05:40 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-07-15 05:39 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-07-15 05:39 4,096 a------- c:\windows\system32\dxmasf.dll
2009-07-15 05:39 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-02 00:49 460 a------- c:\users\marian\appdata\roaming\wklnhst.dat
2008-01-20 19:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-10-22 15:34 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT
============= FINISH: 3:13:29.40 ===============
Attached Files
File Type: txt RootRepeal report 09-18-09 (02-23-50).txt (59.0 KB, 1 views)
File Type: txt Attach.txt (6.1 KB, 1 views)
File Type: txt checkup.txt (968 Bytes, 1 views)
Rusty5 is offline   Reply With Quote
Old 09-18-2009   #4
Senior Security Analyst
 
Pancake's Avatar
 
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 6,867
PC Experience: Elite PC Guru
Default Re: can you review these logs; had a virus
Does that scan give you a path to those adware infections ?.

You will need to download ComboFix.exe. This will give a better view to the files running, those that are hidden, and also those in the registry..Please download from one of these webpages .

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe


* IMPORTANT !!! Save ComboFix.exe to your Desktop
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools. More help on your specific AV here: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Double-click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.Recovery Console can be installed from your disc if you have Vista if you wish.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes to continue scanning for malware.
When finished, it shall produce a log for you. Please include the ComboFix.txt in your reply.

Caution.....
Never use this program to remove files.Only use it with help from an experienced user.Wrongful use can damage your computer.
__________________
  • An Australian Member of
  • and
My real name is Eddy
Pancake is offline   Reply With Quote
Old 09-18-2009   #5
Bronze Member
 
Join Date: Jan 2009
Posts: 8
PC Experience: Some Experience
Exclamation Re: can you review these logs; had a virus
ComboFix 09-09-17.04 - marian 09/18/2009 17:00.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1976.938 [GMT -7:00]
Running from: c:\users\marian\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\marian\AppData\Roaming\.#
c:\users\marian\AppData\Roaming\.#\MBX@114@1B02990 .###
c:\users\marian\AppData\Roaming\.#\MBX@114@1B029C0 .###
c:\users\marian\AppData\Roaming\.#\MBX@114@1B029F0 .###
c:\users\marian\AppData\Roaming\.#\MBX@1F3C@1DC299 0.###
c:\users\marian\AppData\Roaming\.#\MBX@1F3C@1DC29C 0.###
c:\users\marian\AppData\Roaming\.#\MBX@1F3C@1DC29F 0.###
c:\users\marian\AppData\Roaming\.#\MBX@BFC@252990. ###
c:\users\marian\AppData\Roaming\.#\MBX@BFC@2529C0. ###
c:\users\marian\AppData\Roaming\.#\MBX@BFC@2529F0. ###
c:\users\marian\AppData\Roaming\.#\MBX@E64@1832990 .###
c:\users\marian\AppData\Roaming\.#\MBX@E64@18329C0 .###
c:\users\marian\AppData\Roaming\.#\MBX@E64@18329F0 .###
c:\users\marian\AppData\Roaming\.#\MBX@F1C@1C82990 .###
c:\users\marian\AppData\Roaming\.#\MBX@F1C@1C829C0 .###
c:\users\marian\AppData\Roaming\.#\MBX@F1C@1C829F0 .###
c:\windows\Installer\14eeab.msi
.
((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))
.
2009-09-19 00:07 . 2009-09-19 00:07 -------- d-----w- c:\users\marian\AppData\Local\temp
2009-09-19 00:07 . 2009-09-19 00:07 -------- d-----w- c:\users\Jennifer\AppData\Local\temp
2009-09-19 00:07 . 2009-09-19 00:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-18 08:54 . 2009-09-18 08:54 -------- d-----w- c:\program files\7-Zip
2009-09-18 00:42 . 2009-09-18 09:05 -------- d-----w- c:\program files\Panda Security
2009-09-17 14:50 . 2009-09-17 14:51 -------- d-----w- c:\windows\system32\ca-ES
2009-09-17 14:50 . 2009-09-17 14:51 -------- d-----w- c:\windows\system32\eu-ES
2009-09-17 14:50 . 2009-09-17 14:51 -------- d-----w- c:\windows\system32\vi-VN
2009-09-17 13:00 . 2009-09-17 13:00 -------- d-----w- c:\windows\system32\EventProviders
2009-09-17 12:58 . 2009-04-11 06:33 986600 ----a-w- c:\windows\system32\winload.exe
2009-09-17 12:57 . 2009-04-11 06:28 99840 ----a-w- c:\windows\system32\ulib.dll
2009-09-17 12:56 . 2009-04-11 04:46 41472 ----a-w- c:\windows\system32\drivers\raspppoe.sys
2009-09-17 09:47 . 2009-09-17 09:47 -------- d-----w- c:\users\marian\AppData\Roaming\Malwarebytes
2009-09-17 09:47 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-17 09:47 . 2009-09-17 09:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-17 09:47 . 2009-09-17 09:47 -------- d-----w- c:\programdata\Malwarebytes
2009-09-17 09:47 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-17 09:46 . 2009-09-17 09:46 -------- d-----w- c:\program files\CCleaner
2009-09-13 08:33 . 2009-09-13 08:33 -------- d-----w- c:\users\marian\AppData\Roaming\Flood Light Games
2009-09-13 08:33 . 2009-09-13 08:33 -------- d-----w- c:\programdata\Flood Light Games
2009-09-09 16:02 . 2009-08-14 16:27 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-09-09 16:02 . 2009-08-14 13:48 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-09-09 16:02 . 2009-08-14 13:48 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-09-09 16:01 . 2009-08-14 13:49 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-09-09 16:01 . 2009-08-14 13:49 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-09-09 16:01 . 2009-08-14 13:49 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-09-09 16:01 . 2009-08-14 13:49 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-09-09 16:01 . 2009-08-14 13:49 10240 ----a-w- c:\windows\system32\finger.exe
2009-09-09 16:01 . 2009-08-14 13:49 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-09-09 16:01 . 2009-08-14 13:49 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-09-09 16:01 . 2009-08-14 15:53 17920 ----a-w- c:\windows\system32\netevent.dll
2009-09-09 15:59 . 2009-07-11 19:01 513536 ----a-w- c:\windows\system32\wlansvc.dll
2009-09-09 15:59 . 2009-07-11 19:01 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-09-09 15:59 . 2009-07-11 19:01 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-09-09 15:59 . 2009-07-11 17:03 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2009-09-09 15:59 . 2009-04-11 06:28 68096 ----a-w- c:\windows\system32\wlanhlp.dll
2009-09-09 15:59 . 2009-07-11 19:01 65024 ----a-w- c:\windows\system32\wlanapi.dll
2009-09-09 15:58 . 2009-06-10 11:41 2868224 ----a-w- c:\windows\system32\mf.dll
2009-09-09 15:58 . 2009-04-11 06:28 98816 ----a-w- c:\windows\system32\mfps.dll
2009-09-09 15:58 . 2009-04-11 06:27 53248 ----a-w- c:\windows\system32\rrinstaller.exe
2009-09-09 15:58 . 2009-04-11 06:27 24576 ----a-w- c:\windows\system32\mfpmp.exe
2009-09-09 15:58 . 2009-04-11 04:54 2048 ----a-w- c:\windows\system32\mferror.dll
2009-09-04 17:04 . 2009-09-04 17:04 -------- d-----w- c:\users\marian\AppData\Roaming\Talkback
2009-09-04 17:04 . 2009-09-04 17:04 -------- d-----w- c:\users\marian\AppData\Local\Mozilla
2009-09-03 13:35 . 2009-08-29 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-09-03 13:35 . 2009-08-29 00:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 20:38 . 2009-08-29 20:38 -------- d-----w- c:\users\marian\AppData\Roaming\Princess Isabella
2009-08-29 16:08 . 2009-08-29 16:08 -------- d-----w- c:\program files\bfgclient
2009-08-28 12:10 . 2009-06-22 10:09 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-28 12:09 . 2009-06-15 14:53 270848 ----a-w- c:\windows\system32\schannel.dll
2009-08-28 12:09 . 2009-06-15 14:54 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-08-28 12:09 . 2009-06-15 14:53 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-08-28 12:09 . 2009-06-15 14:52 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-08-28 12:09 . 2009-06-15 23:15 439864 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-08-28 12:09 . 2009-06-15 14:53 72704 ----a-w- c:\windows\system32\secur32.dll
2009-08-28 12:09 . 2009-06-15 12:48 9728 ----a-w- c:\windows\system32\lsass.exe
2009-08-28 12:09 . 2009-06-15 15:23 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2009-08-27 10:37 . 2009-04-11 06:28 1696768 ----a-w- c:\windows\system32\gameux.dll
2009-08-22 17:07 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-09-18 09:04 . 2009-01-18 10:14 -------- d-----w- c:\programdata\WinZip
2009-09-17 14:51 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-09-17 14:51 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-17 14:51 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-09-17 14:51 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-09-17 14:51 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-09-17 14:51 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-09-17 14:51 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-09-17 09:50 . 2008-12-21 17:53 -------- d-----w- c:\program files\Google
2009-09-17 09:24 . 2008-12-21 17:54 77280 ----a-w- c:\users\marian\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-17 09:14 . 2008-04-30 09:38 -------- d-----w- c:\programdata\Microsoft Help
2009-09-17 09:14 . 2008-04-30 09:39 -------- d-----w- c:\program files\Microsoft Works
2009-09-17 09:08 . 2008-12-25 17:17 -------- d-----w- c:\program files\RealArcade
2009-09-01 10:33 . 2009-02-25 14:19 -------- d-----w- c:\programdata\CanonIJPLM
2009-09-01 10:26 . 2009-09-01 10:26 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_0 1005.Wdf
2009-08-31 14:28 . 2009-01-18 10:48 -------- d-----w- c:\program files\PopCap Games
2009-08-31 14:28 . 2008-12-25 17:40 -------- d-----w- c:\programdata\PopCap Games
2009-08-31 14:27 . 2009-01-05 00:18 -------- d-----w- c:\programdata\SpinTop Games
2009-08-27 16:45 . 2009-01-06 11:49 -------- d-----w- c:\program files\Oberon Media
2009-08-22 17:03 . 2009-01-02 20:37 5972 ----a-w- c:\users\marian\AppData\Local\d3d9caps.dat
2009-08-15 15:36 . 2009-08-15 15:36 -------- d-----w- c:\users\marian\AppData\Roaming\Eyeblaster
2009-08-12 13:02 . 2009-01-18 10:28 -------- d-----w- c:\programdata\FLEXnet
2009-07-30 23:16 . 2009-07-30 23:16 983936 ----a-w- c:\users\Public\MyWebTattoo.exe
2009-07-21 21:52 . 2009-07-30 08:52 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-30 08:52 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-30 08:52 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-30 08:52 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 13:54 . 2009-08-13 11:03 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-15 12:40 . 2009-08-13 11:02 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-15 12:39 . 2009-08-13 11:02 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-15 12:39 . 2009-08-13 11:02 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-15 12:39 . 2009-08-13 11:02 7680 ----a-w- c:\windows\system32\spwmp.dll
2007-09-16 06:35 . 2008-12-25 17:20 66408 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2007-09-16 06:35 . 2008-12-25 17:20 54112 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-09-16 06:35 . 2008-12-25 17:20 34688 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2007-09-16 06:35 . 2008-12-25 17:20 46456 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2007-09-16 06:35 . 2008-12-25 17:20 171880 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2008-10-22 22:34 . 2008-10-22 22:32 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\explorer\shelliconoverlayidentifiers\eg isPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-05-15 00:05 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe" [2008-12-21 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1049896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-07 34040]
"CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2008-04-10 167936]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2008-04-18 167936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-16 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-16 170520]
"Persistence"="c:\windows\system32\igfxpers.ex e" [2008-07-16 145944]
"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-06-11 409600]
"Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-04 1848648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"ArcadeDeluxeAgent"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2008-04-10 147456]
"Acer Product Registration"="c:\program files\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]
"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-05-15 526896]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-09-10 809480]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-06-13 6183456]
"Skytel"="Skytel.exe" - c:\windows\SkyTel.exe [2007-11-21 1826816]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2009-1-18 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(b):24,65,0f,2e,a7,37,ca,01
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\FirewallRules]
"{70CC5AC4-BC5B-4279-AD8B-69DC32822290}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{CBFCEE09-B268-40D0-9B98-8253B9881C48}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe:BackupSvc.exe
"{0F388B47-814E-4F3F-82B2-859760D32881}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe:BackupSvc.exe
"{0B538B91-DA99-4709-B4D4-0B6AC6ADA895}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe:AgentSvc.exe
"{782B1532-616A-4555-933B-0D7A609CB435}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe:AgentSvc.exe
"{55E5AC1D-E66C-4A6D-AB6E-40A1926AA6D5}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe:SchedulerSvc.exe
"{5B94FB7E-4F9E-4B8F-BE1F-9FE57EAFC1EE}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe:SchedulerSvc.exe
"{BA5EEAC4-BBD4-4655-BAE8-94F3EE16812F}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{D5A0E150-9516-42DF-B866-BED21BA3EFA0}"= c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe
"{50D7FB1E-66D8-435A-98F7-DFFA0E9B02E7}"= c:\program files\Acer Arcade Deluxe\PlayMovie\PlayMovie.exe:Acer Play Movie
"{1C65A0D9-F940-4663-9FEB-5289907DAE59}"= c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe:Acer Play Movie Resident Program
"{07B34CE5-90CF-46CF-ABCD-20CFC2ECD58A}"= c:\program files\Acer Arcade Deluxe\HomeMedia\HomeMedia.exe:Acer HomeMedia
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl [4/30/2008 2:58 AM 61424]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [3/3/2008 1:11 PM 16384]
R2 CLHNService;CLHNService;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [4/30/2008 2:59 AM 81504]
R2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [4/30/2008 2:56 AM 24576]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/25/2008 8:18 AM 210216]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [4/6/2008 10:42 PM 50424]
R2 NTIPPKernel;NTIPPKernel;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys [4/30/2008 2:59 AM 122368]
R3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\System32\drivers\PTDUBus.sys [12/21/2008 11:07 AM 29824]
R3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\System32\drivers\PTDUMdm.sys [12/21/2008 11:07 AM 41344]
R3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\System32\drivers\PTDUVsp.sys [12/21/2008 11:07 AM 39936]
R3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\System32\drivers\PTDUWWAN.sys [12/21/2008 11:07 AM 59776]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [4/4/2008 3:03 AM 131072]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [1/20/2008 7:23 PM 179712]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - PAVBOOT
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSe tup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-09-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3771441245-2609298450-2583732049-1001.job
- c:\users\Jennifer\AppData\Local\Google\Update\Goog leUpdate.exe [2009-05-07 15:35]
2009-02-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-18 21:32]
2008-04-30 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-18 21:32]
2009-09-19 c:\windows\Tasks\User_Feed_Synchronization-{49BF4DF5-CC6B-49A1-A1C1-3FE10B5CD160}.job
- c:\windows\system32\msfeedssync.exe [2009-07-30 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=1008&m=aspire_ 5735
TCP: {AEE96E37-EDAB-427C-BCC8-66EB51AA8A54} = 66.174.95.44 66.174.92.14
DPF: {4DCA1E08-4147-4A3D-8CA6-E095DF189FAB} - hxxp://www.gamehouse.com/realarcade-webgames/nightshiftlegacythejaguarseye/NightshiftJaguarsEye.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://www.gamehouse.com/realarcade-webgames/realarcade/realarcadegamesplayer.cab
FF - ProfilePath - c:\users\marian\AppData\Roaming\Mozilla\Firefox\Pr ofiles\9c257fjp.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components \qfaservices.dll
FF - component: c:\programdata\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\programdata\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/up...r={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lo...r={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-eRecoveryService - (no file)
AddRemove-HijackThis - e:\malware\Utilities\Trend Micro\HijackThis\HijackThis.exe

************************************************** ************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
************************************************** ************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{ 49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cl ***\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cl ***\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cl ***\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cl ***\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-09-19 17:09
ComboFix-quarantined-files.txt 2009-09-19 00:09
Pre-Run: 48,996,167,680 bytes free
Post-Run: 48,935,821,312 bytes free
289 --- E O F --- 2009-09-18 05:39
Rusty5 is offline   Reply With Quote
Old 09-18-2009   #6
Senior Security Analyst
 
Pancake's Avatar
 
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 6,867
PC Experience: Elite PC Guru
Default Re: can you review these logs; had a virus
Ok.Just this to fix and you are done....

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while
you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open *notepad* and copy/paste the red text in the quotebox below into it:


File::
Folder::
c:\windows\system32\ca-ES
c:\windows\system32\eu-ES
c:\windows\system32\vi-VN
Registry::

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt
Please [b]copy and paste the ComboFix.txt in your next reply please.

*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.Altering this script in any way could
damage your computer*
__________________
  • An Australian Member of
  • and
My real name is Eddy
Pancake is offline   Reply With Quote
Old 09-18-2009   #7
Bronze Member
 
Join Date: Jan 2009
Posts: 8
PC Experience: Some Experience
Thumbs up Re: can you review these logs; had a virus
ComboFix 09-09-17.04 - marian 09/18/2009 20:48.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1976.976 [GMT -7:00]
Running from: c:\users\marian\Desktop\ComboFix.exe
Command switches used :: c:\users\marian\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\ca-ES
c:\windows\system32\ca-ES\msimsg.dll.mui
c:\windows\system32\eu-ES
c:\windows\system32\eu-ES\msimsg.dll.mui
c:\windows\system32\vi-VN
c:\windows\system32\vi-VN\msimsg.dll.mui
.
((((((((((((((((((((((((( Files Created from 2009-08-19 to 2009-09-19 )))))))))))))))))))))))))))))))
.
2009-09-19 03:55 . 2009-09-19 03:55 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-09-19 03:55 . 2009-09-19 03:55 -------- d-----w- c:\users\Jennifer\AppData\Local\temp
2009-09-19 03:55 . 2009-09-19 03:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-19 00:09 . 2009-09-19 03:55 -------- d-----w- c:\users\marian\AppData\Local\temp
2009-09-18 08:54 . 2009-09-18 08:54 -------- d-----w- c:\program files\7-Zip
2009-09-18 00:42 . 2009-09-18 09:05 -------- d-----w- c:\program files\Panda Security
2009-09-17 13:00 . 2009-09-17 13:00 -------- d-----w- c:\windows\system32\EventProviders
2009-09-17 12:58 . 2009-04-11 06:33 986600 ----a-w- c:\windows\system32\winload.exe
2009-09-17 12:57 . 2009-04-11 06:28 99840 ----a-w- c:\windows\system32\ulib.dll
2009-09-17 12:56 . 2009-04-11 04:46 41472 ----a-w- c:\windows\system32\drivers\raspppoe.sys
2009-09-17 09:47 . 2009-09-17 09:47 -------- d-----w- c:\users\marian\AppData\Roaming\Malwarebytes
2009-09-17 09:47 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-17 09:47 . 2009-09-17 09:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-17 09:47 . 2009-09-17 09:47 -------- d-----w- c:\programdata\Malwarebytes
2009-09-17 09:47 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-17 09:46 . 2009-09-17 09:46 -------- d-----w- c:\program files\CCleaner
2009-09-13 08:33 . 2009-09-13 08:33 -------- d-----w- c:\users\marian\AppData\Roaming\Flood Light Games
2009-09-13 08:33 . 2009-09-13 08:33 -------- d-----w- c:\programdata\Flood Light Games
2009-09-09 16:02 . 2009-08-14 16:27 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-09-09 16:02 . 2009-08-14 13:48 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-09-09 16:02 . 2009-08-14 13:48 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-09-09 16:01 . 2009-08-14 13:49 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-09-09 16:01 . 2009-08-14 13:49 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-09-09 16:01 . 2009-08-14 13:49 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-09-09 16:01 . 2009-08-14 13:49 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-09-09 16:01 . 2009-08-14 13:49 10240 ----a-w- c:\windows\system32\finger.exe
2009-09-09 16:01 . 2009-08-14 13:49 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-09-09 16:01 . 2009-08-14 13:49 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-09-09 16:01 . 2009-08-14 15:53 17920 ----a-w- c:\windows\system32\netevent.dll
2009-09-09 15:59 . 2009-07-11 19:01 513536 ----a-w- c:\windows\system32\wlansvc.dll
2009-09-09 15:59 . 2009-07-11 19:01 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-09-09 15:59 . 2009-07-11 19:01 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-09-09 15:59 . 2009-07-11 17:03 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2009-09-09 15:59 . 2009-04-11 06:28 68096 ----a-w- c:\windows\system32\wlanhlp.dll
2009-09-09 15:59 . 2009-07-11 19:01 65024 ----a-w- c:\windows\system32\wlanapi.dll
2009-09-09 15:58 . 2009-06-10 11:41 2868224 ----a-w- c:\windows\system32\mf.dll
2009-09-09 15:58 . 2009-04-11 06:28 98816 ----a-w- c:\windows\system32\mfps.dll
2009-09-09 15:58 . 2009-04-11 06:27 53248 ----a-w- c:\windows\system32\rrinstaller.exe
2009-09-09 15:58 . 2009-04-11 06:27 24576 ----a-w- c:\windows\system32\mfpmp.exe
2009-09-09 15:58 . 2009-04-11 04:54 2048 ----a-w- c:\windows\system32\mferror.dll
2009-09-04 17:04 . 2009-09-04 17:04 -------- d-----w- c:\users\marian\AppData\Roaming\Talkback
2009-09-04 17:04 . 2009-09-04 17:04 -------- d-----w- c:\users\marian\AppData\Local\Mozilla
2009-09-03 13:35 . 2009-08-29 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-09-03 13:35 . 2009-08-29 00:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 20:38 . 2009-08-29 20:38 -------- d-----w- c:\users\marian\AppData\Roaming\Princess Isabella
2009-08-29 16:08 . 2009-08-29 16:08 -------- d-----w- c:\program files\bfgclient
2009-08-28 12:10 . 2009-06-22 10:09 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-28 12:09 . 2009-06-15 14:53 270848 ----a-w- c:\windows\system32\schannel.dll
2009-08-28 12:09 . 2009-06-15 14:54 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-08-28 12:09 . 2009-06-15 14:53 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-08-28 12:09 . 2009-06-15 14:52 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-08-28 12:09 . 2009-06-15 23:15 439864 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-08-28 12:09 . 2009-06-15 14:53 72704 ----a-w- c:\windows\system32\secur32.dll
2009-08-28 12:09 . 2009-06-15 12:48 9728 ----a-w- c:\windows\system32\lsass.exe
2009-08-28 12:09 . 2009-06-15 15:23 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2009-08-27 10:37 . 2009-04-11 06:28 1696768 ----a-w- c:\windows\system32\gameux.dll
2009-08-22 17:07 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-09-18 09:04 . 2009-01-18 10:14 -------- d-----w- c:\programdata\WinZip
2009-09-17 14:51 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-09-17 14:51 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-17 14:51 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-09-17 14:51 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-09-17 14:51 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-09-17 14:51 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-09-17 14:51 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-09-17 09:50 . 2008-12-21 17:53 -------- d-----w- c:\program files\Google
2009-09-17 09:24 . 2008-12-21 17:54 77280 ----a-w- c:\users\marian\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-17 09:14 . 2008-04-30 09:38 -------- d-----w- c:\programdata\Microsoft Help
2009-09-17 09:14 . 2008-04-30 09:39 -------- d-----w- c:\program files\Microsoft Works
2009-09-17 09:08 . 2008-12-25 17:17 -------- d-----w- c:\program files\RealArcade
2009-09-01 10:33 . 2009-02-25 14:19 -------- d-----w- c:\programdata\CanonIJPLM
2009-09-01 10:26 . 2009-09-01 10:26 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_0 1005.Wdf
2009-08-31 14:28 . 2009-01-18 10:48 -------- d-----w- c:\program files\PopCap Games
2009-08-31 14:28 . 2008-12-25 17:40 -------- d-----w- c:\programdata\PopCap Games
2009-08-31 14:27 . 2009-01-05 00:18 -------- d-----w- c:\programdata\SpinTop Games
2009-08-27 16:45 . 2009-01-06 11:49 -------- d-----w- c:\program files\Oberon Media
2009-08-22 17:03 . 2009-01-02 20:37 5972 ----a-w- c:\users\marian\AppData\Local\d3d9caps.dat
2009-08-15 15:36 . 2009-08-15 15:36 -------- d-----w- c:\users\marian\AppData\Roaming\Eyeblaster
2009-08-12 13:02 . 2009-01-18 10:28 -------- d-----w- c:\programdata\FLEXnet
2009-07-30 23:16 . 2009-07-30 23:16 983936 ----a-w- c:\users\Public\MyWebTattoo.exe
2009-07-21 21:52 . 2009-07-30 08:52 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-30 08:52 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-30 08:52 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-30 08:52 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 13:54 . 2009-08-13 11:03 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-15 12:40 . 2009-08-13 11:02 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-15 12:39 . 2009-08-13 11:02 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-15 12:39 . 2009-08-13 11:02 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-15 12:39 . 2009-08-13 11:02 7680 ----a-w- c:\windows\system32\spwmp.dll
2007-09-16 06:35 . 2008-12-25 17:20 66408 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2007-09-16 06:35 . 2008-12-25 17:20 54112 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-09-16 06:35 . 2008-12-25 17:20 34688 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2007-09-16 06:35 . 2008-12-25 17:20 46456 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2007-09-16 06:35 . 2008-12-25 17:20 171880 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2008-10-22 22:34 . 2008-10-22 22:32 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\explorer\shelliconoverlayidentifiers\eg isPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-05-15 00:05 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe" [2008-12-21 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1049896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-07 34040]
"CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2008-04-10 167936]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2008-04-18 167936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-16 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-16 170520]
"Persistence"="c:\windows\system32\igfxpers.ex e" [2008-07-16 145944]
"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-06-11 409600]
"Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-04 1848648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"ArcadeDeluxeAgent"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2008-04-10 147456]
"Acer Product Registration"="c:\program files\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]
"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-05-15 526896]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-09-10 809480]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-06-13 6183456]
"Skytel"="Skytel.exe" - c:\windows\SkyTel.exe [2007-11-21 1826816]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2009-1-18 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(b):24,65,0f,2e,a7,37,ca,01
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\FirewallRules]
"{70CC5AC4-BC5B-4279-AD8B-69DC32822290}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{CBFCEE09-B268-40D0-9B98-8253B9881C48}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe:BackupSvc.exe
"{0F388B47-814E-4F3F-82B2-859760D32881}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe:BackupSvc.exe
"{0B538B91-DA99-4709-B4D4-0B6AC6ADA895}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe:AgentSvc.exe
"{782B1532-616A-4555-933B-0D7A609CB435}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe:AgentSvc.exe
"{55E5AC1D-E66C-4A6D-AB6E-40A1926AA6D5}"= UDP:c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe:SchedulerSvc.exe
"{5B94FB7E-4F9E-4B8F-BE1F-9FE57EAFC1EE}"= TCP:c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe:SchedulerSvc.exe
"{BA5EEAC4-BBD4-4655-BAE8-94F3EE16812F}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{D5A0E150-9516-42DF-B866-BED21BA3EFA0}"= c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe
"{50D7FB1E-66D8-435A-98F7-DFFA0E9B02E7}"= c:\program files\Acer Arcade Deluxe\PlayMovie\PlayMovie.exe:Acer Play Movie
"{1C65A0D9-F940-4663-9FEB-5289907DAE59}"= c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe:Acer Play Movie Resident Program
"{07B34CE5-90CF-46CF-ABCD-20CFC2ECD58A}"= c:\program files\Acer Arcade Deluxe\HomeMedia\HomeMedia.exe:Acer HomeMedia
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl [4/30/2008 2:58 AM 61424]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [3/3/2008 1:11 PM 16384]
R2 CLHNService;CLHNService;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [4/30/2008 2:59 AM 81504]
R2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [4/30/2008 2:56 AM 24576]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/25/2008 8:18 AM 210216]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [4/6/2008 10:42 PM 50424]
R2 NTIPPKernel;NTIPPKernel;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys [4/30/2008 2:59 AM 122368]
R3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\System32\drivers\PTDUBus.sys [12/21/2008 11:07 AM 29824]
R3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\System32\drivers\PTDUMdm.sys [12/21/2008 11:07 AM 41344]
R3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\System32\drivers\PTDUVsp.sys [12/21/2008 11:07 AM 39936]
R3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\System32\drivers\PTDUWWAN.sys [12/21/2008 11:07 AM 59776]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [4/4/2008 3:03 AM 131072]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [1/20/2008 7:23 PM 179712]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - PAVBOOT
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSe tup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-09-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3771441245-2609298450-2583732049-1001.job
- c:\users\Jennifer\AppData\Local\Google\Update\Goog leUpdate.exe [2009-05-07 15:35]
2009-02-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-18 21:32]
2008-04-30 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-18 21:32]
2009-09-19 c:\windows\Tasks\User_Feed_Synchronization-{49BF4DF5-CC6B-49A1-A1C1-3FE10B5CD160}.job
- c:\windows\system32\msfeedssync.exe [2009-07-30 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=1008&m=aspire_ 5735
TCP: {AEE96E37-EDAB-427C-BCC8-66EB51AA8A54} = 66.174.95.44 66.174.92.14
DPF: {4DCA1E08-4147-4A3D-8CA6-E095DF189FAB} - hxxp://www.gamehouse.com/realarcade-webgames/nightshiftlegacythejaguarseye/NightshiftJaguarsEye.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://www.gamehouse.com/realarcade-webgames/realarcade/realarcadegamesplayer.cab
FF - ProfilePath - c:\users\marian\AppData\Roaming\Mozilla\Firefox\Pr ofiles\9c257fjp.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components \qfaservices.dll
FF - component: c:\programdata\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\programdata\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/up...r={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lo...r={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");
.
************************************************** ************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-09-18 20:55
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{ 49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cl ***\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cl ***\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cl ***\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cl ***\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-09-19 20:56
ComboFix-quarantined-files.txt 2009-09-19 03:56
ComboFix2.txt 2009-09-19 00:09
Pre-Run: 48,972,787,712 bytes free
Post-Run: 48,934,899,712 bytes free
277 --- E O F --- 2009-09-18 05:39
Rusty5 is offline   Reply With Quote

Reply
Page 1 of 2 1 2


Bookmarks

Tags
Fixed:, logs, review, virus
Similar discussions...
Thread Thread Starter Forum Replies Last Post
Pending: A few logs to review weeksn [Pending] HJT Logs 13 06-12-2009 06:39 AM
Pending: Logs for review woody258 [Pending] HJT Logs 2 04-02-2009 11:32 PM
Fixed: had malware; can someone review logs? barbaram1954 [Fixed] Hijackthis! Logs 7 01-05-2009 09:39 PM
Review these logs DrD [Fixed] Hijackthis! Logs 16 01-10-2008 01:17 AM
[Resolved] Please review HJT logs elvin815 [Fixed] Hijackthis! Logs 13 05-18-2006 01:02 AM

« Help removing backdoor.tidserv | New member, big problems »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are On


Site Map - Top

All times are GMT. The time now is 06:37 AM.
Powered by vBulletin
Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
SEO by vBSEO 3.3.2