PC Help Forum » Security & Safety » [Pending] HJT Logs - I'm getting popups and adware
09-11-2009   #15
chiaz, Senior Security Analyst (Join Date: Jun 2006; Location: Singapore; Posts: 5,176)
Re: I'm getting popups and adware

I have to go now; I will compose a reply to you later. But you can turn on your anti-virus now!

09-11-2009   #16
chiaz, Senior Security Analyst (Join Date: Jun 2006; Location: Singapore; Posts: 5,176)
Re: I'm getting popups and adware

Run HijackThis again, but this time in Safe Mode.
Instructions to boot to Safe Mode can be found here:
Getting into Windows Safe Mode

Place a tick by the following entry:
O4 - HKCU\..\Run: [?????????] ??????????????e

Close all other windows except HijackThis and press "Fix Checked". Then close HijackThis and restart the computer.

====================

When you get back to Normal Mode,

1. Delete CFScript.txt from your desktop first.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open Notepad and copy/paste the text in the code box below into it:

Code:
Folder::
c:\programdata\nivilivu
c:\programdata\zesamaga
c:\programdata\wilubore
c:\programdata\pugitefi
c:\programdata\kudepoga
c:\programdata\burivuvu
c:\programdata\pufajahe
c:\programdata\gugajere

Save this as CFScript.txt, in the same location as ComboFix.exe, which is on the Desktop.

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt in your next reply, as well as a new HijackThis log.

Note: Do not mouse-click ComboFix's window while it is running; that may cause it to stall. Altering this script in any way could damage your computer.
09-11-2009   #17
antoinejones, Elite Member (Join Date: Dec 2005; Posts: 409)
Re: I'm getting popups and adware

By the way, I'm curious how the new ComboFix files that are in your post above got there? As I look at my previous logs those files weren't there, but now they are, lol. Seems like I get something new after every restart, lol. I guess the next ComboFix log will show more stuff I'll have to CFScript, lol. Oh, and another thing: even with it in Safe Mode, HJT still isn't getting rid of that O4 - HKCU\..\Run: [?????????] ??????????????e file. I'll be posting the logs soon.
09-11-2009   #18
antoinejones, Elite Member (Join Date: Dec 2005; Posts: 409)
Re: I'm getting popups and adware

New logs:

ComboFix 09-09-09.09 - Tony 09/11/2009 13:10.6.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.447.148 [GMT -5:00]
Running from: c:\users\Tony\Desktop\ComboFix.exe
Command switches used :: c:\users\Tony\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton 360 *enabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\programdata\burivuvu
c:\programdata\gugajere
c:\programdata\gugajere\gugajere.dll
c:\programdata\kudepoga
c:\programdata\nivilivu
c:\programdata\pufajahe
c:\programdata\pufajahe\pufajahe.dll
c:\programdata\pugitefi
c:\programdata\wilubore
c:\programdata\zesamaga
.
((((((((((((((((((((((((( Files Created from 2009-08-11 to 2009-09-11 )))))))))))))))))))))))))))))))
.
2009-09-11 18:20 . 2009-09-11 18:20 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-09-11 18:20 . 2009-09-11 18:20 -------- d-----w- c:\users\Music\AppData\Local\temp
2009-09-11 18:20 . 2009-09-11 18:20 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-11 17:55 . 2009-09-11 17:55 -------- d-----w- c:\users\Tony\AppData\Local\Symantec
2009-09-09 16:46 . 2009-06-10 12:07 98816 ----a-w- c:\windows\system32\mfps.dll
2009-09-09 16:46 . 2009-06-10 12:07 2855424 ----a-w- c:\windows\system32\mf.dll
2009-09-09 16:46 . 2009-06-10 10:15 24576 ----a-w- c:\windows\system32\mfpmp.exe
2009-09-09 16:46 . 2009-06-10 10:14 52736 ----a-w- c:\windows\system32\rrinstaller.exe
2009-09-09 16:46 . 2009-06-10 08:50 2048 ----a-w- c:\windows\system32\mferror.dll
2009-09-09 16:45 . 2009-06-15 15:29 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-09-09 16:45 . 2009-06-15 15:25 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 16:45 . 2009-06-15 15:23 1233920 ----a-w- c:\windows\system32\lsasrv.dll
2009-09-09 16:45 . 2009-06-15 15:23 494592 ----a-w- c:\windows\system32\kerberos.dll
2009-09-09 16:45 . 2009-06-15 18:12 408136 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-09-09 16:45 . 2009-06-15 15:28 72704 ----a-w- c:\windows\system32\secur32.dll
2009-09-09 16:45 . 2009-06-15 15:28 272384 ----a-w- c:\windows\system32\schannel.dll
2009-09-09 16:45 . 2009-06-15 13:10 7680 ----a-w- c:\windows\system32\lsass.exe
2009-09-08 00:20 . 2009-09-08 00:20 -------- d-----w- c:\users\Tony\AppData\Roaming\Malwarebytes
2009-09-08 00:19 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 00:19 . 2009-09-08 00:19 -------- d-----w- c:\programdata\Malwarebytes
2009-09-08 00:19 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 00:19 . 2009-09-08 00:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-04 00:22 . 2009-09-04 00:22 -------- d-----w- c:\windows\system32\N360_BACKUP
2009-08-29 12:22 . 2009-08-29 12:22 -------- dc----w- c:\windows\system32\DRVSTORE
2009-08-29 12:22 . 2009-01-15 17:19 23848 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-08-29 12:22 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-08-29 12:22 . 2009-08-29 12:22 -------- d-----w- c:\programdata\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-08-29 12:22 . 2009-08-29 12:22 -------- d-----w- c:\users\Tony\AppData\Local\Downloaded Installations
2009-08-29 12:22 . 2009-08-29 12:21 25136 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2009-08-29 12:22 . 2009-08-29 12:22 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-29 12:22 . 2009-08-29 12:22 -------- d-----w- c:\program files\Symantec
2009-08-29 12:18 . 2009-09-09 03:35 -------- d-----w- c:\windows\system32\drivers\N360
2009-08-29 12:18 . 2009-08-29 12:19 -------- d-----w- c:\program files\Norton 360
2009-08-29 12:11 . 2009-08-29 12:11 -------- d-----w- c:\programdata\PCSettings
2009-08-29 12:07 . 2009-08-29 12:11 -------- d-----w- c:\programdata\Norton
2009-08-29 12:07 . 2009-08-29 12:07 -------- d-----w- c:\programdata\NortonInstaller
2009-08-29 12:07 . 2009-08-29 12:07 -------- d-----w- c:\program files\NortonInstaller
2009-08-29 12:04 . 2009-08-29 12:04 -------- d-----w- c:\programdata\Symantec Temporary Files
2009-08-27 08:03 . 2009-06-22 08:44 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-24 15:45 . 2009-08-24 15:45 -------- d-----w- c:\programdata\NVIDIA
2009-08-24 08:08 . 2009-08-24 08:08 5071872 ----a-w- c:\windows\system32\NlsModels0011.dll
2009-08-23 16:30 . 2009-08-23 16:30 61440 ----a-w- c:\windows\system32\winipsec.dll
2009-08-23 16:30 . 2009-08-23 16:30 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL
2009-08-23 16:30 . 2009-08-23 16:30 28672 ----a-w- c:\windows\system32\FwRemoteSvr.dll
2009-08-23 16:30 . 2009-08-23 16:30 272896 ----a-w- c:\windows\system32\polstore.dll
2009-08-23 16:23 . 2009-08-23 16:23 87040 ----a-w- c:\windows\system32\msoert2.dll
2009-08-23 16:23 . 2009-08-23 16:23 39424 ----a-w- c:\windows\system32\ACCTRES.dll
2009-08-23 16:23 . 2009-08-23 16:23 205824 ----a-w- c:\windows\system32\msoeacct.dll
2009-08-23 16:16 . 2009-08-23 16:16 110080 ----a-w- c:\windows\system32\drivers\mrxdav.sys
2009-08-23 16:16 . 2009-08-23 16:16 194560 ----a-w- c:\windows\system32\WebClnt.dll
2009-08-23 16:09 . 2009-08-23 16:09 2028032 ----a-w- c:\windows\system32\win32k.sys
2009-08-23 16:02 . 2009-08-23 16:02 156160 ----a-w- c:\windows\system32\t2embed.dll
2009-08-23 16:02 . 2009-08-23 16:02 34304 ----a-w- c:\windows\system32\atmlib.dll
2009-08-23 16:02 . 2009-08-23 16:02 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-08-23 16:02 . 2009-08-23 16:02 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-08-23 16:02 . 2009-08-23 16:02 24064 ----a-w- c:\windows\system32\lpk.dll
2009-08-23 16:02 . 2009-08-23 16:02 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-08-23 15:54 . 2009-08-23 15:54 49664 ----a-w- c:\windows\system32\csrsrv.dll
2009-08-23 15:54 . 2009-08-23 15:54 376320 ----a-w- c:\windows\system32\winsrv.dll
2009-08-23 15:41 . 2009-08-23 15:41 376832 ----a-w- c:\windows\system32\winhttp.dll
2009-08-23 15:33 . 2009-08-23 15:33 71680 ----a-w- c:\windows\system32\atl.dll
2009-08-23 15:09 . 2009-08-23 15:09 297472 ----a-w- c:\windows\system32\gdi32.dll
2009-08-23 15:02 . 2009-08-23 15:02 211456 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-08-23 14:55 . 2009-08-23 14:55 500736 ----a-w- c:\windows\system32\msdtcprx.dll
2009-08-23 14:55 . 2009-08-23 14:55 30208 ----a-w- c:\windows\system32\xolehlp.dll
2009-08-23 14:48 . 2009-08-23 14:48 156160 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-23 14:41 . 2009-08-23 14:41 36352 ----a-w- c:\windows\system32\tsgqec.dll
2009-08-23 14:41 . 2009-08-23 14:41 1871872 ----a-w- c:\windows\system32\mstscax.dll
2009-08-23 14:41 . 2009-08-23 14:41 116736 ----a-w- c:\windows\system32\aaclient.dll
2009-08-23 14:33 . 2009-08-23 14:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-23 14:33 . 2009-08-23 14:33 4247552 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-23 14:33 . 2009-08-23 14:33 1687040 ----a-w- c:\windows\system32\gameux.dll
2009-08-23 14:26 . 2009-08-23 14:26 303616 ----a-w- c:\windows\system32\wmpeffects.dll
2009-08-23 14:20 . 2009-08-23 14:20 2048 ----a-w- c:\windows\system32\msxml3r.dll
2009-08-23 14:20 . 2009-08-23 14:20 1194496 ----a-w- c:\windows\system32\msxml3.dll
2009-08-23 14:13 . 2009-08-23 14:13 63488 ----a-w- c:\windows\system32\drivers\mpsdrv.sys
2009-08-23 14:13 . 2009-08-23 14:13 396800 ----a-w- c:\windows\system32\MPSSVC.dll
2009-08-23 14:13 . 2009-08-23 14:13 392192 ----a-w- c:\windows\system32\FirewallAPI.dll
2009-08-23 14:13 . 2009-08-23 14:13 86016 ----a-w- c:\windows\system32\icfupgd.dll
2009-08-23 14:13 . 2009-08-23 14:13 16896 ----a-w- c:\windows\system32\wfapigp.dll
2009-08-23 14:13 . 2009-08-23 14:13 61952 ----a-w- c:\windows\system32\cmifw.dll
2009-08-23 14:13 . 2009-08-23 14:13 23040 ----a-w- c:\windows\system32\drivers\tunnel.sys
2009-08-23 14:13 . 2009-08-23 14:13 178688 ----a-w- c:\windows\system32\iphlpsvc.dll
2009-08-23 14:13 . 2009-08-23 14:13 15360 ----a-w- c:\windows\system32\drivers\TUNMP.SYS
2009-08-23 13:41 . 2009-08-23 13:41 696832 ----a-w- c:\windows\system32\localspl.dll
2009-08-23 13:35 . 2009-08-23 13:35 88576 ----a-w- c:\windows\system32\avifil32.dll
2009-08-23 13:35 . 2009-08-23 13:35 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-08-23 13:35 . 2009-08-23 13:35 65024 ----a-w- c:\windows\system32\avicap32.dll
2009-08-23 13:35 . 2009-08-23 13:35 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-08-23 13:35 . 2009-08-23 13:35 31232 ----a-w- c:\windows\system32\msvidc32.dll
2009-08-23 13:35 . 2009-08-23 13:35 12800 ----a-w- c:\windows\system32\msrle32.dll
2009-08-23 13:29 . 2009-08-23 13:29 104448 ----a-w- c:\windows\system32\DWWIN.EXE
2009-08-23 13:22 . 2009-08-23 13:22 2923520 ----a-w- c:\windows\explorer.exe
2009-08-23 13:03 . 2009-08-23 13:03 24064 ----a-w- c:\windows\system32\netcfg.exe
2009-08-23 12:47 . 2009-08-23 12:47 1585664 ----a-w- c:\windows\system32\setupapi.dll
2009-08-23 12:45 . 2009-08-23 12:45 6656 ----a-w- c:\windows\system32\kbd106n.dll
2009-08-23 12:33 . 2009-08-23 12:33 549888 ----a-w- c:\windows\system32\rpcss.dll
2009-08-23 12:33 . 2009-08-23 12:33 3503584 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-23 12:33 . 2009-08-23 12:33 3469280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-23 12:33 . 2009-08-23 12:33 24576 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-08-23 12:33 . 2009-08-23 12:33 654336 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-08-23 12:33 . 2009-08-23 12:33 247296 ----a-w- c:\windows\system32\wbem\WmiPrvSE.exe
2009-08-23 12:33 . 2009-08-23 12:33 130560 ----a-w- c:\windows\system32\wbem\WmiDcPrv.dll
2009-08-23 12:33 . 2009-08-23 12:33 614912 ----a-w- c:\windows\system32\wbem\fastprox.dll
2009-08-23 12:33 . 2009-08-23 12:33 501760 ----a-w- c:\windows\system32\wbem\WmiPrvSD.dll
2009-08-23 12:33 . 2009-08-23 12:33 97280 ----a-w- c:\windows\system32\iasrecst.dll
2009-08-23 12:33 . 2009-08-23 12:33 53248 ----a-w- c:\windows\system32\iasads.dll
2009-08-23 12:33 . 2009-08-23 12:33 37888 ----a-w- c:\windows\system32\iasdatastore.dll
2009-08-23 12:33 . 2009-08-23 12:33 158720 ----a-w- c:\windows\system32\sdohlp.dll
2009-08-23 12:20 . 2009-08-23 12:20 9728 ----a-w- c:\windows\system32\LAPRXY.DLL
2009-08-23 12:20 . 2009-08-23 12:20 2048 ----a-w- c:\windows\system32\asferror.dll
2009-08-23 12:20 . 2009-08-23 12:20 223232 ----a-w- c:\windows\system32\WMASF.DLL
2009-08-23 12:15 . 2009-08-23 12:15 25600 ----a-w- c:\windows\system32\amxread.dll
2009-08-23 12:15 . 2009-08-23 12:15 14848 ----a-w- c:\windows\system32\apilogen.dll
2009-08-23 12:08 . 2009-08-23 12:08 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-23 12:05 . 2009-08-23 12:05 37376 ----a-w- c:\windows\system32\printcom.dll
2009-08-23 12:05 . 2009-08-23 12:05 441856 ----a-w- c:\windows\system32\win32spl.dll
2009-08-23 12:01 . 2009-08-23 12:01 113664 ----a-w- c:\windows\system32\drivers\rmcast.sys
2009-08-23 12:01 . 2009-08-23 12:01 14848 ----a-w- c:\windows\system32\wshrm.dll
2009-08-23 11:59 . 2009-08-23 11:59 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2009-08-23 11:59 . 2009-08-23 11:59 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-08-23 11:59 . 2009-08-23 11:59 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-08-23 11:59 . 2009-08-23 11:59 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-08-23 11:57 . 2009-08-23 11:57 11776 ----a-w- c:\windows\system32\sbunattend.exe
2009-08-23 11:48 . 2009-08-23 11:48 290304 ----a-w- c:\windows\system32\drivers\srv.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-05 14:40 . 2009-08-12 11:42 -------- d-----w- c:\programdata\diyidubo
2009-09-05 14:40 . 2009-08-11 23:42 -------- d-----w- c:\programdata\difimayu
2009-09-05 14:40 . 2009-08-11 23:42 -------- d-----w- c:\programdata\ropizave
2009-09-05 14:40 . 2009-08-12 11:42 -------- d-----w- c:\programdata\tagesipi
2009-08-29 13:11 . 2006-12-26 12:55 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-29 12:22 . 2009-08-29 12:22 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-29 12:22 . 2009-08-29 12:22 7386 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-29 12:18 . 2006-12-26 12:55 -------- d-----w- c:\programdata\Symantec
2009-08-24 08:08 . 2009-08-24 08:08 3102720 ----a-w- c:\windows\system32\NlsData0045.dll
2009-08-23 16:53 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-23 16:52 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Sidebar
2009-08-23 12:45 . 2009-08-23 12:45 260096 ----a-w- c:\windows\system32\dpx.dll
2009-08-23 12:09 . 2009-08-23 12:09 72704 ----a-w- c:\windows\system32\admparse.dll
2009-08-23 12:09 . 2009-08-23 12:09 827392 ----a-w- c:\windows\system32\wininet.dll
2009-08-23 12:08 . 2009-08-23 12:08 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-08-23 12:08 . 2009-08-23 12:08 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-23 12:08 . 2009-08-23 12:08 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-08-14 17:16 . 2009-09-09 16:47 213592 ----a-w- c:\windows\system32\drivers\netio.sys
2009-08-14 16:42 . 2009-09-09 16:47 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
2009-08-14 16:40 . 2009-09-09 16:47 103936 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:40 . 2009-09-09 16:47 15360 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:25 . 2009-09-09 16:47 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:25 . 2009-09-09 16:47 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:25 . 2009-09-09 16:47 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:25 . 2009-09-09 16:47 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:25 . 2009-09-09 16:47 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:25 . 2009-09-09 16:47 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:25 . 2009-09-09 16:47 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 14:24 . 2009-09-09 16:47 813568 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 14:23 . 2009-09-09 16:47 22016 ----a-w- c:\windows\system32\netiougc.exe
2009-08-09 02:29 . 2009-08-08 11:37 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-08-09 02:26 . 2009-08-08 11:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-11 19:32 . 2009-09-09 16:47 502272 ----a-w- c:\windows\system32\wlansvc.dll
2009-07-11 19:32 . 2009-09-09 16:47 297984 ----a-w- c:\windows\system32\wlansec.dll
2009-07-11 19:32 . 2009-09-09 16:47 290816 ----a-w- c:\windows\system32\wlanmsm.dll
2009-07-11 19:32 . 2009-09-09 16:47 67584 ----a-w- c:\windows\system32\wlanhlp.dll
2009-07-11 19:32 . 2009-09-09 16:47 47104 ----a-w- c:\windows\system32\wlanapi.dll
2009-07-11 19:26 . 2009-09-09 16:47 123904 ----a-w- c:\windows\system32\L2SecHC.dll
.
((((((((((((((((((((((((((((( SnapShot_2009-09-10_18.11.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-12-26 13:04 . 2009-09-11 18:04 42784 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:02 . 2009-09-11 17:44 60952 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-07-02 02:06 . 2009-09-11 11:49 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-07-02 02:06 . 2009-09-10 12:19 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-07-02 02:06 . 2009-09-11 11:49 98304 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-07-02 02:06 . 2009-09-10 12:19 98304 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-07-02 02:06 . 2009-09-11 11:49 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-07-02 02:06 . 2009-09-10 12:19 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2007-07-02 02:35 . 2009-09-11 17:44 8486 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-857884917-759742797-3485681705-1000_UserData.bin
+ 2006-11-02 10:33 . 2009-09-11 18:07 626738 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-09-10 16:56 626738 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-09-11 18:07 107508 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-09-10 16:56 107508 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"????r"="" [?]
"?????????"="??????????????e" [?]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 700416]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2006-11-02 2159104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-02 1004136]
"Acer Empowering Technology Monitor"="c:\windows\system32\SysMonitor.exe" [2006-11-23 319488]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2006-12-13 3166208]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2006-12-04 1261568]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-11-17 453120]
"PCMService"="c:\acer\Empowering Technology\eMode\PCM\PCMService.exe" [2006-11-25 151552]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-20 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-20 92704]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2006-11-09 3784704]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2006-12-26 528384]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{294C820B-769C-45F8-9085-23141B98D6A3}"= UDP:c:\acer\Empowering Technology\eMode\PCM\PCMService.exe:CyberLink PowerCinema Resident Program
"{D7E57710-B00B-42E3-BAB9-FF15A039A970}"= TCP:c:\acer\Empowering Technology\eMode\PCM\PCMService.exe:CyberLink PowerCinema Resident Program
"{61A20DFF-D7ED-4B5D-A92B-3667356E14C9}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{97702059-5105-4897-8112-B6C99225E271}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0300000.086\SYMEFA.SYS [2009-08-29 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0300000.086\BHDrvx86.sys [2009-08-29 258608]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0300000.086\ccHPx86.sys [2009-08-29 482352]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20090910.003\IDSvix86.sys [2009-07-11 293424]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe [2009-08-29 115560]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-28 102448]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\N360\0300000.086\SYMNDISV.SYS [2009-08-29 39984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en.us.acer.yahoo.com
uLocal Page = \blank.htm
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*Yahoo!
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-11 13:20
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.0.0.134\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2009-09-11 13:24
ComboFix-quarantined-files.txt 2009-09-11 18:23
ComboFix2.txt 2009-09-10 18:15
ComboFix3.txt 2009-09-09 16:26
ComboFix4.txt 2009-09-09 04:21
ComboFix5.txt 2009-09-11 18:09
Pre-Run: 57,289,830,400 bytes free
Post-Run: 57,259,503,616 bytes free
308 --- E O F --- 2009-09-10 08:01
--------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:31:02 PM, on 9/11/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16890)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\eMode\PCM\PCMService.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe
C:\Users\Tony\Desktop\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo!
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.0.0.134\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.0.0.134\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.134\coIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Windows\system32\SysMonitor.exe
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [PCMService] "C:\Acer\Empowering Technology\eMode\PCM\PCMService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [?????????] ??????????????e
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Get 2 FREE Audiobooks.lnk = C:\Users\Tony\AppData\Local\Temp\HelpInstaller_StartUp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.0.0.134\coIEPlg.dll
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Acer\Empowering Technology\eMode\PCM\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Acer\Empowering Technology\eMode\PCM\Kernel\TV\CLSched.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
--
End of file - 6448 bytes
antoinejones is offline   Reply With Quote
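The O4 entries above are the ones an analyst reads first, and the two that stand out in this log are the Run entry whose name and command HijackThis could not render (shown as question marks) and the Startup shortcut that points into a Temp folder. The following Python script is an added illustration, not a tool from this forum or from HijackThis, of how such O4 lines can be parsed and triaged automatically. The sample log is constructed from the entries above, and the three heuristics (unreadable name or command, executable under a Temp directory, unresolved shortcut target) are assumptions about what merits a closer look, not a verdict on any entry.

```python
import re

# Constructed sample, modelled on the O4 entries in the HijackThis log above.
SAMPLE_LOG = """\
O4 - HKCU\\..\\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\\..\\Run: [?????????] ??????????????e
O4 - HKCU\\..\\Run: [SpybotSD TeaTimer] C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe
O4 - Startup: Get 2 FREE Audiobooks.lnk = C:\\Users\\Tony\\AppData\\Local\\Temp\\HelpInstaller_StartUp.exe
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\\Program Files\\Norton 360\\Engine\\3.0.0.134\\ccSvcHst.exe
"""

# Registry autostart form:  O4 - HKCU\..\Run: [Name] command
RUN_KEY = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
# Startup-folder form:      O4 - Startup: Name.lnk = target
STARTUP = re.compile(
    r'^O4 - (?P<where>Global Startup|Startup): (?P<name>.*?) = (?P<cmd>.*)$'
)


def parse_o4(line):
    """Return a dict with source/name/cmd for an O4 line, or None for other lines."""
    line = line.strip()
    m = RUN_KEY.match(line)
    if m:
        return {"source": f"{m['hive']}\\{m['key']}", "name": m["name"], "cmd": m["cmd"]}
    m = STARTUP.match(line)
    if m:
        return {"source": m["where"], "name": m["name"], "cmd": m["cmd"]}
    return None


def mostly_unrenderable(text):
    """HijackThis prints '?' for characters it cannot display; treat a field that is
    at least half question marks as unreadable (heuristic threshold, an assumption)."""
    return bool(text) and text.count("?") / len(text) >= 0.5


def reasons_for(entry):
    """List the triage reasons that apply to one parsed O4 entry (empty list = nothing noted)."""
    reasons = []
    cmd = entry["cmd"].strip()
    if cmd == "?":
        reasons.append("shortcut target could not be resolved by HijackThis")
    elif mostly_unrenderable(entry["name"]) or mostly_unrenderable(cmd):
        reasons.append("entry name or command is unreadable (random/non-displayable characters)")
    # Legitimate software rarely autostarts from a Temp directory.
    if re.search(r"\\temp\\", cmd, re.IGNORECASE):
        reasons.append("autostart executable lives in a Temp folder")
    return reasons


def triage(log_text):
    """Return [(entry, reasons)] for every O4 line that triggers at least one heuristic."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = reasons_for(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(f"[{entry['source']}] {entry['name']!r} -> {entry['cmd']!r}")
        for r in reasons:
            print(f"    - {r}")
```

Run against the constructed sample, the script flags the question-mark Run entry, the Temp-folder Startup shortcut and the unresolved Global Startup shortcut, and leaves the Welcome Center, TeaTimer and O23 service lines alone. The heuristics are deliberately narrow; they are a first pass to direct attention, not a replacement for the analyst's review of each entry.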
Old 09-12-2009   #19
chiaz (Senior Security Analyst)
Re: Im getting popups and adware

Please download JavaRa to your desktop and unzip it to its own folder.
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

=========================

Now download Dr. Web to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
PC Hell: How to Start Windows in Safe Mode

Double-click the drweb-cureit.exe file. It will then suggest running an express scan -- allow this.
After this (Dr.Web writes "Select object for Scanning" at the bottom-left), click Options->Change settings.
Choose the "Scan" tab and remove the mark at "Heuristic analysis".
Choose the "Actions" tab and choose "Rename" under all the malware issues.
Back at the main window, you should now mark the drives that you want to scan (a red dot shows which drives have been chosen).

Click the green arrow at the right, and the scan will start. The first time Dr.Web finds something, click "Yes to All", and it will then automatically fix what is found.
After the scan, close Dr.Web. Click Start->Search, find the following file: CureIt.log, and copy the last lines of this log into the thread (starting with: Scan statistics).
chiaz is offline   Reply With Quote
Old 09-12-2009   #20
antoinejones (Elite Member)
Re: Im getting popups and adware

Dr.Web actually says "you can perform an express scan but a full scan is recommended". But I'll do the express scan anyway; I can always go back and do a full scan if needed.
antoinejones is offline   Reply With Quote
Old 09-12-2009   #21
antoinejones (Elite Member)
Re: Im getting popups and adware

Also, express scan is already highlighted:


After this (Dr.Web writes "Select object for Scanning" at the bottom-left), click Options->Change settings.
Choose the "Scan" tab and remove the mark at "Heuristic analysis".
Choose the "Actions" tab and choose "Rename" under all the malware issues.
Back at the main window, you should now mark the drives that you want to scan (a red dot shows which drives have been chosen).


and it doesn't give me any of those options when I click express scan. The only thing it shows is what express scan scans; it doesn't allow me to check the box for my C: drive, "Select object for Scanning" never shows up, and neither do any options or tabs for me to check the other things. So I just clicked on the scan icon, and after a few seconds it said "Dr.Web has detected a problem and needs to shut down (or restart) Windows to prevent damage to your computer", so it restarted it.
antoinejones is offline   Reply With Quote