Check on Hijack Log Please

Comments

  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Did you UNINSTALL Bitdefender?

    Open notepad and copy/paste the text in RED below

    File::

    c:\users\Russell Kirk\AppData\Roaming\wklnhst.dat
    c:\users\All Users\ezsidmv.dat
    c:\programdata\ezsidmv.dat


    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    (screenshot: CFScriptB-4.gif)

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    ComboFix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.


    Then run a COMPLETE scan with KASPERSKY ONLINE SCAN
    ~ Needs to be run using internet explorer. Post the COMPLETE log it produces
    (I'm expecting it to find shed loads of nasties)
    :idea:
  • macman
    macman Posts: 53,129 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    edited 9 April 2009 at 2:35PM
    Thanks RIK, got him working on that now. At present he still can't get online as it has killed his internet connection, but I've told him to do the Combofix bit first and then report back.
    Apparently the program he thinks that is still problematic is 'Acer enet Management' which handles the internet connection. No idea whether that is a required program or not.
    No free lunch, and no free laptop ;)
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    If he can't for some reason, then run a FULL scan with Malwarebytes
    :idea:
  • macman
    macman Posts: 53,129 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    edited 9 April 2009 at 5:21PM
    Here are the new ComboFix and HJT logs, plus his comments, if of assistance. No internet connection yet, see note at end.
    I'm getting him to run MBAM again now.
    PS: there appear to be traces of BitDefender remaining, although he says he has removed it.

    I can't create a restore point through the system properties box, but ComboFix creates one each time I run it. While running ComboFix a box comes up saying "execute processes remotely has stopped working", thought I'd mention it. A few of the problems have gone away, I no longer get some error messages when I log in, but quite a bit is still not working. Here's the next ComboFix log:

    ComboFix 09-04-04.01 - Russell Kirk 2009-04-09 17:13:36.2 - NTFSx86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2038.1045 [GMT 1:00]
    Running from: c:\users\Russell Kirk\Desktop\ComboFix.exe
    Command switches used :: c:\users\Russell Kirk\Documents\CFScript.txt
    AV: BitDefender Antivirus *On-access scanning enabled* (Outdated)
    * Created a new restore point

    FILE ::
    c:\programdata\ezsidmv.dat
    c:\users\All Users\ezsidmv.dat
    c:\users\Russell Kirk\AppData\Roaming\wklnhst.dat
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\programdata\ezsidmv.dat
    c:\users\Russell Kirk\AppData\Roaming\wklnhst.dat

    .
    ((((((((((((((((((((((((( Files Created from 2009-03-09 to 2009-04-09 )))))))))))))))))))))))))))))))
    .

    2009-04-09 13:02 . 2009-04-09 13:02 <DIR> d c:\program files\Malwarebytes' Anti-Malware
    2009-04-09 13:02 . 2009-04-06 15:32 38,496 --a c:\windows\System32\drivers\mbamswissarmy.sys
    2009-04-09 13:02 . 2009-04-06 15:32 15,504 --a c:\windows\System32\drivers\mbam.sys
    2009-04-08 19:48 . 2009-04-08 19:48 <DIR> d c:\program files\Trend Micro
    2009-04-08 17:28 . 2009-04-08 17:28 0 --a c:\windows\System32\commonpriv.log.lock
    2009-04-08 17:26 . 2009-04-08 17:26 23,832 --a c:\windows\System32\drivers\avgfwd6x.sys
    2009-04-08 14:12 . 2009-04-09 16:40 <DIR> d c:\users\All Users\Spybot - Search & Destroy
    2009-04-08 14:12 . 2009-04-09 16:40 <DIR> d c:\programdata\Spybot - Search & Destroy
    2009-04-08 14:12 . 2009-04-09 16:39 <DIR> d c:\program files\Spybot - Search & Destroy
    2009-04-07 19:20 . 2009-04-07 19:20 <DIR> d c:\users\Russell Kirk\AppData\Roaming\Malwarebytes
    2009-04-07 19:20 . 2009-04-07 19:20 <DIR> d c:\users\All Users\Malwarebytes
    2009-04-07 19:20 . 2009-04-07 19:20 <DIR> d c:\programdata\Malwarebytes
    2009-04-06 20:06 . 2009-02-13 11:31 55,640 --a c:\windows\System32\drivers\avgntflt.sys
    2009-03-29 11:24 . 2009-03-29 11:24 0 --ah c:\windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
    2009-03-27 20:34 . 2009-03-27 20:34 <DIR> d c:\users\Russell Kirk\Program Files
    2009-03-27 15:11 . 2009-04-09 11:09 <DIR> d c:\users\Russell Kirk\AppData\Roaming\DNA
    2009-03-27 15:11 . 2009-03-27 15:11 <DIR> d c:\program files\DNA
    2009-03-11 17:36 . 2009-03-11 17:36 286,944,121 --a c:\windows\MEMORY.DMP
    2009-03-11 17:19 . 2009-02-09 04:10 2,033,152 --a c:\windows\System32\win32k.sys
    2009-03-11 15:27 . 2008-12-16 04:29 8,147,456 --a c:\windows\System32\wmploc.DLL
    2009-03-11 15:27 . 2008-11-27 05:43 268,288 --a c:\windows\System32\schannel.dll
    2009-03-11 15:27 . 2008-12-16 06:31 7,680 --a c:\windows\System32\spwmp.dll
    2009-03-11 15:27 . 2008-12-16 06:31 4,096 --a c:\windows\System32\msdxm.ocx
    2009-03-11 15:27 . 2008-12-16 06:31 4,096 --a c:\windows\System32\dxmasf.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-09 11:58 d w c:\programdata\avg8
    2009-04-09 10:17 d w c:\program files\Common Files\BitDefender
    2009-04-07 12:23 d w c:\users\Russell Kirk\AppData\Roaming\skypePM
    2009-04-06 03:03 d w c:\users\Russell Kirk\AppData\Roaming\Skype
    2009-04-05 22:38 81,984 ----a-w c:\windows\System32\bdod.bin
    2009-03-29 18:42 d w c:\users\Russell Kirk\AppData\Roaming\LimeWire
    2009-02-24 14:19 d w c:\programdata\Microsoft Help
    2009-02-20 00:05 d w c:\program files\Google
    2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
    2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
    2008-10-06 17:05 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    2008-10-06 17:05 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    2008-10-06 17:05 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-04-09_13.35.55.35 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2009-04-09 12:35:38 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
    + 2009-04-09 16:10:03 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
    - 2009-04-09 12:10:26 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
    + 2009-04-09 16:10:08 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
    + 2009-04-09 16:10:08 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.L!!!
    - 2009-04-09 12:14:36 105,852 ----a-w c:\windows\System32\perfc009.dat
    + 2009-04-09 16:13:59 105,852 ----a-w c:\windows\System32\perfc009.dat
    - 2009-04-09 12:14:36 600,378 ----a-w c:\windows\System32\perfh009.dat
    + 2009-04-09 16:13:59 600,378 ----a-w c:\windows\System32\perfh009.dat
    - 2009-04-09 12:10:29 12,780 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2425303480-3797535062-2661754929-1000_UserData.bin
    + 2009-04-09 16:10:08 12,780 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2425303480-3797535062-2661754929-1000_UserData.bin
    - 2009-04-09 12:10:28 82,320 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2009-04-09 16:10:08 82,328 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    - 2009-04-09 12:10:27 63,534 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-04-09 16:10:07 63,542 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    - 2009-04-08 18:21:55 235,122 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
    + 2009-04-09 15:36:30 239,152 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
    @="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
    [HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
    2008-01-03 10:00 39472 --a c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-20 39408]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvSvc"="c:\windows\system32\nvsvc.dll" [2008-03-11 92704]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-11 8534560]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-03-11 88608]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2008-01-24 102400]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
    "eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-02-25 518656]
    "eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-10-10 1286144]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-11-22 178712]
    "LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-01-02 707080]
    "PlayMovie"="c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2008-01-22 200704]
    "PLFSet"="c:\windows\PLFSet.dll" [2007-04-25 45056]
    "WarReg_PopUp"="c:\program files\Acer\WR_PopUp\WarReg_PopUp.exe" [2008-01-29 303104]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-01-24 c:\windows\RtHDVCpl.exe]

    c:\users\Russell Kirk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-11-08 376832]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2008-03-13 535336]
    SETAUDIO.EXE [2008-04-04 20480]
    SETRES.EXE [2008-04-04 20480]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{72123FFE-BB08-48F2-B7AF-257B2DDBCA8D}"= c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe
    "{33A26CA1-D20E-48B1-8009-39DBF7D59ADC}"= c:\program files\Acer Arcade Deluxe\VideoMagician\VideoMagician.exe:VideoMagician
    "{419F4AE7-FEA0-457C-A110-0CCF57166A2E}"= c:\program files\Acer Arcade Deluxe\HomeMedia\HomeMedia.exe:HomeMedia
    "{51AE317D-CA38-483D-AC9E-4BDDE83DDAF8}"= c:\program files\Acer Arcade Deluxe\DV Wizard\DV Wizard.exe:DV Wizard
    "{E47BB8AF-CC1C-43AE-A5FF-1F405554A95E}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{B948D066-090D-4853-B422-CA46B337C418}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{4DA41CE6-C4CE-4E04-81AF-E89CA060233B}"= c:\program files\Acer Arcade Deluxe\DVDivine\DVDivine.exe:DVDivine
    "{E18B17A2-2D1A-47ED-B80C-52A04B2DBCFC}"= c:\program files\Acer Arcade Deluxe\Play Movie\PlayMovie.exe:Play Movie
    "{F3035340-19A5-4F29-A094-DA6B05DD58E4}"= c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe:Play Movie Resident Program
    "{7C0F8F2D-276D-4781-8301-48534F54A713}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
    "{2082FBC3-895C-4138-B054-1B70DAC70A18}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
    "{69752926-9D17-45F3-A44F-DFB4B689B900}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
    "{346C0A9A-BC49-43AF-933E-CC6109F5A26E}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
    "{C9359863-FBC0-497E-B50B-8298B44B0CF5}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{8B1DB6AD-270A-471C-B1DE-311242E644D3}"= c:\program files\Skype\Phone\Skype.exe:Skype
    "TCP Query User{23284BD6-24AD-450D-8B79-3125F4725B98}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
    "UDP Query User{113E3BDC-7141-4194-917F-870324E54FDA}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
    "TCP Query User{C8B949EE-AC28-460D-AD89-E69D009348F9}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
    "UDP Query User{61D83EF3-9675-43DE-82BE-7EC0605E480A}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
    "TCP Query User{DF6EC7C6-D716-47E0-A7F1-35BB69A72937}c:\\program files\\microsoft games\\halo trial\\halo.exe"= UDP:c:\program files\microsoft games\halo trial\halo.exe:Halo
    "UDP Query User{C5800D63-FF38-4124-BCCD-905890241B77}c:\\program files\\microsoft games\\halo trial\\halo.exe"= TCP:c:\program files\microsoft games\halo trial\halo.exe:Halo
    "TCP Query User{564C0EB8-AAEF-4805-9AB0-84A15D48B8C4}c:\\program files\\microsoft games\\halo trial\\halo.exe"= UDP:c:\program files\microsoft games\halo trial\halo.exe:Halo
    "UDP Query User{9E51D6AB-A369-4D73-BDEA-F918DFBD09CC}c:\\program files\\microsoft games\\halo trial\\halo.exe"= TCP:c:\program files\microsoft games\halo trial\halo.exe:Halo
    "{94AFF9B8-C9E0-4F9A-A2A2-0B3960BFFF94}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
    "{2F9C4504-05CA-4DC5-9784-FB166B56CFF2}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
    "TCP Query User{8A7EE298-83ED-405E-BF6A-3A1D4D8AB714}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
    "UDP Query User{BF9724D3-C404-497B-97F9-2CBF7A22C3AC}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
    "TCP Query User{53DD62CE-7DFD-4AED-8DCC-1092541CF10D}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
    "UDP Query User{0F24F718-A861-4B15-A762-6BA662BFC1CE}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
    "TCP Query User{8028FE34-BD5D-4419-B64E-72A9AADD3DC4}c:\\program files\\thq\\dawn of war\\w40k.exe"= UDP:c:\program files\thq\dawn of war\w40k.exe:W40K
    "UDP Query User{F4059CEB-8401-4832-B19C-B69A4D5CDD80}c:\\program files\\thq\\dawn of war\\w40k.exe"= TCP:c:\program files\thq\dawn of war\w40k.exe:W40K
    "TCP Query User{7730648D-AA48-4E1F-8724-B1ED2BC7B00E}c:\\program files\\thq\\dawn of war\\w40k.exe"= UDP:c:\program files\thq\dawn of war\w40k.exe:W40K
    "UDP Query User{935A9073-6693-4E72-8230-ECCD4D4DFADB}c:\\program files\\thq\\dawn of war\\w40k.exe"= TCP:c:\program files\thq\dawn of war\w40k.exe:W40K
    "TCP Query User{DC104820-DA8C-4C77-8F35-36C7BAE3E7B2}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
    "UDP Query User{4D19C6BE-6C7B-4E4D-B9C2-58B980A60B22}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
    "TCP Query User{E84075E4-A5B0-4108-8196-6B49ABA1E00C}c:\\program files\\bitcomet\\bitcomet.exe"= UDP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
    "UDP Query User{1A02F889-8E93-44E7-809D-464C846C62C2}c:\\program files\\bitcomet\\bitcomet.exe"= TCP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
    "TCP Query User{CDB8F33A-D9FA-47CE-B10E-D2C0D5FAFAE7}c:\\program files\\thq\\dawn of war - dark crusade\\darkcrusade.exe"= UDP:c:\program files\thq\dawn of war - dark crusade\darkcrusade.exe:DarkCrusade
    "UDP Query User{21C1CF67-024E-4856-AEDB-04AEF60048C1}c:\\program files\\thq\\dawn of war - dark crusade\\darkcrusade.exe"= TCP:c:\program files\thq\dawn of war - dark crusade\darkcrusade.exe:DarkCrusade
    "TCP Query User{099CBC28-0FB1-4329-B108-BDE091D2A784}c:\\program files\\bullfrog\\dungeon keeper 2\\dkii.exe"= UDP:c:\program files\bullfrog\dungeon keeper 2\dkii.exe:DKII
    "UDP Query User{559AECDD-F940-44D3-9B7F-6763C9928FE8}c:\\program files\\bullfrog\\dungeon keeper 2\\dkii.exe"= TCP:c:\program files\bullfrog\dungeon keeper 2\dkii.exe:DKII
    "{D6A9597F-57FA-4E50-A652-C428C5AC11B5}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
    "{2FB1DD2C-C391-4D55-AE45-3502B34903DF}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
    "TCP Query User{4E6252A8-484D-4C70-B226-B66CD07DC8D4}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
    "UDP Query User{3FDBD09E-EAF8-420B-8A96-747DD3FD056E}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
    "TCP Query User{70494B3E-C129-4CCC-830C-34523A2FD1E2}c:\\users\\russell kirk\\program files\\dna\\btdna.exe"= UDP:c:\users\russell kirk\program files\dna\btdna.exe:btdna.exe
    "UDP Query User{7767A7E1-03D5-4621-B5F2-8C6EF0856194}c:\\users\\russell kirk\\program files\\dna\\btdna.exe"= TCP:c:\users\russell kirk\program files\dna\btdna.exe:btdna.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
    "c:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\eDSfsu.exe"= c:\acer\Empowering Technology\eDataSecurity\x86\eDSfsu.exe:*:Enabled:eDSfsu
    "c:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\encryption.exe"= c:\acer\Empowering Technology\eDataSecurity\x86\encryption.exe:*:Enabled:encryption
    "c:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\decryption.exe"= c:\acer\Empowering Technology\eDataSecurity\x86\decryption.exe:*:Enabled:decryption
    "c:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\eDSMgr.exe"= c:\acer\Empowering Technology\eDataSecurity\x86\eDSMgr.exe:*:Enabled:eDSMgr
    "c:\\Acer\\Empowering Technology\\eDataSecurity\\x86\\eDStbmngr.exe"= c:\acer\Empowering Technology\eDataSecurity\x86\eDStbmngr.exe:*:Enabled:eDStbmngr
    "c:\\Acer\\Empowering Technology\\eDataSecurity\\x64\\eDSfsu.exe"= c:\acer\Empowering Technology\eDataSecurity\x64\eDSfsu.exe:*:Enabled:eDSfsu
    "c:\\Acer\\Empowering Technology\\eDataSecurity\\x64\\encryption.exe"= c:\acer\Empowering Technology\eDataSecurity\x64\encryption.exe:*:Enabled:encryption
    "c:\\Acer\\Empowering Technology\\eDataSecurity\\x64\\decryption.exe"= c:\acer\Empowering Technology\eDataSecurity\x64\decryption.exe:*:Enabled:decryption
    "c:\\Acer\\Empowering Technology\\eDataSecurity\\x64\\eDSMgr.exe"= c:\acer\Empowering Technology\eDataSecurity\x64\eDSMgr.exe:*:Enabled:eDSMgr
    "c:\\Acer\\Empowering Technology\\eDataSecurity\\x64\\eDStbmngr.exe"= c:\acer\Empowering Technology\eDataSecurity\x64\eDStbmngr.exe:*:Enabled:eDStbmngr
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

    R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [2008-05-27 01:14:28 41456]
    R2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [2008-03-13 51200]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-04-08 1153368]
    R3 winbondcir;Winbond IR Transceiver;c:\windows\System32\drivers\winbondcir.sys [2008-03-13 43008]
    S1 Avgfwfd;AVG network filter service;c:\windows\System32\drivers\avgfwd6x.sys [2009-04-08 23832]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [2008-03-13 179712]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.co.uk/
    mStart Page = hxxp://en.uk.acer.yahoo.com
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\Russell Kirk\AppData\Roaming\Mozilla\Firefox\Profiles\5gj1gyrb.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
    FF - plugin: c:\users\Russell Kirk\Program Files\DNA\plugins\npbtdna.dll
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-09 17:15:25
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2009-04-09 17:17:50
    ComboFix-quarantined-files.txt 2009-04-09 16:17:48
    ComboFix2.txt 2009-04-09 12:37:58

    Pre-Run: 58,237,210,624 bytes free
    Post-Run: 57,884,602,368 bytes free

    221 --- E O F --- 2009-03-14 03:04:02
    No free lunch, and no free laptop ;)
  • macman
    macman Posts: 53,129 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    Here's the Hijack this log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:28, on 2009-04-09
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18000)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
    C:\Acer\Empowering Technology\eAudio\eAudio.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Launch Manager\QtZgAcer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\system32\igfxext.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
    C:\Windows\Explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
    O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
    O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
    O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"
    O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
    O4 - HKLM\..\Run: [WarReg_PopUp] C:\Program Files\Acer\WR_PopUp\WarReg_PopUp.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    O4 - Global Startup: Empowering Technology Launcher.lnk = ?
    O4 - Global Startup: SETAUDIO.EXE
    O4 - Global Startup: SETRES.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
    O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
    O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
    O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
    O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 8944 bytes

    I tried to get the internet up and running, but it can't detect connectivity and "the dependency group failed to start". I tried both wireless and wired, neither was successful. So I can't do the Kaspersky online scan.
    No free lunch, and no free laptop ;)
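    A small triage script for the O23 service lines in the HijackThis log above, added here as an example and not something anyone posted in the thread. It parses each O23 line into display name, short name, owner and path (splitting on " - " at most three times so a path such as the Spybot one, which itself contains " - ", survives intact) and flags entries where HijackThis recorded "Unknown owner" or where the binary sits in a user-writable folder. Both flagging rules are my own assumptions rather than anything HijackThis does, the service name is assumed not to contain " - ", and the final "Update Helper" line in the sample is constructed to show both checks firing; the other sample lines are copied from the log above.

```python
"""Triage helper for the O23 (service) lines of a HijackThis log (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Folder fragments a service binary should not normally live in.
# Assumption for this example; tune to the machine being examined.
USER_WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# "Display Name (ShortName)" -> two groups; entries without a short name don't match.
NAME_RE = re.compile(r"^(?P<display>.*?)\s*\((?P<short>[^()\s]+)\)$")

# Sample input: O23 lines copied from the log above plus one constructed entry.
SAMPLE_LOG = "\n".join([
    r"O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll",
    r"O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe",
    r"O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe",
    r"O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe",
    r"O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe",
    r"O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe",
    # Constructed entry, not from the thread: exercises both checks at once.
    r"O23 - Service: Update Helper (updhelper) - Unknown owner - C:\Users\Public\AppData\updhelper.exe",
])


@dataclass
class ServiceEntry:
    display_name: str
    short_name: str
    owner: str
    path: str

    def flags(self) -> List[str]:
        """Return the reasons (if any) this service deserves a closer look."""
        reasons = []
        if self.owner.lower() == "unknown owner":
            reasons.append("no vendor recorded for the binary")
        lowered = self.path.lower()
        if any(hint in lowered for hint in USER_WRITABLE_HINTS):
            reasons.append("binary lives in a user-writable location")
        return reasons


def parse_o23(log_text: str) -> List[ServiceEntry]:
    """Extract every O23 line; all other HijackThis sections are skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line.startswith("O23 - Service: "):
            continue
        # Split on " - " at most three times so a path that contains " - "
        # (e.g. "Spybot - Search & Destroy") is kept whole in the last field.
        parts = line.split(" - ", 3)
        if len(parts) != 4:
            continue  # malformed line; leave it for manual review
        name = parts[1][len("Service: "):]
        match = NAME_RE.match(name)
        if match:
            display, short = match.group("display"), match.group("short")
        else:
            display = short = name  # HijackThis prints no short name here
        entries.append(ServiceEntry(display, short, parts[2], parts[3]))
    return entries


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map short service name -> reasons, for services that raised any flag."""
    return {e.short_name: e.flags() for e in parse_o23(log_text) if e.flags()}


if __name__ == "__main__":
    for short, reasons in triage(SAMPLE_LOG).items():
        print(f"{short}: {'; '.join(reasons)}")
```

    The "Unknown owner" flag only means the vendor field was empty, which is common for OEM tools such as the Acer ones in this log, so it is a prompt to check the file rather than a verdict; the user-writable check is the one that separates ordinary OEM bloat from something that needs looking at.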
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    I've never dealt directly with the Acer software so I'm afraid I can't help with that.

    Have you tried SAFE MODE WITH NETWORKING? (it might bypass the acer software)
    :idea:
  • macman
    macman Posts: 53,129 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    Thanks, we'll give that a try, I'm waiting for the revised MBAM log first.
    No free lunch, and no free laptop ;)
  • gaming_guy
    gaming_guy Posts: 6,128 Forumite
    1,000 Posts Combo Breaker
    I noticed that in the 2nd log above this post, LimeWire is/was installed.

    Also, in the last ComboFix log, BitTorrent, BitComet (a BitTorrent-related program) and BTDNA are all related to BitTorrent.

    I'd remove BitComet & BTDNA pretty sharpish.
  • macman
    macman Posts: 53,129 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    RIK, here is the revised MBAM log. He still can't get a net connection (has tried Safe Mode with Networking), so no way to run Kaspersky Online Scan.
    He says he has deleted some more remnants of LimeWire, BitTorrent and BitDefender.
    Should he remove BitComet and BTDNA? If so, what is the best way to do this please?
    MBAM log is clean, so where can we go from here? Worth running Avira again, do you think?

    Malwarebytes' Anti-Malware 1.36
    Database version: 1945
    Windows 6.0.6001 Service Pack 1
    2009-04-09 20:15:12
    mbam-log-2009-04-09 (20-15-12).txt
    Scan type: Full Scan (C:\|D:\|F:\|)
    Objects scanned: 164005
    Time elapsed: 37 minute(s), 8 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    (No malicious items detected)
    No free lunch, and no free laptop ;)
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Most P2P programs are generally OK to have on your computer (as in they don't actually do any harm as such ~ what they DOWNLOAD is another matter entirely :p). But I believe BitComet can create problems due to the way it works.

    Try uninstalling BitComet.
    :idea: