hijackthis please check
Comments
Download HostsXpert
http://www.softpedia.com/get/Security/Security-Related/Hoster.shtml
and then follow the steps below.
* Unzip HostsXpert.zip
* It will create a folder named HostsXpert in whatever folder you extract it to.
* Run HostsXpert.exe by double-clicking on it.
* Click the Make Writeable? button.
* Click Restore Microsoft's Hosts File and then click OK.
* Click the X to exit the program.
All done. Will let you know how things go when I run the comp tomorrow. Thanks for the advice, I just hope I managed it all OK :rolleyes:
As requested
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:05:13, on 15/05/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\RPS.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Users\CHAMP-~1\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\VS Revo Group\Revo Uninstaller\revouninstaller.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://uk.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://uk.search.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.vista.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 9693 bytes
LOL, back in a minute and will post the correct log.
Erm, I'm unsure if that log's for me or not, but I asked for the MALWAREBYTES one.
Malwarebytes' Anti-Malware 1.36
Database version: 2116
Windows 6.0.6001 Service Pack 1
14/05/2009 19:41:29
mbam-log-2009-05-14 (19-41-29).txt
Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 205725
Time elapsed: 4 hour(s), 20 minute(s), 38 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
This is the last full scan I did earlier; the newest one was just a quick one.
Please run COMBOFIX.
Follow the simple instructions it gives.
Post the COMPLETE log it creates here (split into sections if need be).
If it comes up with a RENAMING error then RIGHT-click the exe file, RENAME it and call it QWERTY (making the complete file name 'QWERTY.exe').
ComboFix 09-05-14.03 - CHAMP---LOUISE 15/05/2009 0:27.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2038.507 [GMT 1:00]
Running from: c:\users\CHAMP---LOUISE\Downloads\ComboFix.exe
AV: PCguard Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: PCguard Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
SP: PCguard Anti-Spyware *enabled* (Updated) {307352C6-1CBD-11DB-8AF6-B622A1EF5492}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\GamesBar\oberontb.dll
c:\program files\Helper
c:\users\CHAMP---LOUISE\AppData\Roaming\inst.exe
c:\windows\setup.exe
c:\windows\system32\x64
.
((((((((((((((((((((((((( Files Created from 2009-04-14 to 2009-05-14 )))))))))))))))))))))))))))))))
.
2009-05-14 22:16 . 2009-05-14 22:16	--------	d-----w	c:\windows\Sun
2009-05-14 16:21 . 2009-05-14 20:23	--------	d-----w	c:\programdata\Spybot - Search & Destroy
2009-05-14 16:21 . 2009-05-14 20:23	--------	d-----w	c:\users\All Users\Spybot - Search & Destroy
2009-05-14 16:21 . 2009-05-14 16:21	--------	d-----w	c:\program files\Spybot - Search & Destroy
2009-05-14 13:57 . 2009-05-14 13:57	--------	d-----w	c:\users\CHAMP---LOUISE\AppData\Local\Apple Computer
2009-05-14 12:32 . 2009-05-14 12:32	--------	d-----w	c:\users\CHAMP---LOUISE\AppData\Roaming\Intel
2009-05-14 12:32 . 2009-05-14 12:32	--------	d-----w	c:\users\Public\Roaming
2009-05-14 12:32 . 2009-05-14 12:32	--------	d-----w	c:\users\LOUISE & MICHAEL\Roaming
2009-05-14 12:32 . 2009-05-14 12:32	--------	d-----w	c:\users\Default\Roaming
2009-05-14 12:32 . 2009-05-14 12:32	--------	d-----w	c:\users\CHAMP---LOUISE\Roaming
2009-05-14 12:32 . 2009-05-14 12:32	--------	d-----w	c:\programdata\Roaming
2009-05-14 12:32 . 2009-05-14 12:32	--------	d-----w	c:\users\All Users\Roaming
2009-05-14 12:30 . 2009-05-14 12:30	--------	d-----w	c:\program files\Cisco
2009-05-14 12:30 . 2009-05-14 12:30	--------	d-----w	c:\program files\Common Files\Intel
2009-05-14 12:30 . 2009-05-14 12:30	--------	d-----w	c:\programdata\Intel
2009-05-14 12:30 . 2009-05-14 12:30	--------	d-----w	c:\users\All Users\Intel
2009-05-14 12:26 . 2009-05-14 12:26	--------	d-----w	c:\users\CHAMP---LOUISE\AppData\Local\Microsoft Help
2009-05-14 10:05 . 2009-05-14 10:05	--------	d-----w	c:\program files\VS Revo Group
2009-05-14 09:24 . 2009-05-14 09:24	--------	d-----w	c:\programdata\NortonInstaller
2009-05-14 09:24 . 2009-05-14 09:24	--------	d-----w	c:\users\All Users\NortonInstaller
2009-05-14 08:52 . 2009-05-14 08:52	--------	d-----w	c:\program files\Bonjour
2009-05-14 08:51 . 2009-05-14 08:52	--------	d-----w	c:\program files\QuickTime
2009-05-12 19:23 . 2009-05-12 19:23	--------	d-----w	c:\program files\Trend Micro
2009-05-12 17:21 . 2009-05-12 17:21	--------	d-----w	C:\Malwarebytes' Anti-Malware
2009-05-12 16:44 . 2007-05-30 12:10	10872	----a-w	c:\windows\system32\drivers\AvgAsCln.sys
2009-05-12 16:44 . 2009-05-12 16:44	--------	d-----w	c:\programdata\Grisoft
2009-05-12 16:44 . 2009-05-12 16:44	--------	d-----w	c:\users\All Users\Grisoft
2009-04-19 18:30 . 2009-02-13 08:49 1255936 ----a-w c:\windows\system32\lsasrv.dll
2009-04-19 18:30 . 2009-02-13 08:49 72704 ----a-w c:\windows\system32\secur32.dll
2009-04-19 18:30 . 2009-03-17 03:38 13824 ----a-w c:\windows\system32\apilogen.dll
2009-04-19 18:30 . 2009-03-17 03:38 24064 ----a-w c:\windows\system32\amxread.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-14 23:27 . 2008-01-19 15:38	--------	d-----w	c:\program files\GamesBar
2009-05-14 13:57 . 2008-01-17 18:27	70104	----a-w	c:\users\CHAMP---LOUISE\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-14 12:30 . 2007-08-13 23:08	--------	d-----w	c:\program files\Intel
2009-05-14 12:24 . 2007-08-14 00:18	--------	d-----w	c:\program files\Microsoft Works
2009-05-14 09:25 . 2007-08-14 00:25	--------	d-----w	c:\program files\Common Files\Symantec Shared
2009-05-14 08:50 . 2008-02-21 22:19	--------	d-----w	c:\program files\Common Files\Apple
2009-05-13 17:24 . 2008-12-12 14:41	410984	----a-w	c:\windows\system32\deploytk.dll
2009-05-13 17:24 . 2008-01-29 17:45	--------	d-----w	c:\program files\Java
2009-05-13 16:12 . 2006-11-02 11:18	--------	d-----w	c:\program files\Windows Mail
2009-04-06 21:57 . 2009-04-06 21:57	--------	d-----w	c:\program files\CCleaner
2009-04-06 14:32 . 2009-04-06 12:14	38496	----a-w	c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 14:32 . 2009-04-06 12:14	15504	----a-w	c:\windows\system32\drivers\mbam.sys
2009-04-06 12:14 . 2009-04-06 12:14	--------	d-----w	c:\program files\Malwarebytes' Anti-Malware
2009-03-19 22:58 . 2008-01-18 19:56 344 ----a-w c:\users\CHAMP---LOUISE\AppData\Roaming\wklnhst.dat
2009-03-13 18:32 . 2009-03-13 18:32 680 ----a-w c:\users\CHAMP---LOUISE\AppData\Local\d3d9caps.dat
2009-03-11 19:03 . 2008-04-08 13:13 47360 ----a-w c:\users\CHAMP---LOUISE\AppData\Roaming\pcouffin.sys
2009-03-11 18:34 . 2009-03-11 17:41 94208 ----a-w c:\users\CHAMP---LOUISE\AppData\Roaming\ezplay.sys
2009-03-11 17:41 . 2009-03-11 17:41 94208 ----a-w c:\windows\system32\drivers\ezplay.sys
2009-03-08 11:34 . 2009-04-02 12:07 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2009-04-02 12:07 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2009-04-02 12:07 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2009-04-02 12:07 109056 ----a-w c:\windows\system32\iesysprep.dll
2009-03-08 11:33 . 2009-04-02 12:07 109568 ----a-w c:\windows\system32\PDMSetup.exe
2009-03-08 11:33 . 2009-04-02 12:07 132608 ----a-w c:\windows\system32\ieUnatt.exe
2009-03-08 11:33 . 2009-04-02 12:07 107520 ----a-w c:\windows\system32\RegisterIEPKEYs.exe
2009-03-08 11:33 . 2009-04-02 12:07 107008 ----a-w c:\windows\system32\SetIEInstalledDate.exe
2009-03-08 11:33 . 2009-04-02 12:07 103936 ----a-w c:\windows\system32\SetDepNx.exe
2009-03-08 11:33 . 2009-04-02 12:07 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2009-04-02 12:08 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2009-04-02 12:07 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:32 . 2009-04-02 12:07 66560 ----a-w c:\windows\system32\wextract.exe
2009-03-08 11:32 . 2009-04-02 12:07 169472 ----a-w c:\windows\system32\iexpress.exe
2009-03-08 11:31 . 2009-04-02 12:07 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2009-04-02 12:08 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2009-04-02 12:07 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2009-04-02 12:07 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-03 04:46 . 2009-04-19 18:31 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-19 18:31 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:39 . 2009-04-19 18:31 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-19 18:31 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-19 18:31 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-19 18:31 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-19 18:31 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 04:37 . 2009-04-19 18:31 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 03:04 . 2009-04-19 18:31 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-19 18:31 17408 ----a-w c:\windows\system32\iashost.exe
2009-02-25 13:50 . 2009-02-25 13:00 53192 ----a-w c:\windows\system32\drivers\rp_skt32.sys
2009-02-25 13:44 . 2009-02-25 13:16 6921812 ----a-w C:\PPCleanDeleteAtReboot.bat
2008-08-30 00:28 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-05-16 213936]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-06-26 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-26 8433664]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-09 865840]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]
"eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-06-11 1286144]
"PLFSet"="c:\windows\PLFSet.dll" [2007-04-25 45056]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2007-07-31 707080]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 2061552]
"PCguard"="c:\program files\Virgin Broadband\PCguard\Rps.exe" [2007-09-05 310000]
"-FreedomNeedsReboot"="c:\program files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [2007-09-05 13552]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-05-10 4468736]
"Skytel"="Skytel.exe" - c:\windows\SkyTel.exe [2007-05-07 1826816]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Acer VCM.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Acer VCM.lnk
backup=c:\windows\pss\Acer VCM.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^PalTalk.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\PalTalk.lnk
backup=c:\windows\pss\PalTalk.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^Users^CHAMP---LOUISE^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Orion.lnk]
path=c:\users\CHAMP---LOUISE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Orion.lnk
backup=c:\windows\pss\Orion.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{8451B11E-A98D-4AA1-93C4-2A77CA5275F7}"= c:\program files\Acer Arcade Deluxe\VideoMagician\VideoMagician.exe:VideoMagician
"{4327829C-53E2-4708-B1F6-50A583BF5E6F}"= c:\program files\Acer Arcade Deluxe\HomeMedia\HomeMedia.exe:HomeMedia
"{CB57721A-FAFE-4224-8FE6-1202ADE9551F}"= c:\program files\Acer Arcade Deluxe\DV Wizard\DV Wizard.exe:DV Wizard
"{B7781F29-D92A-4D7F-9F1D-46E06BFD4728}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{4A1AEB95-DD02-4F65-B38D-D311A5CF3166}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{1B217417-4619-4B4B-8A4B-4934A24FEDC8}"= c:\program files\Acer Arcade Deluxe\DVDivine\DVDivine.exe:DVDivine
"{8F88980E-C9D4-4CE5-8688-A1D503FF4B7A}"= c:\program files\Acer\Acer VCM\VC.exe:Acer VCM
"{7996CFA7-66B2-4DA7-9C29-6986BB117FDD}"= c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe
"{9CE7AD0D-1122-49B6-B8DE-50B017B2EB97}"= c:\program files\Acer Arcade Deluxe\Play Movie\PlayMovie.exe:Play Movie
"{FF5B2291-C0FC-4D96-98B8-DCC982E3078B}"= c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe:Play Movie Resident Program
"{2CCDE5CD-260A-4B5D-A1DD-FEC70D70AC1C}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{DFDBF8D4-9CD9-4CEF-92AE-F1069C62D0B8}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{56057D38-6568-421D-AB5E-65476BDBFE1B}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{A4B95A4C-C05B-4E08-B0D3-82DAB80197B2}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{4B37F756-BC14-4F56-8E80-96B6573FC68C}c:\\program files\\babelgum\\babelgum.exe"= UDP:c:\program files\babelgum\babelgum.exe:Babelgum
"UDP Query User{083EA5A4-7FB0-4A74-A19E-D171881450DA}c:\\program files\\babelgum\\babelgum.exe"= TCP:c:\program files\babelgum\babelgum.exe:Babelgum
"TCP Query User{5CA3A54A-F93E-4D56-8B65-EBECE1D7D566}c:\\windows\\system32\\ftp.exe"= UDP:c:\windows\system32\ftp.exe:File Transfer Program
"UDP Query User{868B9A53-436E-4337-95D0-4E01CE133692}c:\\windows\\system32\\ftp.exe"= TCP:c:\windows\system32\ftp.exe:File Transfer Program
"{16B15D1C-C6E2-47A0-8029-6146B7A20D01}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{0E6A1F25-9E15-4F3A-AE6B-B8D4F615B244}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{6115F0A0-362E-47A0-8A1C-BEFC5E35BCB3}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{495ADD24-0978-4448-96F6-885CF5C92188}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{82724138-BDDE-4B84-9562-93589CC24F0E}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{653E5C6E-2534-4F44-9843-CED629CCE080}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{436424C4-9589-49CD-B73A-A38031F29102}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{1C38C3D0-8F8F-438E-8350-2B252B711D3F}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{F7236B29-33A0-4593-BDB5-52783883C842}c:\\program files\\java\\jre6\\bin\\java.exe"= UDP:c:\program files\java\jre6\bin\java.exe:Java(TM) Platform SE binary
"UDP Query User{AF9B5226-9726-43FD-A4E5-AE01E30307E7}c:\\program files\\java\\jre6\\bin\\java.exe"= TCP:c:\program files\java\jre6\bin\java.exe:Java(TM) Platform SE binary
"TCP Query User{9BACAE6D-3986-4254-8048-772AE9AA93C0}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{70BBD265-53A7-45B6-850F-985B7CB3205B}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"{BA30015B-5E69-4E93-AD3D-0B0F2420AA46}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{BAE34D23-165B-4504-B4D6-A36ACCD92299}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Acer\\Empowering Technology\\eDataSecurity\\eDSfsu.exe"= c:\acer\Empowering Technology\eDataSecurity\eDSfsu.exe:*:Enabled:eDSfsu
"c:\\Acer\\Empowering Technology\\eDataSecurity\\encryption.exe"= c:\acer\Empowering Technology\eDataSecurity\encryption.exe:*:Enabled:encryption
"c:\\Acer\\Empowering Technology\\eDataSecurity\\decryption.exe"= c:\acer\Empowering Technology\eDataSecurity\decryption.exe:*:Enabled:decryption
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [09/03/2008 23:19 41456]
R2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [14/08/2007 01:54 50688]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [14/05/2009 17:21 1153368]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [17/11/2008 07:40 3668480]
R3 winbondcir;Winbond IR Transceiver;c:\windows\System32\drivers\winbondcir.sys [13/08/2007 23:49 43008]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [13/08/2007 23:49 179712]
S3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\System32\drivers\netr73.sys [12/11/2007 11:03 468480]
S3 Radialpoint Security Services;Virgin Broadband PCguard;c:\windows\System32\dllhost.exe [02/11/2006 09:50 7168]
S3 WSVD;WSVD;c:\windows\System32\drivers\WSVD.sys [27/02/2008 00:31 80744]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db46cb42-c5fb-11dc-986d-f50d6083582f}]
\shell\AutoRun\command - E:\setupSNK.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-05-14 c:\windows\Tasks\User_Feed_Synchronization-{6C928055-B837-47B3-B111-ECF4D40A487C}.job
- c:\windows\system32\msfeedssync.exe [2009-04-02 11:31]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-eRecoveryService - (no file)
.
Supplementary Scan
.
uStart Page = hxxp://www.virginmedia.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
FF - ProfilePath - c:\users\CHAMP---LOUISE\AppData\Roaming\Mozilla\Firefox\Profiles\gtxa5f2b.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.virginmedia.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-15 00:32
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"
.
LOCKED REGISTRY KEYS
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-05-14 0:33
ComboFix-quarantined-files.txt 2009-05-14 23:33
Pre-Run: 9,596,755,968 bytes free
Post-Run: 9,759,072,256 bytes free
258 --- E O F --- 2009-05-14 12:33slowly going nuts at the world:T0 -
Combofix found a few nasties which it's removed. I can't see anything else in the log, save that you use LIMEWIRE which is dodgy at the best of times.
TICK these in hijack and FIX them (if they're still there, which they shouldn't be after restoring the HOSTS file back to how it should be) ~
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
If you haven't already, UPDATE and use the IMMUNISE feature in spybot (MUST read 'zero unprotected') then run a scan.
The fact that malwarebytes took 4 hours 20 mins is a concern, unless your drives are really full?
Download CCLEANER (Make sure you click 'DOWNLOAD LATEST VERSION' ~ make sure YAHOO TOOLBAR is unticked on installation)
http://www.filehippo.com/download_ccleaner/
Run the CLEANER scan (UNTICK 'cookies')
Then run the REGISTRY scan (Backup the registry when it asks)
I'd suggest a scan with 'kaspersky'. But it will probably take 10 hours or more based on how long malwarebytes took ~
run a KASPERSKY ONLINE SCAN (click to scan 'MY COMPUTER')
http://www.kaspersky.co.uk/virusscanner
Please post the complete log it creates :idea:
-
LIMEWIRE: Gone a long time ago, but some remnants remained.
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
Can't get rid of this even after the hosts program (could I have done it wrong?). HijackThis refers me to LSPFix but it's still there after.
If you haven't already UPDATE and use the IMMUNISE feature in spybot (MUST read 'zero unprotected') then run a scan. Done.
The fact that malwarebytes took 4 hours 20 mins is a concern unless your drives are really full? Possible error on my part: there was a disk in the drive. Done another scan (without disc in drive lol), full scan 2hr 6min.
Download CCLEANER (Make sure you click 'DOWNLOAD LATEST VERSION' ~ make sure YAHOO TOOLBAR is unticked on installation)
http://www.filehippo.com/download_ccleaner/
Run the CLEANER scan (UNTICK 'cookies')
Then run the REGISTRY scan (Backup the registry when it asks). Already have this and have run it (it was my first port of call).
run a KASPERSKY ONLINE SCAN (click to scan 'MY COMPUTER')
http://www.kaspersky.co.uk/virusscanner
Please post the complete log it creates. Running now.
Thanks for your help, computer is running a lot better already, hasn't frozen all day so I must be doing something right :rotfl: Just need to keep fingers crossed the scan is not too bad.
slowly going nuts at the world :T
-
Oh dear, help! What do I do now?
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, May 15, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, May 15, 2009 17:33:35
Records in database: 2179809
Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area: My Computer
C:\
F:\

Scan statistics
Files scanned: 141657
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 02:52:30

File name  Threat name  Threats count
C:\Users\CHAMP---LOUISE\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\320245dd-6d06dfaa  Infected: Exploit.Java.ByteVerify  1
C:\Users\CHAMP---LOUISE\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\590ac148-7de49348  Infected: Exploit.Java.ByteVerify  1
The selected area was scanned.
slowly going nuts at the world :T
-
Open notepad and copy/paste the text in RED below
File::
C:\Users\CHAMP---LOUISE\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\320245dd-6d06dfaa
C:\Users\CHAMP---LOUISE\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\590ac148-7de49348
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue. :idea:
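The CFScript above was typed by hand from the two paths in the Kaspersky report. As an added example (not from this thread, and not code from ComboFix or Kaspersky), the script below reads a report in the same plain-text layout, a constructed sample is embedded so it runs offline, and builds the File:: section automatically. It only puts "Infected" hits that live inside the Java deployment cache into File::, because File:: deletes without asking; heuristic "Suspicious" hits and infected files anywhere else are set aside for a person to look at first. The regex, the cache-path check and the sample lines are this example's own assumptions about the report format, not documented by either tool.

```python
"""Build a ComboFix CFScript "File::" section from a Kaspersky Online Scanner report.

Added example for the thread above, not code from ComboFix or Kaspersky.
Assumes each detection line in the report has the shape
    <path> Infected: <threat name> <count>
(or "Suspicious:" for heuristic hits), as in the 7.0 report posted above.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample report: the two real-looking Java cache hits from the
# thread plus a heuristic hit elsewhere, to show what is and is not selected.
SAMPLE_REPORT = r"""
File name Threat name Threats count
C:\Users\CHAMP---LOUISE\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\320245dd-6d06dfaa Infected: Exploit.Java.ByteVerify 1
C:\Users\CHAMP---LOUISE\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\590ac148-7de49348 Infected: Exploit.Java.ByteVerify 1
C:\Users\CHAMP---LOUISE\Downloads\setup.exe Suspicious: HEUR:Trojan.Win32.Generic 1
The selected area was scanned.
"""

# Lazy path match so paths containing spaces (e.g. "Program Files") still parse;
# the verdict keyword anchors where the path ends.
DETECTION = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<verdict>Infected|Suspicious):\s+"
    r"(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)

# Directory sequence that marks the Java deployment cache. Files under it are
# downloaded applets/JARs that Java re-fetches on demand, so deleting them is safe.
JAVA_CACHE = ("appdata", "locallow", "sun", "java", "deployment", "cache")


def parse_detections(report: str):
    """Return (path, verdict, threat) tuples in report order, duplicates dropped."""
    seen, found = set(), []
    for line in report.splitlines():
        m = DETECTION.match(line.strip())
        if not m:
            continue  # header, footer or non-detection line
        key = m.group("path").lower()  # NTFS paths are case-insensitive
        if key in seen:
            continue
        seen.add(key)
        found.append((m.group("path"), m.group("verdict"), m.group("threat")))
    return found


def is_java_cache_file(path: str) -> bool:
    """True if path points to a file *inside* the Java deployment cache."""
    parts = tuple(p.lower() for p in PureWindowsPath(path).parts)
    n = len(JAVA_CACHE)
    return any(
        parts[i:i + n] == JAVA_CACHE and len(parts) > i + n
        for i in range(len(parts) - n + 1)
    )


def build_cfscript(report: str):
    """Return (cfscript_text, needs_review).

    cfscript_text is the File:: section ComboFix expects: the header line
    followed by one full path per line. Only "Infected" hits inside the Java
    cache go in; everything else is returned for a human to decide on.
    """
    to_delete, needs_review = [], []
    for path, verdict, threat in parse_detections(report):
        if verdict == "Infected" and is_java_cache_file(path):
            to_delete.append(path)
        else:
            needs_review.append((path, verdict, threat))
    text = "File::\n" + "\n".join(to_delete) + "\n" if to_delete else ""
    return text, needs_review


if __name__ == "__main__":
    script, review = build_cfscript(SAMPLE_REPORT)
    print(script, end="")  # paste this into Notepad and save as CFScript.txt
    for path, verdict, threat in review:
        print(f"REVIEW: {path}  ({verdict}: {threat})")
```

Two cautions when using this on a real report. A ByteVerify hit in the deployment cache shows that a malicious applet was downloaded and cached; on its own it does not show whether it actually ran, which depends on the installed JRE version. And the cache check is deliberately narrow: an infected file outside that directory may be a legitimate program that has been patched by malware, which is exactly the case a helper wants to look at before writing it into File::.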
This discussion has been closed.