Hijack this log
Comments
Guys
I've left malwarebytes running a full scan. I'll post the log when I get home tonight.
Regarding your comments about the system being out of date. Yes, a bit odd. I always install MS updates, the last one being early July. And the Malwarebytes, I downloaded yesterday from a recent link on the sticky.
Just because you downloaded Malwarebytes doesn't mean it's up to date with its database. With ALL security programs that use databases, you need to UPDATE before running.
You can use Spybot Search & Destroy. WORK!
Sorry Rik. I assumed MWB would try and self update so I didn't bother checking it was up to date. Anyway, it wasn't. I've updated now and run a full scan. Just a few remnants pasted below that I've now deleted.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4309
Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18928
13/07/2010 18:57:16
mbam-log-2010-07-13 (18-57-16).txt
Scan type: Full scan (C:\|)
Objects scanned: 298265
Time elapsed: 1 hour(s), 5 minute(s), 24 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Defense Center (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\24d1ca9a-a864-4f7b-86fe-495eb56529d8 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\7bde84a2-f58f-46ec-9eac-f1f90fead080 (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\Defense Center (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
Laptop running fine now. I don't seem to be able to update Vista though. I get a code 80072EFE and a message "An error occurred while checking for new updates for your computer."
Don't attempt updating until the computer's clean of infection (which I'm pretty sure it's not).
Please run COMBOFIX
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Shut down your anti-virus
Follow the simple instructions it gives
Post the COMPLETE log it creates here (Split into sections if need be) ~ if there are loads of 'SNAPSHOT' pages then leave them out
If it comes up with a RENAMING error then RIGHT click the exe file and RENAME it to QWERTY (making the complete file name 'QWERTY.exe'), or SAVE it as 'QWERTY' on download.
Done Rik. See below.
ComboFix 10-07-12.06 - Steve 13/07/2010 20:02:06.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.3001.1707 [GMT 1:00]
Running from: c:\users\Steve\Downloads\qwerty.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
ADS - Windows: deleted 24 bytes in 1 streams.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\Steve\AppData\Local\{02BA8E6E-7857-4007-B464-55FCDCAADFBF}
c:\users\Steve\AppData\Local\{02BA8E6E-7857-4007-B464-55FCDCAADFBF}\chrome.manifest
c:\users\Steve\AppData\Local\{02BA8E6E-7857-4007-B464-55FCDCAADFBF}\chrome\content\_cfg.js
c:\users\Steve\AppData\Local\{02BA8E6E-7857-4007-B464-55FCDCAADFBF}\chrome\content\overlay.xul
c:\users\Steve\AppData\Local\{02BA8E6E-7857-4007-B464-55FCDCAADFBF}\install.rdf
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.3.inf
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - Kitty had a snack
.
((((((((((((((((((((((((( Files Created from 2010-06-13 to 2010-07-13 )))))))))))))))))))))))))))))))
.
2010-07-13 19:11 . 2010-07-13 19:11 d-----w- c:\users\Steve\AppData\Local\temp
2010-07-13 19:11 . 2010-07-13 19:11 d-----w- c:\users\Default\AppData\Local\temp
2010-07-12 20:24 . 2010-07-12 20:24 388096 ----a-r- c:\users\Steve\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-12 20:24 . 2010-07-12 20:24 d-----w- c:\program files\Trend Micro
2010-07-12 19:59 . 2010-07-12 19:59 d-----w- c:\users\Steve\AppData\Roaming\Malwarebytes
2010-07-12 19:59 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-12 19:59 . 2010-07-12 19:59 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-12 19:59 . 2010-07-12 19:59 d-----w- c:\programdata\Malwarebytes
2010-07-12 19:59 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-12 18:41 . 2010-07-12 19:57 680 ----a-w- c:\users\Steve\AppData\Local\d3d9caps.dat
2010-07-12 18:21 . 2010-07-12 18:21 2716 ----a-w- c:\users\Steve\AppData\Local\itiyupad.dll
2010-07-12 18:07 . 2010-07-12 18:07 2716 ----a-w- c:\users\Steve\AppData\Local\uciyojoq.dll
2010-07-12 17:57 . 2010-07-12 17:57 2716 ----a-w- c:\users\Steve\AppData\Local\omifasocu.dll
2010-07-12 16:19 . 2010-07-12 16:19 2716 ----a-w- c:\users\Steve\AppData\Local\arovotuketox.dll
2010-07-12 16:11 . 2010-07-12 16:11 2716 ----a-w- c:\users\Steve\AppData\Local\atomozoloce.dll
2010-07-12 15:49 . 2010-07-12 15:49 2716 ----a-w- c:\users\Steve\AppData\Local\onitukixuyoy.dll
2010-07-12 14:46 . 2010-07-12 14:46 2716 ----a-w- c:\users\Steve\AppData\Local\itubeqov.dll
2010-07-12 13:43 . 2010-07-12 13:43 2716 ----a-w- c:\users\Steve\AppData\Local\utebaxix.dll
2010-07-12 12:43 . 2010-07-12 12:43 dc-h--w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-07-12 12:40 . 2010-07-12 12:40 120 ----a-w- c:\users\Steve\AppData\Local\Hcijogotob.dat
2010-07-12 12:40 . 2010-07-12 12:40 0 ----a-w- c:\users\Steve\AppData\Local\Jnayifinoh.bin
2010-07-12 12:37 . 2010-07-12 20:08 d-----w- c:\users\Steve\AppData\Local\wqdstteec
2010-07-01 19:28 . 2010-04-14 17:47 293376 ----a-w- c:\windows\system32\psisdecd.dll
2010-07-01 19:27 . 2010-04-14 17:46 428544 ----a-w- c:\windows\system32\EncDec.dll
2010-06-26 22:34 . 2009-11-08 09:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-26 22:34 . 2009-11-08 09:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-26 22:34 . 2009-11-08 09:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-26 22:34 . 2009-11-08 09:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-26 22:34 . 2009-11-08 09:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-24 19:47 . 2010-04-16 16:05 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-06-24 19:47 . 2010-04-16 14:17 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-13 19:00 . 2010-02-07 08:08 12 ----a-w- c:\windows\bthservsdp.dat
2010-07-13 18:59 . 2009-11-01 17:40 d-----w- c:\users\Steve\AppData\Roaming\LimeWire
2010-07-13 18:48 . 2009-11-01 18:07 d-----w- c:\program files\Ask.com
2010-06-26 22:36 . 2009-07-14 18:56 d-----w- c:\program files\Microsoft.NET
2010-06-11 19:06 . 2009-09-30 19:10 1 ----a-w- c:\users\Steve\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-10 02:28 . 2006-11-02 11:18 d-----w- c:\program files\Windows Mail
2010-06-10 02:12 . 2009-07-14 18:55 d-----w- c:\programdata\Microsoft Help
2010-06-09 21:36 . 2010-06-09 21:36 d-----w- c:\program files\QuickTime
2010-06-04 16:09 . 2010-02-26 17:18 d-----w- c:\program files\Microsoft Silverlight
2010-06-03 20:07 . 2010-06-03 19:43 d-----w- c:\program files\Rail Simulator Demo
2010-06-03 19:46 . 2010-06-03 19:46 d-----w- c:\program files\AGEIA Technologies
2010-06-03 19:45 . 2009-10-02 17:14 d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-03 19:40 . 2010-06-03 19:40 d-----w- c:\program files\Railsim
2010-06-03 19:37 . 2010-06-03 19:37 d-----w- c:\program files\freezip
2010-05-26 16:16 . 2010-06-09 21:25 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:25 . 2010-06-09 21:25 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-15 15:25 . 2009-07-14 18:53 d-----w- c:\program files\Google
2010-05-04 05:59 . 2010-06-09 21:24 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-09 21:24 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55 . 2010-06-09 21:24 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31 . 2010-06-09 21:24 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 13:53 . 2010-06-09 21:24 2036224 ----a-w- c:\windows\system32\win32k.sys
2010-04-23 13:55 . 2010-05-25 18:35 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-16 16:10 . 2010-06-09 21:25 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-04-16 16:05 . 2010-06-24 19:47 459776 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-04-16 16:05 . 2010-06-24 19:47 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-04-16 16:05 . 2010-06-24 19:47 2153984 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-04-16 16:05 . 2010-06-24 19:47 541696 ----a-w- c:\windows\AppPatch\AcLayers.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2009-05-14 22:02 120104 ----a-w- c:\program files\EgisTec\MyWinLocker 3\x86\PSDProtect.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-02-11 6724128]
"Acer ePower Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2009-06-23 703008]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-05 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-05 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-05 154136]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-01-09 1418536]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2009-06-16 1131016]
"avast!"="c:\progra~1\AVASTS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
c:\users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-3-30 503808]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-8-14 727592]
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-2-4 495432]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^DataViz Inc Messenger.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\DataViz Inc Messenger.lnk
backup=c:\windows\pss\DataViz Inc Messenger.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^Users^Steve^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Orion.lnk]
path=c:\users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Orion.lnk
backup=c:\windows\pss\Orion.lnk.Startup
backupExtension=.Startup
[HKLM\~\startupfolder\C:^Users^Steve^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=c:\users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=c:\windows\pss\palmOne Registration.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcadeDeluxeAgent]
2009-05-05 11:12 156968 ------w- c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
2009-05-05 11:12 206120 ------w- c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
2009-01-29 22:20 57344 ----a-w- c:\program files\SlySoft\CloneCD\CloneCDTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EgisTecLiveUpdate]
2009-05-13 18:39 199464 ----a-w- c:\program files\EgisTec Egis Software Update\EgisUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 11:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-12-08 14:50 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-08-20 09:54 150016 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-02-06 17:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mwlDaemon]
2009-05-14 22:03 345384 ----a-w- c:\program files\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayMovie]
2009-05-04 13:43 173288 ------w- c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-21 18:06 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tunebite.exe]
2007-09-13 15:47 2846720 ----a-w- c:\program files\Tunebite\tunebite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1139142561-2729520356-3100012642-1000]
"EnableNotificationsRef"=dword:00000001
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-04 133104]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [x]
R3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2009-06-17 50432]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-09-15 7408]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-12-02 64288]
S1 aswSP;avast! Self Protection; [x]
S1 DPMemGridVista;Physical Memory I/O for GridVista;c:\program files\GridVista\DPMemGridVista.sys [2008-10-01 10504]
S1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\DRIVERS\mwlPSDFilter.sys [2008-12-04 19504]
S1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\DRIVERS\mwlPSDNServ.sys [2008-12-04 16432]
S1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\DRIVERS\mwlPSDVDisk.sys [2008-12-04 59952]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-09-15 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-09-15 74480]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-09-15 53328]
S2 CLHNService;CLHNService;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [2009-04-14 75048]
S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe [2009-06-23 723488]
S2 MWLService;MyWinLocker Service;c:\program files\EgisTec\MyWinLocker 3\x86\\MWLService.exe [2009-05-14 305448]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2009-06-17 144640]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C60x86.sys [2009-01-15 49664]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
bthsvcs REG_MULTI_SZ BthServ
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9C450606-ED24-4958-92BA-B8940C99D441}]
2009-03-04 15:32 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
2010-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-04 13:44]
2010-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-04 13:44]
2010-07-13 c:\windows\Tasks\User_Feed_Synchronization-{92BB3C91-7AAB-484E-BF16-F9BD42FB552D}.job
- c:\windows\system32\msfeedssync.exe [2010-06-09 04:30]
.
.
Supplementary Scan
.
uStart Page = hxxp://google.co.uk/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&m=aspire_5332&r=2v350709c235l03c4zqm5t47m2x226
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.3/GarminAxControl.CAB
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-13 20:11
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-07-13 20:14:32
ComboFix-quarantined-files.txt 2010-07-13 19:14
Pre-Run: 73,303,511,040 bytes free
Post-Run: 73,249,280,000 bytes free
- - End Of File - - D0AAAC303F664BB531E90FB79E2897AF
Open notepad and copy/paste the text in RED below
File::
c:\users\Steve\AppData\Local\itiyupad.dll
c:\users\Steve\AppData\Local\uciyojoq.dll
c:\users\Steve\AppData\Local\omifasocu.dll
c:\users\Steve\AppData\Local\arovotuketox.dll
c:\users\Steve\AppData\Local\atomozoloce.dll
c:\users\Steve\AppData\Local\onitukixuyoy.dll
c:\users\Steve\AppData\Local\itubeqov.dll
c:\users\Steve\AppData\Local\utebaxix.dll
c:\users\Steve\AppData\Local\Hcijogotob.dat
c:\users\Steve\AppData\Local\Jnayifinoh.bin
c:\users\Steve\AppData\Local\wqdstteec
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press ctrl, alt and del at the same time), and end any processes of findstr, find, sed or swreg; then combofix should continue.
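Rik built the File:: list above by hand from the ComboFix "Files Created" section. As an added example (not code from the thread, from ComboFix or from Malwarebytes), the Python script below automates that triage on constructed sample lines copied from the log posted earlier: it flags the run of same-size, randomly named DLLs dropped straight into AppData\Local, notes the localhost ProxyServer entry from the Supplementary Scan, and emits a File:: block in the CFScript format Rik describes. The heuristics, thresholds and function names are my own assumptions, not anything ComboFix defines.

```python
"""Triage of a ComboFix 'Files Created' section (added example, not from the thread)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log posted above plus the
# ProxyServer line from its Supplementary Scan. Feed a real ComboFix.txt to triage().
SAMPLE_LOG = r"""
2010-07-12 20:24 . 2010-07-12 20:24 388096 ----a-r- c:\users\Steve\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-12 19:59 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-12 18:41 . 2010-07-12 19:57 680 ----a-w- c:\users\Steve\AppData\Local\d3d9caps.dat
2010-07-12 18:21 . 2010-07-12 18:21 2716 ----a-w- c:\users\Steve\AppData\Local\itiyupad.dll
2010-07-12 18:07 . 2010-07-12 18:07 2716 ----a-w- c:\users\Steve\AppData\Local\uciyojoq.dll
2010-07-12 17:57 . 2010-07-12 17:57 2716 ----a-w- c:\users\Steve\AppData\Local\omifasocu.dll
2010-07-12 16:19 . 2010-07-12 16:19 2716 ----a-w- c:\users\Steve\AppData\Local\arovotuketox.dll
2010-07-12 12:40 . 2010-07-12 12:40 120 ----a-w- c:\users\Steve\AppData\Local\Hcijogotob.dat
2010-07-12 12:40 . 2010-07-12 12:40 0 ----a-w- c:\users\Steve\AppData\Local\Jnayifinoh.bin
2010-07-01 19:28 . 2010-04-14 17:47 293376 ----a-w- c:\windows\system32\psisdecd.dll
uInternet Settings,ProxyServer = http=127.0.0.1:5577
"""

# 'created . modified size attrs path'; the tabs of the real file collapsed to
# spaces when the log was pasted into the forum, so any whitespace run is accepted.
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(\d+)\s+(\S{8})\s+(.+?)\s*$"
)
PROXY_LINE = re.compile(r"^[um]Internet Settings,ProxyServer = (.+?)\s*$", re.M)


@dataclass
class FileEntry:
    created: str
    modified: str
    size: int
    attrs: str
    path: str


def parse_file_lines(log_text: str) -> list:
    """Return each file line of the 'Files Created' / 'Find3M' sections as a FileEntry."""
    entries = []
    for line in log_text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            created, modified, size, attrs, path = m.groups()
            entries.append(FileEntry(created, modified, int(size), attrs, path))
    return entries


def find_suspicious(entries: list) -> list:
    """Flag files dropped directly into %LOCALAPPDATA% under a random-looking,
    purely alphabetic name and never modified since creation; a run of such
    files sharing one exact byte size (the 2716-byte DLLs here) strengthens it."""
    size_counts = Counter(e.size for e in entries)
    hits = []
    for e in entries:
        parent, _, name = e.path.rpartition("\\")
        stem = name.rsplit(".", 1)[0]
        if not parent.lower().endswith(r"\appdata\local"):
            continue
        if not (stem.isalpha() and len(stem) >= 8 and e.created == e.modified):
            continue
        reason = "random alphabetic name in AppData\\Local, untouched since creation"
        if size_counts[e.size] >= 3:
            reason += f"; one of {size_counts[e.size]} files of exactly {e.size} bytes"
        hits.append((e, reason))
    return hits


def find_local_proxy(log_text: str):
    """Return the ProxyServer value when browser traffic is routed via localhost,
    a hallmark of rogue 'security' products that intercept web sessions."""
    m = PROXY_LINE.search(log_text)
    if m and re.search(r"(127\.0\.0\.1|localhost):\d+", m.group(1)):
        return m.group(1)
    return None


def build_cfscript(paths: list) -> str:
    """Emit the 'File::' block in the CFScript format shown in the thread."""
    return "File::\n" + "\n".join(paths) + "\n"


def triage(log_text: str) -> dict:
    """Run all checks and return findings plus a CFScript draft for human review."""
    hits = find_suspicious(parse_file_lines(log_text))
    paths = [e.path for e, _ in hits]
    return {
        "suspicious": [(e.path, reason) for e, reason in hits],
        "local_proxy": find_local_proxy(log_text),
        "cfscript": build_cfscript(paths) if paths else "",
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path, reason in result["suspicious"]:
        print(path, "->", reason)
    print("ProxyServer:", result["local_proxy"])
    print(result["cfscript"])
```

The draft is a starting point for the helper's review, not something to run blindly: a benign file that happens to match the heuristic would be deleted too.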
Done Rik.
ComboFix 10-07-12.06 - Steve 13/07/2010 20:53:02.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.3001.1737 [GMT 1:00]
Running from: c:\users\Steve\Downloads\qwerty.exe
Command switches used :: c:\users\Steve\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FILE ::
"c:\users\Steve\AppData\Local\arovotuketox.dll"
"c:\users\Steve\AppData\Local\atomozoloce.dll"
"c:\users\Steve\AppData\Local\Hcijogotob.dat"
"c:\users\Steve\AppData\Local\itiyupad.dll"
"c:\users\Steve\AppData\Local\itubeqov.dll"
"c:\users\Steve\AppData\Local\Jnayifinoh.bin"
"c:\users\Steve\AppData\Local\omifasocu.dll"
"c:\users\Steve\AppData\Local\onitukixuyoy.dll"
"c:\users\Steve\AppData\Local\uciyojoq.dll"
"c:\users\Steve\AppData\Local\utebaxix.dll"
"c:\users\Steve\AppData\Local\wqdstteec"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\Steve\AppData\Local\arovotuketox.dll
c:\users\Steve\AppData\Local\atomozoloce.dll
c:\users\Steve\AppData\Local\Hcijogotob.dat
c:\users\Steve\AppData\Local\itiyupad.dll
c:\users\Steve\AppData\Local\itubeqov.dll
c:\users\Steve\AppData\Local\Jnayifinoh.bin
c:\users\Steve\AppData\Local\omifasocu.dll
c:\users\Steve\AppData\Local\onitukixuyoy.dll
c:\users\Steve\AppData\Local\Temp\jna1273519342329992530.dll
c:\users\Steve\AppData\Local\uciyojoq.dll
c:\users\Steve\AppData\Local\utebaxix.dll
.
((((((((((((((((((((((((( Files Created from 2010-06-13 to 2010-07-13 )))))))))))))))))))))))))))))))
.
2010-07-13 19:59 . 2010-07-13 19:59 d-----w- c:\users\Public\AppData\Local\temp
2010-07-13 19:59 . 2010-07-13 19:59 d-----w- c:\users\Default\AppData\Local\temp
2010-07-13 19:49 . 2010-07-13 19:49 d-----w- C:\32788R22FWJFW
2010-07-13 19:39 . 2010-07-13 19:39 d-----w- c:\windows\system32\x64
2010-07-13 19:36 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2010-07-13 19:36 . 2009-10-09 21:56 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
2010-07-13 19:36 . 2009-10-09 21:56 20480 ----a-w- c:\windows\system32\winrshost.exe
2010-07-13 19:36 . 2009-10-09 21:56 40448 ----a-w- c:\windows\system32\winrs.exe
2010-07-13 19:14 . 2010-07-13 20:01 d-----w- c:\users\Steve\AppData\Local\temp
2010-07-12 20:24 . 2010-07-12 20:24 d-----w- c:\program files\Trend Micro
2010-07-12 19:59 . 2010-07-12 19:59 d-----w- c:\users\Steve\AppData\Roaming\Malwarebytes
2010-07-12 19:59 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-12 19:59 . 2010-07-12 19:59 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-12 19:59 . 2010-07-12 19:59 d-----w- c:\programdata\Malwarebytes
2010-07-12 19:59 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-12 18:41 . 2010-07-12 19:57 680 ----a-w- c:\users\Steve\AppData\Local\d3d9caps.dat
2010-07-12 12:43 . 2010-07-12 12:43 dc-h--w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-07-12 12:37 . 2010-07-12 20:08 d-----w- c:\users\Steve\AppData\Local\wqdstteec
2010-07-01 19:28 . 2010-04-14 17:47 293376 ----a-w- c:\windows\system32\psisdecd.dll
2010-07-01 19:27 . 2010-04-14 17:46 428544 ----a-w- c:\windows\system32\EncDec.dll
2010-06-26 22:34 . 2009-11-08 09:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-26 22:34 . 2009-11-08 09:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-26 22:34 . 2009-11-08 09:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-26 22:34 . 2009-11-08 09:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-26 22:34 . 2009-11-08 09:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-24 19:47 . 2010-04-16 16:05 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-06-24 19:47 . 2010-04-16 14:17 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-13 20:04 . 2009-11-01 17:40 d-----w- c:\users\Steve\AppData\Roaming\LimeWire
2010-07-13 20:00 . 2010-02-07 08:08 12 ----a-w- c:\windows\bthservsdp.dat
2010-07-13 19:31 . 2006-11-02 11:18 d-----w- c:\program files\Windows Mail
2010-07-13 19:30 . 2009-07-14 18:55 d-----w- c:\programdata\Microsoft Help
2010-07-13 18:48 . 2009-11-01 18:07 d-----w- c:\program files\Ask.com
2010-07-12 20:24 . 2010-07-12 20:24 388096 ----a-r- c:\users\Steve\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-26 22:36 . 2009-07-14 18:56 d-----w- c:\program files\Microsoft.NET
2010-06-11 19:06 . 2009-09-30 19:10 1 ----a-w- c:\users\Steve\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-09 21:36 . 2010-06-09 21:36 d-----w- c:\program files\QuickTime
2010-06-04 16:09 . 2010-02-26 17:18 d-----w- c:\program files\Microsoft Silverlight
2010-06-03 20:07 . 2010-06-03 19:43 d-----w- c:\program files\Rail Simulator Demo
2010-06-03 19:46 . 2010-06-03 19:46 d-----w- c:\program files\AGEIA Technologies
2010-06-03 19:45 . 2009-10-02 17:14 d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-03 19:40 . 2010-06-03 19:40 d-----w- c:\program files\Railsim
2010-06-03 19:37 . 2010-06-03 19:37 d-----w- c:\program files\freezip
2010-05-26 16:16 . 2010-06-09 21:25 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:25 . 2010-06-09 21:25 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-15 15:25 . 2009-07-14 18:53 d-----w- c:\program files\Google
2010-05-04 05:59 . 2010-06-09 21:24 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-09 21:24 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55 . 2010-06-09 21:24 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31 . 2010-06-09 21:24 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 13:53 . 2010-06-09 21:24 2036224 ----a-w- c:\windows\system32\win32k.sys
2010-04-23 13:55 . 2010-05-25 18:35 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-21 17:36 . 2010-04-21 17:36 8198680 ----a-w- c:\windows\system32\TVWSetup.exe
2010-04-21 17:36 . 2009-07-25 23:28 948760 ----a-w- c:\windows\system32\igxpun.exe
2010-04-21 17:36 . 2010-04-21 17:36 136216 ----a-w- c:\windows\system32\igfxtray.exe
2010-04-21 17:36 . 2010-04-21 17:36 266776 ----a-w- c:\windows\system32\igfxsrvc.exe
2010-04-21 17:36 . 2010-04-21 17:36 169496 ----a-w- c:\windows\system32\igfxpers.exe
2010-04-21 17:36 . 2010-04-21 17:36 179224 ----a-w- c:\windows\system32\igfxext.exe
2010-04-21 17:36 . 2010-04-21 17:36 171032 ----a-w- c:\windows\system32\hkcmd.exe
2010-04-21 17:35 . 2010-04-21 17:35 3154968 ----a-w- c:\windows\system32\GfxUI.exe
2010-04-21 17:25 . 2010-04-21 17:25 81920 ----a-w- c:\windows\system32\igfxCoIn_v2119.dll
2010-04-21 17:10 . 2009-07-15 01:38 4960768 ----a-w- c:\windows\system32\igdumd32.dll
2010-04-21 17:10 . 2010-04-21 17:10 8746496 ----a-w- c:\windows\system32\drivers\igdkmd32.sys
2010-04-21 17:08 . 2010-04-21 17:08 982240 ----a-w- c:\windows\system32\igkrng500.bin
2010-04-21 17:08 . 2010-04-21 17:08 92356 ----a-w- c:\windows\system32\igfcg500m.bin
2010-04-21 17:08 . 2010-04-21 17:08 439308 ----a-w- c:\windows\system32\igcompkrng500.bin
2010-04-21 17:06 . 2009-07-15 01:38 571904 ----a-w- c:\windows\system32\igdumdx32.dll
2010-04-21 17:00 . 2010-04-21 17:00 4348416 ----a-w- c:\windows\system32\igd10umd32.dll
2010-04-21 16:45 . 2010-04-21 16:45 11034624 ----a-w- c:\windows\system32\ig4icd32.dll
2010-04-21 16:33 . 2009-07-15 01:38 261120 ----a-w- c:\windows\system32\igfxTMM.dll
2010-04-21 16:33 . 2010-04-21 16:33 194560 ----a-w- c:\windows\system32\igfxpph.dll
2010-04-21 16:33 . 2010-04-21 16:33 23552 ----a-w- c:\windows\system32\igfxexps.dll
2010-04-21 16:33 . 2010-04-21 16:33 57344 ----a-w- c:\windows\system32\igfxsrvc.dll
2010-04-21 16:33 . 2010-04-21 16:33 130048 ----a-w- c:\windows\system32\igfxdo.dll
2010-04-21 16:32 . 2010-04-21 16:32 94720 ----a-w- c:\windows\system32\hccutils.dll
2010-04-21 16:32 . 2010-04-21 16:32 120320 ----a-w- c:\windows\system32\gfxSrvc.dll
2010-04-21 16:32 . 2010-04-21 16:32 4096 ----a-w- c:\windows\system32\IGFXDEVLib.dll
2010-04-21 16:32 . 2009-07-15 01:38 227328 ----a-w- c:\windows\system32\igfxdev.dll
2010-04-21 16:32 . 2010-04-21 16:32 828928 ----a-w- c:\windows\system32\igfxress.dll
2010-04-21 16:22 . 2010-04-21 16:22 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2010-04-21 16:22 . 2010-04-21 16:22 208896 ----a-w- c:\windows\system32\iglhsip32.dll
2010-04-21 16:22 . 2010-04-21 16:22 143360 ----a-w- c:\windows\system32\iglhcp32.dll
2010-04-16 16:10 . 2010-06-09 21:25 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-04-16 16:05 . 2010-06-24 19:47 459776 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-04-16 16:05 . 2010-06-24 19:47 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-04-16 16:05 . 2010-06-24 19:47 2153984 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-04-16 16:05 . 2010-06-24 19:47 541696 ----a-w- c:\windows\AppPatch\AcLayers.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2009-05-14 22:02 120104 ----a-w- c:\program files\EgisTec\MyWinLocker 3\x86\PSDProtect.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-02-11 6724128]
"Acer ePower Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2009-06-23 703008]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-01-09 1418536]
"LManager"="c:\program files\Launch Manager\LManager.exe" [2009-06-16 1131016]
"avast!"="c:\progra~1\AVASTS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-21 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-21 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-21 169496]
c:\users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-3-30 503808]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-8-14 727592]
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-2-4 495432]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^DataViz Inc Messenger.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\DataViz Inc Messenger.lnk
backup=c:\windows\pss\DataViz Inc Messenger.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^Users^Steve^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Orion.lnk]
path=c:\users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Orion.lnk
backup=c:\windows\pss\Orion.lnk.Startup
backupExtension=.Startup
[HKLM\~\startupfolder\C:^Users^Steve^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=c:\users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=c:\windows\pss\palmOne Registration.lnk.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcadeDeluxeAgent]
2009-05-05 11:12 156968 ----a-w- c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
2009-05-05 11:12 206120 ----a-w- c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
2009-01-29 22:20 57344 ----a-w- c:\program files\SlySoft\CloneCD\CloneCDTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EgisTecLiveUpdate]
2009-05-13 18:39 199464 ----a-w- c:\program files\EgisTec Egis Software Update\EgisUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 11:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-12-08 14:50 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-08-20 09:54 150016 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-02-06 17:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mwlDaemon]
2009-05-14 22:03 345384 ----a-w- c:\program files\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayMovie]
2009-05-04 13:43 173288 ----a-w- c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-21 18:06 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tunebite.exe]
2007-09-13 15:47 2846720 ----a-w- c:\program files\Tunebite\tunebite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1139142561-2729520356-3100012642-1000]
"EnableNotificationsRef"=dword:00000001
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-10-04 133104]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [x]
R3 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2009-06-17 50432]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-09-15 7408]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-12-02 64288]
S1 aswSP;avast! Self Protection; [x]
S1 DPMemGridVista;Physical Memory I/O for GridVista;c:\program files\GridVista\DPMemGridVista.sys [2008-10-01 10504]
S1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\DRIVERS\mwlPSDFilter.sys [2008-12-04 19504]
S1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\DRIVERS\mwlPSDNServ.sys [2008-12-04 16432]
S1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\DRIVERS\mwlPSDVDisk.sys [2008-12-04 59952]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-09-15 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-09-15 74480]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-09-15 53328]
S2 CLHNService;CLHNService;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [2009-04-14 75048]
S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe [2009-06-23 723488]
S2 MWLService;MyWinLocker Service;c:\program files\EgisTec\MyWinLocker 3\x86\\MWLService.exe [2009-05-14 305448]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2009-06-17 144640]
S3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C60x86.sys [2009-01-15 49664]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
bthsvcs REG_MULTI_SZ BthServ
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9C450606-ED24-4958-92BA-B8940C99D441}]
2009-03-04 15:32 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
2010-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-04 13:44]
2010-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-04 13:44]
2010-07-13 c:\windows\Tasks\User_Feed_Synchronization-{92BB3C91-7AAB-484E-BF16-F9BD42FB552D}.job
- c:\windows\system32\msfeedssync.exe [2010-06-09 04:30]
.
.
Supplementary Scan
.
uStart Page = hxxp://google.co.uk/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&m=aspire_5332&r=2v350709c235l03c4zqm5t47m2x226
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.3/GarminAxControl.CAB
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-13 21:01
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
DLLs Loaded Under Running Processes
- - - - - - - > 'Explorer.exe'(3912)
c:\program files\EgisTec\MyWinLocker 3\x86\psdprotect.dll
c:\program files\EgisTec\MyWinLocker 3\x86\sysenv.dll
c:\windows\system32\btmmhook.dll
c:\program files\palmOne\PqiIcon.dll
c:\windows\system32\btncopy.dll
.
Other Running Processes
.
c:\program files\Avast Software\Avast4\aswUpdSv.exe
c:\program files\Avast Software\Avast4\ashServ.exe
c:\program files\EgisTec\MyWinLocker 3\x86\MWLService.exe
c:\program files\Avast Software\Avast4\ashMaiSv.exe
c:\program files\Avast Software\Avast4\ashWebSv.exe
c:\users\Steve\AppData\Local\Temp\RtkBtMnt.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Avast Software\Avast4\ashDisp.exe
c:\windows\system32\igfxext.exe
c:\windows\ehome\ehmsas.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-07-13 21:09:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-13 20:09
ComboFix2.txt 2010-07-13 19:14
Pre-Run: 75,167,924,224 bytes free
Post-Run: 75,093,680,128 bytes free
- - End Of File - - D6EC69FE5298F9547E6021C257BA9A91
Apparently I'm 10 years old on MSE. Happy birthday to me...etc
Log looks clean ~ but there's no guarantee your machine is completely free of nasties
Ideally you should format the drive and reinstall Windows (entirely up to you)
Avast is out of date and needs upgrading to Avast 5
You also need the latest service pack
I'm going to ask for one last scan (assuming you don't format the drive)
Download and run the FREE version of DR WEB
http://www.freedrweb.com/download+cureit/gr/
Turn your anti virus OFF
Click CANCEL to the 'Would you like to read purchase terms now?' message
Click START click OK
It will auto QUICK scan
After that set to scan the WHOLE computer and press the 'play' icon
***DO NOT UPGRADE TO FULL VERSION***:idea:
Scan complete and Dr Web has found no further nasties.
I'll keep running for a while and if I see no further problems I'll probably risk not formatting. Windows update works as well now.
You're a star Rik. Thanks for all your help.
Apparently I'm 10 years old on MSE. Happy birthday to me...etc