jaybb Posted July 16, 2008 Report Share Posted July 16, 2008 Hi Guys... My anti-virus scan found 1 threat, exploit.HTML.agent.h and many infected files, but i can't removed it. so i decided to do a system restore and after system restore, my anti-virus is dead.Come accross this site while looking for more information. Great to know that there are people out there that will help.Below is the log file, and while running Hijackthis, i have encounter problems. i printed the screen and added to the attachment hereLogfile of HijackThis v1.99.1Scan saved at 11:27:44 PM, on 16/7/2008Platform: Unknown Windows (WinNT 6.00.1905 SP1)MSIE: Internet Explorer v7.00 (7.00.6001.18000)Running processes:C:\Windows\system32\taskeng.exeC:\Windows\system32\Dwm.exeC:\Windows\Explorer.EXEC:\Program Files\Windows Defender\MSASCui.exeC:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exeC:\Windows\System32\igfxtray.exeC:\Windows\System32\hkcmd.exeC:\Windows\System32\igfxpers.exeC:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exeC:\Windows\RtHDVCpl.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Acer\Empowering Technology\eAudio\eAudio.exeC:\Windows\BR040286.exeC:\Program Files\Winamp\winampa.exeC:\Program Files\Windows Sidebar\sidebar.exeC:\Program Files\Spybot - Search & Destroy\TeaTimer.exeC:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exeC:\Program Files\Windows Live\Messenger\msnmsgr.exeC:\Program Files\Acer\Acer VCM\AcerVCM.exeC:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exeC:\Users\acer\AppData\Local\Temp\RtkBtMnt.exeC:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXEC:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXEC:\Acer\Empowering Technology\eRecovery\ERAGENT.EXEC:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\igfxsrvc.exeC:\Program Files\Windows Media Player\wmpnscfg.exeC:\Program Files\Acer\Acer VCM\acp2HID.exeC:\Program Files\PC Connectivity Solution\Transports\NclIrSrv.exeC:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exeC:\Program Files\Opera\opera.exeC:\Windows\System32\mobsync.exeC:\Users\acer\Desktop\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.sg.acer.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.sg.acer.yahoo.comR0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO1 - Hosts: ::1 localhostO2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - (no file)O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hideO4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exeO4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exeO4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exeO4 - HKLM\..\Run: [skytel] Skytel.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exeO4 - HKLM\..\Run: [bisonInst0402] C:\Windows\BR040286.exeO4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCANO4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRunO4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exeO4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialogO4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytrayO4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /backgroundO4 - Startup: Orion.lnk = C:\Convesoft\Orion\Messenger.exeO4 - Global Startup: Acer VCM.lnk = ?O4 - Global Startup: Bluetooth.lnk = ?O4 - Global Startup: Empowering Technology Launcher.lnk = ?O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htmO8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htmO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htmO9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htmO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dllO10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dllO10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dllO10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dllO10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dllO10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dllO11 - Options group: [iNTERNATIONAL] International*O13 - Gopher Prefix: O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dllO18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLLO18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLLO18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dllO20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dllO23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exeO23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exeO23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exeO23 - Service: IntelĀ® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exeO23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro Oz128 Driver\o2flash.exeO23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exeO23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exeO23 - Service: Raw Socket Service (RS_Service) - Acer Inc. - C:\Program Files\Acer\Acer VCM\RS_Service.exeO23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exeO23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exeO23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exeO23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing) Link to post Share on other sites
jaybb Posted July 16, 2008 Author Report Share Posted July 16, 2008 I did a reverse to the system restore and my anti virus start working again. the same virus appear on the scan, exploit.HTML.Agent.H. Nevertheless, this is the new hijackthis log.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 1:10:12 AM, on 17/7/2008Platform: Windows Vista SP1 (WinNT 6.00.1905)MSIE: Internet Explorer v7.00 (7.00.6001.18000)Boot mode: NormalRunning processes:C:\Windows\system32\taskeng.exeC:\Windows\system32\Dwm.exeC:\Windows\Explorer.EXEC:\Program Files\Windows Defender\MSASCui.exeC:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exeC:\Windows\System32\igfxtray.exeC:\Windows\System32\hkcmd.exeC:\Windows\system32\igfxsrvc.exeC:\Windows\System32\igfxpers.exeC:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exeC:\Windows\RtHDVCpl.exeC:\Users\acer\AppData\Local\Temp\RtkBtMnt.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Acer\Empowering Technology\eAudio\eAudio.exeC:\Program Files\Windows Media Player\wmpnscfg.exeC:\Program Files\Launch Manager\LManager.exeC:\Windows\BR040286.exeC:\Program Files\Winamp\winampa.exeC:\Program Files\Windows Sidebar\sidebar.exeC:\Program Files\Spybot - Search & Destroy\TeaTimer.exeC:\Windows\system32\igfxext.exeC:\Windows\system32\igfxsrvc.exeC:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exeC:\Program Files\Windows Live\Messenger\msnmsgr.exeC:\Program Files\Acer\Acer VCM\AcerVCM.exeC:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exeC:\Windows\system32\wbem\unsecapp.exeC:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXEC:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXEC:\Acer\Empowering Technology\eRecovery\ERAGENT.EXEC:\Program Files\PC Tools AntiVirus\PCTAV.exeC:\Program Files\Synaptics\SynTP\SynTPHelper.exeC:\Program Files\Acer\Acer VCM\acp2HID.exeC:\Program Files\PC Connectivity Solution\Transports\NclIrSrv.exeC:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exeC:\Program Files\Opera\opera.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.sg.acer.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.sg.acer.yahoo.comR0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO1 - Hosts: ::1 localhostO2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - (no file)O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hideO4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exeO4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exeO4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exeO4 - HKLM\..\Run: [skytel] Skytel.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exeO4 - HKLM\..\Run: [bisonInst0402] C:\Windows\BR040286.exeO4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCANO4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRunO4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exeO4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialogO4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytrayO4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /backgroundO4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')O4 - Startup: Orion.lnk = C:\Convesoft\Orion\Messenger.exeO4 - Global Startup: Acer VCM.lnk = ?O4 - Global Startup: Bluetooth.lnk = ?O4 - Global Startup: Empowering Technology Launcher.lnk = ?O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htmO8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htmO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htmO9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htmO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO13 - Gopher Prefix: O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dllO23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exeO23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exeO23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exeO23 - Service: IntelĀ® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exeO23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro Oz128 Driver\o2flash.exeO23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exeO23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exeO23 - Service: Raw Socket Service (RS_Service) - Acer Inc. - C:\Program Files\Acer\Acer VCM\RS_Service.exeO23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exeO23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exeO23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe--End of file - 9067 bytes Link to post Share on other sites
Andro1d Posted July 16, 2008 Report Share Posted July 16, 2008 Hello and Welcome to the forums. I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today. Step 1Please download the OTMoveIt2 by OldTimer. Save it to your desktop. Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):[kill explorer]C:\Users\acer\AppData\Local\Temp\RtkBtMnt.exeC:\Windows\BR040286.exeHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BisonInst0402EmptyTemp[start explorer] Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.Click the red Moveit! button.A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.Close OTMoveIt2If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.Step 2Please download Deckard's System Scanner (DSS) to your desktop.Close all applications and windows.Double-click on dss.exe to run it, and follow the prompts.When the scan is complete, a text file will open - Main.txtCopy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt into your thread.An additional text file, Extra.txt,will also be available (by default) in the following FOLDER, C:\Deckard\System Scanner.Please go to that folder and also copy the contents of Extra.txt to your post as well.Note: Some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Link to post Share on other sites
jaybb Posted July 17, 2008 Author Report Share Posted July 17, 2008 Hi MoNsTeReNeRgY22 , Glad that you will be helping me... thanks!! below are the resultsLog from Step 1Explorer killed successfullyC:\Users\acer\AppData\Local\Temp\RtkBtMnt.exe moved successfully.File move failed. C:\Windows\BR040286.exe scheduled to be moved on reboot.< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BisonInst0402 >Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BisonInst0402\\ not found.< EmptyTemp >File delete failed. C:\Users\acer\AppData\Local\Temp\~DF8E9F.tmp scheduled to be deleted on reboot.File delete failed. C:\Users\acer\AppData\Local\Temp\~DF8EC0.tmp scheduled to be deleted on reboot.File delete failed. C:\Users\acer\AppData\Local\Temp\~DF91D4.tmp scheduled to be deleted on reboot.File delete failed. C:\Users\acer\AppData\Local\Temp\~DF9315.tmp scheduled to be deleted on reboot.Temp folders emptied.IE temp folders emptied.Explorer started successfullyOTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07172008_120923Log from Step 2Deckard's System Scanner v20071014.68Run by acer on 2008-07-17 12:14:22Computer is in Normal Mode.---------------------------------------------------------------------------------- Last 5 Restore Point(s) --35: 2008-07-16 16:47:30 UTC - RP101 - Restore Operation34: 2008-07-16 14:23:04 UTC - RP100 - Restore Operation33: 2008-07-14 10:17:40 UTC - RP99 - Windows Update32: 2008-07-13 09:11:10 UTC - RP98 - Removed Orion31: 2008-07-10 07:48:42 UTC - RP97 - Windows Update-- First Restore Point -- 1: 2008-06-25 05:23:43 UTC - RP63 - Removed Acer Crystal Eye WebcamBacked up registry hives.Performed disk cleanup.-- HijackThis (run as acer.exe) ------------------------------------------------Logfile of Trend Micro HijackThis v2.0.2Scan saved at 12:16:07 PM, on 17/7/2008Platform: Windows Vista SP1 (WinNT 6.00.1905)MSIE: Internet Explorer v7.00 (7.00.6001.18000)Boot mode: NormalRunning processes:C:\Windows\system32\Dwm.exeC:\Windows\system32\taskeng.exeC:\Windows\Explorer.EXEC:\Program Files\Windows Defender\MSASCui.exeC:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exeC:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exeC:\Windows\System32\igfxtray.exeC:\Windows\System32\hkcmd.exeC:\Windows\System32\igfxpers.exeC:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exeC:\Windows\RtHDVCpl.exeC:\Windows\system32\igfxsrvc.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Acer\Empowering Technology\eAudio\eAudio.exeC:\Users\acer\AppData\Local\Temp\RtkBtMnt.exeC:\Program Files\Launch Manager\LManager.exeC:\Windows\BR040286.exeC:\Program Files\Winamp\winampa.exeC:\Program Files\PC Tools AntiVirus\PCTAV.exeC:\Windows\system32\wbem\unsecapp.exeC:\Program Files\Windows Sidebar\sidebar.exeC:\Program Files\Spybot - Search & Destroy\TeaTimer.exeC:\Windows\system32\igfxext.exeC:\Windows\system32\igfxsrvc.exeC:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exeC:\Program Files\Windows Live\Messenger\msnmsgr.exeC:\Program Files\Acer\Acer VCM\AcerVCM.exeC:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exeC:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXEC:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXEC:\Acer\Empowering Technology\eRecovery\ERAGENT.EXEC:\Program Files\Acer\Acer VCM\acp2HID.exeC:\Program Files\PC Connectivity Solution\Transports\NclIrSrv.exeC:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exeC:\Program Files\Windows Media Player\wmpnscfg.exeC:\Program Files\Synaptics\SynTP\SynTPHelper.exeC:\Users\acer\Desktop\dss.exeC:\Windows\system32\DllHost.exeC:\PROGRA~1\TRENDM~1\HIJACK~1\acer.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.sg.acer.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.sg.acer.yahoo.comR0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO1 - Hosts: ::1 localhostO2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - (no file)O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hideO4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exeO4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exeO4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exeO4 - HKLM\..\Run: [skytel] Skytel.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exeO4 - HKLM\..\Run: [bisonInst0402] C:\Windows\BR040286.exeO4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCANO4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRunO4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exeO4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialogO4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytrayO4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /backgroundO4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')O4 - Startup: Orion.lnk = C:\Convesoft\Orion\Messenger.exeO4 - Global Startup: Acer VCM.lnk = ?O4 - Global Startup: Bluetooth.lnk = ?O4 - Global Startup: Empowering Technology Launcher.lnk = ?O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htmO8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htmO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htmO9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htmO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO13 - Gopher Prefix: O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dllO23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exeO23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exeO23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exeO23 - Service: IntelĀ® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeO23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exeO23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exeO23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro Oz128 Driver\o2flash.exeO23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exeO23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exeO23 - Service: Raw Socket Service (RS_Service) - Acer Inc. - C:\Program Files\Acer\Acer VCM\RS_Service.exeO23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exeO23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exeO23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe--End of file - 9138 bytes-- File Associations -----------------------------------------------------------All associations okay.-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------R2 eRecoveryService (eRecovery Service) - c:\acer\empowering technology\erecovery\erecoveryservice.exe <Not Verified; Acer Inc.; eRecoveryService>R2 eSettingsService (eSettings Service) - c:\acer\empowering technology\esettings\service\capuserv.exe <Not Verified; ; Service>R2 MobilityService - c:\acer\mobility center\mobilityservice.exe -p <Not Verified; ; app>R2 o2flash (O2Micro Flash Memory Card Service) - "c:\program files\o2micro oz128 driver\o2flash.exe" <Not Verified; O2Micro International; O2 MS1/MP1 Service>R2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>R2 RS_Service (Raw Socket Service) - c:\program files\acer\acer vcm\rs_service.exe <Not Verified; Acer Inc.; Acer Video Conference Manager>R2 WMIService (ePower Service) - c:\acer\empowering technology\epower\epowersvc.exe <Not Verified; acer; Acer ePower Management>R3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>-- Device Manager: Disabled ----------------------------------------------------Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}Description: Microsoft ISATAP AdapterDevice ID: ROOT\*ISATAP000Manufacturer: MicrosoftName: Microsoft ISATAP AdapterPNP Device ID: ROOT\*ISATAP000Service: tunnel-- Scheduled Tasks -------------------------------------------------------------2008-07-16 15:35:32 416 --ah----- C:\Windows\Tasks\User_Feed_Synchronization-{52E9A177-A590-4754-A459-8C7D81B46D56}.job-- Files created between 2008-06-17 and 2008-07-17 -----------------------------2008-07-17 00:57:05 0 d-------- C:\Program Files\Trend Micro2008-07-08 11:12:01 0 d-------- C:\Users\All Users\Yahoo! Companion2008-07-07 20:50:51 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller2008-07-07 20:50:43 0 d-------- C:\Program Files\Windows Live2008-07-07 20:50:18 0 d-------- C:\Users\All Users\WLInstaller2008-07-03 15:39:43 0 d-------- C:\Program Files\EA SPORTS2008-07-01 17:28:35 0 d-------- C:\Program Files\Common Files\PX Storage Engine2008-07-01 17:28:31 0 d-------- C:\Program Files\DivX2008-07-01 17:06:37 0 d-------- C:\SISSigner2008-07-01 16:58:21 0 d-------- C:\Users\All Users\PC Suite2008-07-01 16:57:41 0 d-------- C:\Program Files\Common Files\PCSuite2008-07-01 16:57:40 0 d-------- C:\Program Files\Common Files\Nokia2008-07-01 16:57:33 0 d-------- C:\Program Files\DIFX2008-07-01 16:57:06 0 d------c- C:\Windows\system32\DRVSTORE2008-07-01 16:56:54 0 d-------- C:\Program Files\PC Connectivity Solution2008-07-01 16:55:54 0 d-------- C:\Program Files\Nokia2008-07-01 16:55:21 0 d-------- C:\Users\All Users\Installations2008-07-01 11:44:59 0 d-------- C:\Program Files\MSECache2008-07-01 11:44:01 0 d-------- C:\Program Files\Java2008-07-01 11:44:00 0 d-------- C:\Program Files\Common Files\Java2008-07-01 11:40:53 0 d-------- C:\Users\All Users\Spybot - Search & Destroy2008-07-01 11:39:41 0 d-------- C:\Program Files\Softland2008-07-01 11:27:56 0 d-a------ C:\Users\All Users\TEMP2008-07-01 11:27:39 0 d-------- C:\Program Files\Common Files\PC Tools2008-07-01 11:27:35 0 d-------- C:\Users\All Users\PC Tools2008-07-01 11:27:35 0 d-------- C:\Program Files\PC Tools AntiVirus2008-07-01 11:27:07 0 d-------- C:\Program Files\CCleaner2008-07-01 11:21:47 0 d-------- C:\Program Files\Common Files\L&H2008-07-01 11:21:09 0 d-------- C:\Program Files\Microsoft ActiveSync2008-07-01 11:19:53 0 d-------- C:\Windows\PCHEALTH2008-07-01 11:19:53 0 d-------- C:\Program Files\Microsoft.NET2008-07-01 00:19:57 0 d-------- C:\Program Files\Winamp2008-06-30 23:38:15 0 d-------- C:\Program Files\Opera2008-06-30 23:26:44 0 d-------- C:\Users\All Users\Motive2008-06-25 13:41:46 0 d-------- C:\Windows\BUVC_AP2008-06-25 13:28:07 0 d-------- C:\Windows\BisonC072008-06-25 13:27:30 0 d-------- C:\Windows\Options2008-06-25 13:27:30 53248 --a------ C:\Windows\BR040286.exe <Not Verified; Bison Inc.; Bison Inc. Pcam>2008-06-25 13:27:30 57856 --a------ C:\Windows\BR040264.exe <Not Verified; Bison Inc.; Bison Inc. Pcam>-- Find3M Report ---------------------------------------------------------------2008-07-17 12:11:02 12 --a------ C:\Windows\bthservsdp.dat2008-07-16 20:30:58 0 d-------- C:\Program Files\Launch Manager2008-07-10 15:55:12 0 d-------- C:\Program Files\Windows Mail2008-07-07 20:50:51 0 d-------- C:\Program Files\Common Files2008-07-03 20:29:13 0 d-------- C:\Users\acer\AppData\Roaming\temp2008-07-03 15:49:52 0 dr-h----- C:\Users\acer\AppData\Roaming\SecuROM2008-07-02 12:16:58 0 d--hs---- C:\Users\acer\AppData\Roaming\.#2008-07-01 17:00:45 0 d-------- C:\Users\acer\AppData\Roaming\PC Suite2008-07-01 17:00:30 0 d-------- C:\Users\acer\AppData\Roaming\Nokia2008-07-01 16:44:44 0 d-------- C:\Users\acer\AppData\Roaming\Adobe2008-07-01 11:38:43 0 d-------- C:\Program Files\Microsoft Works2008-07-01 11:27:56 0 d-------- C:\Users\acer\AppData\Roaming\PC Tools2008-07-01 11:27:12 0 d-------- C:\Program Files\Yahoo!2008-07-01 00:21:36 0 d-------- C:\Users\acer\AppData\Roaming\Winamp2008-06-30 23:38:24 0 d-------- C:\Users\acer\AppData\Roaming\Opera2008-06-25 13:41:46 0 d--h----- C:\Program Files\InstallShield Installation Information2008-06-25 13:24:12 0 d-------- C:\Users\acer\AppData\Roaming\InstallShield2008-06-06 16:14:59 0 d-------- C:\Users\acer\AppData\Roaming\CyberLink2008-06-06 15:14:07 0 -rahs---- C:\MSDOS.SYS2008-06-06 15:14:07 0 -rahs---- C:\IO.SYS2008-06-06 15:06:57 0 d-------- C:\Program Files\MSXML 4.02008-06-06 15:04:20 0 d-------- C:\Program Files\Acer Inc2008-06-06 14:50:52 0 d-------- C:\Program Files\Common Files\InstallShield2008-06-06 14:50:10 0 d-------- C:\Users\acer\AppData\Roaming\Acer2008-06-06 14:49:58 0 d-------- C:\Program Files\Acer2008-06-06 14:41:14 0 d-------- C:\Program Files\O2Micro Oz128 Driver2008-06-06 14:40:30 0 d-------- C:\Program Files\Synaptics2008-06-06 14:38:08 0 d-------- C:\Program Files\Realtek2008-06-06 14:38:07 315392 --a------ C:\Windows\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>2008-06-06 14:30:28 0 d-------- C:\Program Files\Acer Arcade Deluxe2008-06-06 14:25:58 0 d-------- C:\Program Files\WIDCOMM2008-06-06 14:25:00 0 d-------- C:\Users\acer\AppData\Roaming\Macromedia2008-06-06 14:24:04 0 d-------- C:\Users\acer\AppData\Roaming\Identities-- Registry Dump ---------------------------------------------------------------*Note* empty entries & legit default entries are not shown[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [21/01/2008 10:23 AM]"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [04/10/2007 06:44 AM]"Adobe Reader Speed Launcher"="c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [08/03/2007 07:38 PM]"IgfxTray"="C:\Windows\system32\igfxtray.exe" [29/08/2007 04:43 AM]"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [29/08/2007 04:43 AM]"Persistence"="C:\Windows\system32\igfxpers.exe" [29/08/2007 04:43 AM]"PlayMovie"="C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [22/01/2008 11:14 AM]"RtHDVCpl"="RtHDVCpl.exe" [08/01/2008 08:25 AM C:\Windows\RtHDVCpl.exe]"Skytel"="Skytel.exe" [21/11/2007 10:15 AM C:\Windows\SkyTel.exe]"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [19/01/2008 03:31 AM]"eAudio"="C:\Acer\Empowering Technology\eAudio\eAudio.exe" [10/10/2007 06:41 AM]"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [08/01/2008 08:32 AM]"eRecoveryService"="" []"BisonInst0402"="C:\Windows\BR040286.exe" [08/05/2007 08:48 PM]"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [02/04/2008 02:49 AM]"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [05/03/2008 09:37 AM][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [21/01/2008 10:23 AM]"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43 AM]"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" [26/03/2008 06:41 PM]"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [16/04/2008 12:53 PM]"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34 AM][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"ConsentPromptBehaviorAdmin"=2 (0x2)"EnableUIADesktopToggle"=0 (0x0)[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]@="Service"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]@="Driver"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]@="Driver"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]@="Volume shadow copy"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]@="IEEE 1394 Bus host controllers"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]@="SBP2 IEEE 1394 Devices"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]@="SecurityDevices"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvcLocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnumbthsvcs BthServ[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]C:\Windows\system32\unregmp2.exe /ShowWMP[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI-- End of Deckard's System Scanner: finished at 2008-07-17 12:17:19 ------------ Link to post Share on other sites
Andro1d Posted July 17, 2008 Report Share Posted July 17, 2008 Hello again,Please download Malwarebytes' Anti-Malware from Here or HereDouble Click mbam-setup.exe to install the application.Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.If an update is found, it will download and install the latest version.Once the program has loaded, select "Perform Full Scan", then click Scan.The scan may take some time to finish,so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked, and click Remove Selected.When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Copy&Paste the entire report in your next reply.Extra Note:If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly. Link to post Share on other sites
jaybb Posted July 17, 2008 Author Report Share Posted July 17, 2008 The scan shows that there is no malicious items detected, is the virus cleared?? Below is the report. Malwarebytes' Anti-Malware 1.20Database version: 960Windows 6.0.6001 Service Pack 12:14:54 PM 17/7/2008mbam-log-7-17-2008 (14-14-54).txtScan type: Full Scan (C:\|D:\|E:\|)Objects scanned: 131992Time elapsed: 15 minute(s), 41 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites
Andro1d Posted July 19, 2008 Report Share Posted July 19, 2008 Nice job your log looks clean!Please use the following suggestions to help prevent reinfection.Also, you may delete any tools I had you download during the cleaning process.Reset System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. You will lose all previous Restore Points which are likely to be infected. Now we need to make a new Restore Point for your PC, please do the following:Click StartRight click My Computer and select PropertiesClick the System Restore tabCheck "Turn off System Restore" and click "Apply". It will then ask you if you want to turn off System Restore, select YesPlease give a moment as it will delete the old Restore pointsThen uncheck "Turn off System Restore" which will create a new Restore pointClick OKThe following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again. As a note, all of the tools and utilities mentioned are either free or have free versions available.SpywareBlaster - Great prevention tool to keep malware from installing on your system.**Tutorial on installing & using this product can be found HERE**SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.**Tutorial on installing & using this product can be found HERE**IE-SpyAd - Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.**Tutorial on installing & using this product can be found HERE**ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out malware that like to reside in the temp folders.Firewall A firewall is very important, in order to protect your computer from hackers. I notice that you don't have one installed! Therefore I recommend Comodo, Online Armor, or Outpost.**Tutorial on Firewalls can be found HERE**It is important to run only one of each type of protection program in resident mode at a time since conflicts can make them less effective. This would mean only one resident antivirus, firewall and scanning type of anti-spyware. Programs like SpywareBlaster and IE-Spyads do not conflict with any of these since they don't have a real time scanning engine that would conflict.Windows Updates - It is highly recommended to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.It is also highly recommended to stay on top of your updates at all times, for Windows and all the above mentioned applications. This will ensure that you stay protected at the maximum level possible.Finally, I strongly recommend How did I get infected in the first place? (by Tony Klein)Good luck and safe surfing Link to post Share on other sites
jaybb Posted July 20, 2008 Author Report Share Posted July 20, 2008 Thanks Buddy... Appreciate all the help!!! Link to post Share on other sites
Andro1d Posted July 20, 2008 Report Share Posted July 20, 2008 Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic. Link to post Share on other sites
Recommended Posts