
FAKEAV.SM2 not found by NOD32, not removed completely by HouseCall

Discussion in 'Virus & Other Malware Removal' started by sunny2026, Jan 2, 2011.

Thread Status:
Not open for further replies.
  1. sunny2026

    sunny2026 Thread Starter

    Joined:
    Jan 2, 2011
    Messages:
    2
    Hello,

    I am in need of your assistance, please! Hopefully before I have to call my boss tomorrow and tell him I cannot access our online company software to run my on-site repair calls tomorrow. :(

    SYSTEM: Windows XP HOME, SP3, Acer Aspire One 1 GB Netbook
    Limited info on internet about this threat, I suspect it is one of those "between updates" releases?

    I cannot get to the internet, except via the Administrator account via safe mode with networking...but at least I have THAT ability.

    NOD32 was up-to-date at the time of the infection last night.
    Windows was also up-to-date as of Friday.

    NOD32 noticed a virus last night and flagged me that a website I clicked on during a search could harm my computer, but it let the bug get me anyway.

    Overnight scan in safe mode (9 hours) under admin found nothing according to NOD32.
    Microsoft Malicious Software Tool (December version, January not out yet) found nothing.

    Trend Micro House Call found FAKEAV.SM2 masquerading as jh1.exe in Local Settings/Temp and
    jxhia.exe and jxhib.exe in Windows/ while in Administrator account Safe Mode with Networking, and deleted them. However, when I log into my own profile, even under Safe Mode, the virus is still there.
    Restarting or cold-booting the computer, even with my internet router unplugged, puts jh1.exe back in, and House Call again finds it and removes it again in Admin safe mode.

    House Call will NOT run in my profile under Safe Mode with networking at all, because it requires internet access, and I cannot get to the internet under my own profile via Safe Mode with Networking.

    HijackThis will not run in normal mode...as soon as it opens, it is shut down by the virus. Same thing with DDS and GMER (even renamed); in fact the virus states that each program I try to run is "infected" and cannot start (when in normal mode).

    There is a system checkpoint under System Restore for 7:30 am yesterday morning (prior to the infection), if the clock is correct. I am hesitant to run it, because I have been told this approach often does not remove viruses and can make matters worse if it is a rootkit. Not sure I can get it to run with these other issues in the way.

    The only logs I am able to get are while running in safe mode, and GMER says it won't find anything if run in safe mode and an RK isn't running there.

    I suspect a rootkit, but TrendMicro Rootkit Buster cannot run even in admin mode because TMCOMM services either failed to start or are disabled. Not sure if that is because I use XP HOME which I have been told does not have networking, or if there is something else going on.

    My HIJACKTHIS logs for Admin safe mode and my own profile in safe mode are different sizes, and I have found some of the different lines, but not sure how to go about deleting (?) the lines I found.

    ** I do not know how to back up the registry**

    These are the lines in HijackThis that I THINK are the important ones under my personal profile.
    (only ctfmon.exe is the same HKCU in both files, and Sansa, Cute Reminder and Yahoo are legitimate)
    But I suspect my problem is with the 3 programs in the TEMP area that House Call is not removing and NOD can't find: Jh0.exe, Jh1.exe, and the garbled name (no clue what mgcibijb is either).

    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [CuteReminder] C:\Program Files\CuteReminder\CuteReminder.exe
    O4 - HKCU\..\Run: [JCFSE7V7Z1] C:\DOCUME~1\Crystal\LOCALS~1\Temp\Jh0.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\Crystal\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
    O4 - HKCU\..\Run: [JP595IR86O] C:\DOCUME~1\Crystal\LOCALS~1\Temp\Jh1.exe
    O4 - HKCU\..\Run: [mgcibijb] C:\DOCUME~1\Crystal\LOCALS~1\Temp\frvldmqtt\jngubwflajb.exe

    Full HIJACKTHIS log for my problem profile is this:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 3:34:47 PM, on 1/2/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17093)
    Boot mode: Safe mode with network support
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.exe
    C:\Documents and Settings\Crystal\Desktop\av tools\av tools\hijackthis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0409&m=aspire_one
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.matchdoctor.com/profile_videonaut_friend.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0409&m=aspire_one
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0409&m=aspire_one
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8074
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
    O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: eSnipBHO - {B530A9A4-1722-4D16-AAD6-AA85E3AD2ADE} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\Drivers\AzMixerSel.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
    O4 - HKLM\..\Run: [CarboniteSetupLite] "C:\Program Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [PLFSetL] C:\WINDOWS\PLFSetL.exe
    O4 - HKLM\..\Run: [snp2uvc] rundll32.exe C:\WINDOWS\system32\csnp2uvc.dll,ResetCIDS
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [TrayServer] C:\Program Files\MAGIX\Movie_Edit_Pro_12\TrayServer.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [Habits] C:\Program Files\Positive Habits Application\Habits.exe
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [CuteReminder] C:\Program Files\CuteReminder\CuteReminder.exe
    O4 - HKCU\..\Run: [JCFSE7V7Z1] C:\DOCUME~1\Crystal\LOCALS~1\Temp\Jh0.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\Crystal\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
    O4 - HKCU\..\Run: [JP595IR86O] C:\DOCUME~1\Crystal\LOCALS~1\Temp\Jh1.exe
    O4 - HKCU\..\Run: [mgcibijb] C:\DOCUME~1\Crystal\LOCALS~1\Temp\frvldmqtt\jngubwflajb.exe
    O4 - Startup: Seagate Product Registration.lnk = C:\Documents and Settings\Crystal\Application Data\Leadertech\PowerRegister\Seagate Product Registration.exe
    O4 - Global Startup: Acer VCM.lnk = ?
    O8 - Extra context menu item: Download with mediAvatar YouTube Video Converter - C:\Program Files\mediAvatar\YouTube Video Converter\upod_link.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
    O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Program Files\ICQ7.2\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ7.2 - {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - C:\Program Files\ICQ7.2\ICQ.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.xpert.adecco.com
    O15 - Trusted Zone: http://www.screencast.com
    O15 - Trusted Zone: www.smartech-csi.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.32,93.188.160.102
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.164.32,93.188.160.102
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.32,93.188.160.102
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\Skype4com.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate1c9e101954ae32) (gupdate1c9e101954ae32) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Raw Socket Service (RS_Service) - Acer Incorporated - C:\Program Files\Acer\Acer VCM\RS_Service.exe
    O23 - Service: SlingAgentService - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
    O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    --
    End of file - 10843 bytes


    DDS.txt is this:


    DDS (Ver_10-12-12.02) - NTFSx86 NETWORK
    Run by Crystal at 15:37:43.59 on Sun 01/02/2011
    Internet Explorer: 7.0.5730.13
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.770 [GMT -6:00]
    AV: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    ============== Running Processes ===============
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.exe
    C:\Documents and Settings\Crystal\Desktop\av tools\av tools\dds.scr
    ============== Pseudo HJT Report ===============
    uStart Page = hxxp://www.matchdoctor.com/profile_videonaut_friend.html
    uSearch Page =
    uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0409&m=aspire_one
    uSearch Bar =
    mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0409&m=aspire_one
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0409&m=aspire_one
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:8074
    mSearchAssistant =
    mWinlogon: Shell=Explorer.exe c:\windows\config\csrss.exe
    BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagItBHO.dll
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: {B530A9A4-1722-4D16-AAD6-AA85E3AD2ADE} - No File
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagItIEAddin.dll
    TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
    uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [CuteReminder] c:\program files\cutereminder\CuteReminder.exe
    uRun: [JCFSE7V7Z1] c:\docume~1\crystal\locals~1\temp\Jh0.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [SansaDispatch] c:\documents and settings\crystal\application data\sandisk\sansa updater\SansaDispatch.exe
    uRun: [JP595IR86O] c:\docume~1\crystal\locals~1\temp\Jh1.exe
    uRun: [mgcibijb] c:\docume~1\crystal\locals~1\temp\frvldmqtt\jngubwflajb.exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [LManager] c:\progra~1\launch~1\LManager.exe
    mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [PLFSetL] c:\windows\PLFSetL.exe
    mRun: [snp2uvc] rundll32.exe c:\windows\system32\csnp2uvc.dll,ResetCIDS
    mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
    mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd.exe"
    mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [TrayServer] c:\program files\magix\movie_edit_pro_12\TrayServer.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Habits] c:\program files\positive habits application\Habits.exe
    StartupFolder: c:\docume~1\crystal\startm~1\programs\startup\seagat~1.lnk - c:\documents and settings\crystal\application data\leadertech\powerregister\Seagate Product Registration.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acervc~1.lnk - c:\program files\acer\acer vcm\AcerVCM.exe
    mPolicies-system: EnableLUA = 0 (0x0)
    IE: Download with mediAvatar YouTube Video Converter - c:\program files\mediavatar\youtube video converter\upod_link.HTM
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {72EFBFE4-C74F-4187-AEFD-73EA3BE968D6} - c:\program files\icq7.2\ICQ.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    Trusted Zone: adecco.com\*.xpert
    Trusted Zone: screencast.com\www
    Trusted Zone: smartech-csi.com\www
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    TCP: NameServer = 93.188.164.32,93.188.160.102
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\windows\system32\Skype4com.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    ================= FIREFOX ===================
    FF - ProfilePath - c:\docume~1\crystal\applic~1\mozilla\firefox\profiles\ytqp3irh.default\
    FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Google Gears: {000a9d1c-beef-4f90-9363-039d445309b8} - c:\program files\google\google gears\Firefox
    FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    ============= SERVICES / DRIVERS ===============
    R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-2-6 93336]
    S1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-6 106208]
    S2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-2-6 727720]
    S2 gupdate1c9e101954ae32;Google Update Service (gupdate1c9e101954ae32);c:\program files\google\update\GoogleUpdate.exe [2009-5-30 133104]
    S2 RS_Service;Raw Socket Service;c:\program files\acer\acer vcm\RS_Service.exe [2009-1-16 237568]
    S2 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2009-4-27 93960]
    S2 SSHNAS;SSHNAS;c:\windows\system32\svchost.exe -k netsvcs [2009-1-16 14336]
    S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2009-4-12 1527900]
    S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-10-19 16968]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
    S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-1-16 160256]
    S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
    S3 UPnPService;UPnPService;c:\program files\common files\magix shared\upnpservice\UPnPService.exe [2009-4-12 544768]
    S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2011-1-1 25704]
    S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2011-1-1 25704]
    S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2011-1-1 25704]
    S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2011-1-1 25704]
    S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2011-1-1 25704]
    =============== Created Last 30 ================
    2011-01-02 13:59:50 102400 ----a-w- c:\windows\RegBootClean.exe
    2011-01-02 13:33:34 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2011-01-02 04:56:30 297472 ----a-w- c:\windows\system32\sshnas21.dll
    2011-01-02 04:28:22 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(5).sys
    2011-01-02 04:28:02 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(4).sys
    2011-01-02 04:27:43 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(3).sys
    2011-01-02 04:27:24 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(2).sys
    2011-01-02 04:26:50 25704 ----a-w- c:\windows\system32\drivers\WsAudio_DeviceS(1).sys
    2010-12-26 23:23:11 -------- d-----w- c:\program files\Positive Habits Application
    2010-12-18 17:15:37 -------- d-----w- c:\docume~1\crystal\applic~1\SanDisk
    2010-12-17 01:19:41 -------- d-----w- c:\docume~1\crystal\locals~1\applic~1\Thunderbird
    2010-12-15 22:03:15 -------- d-----w- c:\program files\Windows Media Connect 2
    2010-12-11 11:36:25 -------- d-----w- c:\program files\Digital Physiognomy
    ==================== Find3M ====================
    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-06 00:34:12 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:34:11 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-11-06 00:34:11 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-11-06 00:34:11 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-11-03 12:25:53 389120 ----a-w- c:\windows\system32\html.iec
    2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
    2010-08-05 22:56:58 7474910 ----a-w- c:\program files\NatureIllusionStudioStandardEdition.exe
    2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
    2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
    2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
    ============= FINISH: 15:39:21.26 ===============

    My attach.txt is, uh, attached... :)

    I have a lot of GiveAway Of The Day programs installed, so even though just reloading my Acer OS with one button would be the easiest way to blow it all away, I would lose an awful lot of legally free programs, and over 200 filters/folders in my Outlook Express mail. :(

    Thank you for your help on this holiday weekend.
    You do a great service for us!

    Sincerely,
    Sunny
     

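As an added triage example (not from the poster, Tech Support Guy, or Trend Micro): the Python script below reads HijackThis lines like the ones quoted in this post and flags the four patterns that account for the symptoms described: HKCU Run entries launching executables from the user's Temp directory, the system.ini `Shell=` line carrying a second executable after Explorer.exe, the loopback `ProxyServer` setting (which is why the profile cannot reach the internet), and the replaced `NameServer` entries. The sample lines are copied from the log above; the rule names, the `triage()` function and its `expected_dns` parameter are assumptions of this example.

```python
"""Flag persistence and hijack indicators in HijackThis-style log lines."""
import re
from collections import Counter

# Constructed sample: a subset of the lines from the poster's HijackThis log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8074
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\csrss.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [JCFSE7V7Z1] C:\DOCUME~1\Crystal\LOCALS~1\Temp\Jh0.exe
O4 - HKCU\..\Run: [JP595IR86O] C:\DOCUME~1\Crystal\LOCALS~1\Temp\Jh1.exe
O4 - HKCU\..\Run: [mgcibijb] C:\DOCUME~1\Crystal\LOCALS~1\Temp\frvldmqtt\jngubwflajb.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.32,93.188.160.102
"""

# O4 Run entries: hive, value name in brackets, command line.
RUN_LINE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Any path component named "Temp" (covers LOCALS~1\Temp and Local Settings\Temp).
TEMP_PATH = re.compile(r"\\temp\\", re.I)
# F2 system.ini Shell= line; only "Explorer.exe" is expected there.
SHELL_LINE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.+)$", re.I)
# R1 ProxyServer setting.
PROXY_LINE = re.compile(r"ProxyServer = (?P<value>.+)$")
# O17 NameServer overrides.
DNS_LINE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)$")


def triage(log_text, expected_dns=()):
    """Return (rule, hive, name, detail) tuples for every suspicious line.

    expected_dns: resolver addresses the operator knows are legitimate
    (assumed parameter); anything else in an O17 line is reported.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = RUN_LINE.match(line)
        if m:
            # Autostart entries pointing into a Temp directory are rarely legitimate.
            if TEMP_PATH.search(m["cmd"]):
                findings.append(("run_from_temp", m["hive"], m["name"], m["cmd"]))
            continue

        m = SHELL_LINE.match(line)
        if m:
            extra = [t for t in m["value"].split() if t.lower() != "explorer.exe"]
            if extra:
                findings.append(("shell_hijack", "HKLM", "Shell", " ".join(extra)))
            continue

        m = PROXY_LINE.search(line)
        if m and re.search(r"127\.0\.0\.1|localhost", m["value"], re.I):
            # A loopback proxy silently routes all browser traffic through a local process.
            findings.append(("local_proxy", "HKCU", "ProxyServer", m["value"]))
            continue

        m = DNS_LINE.match(line)
        if m:
            unexpected = [s for s in m["servers"].split(",") if s not in expected_dns]
            if unexpected:
                findings.append(("dns_override", "HKLM", "NameServer", ",".join(unexpected)))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'run_from_temp': 3, ...}."""
    return dict(Counter(rule for rule, _, _, _ in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for rule, hive, name, detail in results:
        print(f"{rule:14} {hive:5} {name:12} {detail}")
    print(summarize(results))
```

Running the script against the sample lines reports three `run_from_temp` entries (the two Jh*.exe values and the random-name entry), one `shell_hijack`, one `local_proxy` and one `dns_override`; passing the two 93.188.x.x addresses in `expected_dns` would suppress only the last of these. The same loop can be pointed at a full log file to narrow which lines deserve a closer look before anything is changed in the registry.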

  2. sunny2026

    sunny2026 Thread Starter

    Joined:
    Jan 2, 2011
    Messages:
    2
    I found this virus mentioned on Trend Micro, but their solution did not match anything in my system registry.

    I do not know what the fix actually was, only that a friend took my computer and said he spent the day running a lot of scans with various programs in safe mode, in Admin, then in my profile in safe mode, and finally in my normal mode account, and then repeated the process to make sure everything was caught.

    He said there were several rootkit agents, droppers, trojans, downloaders, fake alerts, and I am upset that NOD32 let me down. A friend of mine uses it, and he goes on torrent sites and sites filled with viruses, and says his computer is clean (he ran a few programs to see if what happened to me also happened to him), and me, who does not go to sites like that, gets hit on an innocent search engine link.

    Not sure how Nod messed me up, but it sure let a lot of cr*p in... 21 infected files! Not good.

    Oh, well, I am fixed... thanks.
     

Short URL to this thread: https://techguy.org/972250
