1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

It must be a virus right?

Discussion in 'Virus & Other Malware Removal' started by maggie88ca, Dec 19, 2011.

Thread Status:
Not open for further replies.
Advertisement
  1. maggie88ca

    maggie88ca Thread Starter

    Joined:
    Nov 19, 2006
    Messages:
    160
    I'll try to describe the problem as best I can and hope someone can help me find a solution. About a week ago I noticed that I can no longer use my desktop's built in 5 in-one card reader. When I put a memory card in it does nothing and when I check my computer it no longer shows drive letters for those slots. After I noticed this I tried to do a system restore but thats when I noticed that doesn't work either. When I go to access system restore I get an error message similar to

    C:\windows\system32\rstrui.exe is not a valid win32 application

    When I reboot in safe mode system restore works but it only lists restore points with dates in the last 10 days which is about when the problems started.

    Any help would be greatly appreciated.

    Thanks in advance.
     
  2. maggie88ca

    maggie88ca Thread Starter

    Joined:
    Nov 19, 2006
    Messages:
    160
    Here is my HJT log...


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:27:32 AM, on 19/12/2011
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.19170)
    Boot mode: Normal

    Running processes:
    C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    C:\Acer\Empowering Technology\SysMonitor.exe
    C:\Windows\System32\wpcumi.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\ehome\ehmsas.exe
    C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2guard.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.ca.acer.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\IPS\IPSBHO.DLL
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\coIEPlg.dll
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
    O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode
    O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Acer\Empowering Technology\SysMonitor.exe
    O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-18\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O16 - DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} (Cisco Systems WebVPN Relay Loader) - https://mytdsb.on.ca/+CSCOL+/relayp.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - http://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
    O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} (Java Plug-in 1.6.0_15) -
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-ca.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
    O23 - Service: Emsisoft Anti-Malware 6.0 - Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\Emsisoft Anti-Malware\a2service.exe
    O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
    O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
    O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: IntelDHSvcConf - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
    O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
    O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
    O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
    O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
    O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

    --
    End of file - 9251 bytes
     
  3. maggie88ca

    maggie88ca Thread Starter

    Joined:
    Nov 19, 2006
    Messages:
    160
    bump

    Any help would be greatly appreciated.

    Thanks.
     
  4. maggie88ca

    maggie88ca Thread Starter

    Joined:
    Nov 19, 2006
    Messages:
    160
    Sorry to bump again its been 2 days can someone take a look at the HJT log or point in the right direction.

    Thanks.
     
  5. maggie88ca

    maggie88ca Thread Starter

    Joined:
    Nov 19, 2006
    Messages:
    160
    Can anyone offer any help?
     
  6. Larusso

    Larusso

    Joined:
    Aug 9, 2011
    Messages:
    808
    Hy
    my name is Daniel and I will be assisting you with your Malware related problems.

    Before we move on, please read the following points carefully.
    • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
    • Perform everything in the correct order. Sometimes one step requires the previous one.
    • If you have any problems while you are following my instructions, Stop there and tell me the exact nature of your problem.
    • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
    • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
    • If I don't hear from you within 3 days from this initial or any subsequent post, I will have to unsubscribe from this thread and move on to assist someone else.
    • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
    • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.



    [​IMG]
    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double click dds to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop.
    Please post both in your next reply




    Please download Gmer from here and save it to your Desktop.
    • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


      [​IMG]
      Click the image to enlarge it


    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries



    Please post in your next reply
    dds.txt
    attach.txt
    ark.txt
     
  7. maggie88ca

    maggie88ca Thread Starter

    Joined:
    Nov 19, 2006
    Messages:
    160
    Hi Daniel thanks very much for your help here are the scan results.


    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1206000.01d\symds.sys [2011-5-2 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1206000.01d\symefa.sys [2011-5-2 744568]
    R1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files\emsisoft anti-malware\a2ddax86.sys [2011-10-7 17904]
    R1 a2injectiondriver;a2injectiondriver;c:\program files\emsisoft anti-malware\a2dix86.sys [2011-10-7 34768]
    R1 a2util;a-squared Malware-IDS utility driver;c:\program files\emsisoft anti-malware\a2util32.sys [2011-10-7 11776]
    R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20111221.003\BHDrvx86.sys [2011-12-21 819320]
    R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20111228.001\IDSvix86.sys [2011-12-28 368248]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1206000.01d\ironx86.sys [2011-5-2 136312]
    R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1206000.01d\symtdiv.sys [2011-5-2 331384]
    R2 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2011-10-7 2998832]
    R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
    R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-10-29 208896]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-4-30 21504]
    R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.6.0.29\ccsvchst.exe [2011-5-2 130008]
    R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\drivers\nmsgopro.sys [2006-9-27 28672]
    R2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2006-10-19 7424]
    R3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2011-10-7 51632]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-11-9 106104]
    R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2007-9-18 5504]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 IntelDHSvcConf;IntelDHSvcConf;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-11-18 36312]
    S3 MCLServiceATL;Intel(R) Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-11-18 174552]
    S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2007-9-18 80744]
    .
    =============== Created Last 30 ================
    .
    2011-12-22 02:15:42 -------- d-----w- c:\program files\common files\Windows Live
    2011-12-19 14:27:00 388096 ----a-r- c:\users\ken\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-12-18 19:04:09 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-12-18 19:04:09 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-12-18 19:04:06 429056 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-18 19:04:04 2043904 ----a-w- c:\windows\system32\win32k.sys
    2011-12-18 19:04:02 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    2011-12-18 19:03:26 49152 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-18 19:03:06 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-09 17:00:03 -------- d-----w- c:\users\ken\appdata\roaming\EurekaLog
    2011-12-05 23:03:33 -------- d-----w- c:\programdata\regid.1986-12.com.adobe
    .
    ==================== Find3M ====================
    .
    2011-12-22 07:19:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-11-25 16:47:27 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-03 06:22:04 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-03 06:17:38 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-11-03 06:17:23 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-11-03 06:17:08 71680 ----a-w- c:\windows\system32\iesetup.dll
    2011-11-03 06:17:08 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2011-11-03 05:22:43 385024 ----a-w- c:\windows\system32\html.iec
    2011-11-03 04:45:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-11-03 04:43:59 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    .
    ============= FINISH: 11:47:23.65 ===============








    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista&#8482; Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 18/09/2007 6:05:04 PM
    System Uptime: 29/12/2011 10:51:55 AM (25 hours ago)
    .
    Motherboard: Acer | | FG965M
    Processor: Intel(R) Core(TM)2 Quad CPU @ 2.40GHz | Socket 775 |

    2400/266mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 228 GiB total, 53.951 GiB free.
    D: is FIXED (NTFS) - 228 GiB total, 52.664 GiB free.
    E: is CDROM ()
    K: is FIXED (NTFS) - 932 GiB total, 417.302 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft 6to4 Adapter
    Device ID: ROOT\*6TO4MP\0170
    Manufacturer: Microsoft
    Name: Microsoft 6to4 Adapter
    PNP Device ID: ROOT\*6TO4MP\0170
    Service: tunnel
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft 6to4 Adapter
    Device ID: ROOT\*6TO4MP\0240
    Manufacturer: Microsoft
    Name: Microsoft 6to4 Adapter #4
    PNP Device ID: ROOT\*6TO4MP\0240
    Service: tunnel
    .
    ==== System Restore Points ===================
    .
    RP1502: 22/12/2011 2:15:31 AM - Removed Java(TM) 6 Update 30
    RP1503: 22/12/2011 2:18:57 AM - Installed Java(TM) 6 Update 30
    RP1504: 23/12/2011 8:29:21 AM - Scheduled Checkpoint
    RP1505: 25/12/2011 12:15:01 AM - Scheduled Checkpoint
    RP1506: 26/12/2011 12:00:08 AM - Scheduled Checkpoint
    RP1507: 28/12/2011 12:00:12 AM - Scheduled Checkpoint
    RP1508: 28/12/2011 12:38:44 PM - Scheduled Checkpoint
    RP1509: 29/12/2011 11:52:06 AM - Scheduled Checkpoint
    RP1510: 30/12/2011 12:00:08 AM - Scheduled Checkpoint
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    aaa
    Acer Assist
    Acer eDataSecurity Management
    Acer Empowering Technology
    Acer ePerformance Management
    Acer Picture Slide DVD
    Acer Plug and Record
    Acer Registration
    Acer Tour
    Acer Zone Main Page
    Acrobat.com
    Ad-Aware
    Adobe AIR
    Adobe Flash Player 11 ActiveX
    Adobe Photoshop CS6
    Adobe Reader X (10.1.1)
    Adobe Shockwave Player 11.6
    Any Video Converter 2.6.7
    µTorrent
    Canon Camera Access Library
    Canon Camera Support Core Library
    Canon Camera Window DC_DV 5 for ZoomBrowser EX
    Canon Camera Window DC_DV 6 for ZoomBrowser EX
    Canon Camera Window MC 6 for ZoomBrowser EX
    Canon G.726 WMP-Decoder
    Canon MovieEdit Task for ZoomBrowser EX
    Canon RAW Image Task for ZoomBrowser EX
    Canon RemoteCapture Task for ZoomBrowser EX
    Canon Utilities EOS Utility
    Canon Utilities PhotoStitch
    Canon Utilities PhotoStitch 3.1
    Canon Utilities RAW Image Converter
    Canon Utilities RemoteCapture 2.2
    Canon Utilities ZoomBrowser EX
    CCleaner
    D3DX10
    Digital Photo Navigator 1.5
    DivX Setup
    DVD Flick 1.3.0.7
    Emsisoft Anti-Malware
    EPSON Printer Software
    eSobi v2
    FileMaker Pro 5.5
    HiJackThis
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    IEP Writer 2008-9
    ImgBurn
    Intel(R) Management Engine Interface
    Intel(R) Matrix Storage Manager
    Intel(R) Viiv(TM) Software
    Java Auto Updater
    Java(TM) 6 Update 30
    LightScribe 1.4.136.1
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Microsoft_VC80_CRT_x86
    Microsoft_VC90_CRT_x86
    MSRedist
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML4SP2
    Norton Internet Security
    Norton Utilities
    NTI Backup NOW! 4.7
    NTI CD & DVD-Maker
    Paint.NET v3.20
    PDF Settings CS6
    PowerCinema NE for Everio
    QuickTax 2007
    Realtek High Definition Audio Driver
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2553089)
    Security Update for 2007 Microsoft Office System (KB2553090)
    Security Update for 2007 Microsoft Office System (KB2584063)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Groove 2007 (KB2552997)
    Security Update for Microsoft Office InfoPath 2007 (KB2510061)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit

    Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit

    Edition
    Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit

    Edition
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Soap 3.0 Toolkit
    Spelling Dictionaries Support For Adobe Reader 9
    Spybot - Search & Destroy
    SpywareBlaster 4.4
    swMSM
    Symantec Technical Support Advanced Chat Controls
    Symantec Technical Support Web Controls
    UFile 2008
    UFile 2009
    UFile 2010
    UFile Updater 2008
    UFile Updater 2009
    UFile Updater 2010
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Outlook 2007 (KB2583910)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (KB2596560)
    VC80CRTRedist - 8.0.50727.4053
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    VLC media player 1.1.5
    WinRAR archiver
    .
    ==== Event Viewer Messages From Past Week ========
    .
    29/12/2011 10:53:57 AM, Error: Service Control Manager [7026] - The

    following boot-start or system-start driver(s) failed to load: i8042prt
    29/12/2011 10:52:46 AM, Error: netbt [4321] - The name "WORKGROUP :1d"

    could not be registered on the interface with IP address 192.168.1.128. The

    computer with the IP address 192.168.1.1 did not allow the name to be claimed

    by this computer.
    29/12/2011 10:52:31 AM, Error: Microsoft-Windows-PrintSpooler [19] - The

    print spooler failed to share printer Send To OneNote 2007 with shared

    resource name Send To OneNote 2007. Error 2114. The printer cannot be used by

    others on the network.
    29/12/2011 10:52:31 AM, Error: Microsoft-Windows-PrintSpooler [19] - The

    print spooler failed to share printer Epson Stylus Photo R200 (M) with shared

    resource name Epson Stylus Photo R200 (M). Error 2114. The printer cannot be

    used by others on the network.
    25/12/2011 8:32:31 AM, Error: Microsoft-Windows-PrintSpooler [6161] - The

    document http://sports.upperdeck.com/collectorszone/collectionprint.aspx,

    owned by Ken, failed to print on printer Epson Stylus Photo R200 (M). Try to

    print the document again, or restart the print spooler. Data type: NT EMF

    1.008. Size of the spool file in bytes: 13021224. Number of bytes printed:

    2641040. Total number of pages in the document: 24. Number of pages printed:

    1. Client computer: \\KEN-PC. Win32 error code returned by the print

    processor: 0. The operation completed successfully.
    .
    ==== End Of File ===========================






    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-12-30 12:16:30
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.V56O
    Running: vb85qq8s.exe; Driver: C:\Users\Ken\AppData\Local\Temp\kxtdqpow.sys


    ---- System - GMER 1.0.15 ----

    SSDT 87EAEB60 ZwAlertResumeThread
    SSDT 87EAEC40 ZwAlertThread
    SSDT 93552E78 ZwAllocateVirtualMemory
    SSDT 87DCA668 ZwAlpcConnectPort
    SSDT 87EAE308 ZwAssignProcessToJobObject
    SSDT 87EAE8B0 ZwCreateMutant
    SSDT 934D1E38 ZwCreateSymbolicLinkObject
    SSDT 93880D28 ZwCreateThread
    SSDT 87EAE3E8 ZwDebugActiveProcess
    SSDT 93880A70 ZwDuplicateObject
    SSDT 93552CD8 ZwFreeVirtualMemory
    SSDT 87EAE9A0 ZwImpersonateAnonymousToken
    SSDT 87EAEA80 ZwImpersonateThread
    SSDT 87DCA5F0 ZwLoadDriver
    SSDT 93552BD8 ZwMapViewOfSection
    SSDT 87EAE7D0 ZwOpenEvent
    SSDT 93880C10 ZwOpenProcess
    SSDT 93552F48 ZwOpenProcessToken
    SSDT 87EAE610 ZwOpenSection
    SSDT 93880B40 ZwOpenThread
    SSDT 87EAE218 ZwProtectVirtualMemory
    SSDT 87EAED20 ZwResumeThread
    SSDT 93552928 ZwSetContextThread
    SSDT 93552A08 ZwSetInformationProcess
    SSDT 87EAE4C8 ZwSetSystemInformation
    SSDT 87EAE6F0 ZwSuspendProcess
    SSDT 87EAEE00 ZwSuspendThread
    SSDT 87EF0B50 ZwTerminateProcess
    SSDT 87EAEEE0 ZwTerminateThread
    SSDT 93552AF8 ZwUnmapViewOfSection
    SSDT 93552DA8 ZwWriteVirtualMemory
    SSDT 934D1F28 ZwCreateThreadEx

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Files - GMER 1.0.15 ----

    File C:\Users\Ken\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\651LN76F\google_ca[1].htm 0 bytes

    ---- EOF - GMER 1.0.15 ----
     
  8. Larusso

    Larusso

    Joined:
    Aug 9, 2011
    Messages:
    808
    Please re-run DDS and post the dds.txt

    Please,
    • double-click on a Logfile to open it.
    • Right click with your mouse or touchpad.
    • Chose Select All from the shortcut menu.
    • Right click again, then chose Copy from the shortcut menu.
    • Go the window where you are typing your new topic. Select an area after the text.
    • Right click and select Paste from the shortcut menu.
     
  9. maggie88ca

    maggie88ca Thread Starter

    Joined:
    Nov 19, 2006
    Messages:
    160
    Here is the new dds.txt.....


    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.19170
    Run by Ken at 18:54:54 on 2011-12-30
    Microsoft® Windows Vista&#8482; Home Premium 6.0.6002.2.1252.2.1033.18.2030.858 [GMT -5:00]
    .
    AV: Emsisoft Anti-Malware *Disabled/Updated* {0ADC9F7D-20C1-240F-01E2-43466EBA893A}
    AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
    SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
    SP: Emsisoft Anti-Malware *Disabled/Updated* {B1BD7E99-06FB-2B81-3B52-7834153DC387}
    FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\Ati2evxx.exe
    C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
    C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
    C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
    C:\Windows\system32\DllHost.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    C:\Acer\Empowering Technology\SysMonitor.exe
    C:\Windows\System32\wpcumi.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Emsisoft Anti-Malware\a2service.exe
    C:\Windows\system32\conime.exe
    C:\Program Files\uTorrent\uTorrent.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://google.com/
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mStart Page = hxxp://en.ca.acer.yahoo.com
    mSearchAssistant =
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.6.0.29\ips\IPSBHO.DLL
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
    mRun: [CCUTRAYICON] FactoryMode
    mRun: [NMSSupport] "c:\program files\common files\intel\inteldh\nms\support\IntelHCTAgent.exe" /startup
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
    mRun: [Acer Empowering Technology Monitor] c:\acer\empowering technology\SysMonitor.exe
    mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    dRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    LSP: c:\windows\system32\wpclsp.dll
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} - hxxps://mytdsb.on.ca/+CSCOL+/relayp.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://www.walmartphotocentre.ca/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/VistaMSNPUplden-ca.cab
    TCP: DhcpNameServer = 64.71.255.198 192.168.1.1
    TCP: Interfaces\{1D0D20EF-F343-4599-90AE-C33E1ABA64E9} : DhcpNameServer = 64.71.255.198 192.168.1.1
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\quicktax 2007\ic2007pp.dll
    Notify: igfxcui - igfxdev.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1206000.01d\symds.sys [2011-5-2 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1206000.01d\symefa.sys [2011-5-2 744568]
    R1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files\emsisoft anti-malware\a2ddax86.sys [2011-10-7 17904]
    R1 a2injectiondriver;a2injectiondriver;c:\program files\emsisoft anti-malware\a2dix86.sys [2011-10-7 34768]
    R1 a2util;a-squared Malware-IDS utility driver;c:\program files\emsisoft anti-malware\a2util32.sys [2011-10-7 11776]
    R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20111221.003\BHDrvx86.sys [2011-12-21 819320]
    R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20111228.001\IDSvix86.sys [2011-12-28 368248]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1206000.01d\ironx86.sys [2011-5-2 136312]
    R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1206000.01d\symtdiv.sys [2011-5-2 331384]
    R2 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2011-10-7 2998832]
    R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
    R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-10-29 208896]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-4-30 21504]
    R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.6.0.29\ccsvchst.exe [2011-5-2 130008]
    R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\drivers\nmsgopro.sys [2006-9-27 28672]
    R2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2006-10-19 7424]
    R3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2011-10-7 51632]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-11-9 106104]
    R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2007-9-18 5504]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 IntelDHSvcConf;IntelDHSvcConf;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-11-18 36312]
    S3 MCLServiceATL;Intel(R) Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-11-18 174552]
    S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2007-9-18 80744]
    .
    =============== Created Last 30 ================
    .
    2011-12-22 02:15:42 -------- d-----w- c:\program files\common files\Windows Live
    2011-12-19 14:27:00 388096 ----a-r- c:\users\ken\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-12-18 19:04:09 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-12-18 19:04:09 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-12-18 19:04:06 429056 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-18 19:04:04 2043904 ----a-w- c:\windows\system32\win32k.sys
    2011-12-18 19:04:02 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    2011-12-18 19:03:26 49152 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-18 19:03:06 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-09 17:00:03 -------- d-----w- c:\users\ken\appdata\roaming\EurekaLog
    2011-12-05 23:03:33 -------- d-----w- c:\programdata\regid.1986-12.com.adobe
    .
    ==================== Find3M ====================
    .
    2011-12-22 07:19:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-11-25 16:47:27 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-03 06:22:04 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-03 06:17:38 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-11-03 06:17:23 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-11-03 06:17:08 71680 ----a-w- c:\windows\system32\iesetup.dll
    2011-11-03 06:17:08 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2011-11-03 05:22:43 385024 ----a-w- c:\windows\system32\html.iec
    2011-11-03 04:45:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-11-03 04:43:59 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    .
    ============= FINISH: 18:55:58.09 ===============
     
  10. Larusso

    Larusso

    Joined:
    Aug 9, 2011
    Messages:
    808
    Nothing in this log.

    Please download SystemLook from one of the links below and save it to your Desktop.

    Download Mirror #1
    Download Mirror #2


    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:

      Code:
      :filefind
      rstrui.exe
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found at on your Desktop entitled SystemLook.txt



    Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

    Download TDSSKiller.exe and save it to your desktop
    • Execute TDSSKiller.exe by doubleclicking on it.
    • Press Start Scan
    • If Malicious objects are found, do NOT select Cure. Change the action to Skip, and save the log.
    • Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt

    Please post the contents of that log in your next reply.



    Please post in your next reply
    systemlook.txt
    TDSSKiller Log
     
  11. maggie88ca

    maggie88ca Thread Starter

    Joined:
    Nov 19, 2006
    Messages:
    160
    Here is the systemlook log....

    The tdsskiller said no threats found and did not produce a log


    SystemLook 30.07.11 by jpshortstuff
    Log created at 21:20 on 30/12/2011 by Ken
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "rstrui.exe"
    C:\Windows\System32\rstrui.exe --a---- 318464 bytes [21:50 30/04/2008] [07:33 19/01/2008] 95D5AC5CCBE10E8B4B8A0DF41022568D
    C:\Windows\winsxs\x86_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.0.6000.16386_none_44a90debb653ed55\rstrui.exe --a---- 313856 bytes [12:36 02/11/2006] [12:36 02/11/2006] 50B14996FB626212301AAFB77941CF4A
    C:\Windows\winsxs\x86_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.0.6000.16646_none_44d4534db6337506\rstrui.exe --a---- 313856 bytes [21:34 08/04/2008] [06:38 29/02/2008] 6EBDE0B1572ACDAB62F5110DABCA14BB
    C:\Windows\winsxs\x86_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.0.6000.20782_none_452eaf40cf751f38\rstrui.exe --a---- 313856 bytes [21:34 08/04/2008] [04:05 29/02/2008] 983814E45C230F4B1DD227AB723DF7FD
    C:\Windows\winsxs\x86_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.0.6001.18000_none_46dfcfe7b33efe29\rstrui.exe --a---- 318464 bytes [21:50 30/04/2008] [07:33 19/01/2008] 95D5AC5CCBE10E8B4B8A0DF41022568D
    C:\Windows\winsxs\x86_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.0.6001.18027_none_46d13215b348e76c\rstrui.exe --a---- 318464 bytes [21:34 08/04/2008] [04:12 29/02/2008] 18630EEF1648A8DC84088CEDA6F9E660
    C:\Windows\winsxs\x86_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.0.6001.22125_none_4758ce4ccc685488\rstrui.exe --a---- 318464 bytes [21:34 08/04/2008] [04:06 29/02/2008] 805FEE9A47DE1A33BCA99D124089B4EF
    C:\Windows\winsxs\x86_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.0.6002.18005_none_48cb48f3b060c975\rstrui.exe --a---- 318464 bytes [21:50 30/04/2008] [07:33 19/01/2008] 95D5AC5CCBE10E8B4B8A0DF41022568D

    -= EOF =-
     
  12. Larusso

    Larusso

    Joined:
    Aug 9, 2011
    Messages:
    808
    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT- Save ComboFix.exe to your Desktop

    ====================================================


    Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to this topic How to disable your security applications


    ====================================================


    Double click on combofix.exe & follow the prompts.


    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

    *Note - if after running ComboFix you see a message similar to 'registry key marked for deletion..' rebooting the machine will resolve that.



    Please post in your next reply
    Combofix.txt
     
  13. maggie88ca

    maggie88ca Thread Starter

    Joined:
    Nov 19, 2006
    Messages:
    160
    Here is the combofix log....



    ComboFix 11-12-31.03 - Ken 31/12/2011 12:57:00.2.4 - x86
    Microsoft® Windows Vista&#8482; Home Premium 6.0.6002.2.1252.2.1033.18.2030.1261 [GMT -5:00]
    Running from: c:\users\Ken\Desktop\ComboFix.exe
    AV: Emsisoft Anti-Malware *Disabled/Updated* {0ADC9F7D-20C1-240F-01E2-43466EBA893A}
    AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
    FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
    SP: Emsisoft Anti-Malware *Disabled/Updated* {B1BD7E99-06FB-2B81-3B52-7834153DC387}
    SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
    SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Ken\AppData\Roaming\EurekaLog
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-31 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-31 18:05 . 2011-12-31 18:06 -------- d-----w- c:\users\Ken\AppData\Local\temp
    2011-12-31 18:05 . 2011-12-31 18:05 -------- d-----w- c:\users\TEMP\AppData\Local\temp
    2011-12-31 18:05 . 2011-12-31 18:05 -------- d-----w- c:\users\Public\AppData\Local\temp
    2011-12-31 18:05 . 2011-12-31 18:05 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-12-31 18:05 . 2011-12-31 18:05 -------- d-----w- c:\users\Patricia\AppData\Local\temp
    2011-12-31 18:05 . 2011-12-31 18:05 -------- d-----w- c:\users\Ethan\AppData\Local\temp
    2011-12-22 02:15 . 2011-12-22 02:17 -------- d-----w- c:\program files\Common Files\Windows Live
    2011-12-19 14:27 . 2011-12-19 14:27 388096 ----a-r- c:\users\Ken\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-12-18 19:04 . 2011-10-27 08:01 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-12-18 19:04 . 2011-10-27 08:01 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-12-18 19:04 . 2011-10-14 16:02 429056 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-18 19:04 . 2011-11-23 13:37 2043904 ----a-w- c:\windows\system32\win32k.sys
    2011-12-18 19:04 . 2011-11-08 12:10 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2011-12-18 19:03 . 2011-10-25 15:56 49152 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-18 19:03 . 2011-11-08 14:42 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-05 23:03 . 2011-12-05 23:03 -------- d-----w- c:\programdata\regid.1986-12.com.adobe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-22 07:19 . 2010-06-18 04:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-11-25 16:47 . 2011-07-13 14:55 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CCUTRAYICON"="FactoryMode" [X]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-02-15 4390912]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
    "NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-09-26 423424]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-02-07 464168]
    "Acer Empowering Technology Monitor"="c:\acer\Empowering Technology\SysMonitor.exe" [2007-01-24 319488]
    "WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-02-16 151552]
    .
    c:\users\Patricia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [N/A]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2011-06-06 16:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2011-09-05 17:04 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
    2011-09-03 23:15 444856 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS6ServiceManager]
    2011-09-28 17:17 1039872 ----a-w- c:\program files\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EverioService]
    2007-11-01 22:13 151552 ------w- c:\program files\CyberLink\PCM4Everio\EverioService.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
    2011-08-31 22:00 1047208 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NortonUtilities]
    2009-09-14 15:53 279912 ----a-w- c:\program files\Norton Utilities 14\RMTray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
    2010-02-19 18:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 IntelDHSvcConf;IntelDHSvcConf;c:\program files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe [2006-11-18 36312]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
    R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2006-09-19 80744]
    S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1206000.01D\SYMDS.SYS [2011-01-27 340088]
    S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1206000.01D\SYMEFA.SYS [2011-03-15 744568]
    S1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files\Emsisoft Anti-Malware\a2ddax86.sys [2011-05-19 17904]
    S1 a2injectiondriver;a2injectiondriver;c:\program files\Emsisoft Anti-Malware\a2dix86.sys [2011-11-02 34768]
    S1 a2util;a-squared Malware-IDS utility driver;c:\program files\Emsisoft Anti-Malware\a2util32.sys [2010-05-05 11776]
    S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20111221.003\BHDrvx86.sys [2011-12-10 819320]
    S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20111228.001\IDSvix86.sys [2011-12-16 368248]
    S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1206000.01D\Ironx86.SYS [2011-01-27 136312]
    S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NIS\1206000.01D\SYMTDIV.SYS [2011-03-22 331384]
    S2 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [2011-12-30 2998832]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
    S2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-10-29 208896]
    S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe [2011-04-17 130008]
    S2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\DRIVERS\nmsgopro.sys [2006-09-27 28672]
    S2 nmsunidr;UniDriver for NMS;c:\windows\system32\DRIVERS\nmsunidr.sys [2006-10-19 7424]
    S3 a2acc;a2acc;c:\program files\EMSISOFT ANTI-MALWARE\a2accx86.sys [2011-11-02 51632]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-11-09 106104]
    S3 IntelDH;IntelDH Driver;c:\windows\system32\Drivers\IntelDH.sys [2007-09-18 5504]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-31 c:\windows\Tasks\User_Feed_Synchronization-{6E24A8D3-E15F-43CF-853F-931743C1DCA6}.job
    - c:\windows\system32\msfeedssync.exe [2011-12-18 04:44]
    .
    2011-12-31 c:\windows\Tasks\User_Feed_Synchronization-{84334BDD-028C-40D2-9A5A-48A49060FC94}.job
    - c:\windows\system32\msfeedssync.exe [2011-12-18 04:44]
    .
    2011-12-31 c:\windows\Tasks\User_Feed_Synchronization-{AB567C4A-1A16-42C9-9CE0-AB64B4D5940F}.job
    - c:\windows\system32\msfeedssync.exe [2011-12-18 04:44]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.com/
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mStart Page = hxxp://en.ca.acer.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    LSP: c:\windows\system32\wpclsp.dll
    TCP: DhcpNameServer = 64.71.255.198 192.168.1.1
    Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-31 13:05
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    detected NTDLL code modification:
    ZwOpenFile
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NIS]
    "ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(4820)
    c:\windows\system32\MsnChatHook.dll
    c:\windows\system32\ShowErrMsg.dll
    c:\windows\system32\sysenv.dll
    c:\windows\system32\BatchCrypto.dll
    c:\windows\system32\CryptoAPI.dll
    c:\windows\system32\keyManager.dll
    c:\windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d08d7da0442a985d\MSVCP80.dll
    c:\program files\Microsoft Office\Office12\GrooveNew.DLL
    c:\windows\system32\msutb.dll
    c:\windows\system32\taskschd.dll
    .
    Completion time: 2011-12-31 13:08:59
    ComboFix-quarantined-files.txt 2011-12-31 18:08
    ComboFix2.txt 2010-11-28 17:46
    ComboFix3.txt 2010-03-10 20:49
    .
    Pre-Run: 56,494,346,240 bytes free
    Post-Run: 56,858,124,288 bytes free
    .
    - - End Of File - - 7FDD3578BE91AD8728BBF40533FEB447
     
  14. Larusso

    Larusso

    Joined:
    Aug 9, 2011
    Messages:
    808
    Open notepad and copy/paste the text in the Code-box below into it:

    Code:
    FCopy::
    C:\Windows\winsxs\x86_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.0.6000.16386_none_44a90debb653ed55\rstrui.exe | C:\Windows\System32\rstrui.exe
    
    ClearJavaCache::
    
    
    • Save this as CFScript.txt, in the same location as ComboFix.exe.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    [​IMG]

    Refering to the picture above, drag CFScript into ComboFix.exe.
    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



    Please post in your next reply
    Combofix.txt
     
  15. maggie88ca

    maggie88ca Thread Starter

    Joined:
    Nov 19, 2006
    Messages:
    160
    Here is the new combofix log.....



    ComboFix 11-12-31.03 - Ken 02/01/2012 14:01:47.3.4 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2030.941 [GMT -5:00]
    Running from: c:\users\Ken\Desktop\ComboFix.exe
    Command switches used :: c:\users\Ken\Desktop\CFScript.txt
    AV: Emsisoft Anti-Malware *Disabled/Updated* {0ADC9F7D-20C1-240F-01E2-43466EBA893A}
    AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
    FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
    SP: Emsisoft Anti-Malware *Disabled/Updated* {B1BD7E99-06FB-2B81-3B52-7834153DC387}
    SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
    SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-02 to 2012-01-02 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-02 19:09 . 2012-01-02 19:10 -------- d-----w- c:\users\Ken\AppData\Local\temp
    2012-01-02 19:09 . 2012-01-02 19:09 -------- d-----w- c:\users\TEMP\AppData\Local\temp
    2012-01-02 19:09 . 2012-01-02 19:09 -------- d-----w- c:\users\Public\AppData\Local\temp
    2012-01-02 19:09 . 2012-01-02 19:09 -------- d-----w- c:\users\Patricia\AppData\Local\temp
    2012-01-02 19:09 . 2012-01-02 19:09 -------- d-----w- c:\users\Ethan\AppData\Local\temp
    2012-01-02 19:09 . 2012-01-02 19:09 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-12-22 02:15 . 2011-12-22 02:17 -------- d-----w- c:\program files\Common Files\Windows Live
    2011-12-19 14:27 . 2011-12-19 14:27 388096 ----a-r- c:\users\Ken\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-12-18 19:04 . 2011-10-27 08:01 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-12-18 19:04 . 2011-10-27 08:01 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-12-18 19:04 . 2011-10-14 16:02 429056 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-18 19:04 . 2011-11-23 13:37 2043904 ----a-w- c:\windows\system32\win32k.sys
    2011-12-18 19:04 . 2011-11-08 12:10 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2011-12-18 19:03 . 2011-10-25 15:56 49152 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-18 19:03 . 2011-11-08 14:42 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-05 23:03 . 2011-12-05 23:03 -------- d-----w- c:\programdata\regid.1986-12.com.adobe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-22 07:19 . 2010-06-18 04:08 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-11-25 16:47 . 2011-07-13 14:55 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CCUTRAYICON"="FactoryMode" [X]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-02-15 4390912]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
    "NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-09-26 423424]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-02-07 464168]
    "Acer Empowering Technology Monitor"="c:\acer\Empowering Technology\SysMonitor.exe" [2007-01-24 319488]
    "WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-02-16 151552]
    .
    c:\users\Patricia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [N/A]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2011-06-06 16:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2011-09-05 17:04 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
    2011-09-03 23:15 444856 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS6ServiceManager]
    2011-09-28 17:17 1039872 ----a-w- c:\program files\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EverioService]
    2007-11-01 22:13 151552 ------w- c:\program files\CyberLink\PCM4Everio\EverioService.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
    2011-08-31 22:00 1047208 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NortonUtilities]
    2009-09-14 15:53 279912 ----a-w- c:\program files\Norton Utilities 14\RMTray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 20:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
    2010-02-19 18:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 IntelDHSvcConf;IntelDHSvcConf;c:\program files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe [2006-11-18 36312]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
    R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2006-09-19 80744]
    S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1206000.01D\SYMDS.SYS [2011-01-27 340088]
    S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1206000.01D\SYMEFA.SYS [2011-03-15 744568]
    S1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files\Emsisoft Anti-Malware\a2ddax86.sys [2011-05-19 17904]
    S1 a2injectiondriver;a2injectiondriver;c:\program files\Emsisoft Anti-Malware\a2dix86.sys [2011-11-02 34768]
    S1 a2util;a-squared Malware-IDS utility driver;c:\program files\Emsisoft Anti-Malware\a2util32.sys [2010-05-05 11776]
    S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20111221.003\BHDrvx86.sys [2011-12-10 819320]
    S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20111228.001\IDSvix86.sys [2011-12-16 368248]
    S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1206000.01D\Ironx86.SYS [2011-01-27 136312]
    S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\NIS\1206000.01D\SYMTDIV.SYS [2011-03-22 331384]
    S2 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [2011-12-30 2998832]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
    S2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-10-29 208896]
    S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe [2011-04-17 130008]
    S2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\DRIVERS\nmsgopro.sys [2006-09-27 28672]
    S2 nmsunidr;UniDriver for NMS;c:\windows\system32\DRIVERS\nmsunidr.sys [2006-10-19 7424]
    S3 a2acc;a2acc;c:\program files\EMSISOFT ANTI-MALWARE\a2accx86.sys [2011-11-02 51632]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-11-09 106104]
    S3 IntelDH;IntelDH Driver;c:\windows\system32\Drivers\IntelDH.sys [2007-09-18 5504]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-02 c:\windows\Tasks\User_Feed_Synchronization-{6E24A8D3-E15F-43CF-853F-931743C1DCA6}.job
    - c:\windows\system32\msfeedssync.exe [2011-12-18 04:44]
    .
    2012-01-02 c:\windows\Tasks\User_Feed_Synchronization-{84334BDD-028C-40D2-9A5A-48A49060FC94}.job
    - c:\windows\system32\msfeedssync.exe [2011-12-18 04:44]
    .
    2012-01-02 c:\windows\Tasks\User_Feed_Synchronization-{AB567C4A-1A16-42C9-9CE0-AB64B4D5940F}.job
    - c:\windows\system32\msfeedssync.exe [2011-12-18 04:44]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.com/
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mStart Page = hxxp://en.ca.acer.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    LSP: c:\windows\system32\wpclsp.dll
    TCP: DhcpNameServer = 64.71.255.198 192.168.1.1
    Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-01-02 14:09
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    detected NTDLL code modification:
    ZwOpenFile
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NIS]
    "ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.6.0.29\diMaster.dll\" /prefetch:1"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(6464)
    c:\windows\system32\MsnChatHook.dll
    c:\windows\system32\ShowErrMsg.dll
    c:\windows\system32\sysenv.dll
    c:\windows\system32\BatchCrypto.dll
    c:\windows\system32\CryptoAPI.dll
    c:\windows\system32\keyManager.dll
    c:\windows\system32\cscapi.dll
    c:\windows\System32\msxml3.dll
    c:\windows\ehome\ehSSO.dll
    .
    Completion time: 2012-01-02 14:12:42
    ComboFix-quarantined-files.txt 2012-01-02 19:12
    ComboFix2.txt 2011-12-31 18:09
    ComboFix3.txt 2010-11-28 17:46
    ComboFix4.txt 2010-03-10 20:49
    .
    Pre-Run: 60,340,621,312 bytes free
    Post-Run: 60,334,227,456 bytes free
    .
    - - End Of File - - 55B9F156F7AAFF203F5A72EA8AB05542
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/1031910

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice