View Full Version : Can't Remove Malware
germantechnology
2008-10-29, 12:09
Thank you for Spybot, it came heavily recommended to me, unfortunately I have a couple of problems that Spybot uncovered.
I am new to computers and I hope you can bear with me.
I have done a scan and the results show that I have an Adware alert (3 entries Malware) and Antispyware bot (yes I fell for it) 3 entries MalwareC.
I have tried to remove these items but I get a message that I need to be an Administrator. I am the sole user of computer and run it as an Administrator.
I hit ok, and am then told problems can't be fixed as they could be in use in memory, but might be solved after restart and rescan. I have done this and had the same result.
Prior to all of this, Antispybot had been uninstalled.
I have changed my banking and other personal details since last scan.
Is my computer safe at the moment?
Would really appreciate your help.
Hello germantechnology
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your personal data before starting any clean up procedure.
Download Trendmicros Hijackthis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) to your desktop.
Double click it to install
Follow the prompts.
By default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe
Open HJT Scan and Save a Log File, it will open in Notepad
Go to Format and make sure Wordwrap is Unchecked
Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread by using the Post Reply and not start a New Thread.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
germantechnology
2008-10-29, 21:12
Thank you for Spybot, it came heavily recommended to me, unfortunately I have a couple of problems that Spybot uncovered.
I am new to computers and I hope you can bear with me.
I have done a scan and the results show that I have an Adware alert (3 entries Malware) and Antispyware bot (yes I fell for it) 3 entries MalwareC.
I have tried to remove these items but I get a message that I need to be an Administrator. I am the sole user of computer and run it as an Administrator.
I hit ok, and am then told problems can't be fixed as they could be in use in memory, but might be solved after restart and rescan. I have done this and had the same result.
Prior to all of this, Antispybot (Grrrrr) had been uninstalled.
I have changed my banking and other personal details since last scan.
Is my computer safe at the moment?
Would really appreciate your help.
cheere, Bob.
germantechnology,
I replied to your post at 7:24 this morning. Please reply to this post only by using the Post Reply button and DO NOT START A NEW THREAD
Please read BEFORE YOU POST and then download and install Hijackthis per my instructions and post a Hijackthis log.
germantechnology
2008-10-30, 07:06
Hi Ken, thanks so much for your help. Below is hopefully what you require.
Have not got around to completing profile as just joined and posting was the first thing I did. Greetings from Melbourne, Australia.
Thanks again mate,
Cheers, Bob.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:01:35 PM, on 30/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Users\Robert\AppData\Local\Temp\RtkBtMnt.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conime.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.au.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.au.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [SetPanel] C:\Acer\APanel\APanel.cmd
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"
O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: SETAUDIO.EXE
O8 - Extra context menu item: &Winamp Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1223895038212&h=8e753786b2b1fd44579cdfa772af1dfd/&filename=jinstall-6u7-windows-i586-jc.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 10715 bytes
Hello Bob,
I am not seeing anything bad on your log not to say something could be hidding.
Download CCleaner from here (http://www.ccleaner.com/) to clean temp files from your computer.
Double click on the file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location. Click Install then finish to complete installation.
Double click the CCleaner shortcut on the desktop to start the program.
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
Click on the "Options" icon at the left side of the window, then click on "Advanced."
deselect "Only delete files in Windows Temp folders older than 48 hours."
Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
After CCleaner has completed its process, click Exit.
*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!
**Note** Go to Options> Cookies and any you want to keep move them to The Keep window
Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.<-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.
germantechnology
2008-10-30, 11:43
Hi Ken, thanks again. Here is all the info.
Cheers, bob.
Malwarebytes' Anti-Malware 1.30
Database version: 1338
Windows 6.0.6001 Service Pack 1
30/10/2008 8:33:54 PM
mbam-log-2008-10-30 (20-33-54).txt
Scan type: Quick Scan
Objects scanned: 43939
Time elapsed: 2 minute(s), 18 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 81
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Users\Robert\AppData\Roaming\AntispywareBot (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10 (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
Files Infected:
C:\Users\Robert\AppData\Roaming\AntispywareBot\DataBaseNew.ref (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\0.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\0.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\1.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\1.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\10.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\10.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\11.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\11.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\12.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\12.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\13.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\13.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\14.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\14.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\15.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\15.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\16.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\16.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\17.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\17.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\18.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\18.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\19.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\19.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\2.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\2.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\20.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\20.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\21.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\21.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\22.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\22.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\23.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\23.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\24.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\24.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\25.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\25.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\26.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\26.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\27.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\27.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\28.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\28.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\29.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\29.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\3.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\3.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\30.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\30.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\31.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\31.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\32.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\32.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\33.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\33.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\34.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\34.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\35.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\35.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\36.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\36.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\37.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\37.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\38.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\38.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\39.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\39.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\4.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\4.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\5.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\5.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\6.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\6.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\7.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\7.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\8.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\8.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\9.qit (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
C:\Users\Robert\AppData\Roaming\AntispywareBot\Quarantine\29-10-2008-17-47-10\9.qnf (Rogue.AntiSpywareBot) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:39:07 PM, on 30/10/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Users\Robert\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Windows\system32\igfxext.exe
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.au.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.au.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [SetPanel] C:\Acer\APanel\APanel.cmd
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"
O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: SETAUDIO.EXE
O8 - Extra context menu item: &Winamp Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 10558 bytes
germantechnology
2008-10-30, 12:39
Hello again Ken, to my very untrained eye it looks like quite quite a few things have been found and deleted, to kill a bit of time incase you logged on, I ran spybot and am told there is still malware as per previous. I have tried to cut and paste text as well as screen shot from spybot here, but have had no joy. I have not asked spybot to remove entries.
all the best,
Bob.
Hi,
You can remove these with HJT
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
What I would do is to run Spybot Search and Destroy and let it clean everything it finds, REBOOT and run it again, it may take a few scans to remove it all. If the 3rd scan is still picking things up it can't remove then let me know and we can dig deeper
Your HJT log looks fine
germantechnology
2008-10-30, 13:02
Thanks Ken, not sure what you mean by RO- HKLM.......
Will run spybot a few times.
Thanks again. Will let you know.
Cheers,
Bob.
Sorry about that, need my coffee :)
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
germantechnology
2008-10-30, 13:38
Hi Ken,
Have ran Spybot and have the all clear! You Beauty! Thank you so much for your help.
I have only had a computer for a couple of months and I have learn't a hell of a lot from you.
Happy days, thanks so much again.
Kind regards,
Bob.
That's great Bob, glad all is well :bigthumb:
How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy but do not enable the TeaTimer in Spybot.
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
Safe Surfn
Ken