malware fiasco...
eschwets
2011-02-07, 06:40
Thanks so much for being available to help us forlorn wretches...
To give you background, I gave my wife a B&N Nook for Christmas and had all sorts of problems downloading books from our local library. Eventually, I had to uninstall Norton AV, which I had used for quite a long time. I immediately started using Windows Defender/firewall, but as you can see, within several hours on Feb 1st all sorts of stuff started happening.
I've used Malwarebytes, Spybot, and AVG and still have AVG and Spybot running (TeaTimer is still on as a reminder to myself). I also found and removed rootkit.win32.tdss.tdl4 with the aid of TDSSKiller. I have several startup programs blocked with Windows startup control. More importantly, I doubt that I am totally clean even with all of my work. Thanks for being available!
Here are my logs:
DDS (Ver_10-12-12.02) - NTFSx86
Run by Eric at 23:15:23.55 on Sun 02/06/2011
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.5.0_12
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2047.707 [GMT -5:00]
AV: AVG Internet Security 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Internet Security 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}
============== Running Processes ===============
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\AVG\AVG10\avgfws.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\ehome\ehmsas.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\AVG\AVG10\avgam.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\servicing\TrustedInstaller.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Users\Eric\Desktop\New Folder\dds.scr
============== Pseudo HJT Report ===============
uSearch Bar = Preserve
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://my.yahoo.com/
mStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:65091
uWinlogon: Shell=explorer.exe,
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\windows\system32\ActiveToolBand.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers client\YontooIEClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_0
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Comrade.exe] c:\program files\gamespy\comrade\Comrade.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [Acer Product Registration] "c:\program files\acer registration\ACE1.exe" /startup
mRun: [Acer Assist Launcher] c:\program files\acer assist\launcher.exe
mRun: [hpqSRMon]
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HotSync] "c:\program files\palmsource\desktop\HotSync.exe" -AllUsers
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [454D5A46_0] c:\windows\temp\bmfdrgfs.exe
dRun: [Metropolis] rundll32.exe c:\windows\system32\sshnas21.dll,GetHandle
StartupFolder: c:\users\eric\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: ameritrade.com
Trusted Zone: gallery.com
Trusted Zone: kodakgallery.com
Trusted Zone: microsoft.com
Trusted Zone: ofoto.com
Trusted Zone: tdameritrade.com
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://download.autodesk.com/esd/mapguide/SP1/ENG/mgaxctrl.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://games.ca.zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
============= SERVICES / DRIVERS ===============
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2010-7-12 54112]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R2 avgfws;AVG Firewall;c:\program files\avg\avg10\avgfws.exe [2010-11-22 3226632]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-2-3 1153368]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 27216]
R3 rt70x86;Linksys Home Wireless-G USB Adaptor Driver;c:\windows\system32\drivers\netr70.sys [2009-2-26 299520]
=============== Created Last 30 ================
2011-02-07 03:48:03 -------- d-----w- C:\PerfLogs
2011-02-07 03:46:24 -------- d-----w- c:\windows\nvtmpinst
2011-02-06 19:38:14 -------- d--h--w- C:\$AVG
2011-02-06 19:06:53 -------- d-----w- c:\users\eric\appdata\roaming\AVG10
2011-02-06 19:04:26 -------- d--h--w- c:\progra~2\Common Files
2011-02-06 19:00:18 -------- d-----w- c:\windows\system32\drivers\AVG
2011-02-06 19:00:18 -------- d-----w- c:\progra~2\AVG10
2011-02-06 18:59:40 -------- d-----w- c:\program files\AVG
2011-02-06 18:38:40 -------- d-----w- c:\progra~2\MFAData
2011-02-06 03:09:23 -------- d-----w- c:\users\eric\appdata\roaming\Malwarebytes
2011-02-06 03:09:18 -------- d-----w- c:\progra~2\Malwarebytes
2011-02-06 03:09:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-04 02:11:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-02-04 02:11:38 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2011-02-04 01:28:18 512 ----a-w- c:\users\eric\appdata\roaming\net.vbs
2011-02-04 01:28:18 1050 ----a-w- c:\users\eric\appdata\roaming\net.bat
2011-02-04 00:31:15 -------- d-----w- c:\users\eric\appdata\roaming\Uniblue
2011-02-04 00:30:50 -------- d-----w- c:\users\eric\appdata\local\PackageAware
2011-02-01 16:39:04 -------- d-----w- c:\progra~2\boost_interprocess
2011-02-01 16:38:53 166 ----a-w- c:\windows\system32\delme.bat
2011-02-01 16:38:07 -------- d-----w- c:\program files\Yontoo Layers Client
2011-02-01 16:38:03 -------- d-----w- c:\progra~2\Tarma Installer
2011-02-01 16:37:42 -------- d-----w- c:\users\eric\appdata\roaming\Vuaqe
2011-02-01 16:37:42 -------- d-----w- c:\users\eric\appdata\roaming\Ceruit
2011-02-01 16:37:40 -------- d-----w- c:\progra~2\WSTB
2011-02-01 16:37:34 -------- d-----w- c:\progra~2\cAjAdAc15400
2011-02-01 07:15:28 5890896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{04d55a04-bd50-4abb-83ab-da68cd801a4d}\mpengine.dll
2011-01-20 21:03:21 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-16 17:49:05 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-15 21:08:10 -------- d-----w- c:\users\eric\.idlerc
2011-01-15 20:39:47 -------- d-----w- C:\Python26
==================== Find3M ====================
2011-02-06 23:03:20 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2011-02-06 23:03:18 82432 ----a-w- c:\windows\system32\axaltocm.dll
============= FINISH: 23:17:10.86 ===============
shelf life
2011-02-11, 02:29
Hi,
your post is a few days old. If you still need help, post back.
removed rootkit.win32.tdss.tdl4
my rootkit disclaimer:
You had a rootkit on your machine. They hide malicious files and components from traditional antivirus/antimalware software. Rootkits bury themselves deep in the operating system. Special software is needed to detect and remove them. Even if symptoms are gone and logs are clean, it's still not a 100% guarantee that your machine is clean once a rootkit has been detected and removed. You should consider a reformat/reinstall of Windows.
The best source for information on how to do this would be the computer manufacturer's website.
eschwets
2011-02-11, 06:28
Thanks for offering to help! I obviously haven't fixed my problem, as the computer is randomly restarting and, more importantly, the new DDS log looks horrible....
I also received this message from Spybot on last startup; for now I haven't answered to allow or deny.
Category: session manager
Change: value deleted
Entry: Boot Execute
Old data: autocheck autochk*\c:\progra~1\avg\avg10\avgchsvx.exe /sync\c:\progra~1avg\avg10\avgrsx.exe.sync /restart
DDS (Ver_10-12-12.02) - NTFSx86
Run by Eric at 23:15:23.55 on Sun 02/06/2011
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.5.0_12
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2047.707 [GMT -5:00]
AV: AVG Internet Security 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Internet Security 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}
============== Running Processes ===============
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\AVG\AVG10\avgfws.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\ehome\ehmsas.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\AVG\AVG10\avgam.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\servicing\TrustedInstaller.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Users\Eric\Desktop\New Folder\dds.scr
============== Pseudo HJT Report ===============
uSearch Bar = Preserve
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://my.yahoo.com/
mStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:65091
uWinlogon: Shell=explorer.exe,
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\windows\system32\ActiveToolBand.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers client\YontooIEClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_0
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Comrade.exe] c:\program files\gamespy\comrade\Comrade.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [Acer Product Registration] "c:\program files\acer registration\ACE1.exe" /startup
mRun: [Acer Assist Launcher] c:\program files\acer assist\launcher.exe
mRun: [hpqSRMon]
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HotSync] "c:\program files\palmsource\desktop\HotSync.exe" -AllUsers
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [454D5A46_0] c:\windows\temp\bmfdrgfs.exe
dRun: [Metropolis] rundll32.exe c:\windows\system32\sshnas21.dll,GetHandle
StartupFolder: c:\users\eric\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: ameritrade.com
Trusted Zone: gallery.com
Trusted Zone: kodakgallery.com
Trusted Zone: microsoft.com
Trusted Zone: ofoto.com
Trusted Zone: tdameritrade.com
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://download.autodesk.com/esd/mapguide/SP1/ENG/mgaxctrl.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://games.ca.zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
============= SERVICES / DRIVERS ===============
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2010-7-12 54112]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R2 avgfws;AVG Firewall;c:\program files\avg\avg10\avgfws.exe [2010-11-22 3226632]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-2-3 1153368]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 27216]
R3 rt70x86;Linksys Home Wireless-G USB Adaptor Driver;c:\windows\system32\drivers\netr70.sys [2009-2-26 299520]
=============== Created Last 30 ================
2011-02-07 03:48:03 -------- d-----w- C:\PerfLogs
2011-02-07 03:46:24 -------- d-----w- c:\windows\nvtmpinst
2011-02-06 19:38:14 -------- d--h--w- C:\$AVG
2011-02-06 19:06:53 -------- d-----w- c:\users\eric\appdata\roaming\AVG10
2011-02-06 19:04:26 -------- d--h--w- c:\progra~2\Common Files
2011-02-06 19:00:18 -------- d-----w- c:\windows\system32\drivers\AVG
2011-02-06 19:00:18 -------- d-----w- c:\progra~2\AVG10
2011-02-06 18:59:40 -------- d-----w- c:\program files\AVG
2011-02-06 18:38:40 -------- d-----w- c:\progra~2\MFAData
2011-02-06 03:09:23 -------- d-----w- c:\users\eric\appdata\roaming\Malwarebytes
2011-02-06 03:09:18 -------- d-----w- c:\progra~2\Malwarebytes
2011-02-06 03:09:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-04 02:11:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-02-04 02:11:38 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2011-02-04 01:28:18 512 ----a-w- c:\users\eric\appdata\roaming\net.vbs
2011-02-04 01:28:18 1050 ----a-w- c:\users\eric\appdata\roaming\net.bat
2011-02-04 00:31:15 -------- d-----w- c:\users\eric\appdata\roaming\Uniblue
2011-02-04 00:30:50 -------- d-----w- c:\users\eric\appdata\local\PackageAware
2011-02-01 16:39:04 -------- d-----w- c:\progra~2\boost_interprocess
2011-02-01 16:38:53 166 ----a-w- c:\windows\system32\delme.bat
2011-02-01 16:38:07 -------- d-----w- c:\program files\Yontoo Layers Client
2011-02-01 16:38:03 -------- d-----w- c:\progra~2\Tarma Installer
2011-02-01 16:37:42 -------- d-----w- c:\users\eric\appdata\roaming\Vuaqe
2011-02-01 16:37:42 -------- d-----w- c:\users\eric\appdata\roaming\Ceruit
2011-02-01 16:37:40 -------- d-----w- c:\progra~2\WSTB
2011-02-01 16:37:34 -------- d-----w- c:\progra~2\cAjAdAc15400
2011-02-01 07:15:28 5890896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{04d55a04-bd50-4abb-83ab-da68cd801a4d}\mpengine.dll
2011-01-20 21:03:21 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-16 17:49:05 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-15 21:08:10 -------- d-----w- c:\users\eric\.idlerc
2011-01-15 20:39:47 -------- d-----w- C:\Python26
==================== Find3M ====================
2011-02-06 23:03:20 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2011-02-06 23:03:18 82432 ----a-w- c:\windows\system32\axaltocm.dll
============= FINISH: 23:17:10.86 ===============
eschwets
2011-02-11, 06:32
Ignore the above; that was the old DDS file.
New one:
DDS (Ver_10-12-12.02) - NTFSx86
Run by Eric at 23:10:07.12 on Thu 02/10/2011
Internet Explorer: 8.0.6001.19019 BrowserJavaVersion: 1.5.0_12
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2047.949 [GMT -5:00]
AV: AVG Internet Security 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Internet Security 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}
============== Running Processes ===============
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgfws.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\AVG\AVG10\avgam.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\mobsync.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\wsqmcons.exe
C:\Users\Eric\Desktop\New Folder\dds.scr
============== Pseudo HJT Report ===============
uSearch Bar = Preserve
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://my.yahoo.com/
mStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:65091
uWinlogon: Shell=explorer.exe,
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\windows\system32\ActiveToolBand.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers client\YontooIEClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Comrade.exe] c:\program files\gamespy\comrade\Comrade.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [Acer Product Registration] "c:\program files\acer registration\ACE1.exe" /startup
mRun: [Acer Assist Launcher] c:\program files\acer assist\launcher.exe
mRun: [hpqSRMon]
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HotSync] "c:\program files\palmsource\desktop\HotSync.exe" -AllUsers
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [454D5A46_0] c:\windows\temp\bmfdrgfs.exe
dRun: [Metropolis] rundll32.exe c:\windows\system32\sshnas21.dll,GetHandle
StartupFolder: c:\users\eric\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: ameritrade.com
Trusted Zone: gallery.com
Trusted Zone: kodakgallery.com
Trusted Zone: microsoft.com
Trusted Zone: ofoto.com
Trusted Zone: tdameritrade.com
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://download.autodesk.com/esd/mapguide/SP1/ENG/mgaxctrl.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://games.ca.zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
============= SERVICES / DRIVERS ===============
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2010-7-12 54112]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R2 avgfws;AVG Firewall;c:\program files\avg\avg10\avgfws.exe [2010-11-22 3226632]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-2-3 1153368]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 27216]
R3 rt70x86;Linksys Home Wireless-G USB Adaptor Driver;c:\windows\system32\drivers\netr70.sys [2009-2-26 299520]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
=============== Created Last 30 ================
2011-02-09 08:00:35 231936 ----a-w- c:\windows\system32\msshsq.dll
2011-02-08 23:48:36 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-08 23:48:36 292352 ----a-w- c:\windows\system32\atmfd.dll
2011-02-08 08:08:15 80896 ----a-w- c:\windows\system32\MSNP.ax
2011-02-08 08:08:15 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-02-08 08:08:12 428544 ----a-w- c:\windows\system32\EncDec.dll
2011-02-08 08:08:12 293376 ----a-w- c:\windows\system32\psisdecd.dll
2011-02-08 08:08:12 217088 ----a-w- c:\windows\system32\psisrndr.ax
2011-02-08 08:03:06 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2011-02-08 08:03:06 49472 ----a-w- c:\windows\system32\netfxperf.dll
2011-02-08 08:03:06 297808 ----a-w- c:\windows\system32\mscoree.dll
2011-02-08 08:03:06 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2011-02-08 08:03:06 1130824 ----a-w- c:\windows\system32\dfshim.dll
2011-02-07 18:06:50 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-02-07 18:06:48 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-02-07 18:06:45 1314816 ----a-w- c:\windows\system32\quartz.dll
2011-02-07 18:06:29 168960 ----a-w- c:\program files\windows media player\wmplayer.exe
2011-02-07 18:06:28 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2011-02-07 18:04:56 7680 ----a-w- c:\program files\internet explorer\iecompat.dll
2011-02-07 18:04:47 157184 ----a-w- c:\windows\system32\t2embed.dll
2011-02-07 18:04:41 1169408 ----a-w- c:\windows\system32\sdclt.exe
2011-02-07 18:04:32 10926592 ----a-w- c:\program files\movie maker\MOVIEMK.dll
2011-02-07 18:04:30 150016 ----a-w- c:\program files\movie maker\MOVIEMK.exe
2011-02-07 18:04:24 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2011-02-07 18:04:18 954752 ----a-w- c:\windows\system32\mfc40.dll
2011-02-07 18:04:18 954288 ----a-w- c:\windows\system32\mfc40u.dll
2011-02-07 18:04:12 36352 ----a-w- c:\windows\system32\rtutils.dll
2011-02-07 18:03:45 866816 ----a-w- c:\windows\system32\wmpmde.dll
2011-02-07 18:03:41 603648 ----a-w- c:\windows\system32\schedsvc.dll
2011-02-07 18:03:40 357376 ----a-w- c:\windows\system32\taskschd.dll
2011-02-07 18:03:40 345088 ----a-w- c:\windows\system32\wmicmiplugin.dll
2011-02-07 18:03:40 171520 ----a-w- c:\windows\system32\taskeng.exe
2011-02-07 18:03:39 270336 ----a-w- c:\windows\system32\taskcomp.dll
2011-02-07 18:03:27 81920 ----a-w- c:\windows\system32\consent.exe
2011-02-07 18:03:18 72704 ----a-w- c:\windows\system32\fontsub.dll
2011-02-07 18:03:07 1257472 ----a-w- c:\windows\system32\msxml3.dll
2011-02-07 18:02:49 147456 ----a-w- c:\windows\system32\Faultrep.dll
2011-02-07 18:02:49 125952 ----a-w- c:\windows\system32\wersvc.dll
2011-02-07 18:02:47 565248 ----a-w- c:\windows\system32\emdmgmt.dll
2011-02-07 18:02:46 625152 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-02-07 18:02:46 45056 ----a-w- c:\windows\system32\dataclen.dll
2011-02-07 18:02:46 36864 ----a-w- c:\windows\system32\cdd.dll
2011-02-07 18:02:46 148480 ----a-w- c:\windows\system32\drivers\nwifi.sys
2011-02-07 18:02:26 2048 ----a-w- c:\windows\system32\tzres.dll
2011-02-07 18:01:11 90112 ----a-w- c:\windows\system32\wshext.dll
2011-02-07 18:01:11 135168 ----a-w- c:\windows\system32\wshom.ocx
2011-02-07 18:01:10 180224 ----a-w- c:\windows\system32\scrobj.dll
2011-02-07 18:01:10 172032 ----a-w- c:\windows\system32\scrrun.dll
2011-02-07 18:01:10 155648 ----a-w- c:\windows\system32\wscript.exe
2011-02-07 18:01:10 135168 ----a-w- c:\windows\system32\cscript.exe
2011-02-07 18:00:59 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-02-07 18:00:55 738816 ----a-w- c:\windows\system32\inetcomm.dll
2011-02-07 17:57:04 531968 ----a-w- c:\windows\system32\comctl32.dll
2011-02-07 03:48:03 -------- d-----w- C:\PerfLogs
2011-02-07 03:46:24 -------- d-----w- c:\windows\nvtmpinst
2011-02-06 19:38:14 -------- d--h--w- C:\$AVG
2011-02-06 19:06:53 -------- d-----w- c:\users\eric\appdata\roaming\AVG10
2011-02-06 19:04:26 -------- d--h--w- c:\progra~2\Common Files
2011-02-06 19:00:18 -------- d-----w- c:\windows\system32\drivers\AVG
2011-02-06 19:00:18 -------- d-----w- c:\progra~2\AVG10
2011-02-06 18:59:40 -------- d-----w- c:\program files\AVG
2011-02-06 18:38:40 -------- d-----w- c:\progra~2\MFAData
2011-02-06 03:09:23 -------- d-----w- c:\users\eric\appdata\roaming\Malwarebytes
2011-02-06 03:09:18 -------- d-----w- c:\progra~2\Malwarebytes
2011-02-06 03:09:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-04 02:11:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-02-04 02:11:38 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2011-02-04 01:28:18 512 ----a-w- c:\users\eric\appdata\roaming\net.vbs
2011-02-04 01:28:18 1050 ----a-w- c:\users\eric\appdata\roaming\net.bat
2011-02-04 00:31:15 -------- d-----w- c:\users\eric\appdata\roaming\Uniblue
2011-02-04 00:30:50 -------- d-----w- c:\users\eric\appdata\local\PackageAware
2011-02-01 16:39:04 -------- d-----w- c:\progra~2\boost_interprocess
2011-02-01 16:38:53 166 ----a-w- c:\windows\system32\delme.bat
2011-02-01 16:38:07 -------- d-----w- c:\program files\Yontoo Layers Client
2011-02-01 16:38:03 -------- d-----w- c:\progra~2\Tarma Installer
2011-02-01 16:37:42 -------- d-----w- c:\users\eric\appdata\roaming\Vuaqe
2011-02-01 16:37:42 -------- d-----w- c:\users\eric\appdata\roaming\Ceruit
2011-02-01 16:37:40 -------- d-----w- c:\progra~2\WSTB
2011-02-01 16:37:34 -------- d-----w- c:\progra~2\cAjAdAc15400
2011-02-01 07:15:28 5890896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{04d55a04-bd50-4abb-83ab-da68cd801a4d}\mpengine.dll
2011-01-20 21:03:21 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-16 17:49:05 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-15 21:08:10 -------- d-----w- c:\users\eric\.idlerc
2011-01-15 20:39:47 -------- d-----w- C:\Python26
==================== Find3M ====================
2011-02-06 23:03:20 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2011-02-06 23:03:18 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-12-31 13:25:17 2038784 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 14:57:35 409600 ----a-w- c:\windows\system32\odbc32.dll
2010-12-18 06:27:04 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-18 06:22:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-18 06:22:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-18 06:22:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-12-18 06:22:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-12-18 05:25:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-18 04:48:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-12-18 04:47:11 1638912 ----a-w- c:\windows\system32\mshtml.tlb
============= FINISH: 23:10:55.20 ===============
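The Pseudo HJT section of the DDS log above contains the indicators a helper would zero in on: a user proxy pointed at the loopback interface on an odd port (browser traffic being funnelled through a local listener), Run entries under the Default user hive (dRun) that launch from c:\windows\temp and load a DLL out of system32 via rundll32, and a toolbar CLSID whose file is gone. The script below is an added example, not code from the original post, from DDS or from ComboFix. It parses that one-entry-per-line format and flags those patterns; the sample lines are copied from the log in this thread, while the rule names, severities and function names are the example's own assumptions.

```python
"""
Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example (not part of the forum post, DDS or ComboFix). Heuristics:
  * ProxyServer pointing at the loopback interface  -> traffic interception
  * uRun/mRun/dRun entries launched from Temp, AppData or the Recycle Bin
  * any dRun entry (Default user hive), which a home user rarely sets
  * TB: (toolbar) entries whose file is missing ("No File")
Rule names and severity labels are this example's own.
"""
import re
from typing import Dict, List

# Constructed sample: lines copied from the DDS report posted above.
SAMPLE_REPORT = r"""
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:65091
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [454D5A46_0] c:\windows\temp\bmfdrgfs.exe
dRun: [Metropolis] rundll32.exe c:\windows\system32\sshnas21.dll,GetHandle
Trusted Zone: microsoft.com
"""

RUN_RE = re.compile(r'^(?P<hive>[umd])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$', re.I)
PROXY_RE = re.compile(r'ProxyServer\s*=\s*(?P<value>.+)$', re.I)
TB_RE = re.compile(r'^TB:\s*(?P<body>.*)$')

# Directories a legitimate autostart entry almost never runs from.
SUSPECT_DIRS = ('\\windows\\temp\\', '\\temp\\', '\\appdata\\', '\\$recycle.bin\\')
LOOPBACK_HOSTS = ('127.0.0.1', 'localhost', '0.0.0.0')


def executable_of(cmd: str) -> str:
    """Return the path that actually gets loaded for a Run-key command line.

    Handles quoted paths and rundll32, where the payload is the DLL after
    the host process, not rundll32.exe itself.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    if not tokens:
        return ''
    if tokens[0].lower().startswith('rundll32'):
        rest = cmd[len(tokens[0]):].strip()
        return rest.split(',', 1)[0].strip()
    return tokens[0]


def analyse_report(text: str) -> List[Dict[str, str]]:
    """Scan Pseudo-HJT lines and return a list of findings, in file order."""
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = PROXY_RE.search(line)
        if m:
            # Value looks like "http=127.0.0.1:65091" or "host:port", ';'-separated.
            for entry in m.group('value').split(';'):
                host = entry.split('=')[-1].rsplit(':', 1)[0].strip().lower()
                if host in LOOPBACK_HOSTS:
                    findings.append({'severity': 'high', 'rule': 'loopback-proxy', 'line': line})
            continue

        m = RUN_RE.match(line)
        if m:
            exe = executable_of(m.group('cmd')).lower()
            if any(d in exe for d in SUSPECT_DIRS):
                findings.append({'severity': 'high', 'rule': 'autostart-from-temp-or-profile', 'line': line})
            elif m.group('hive').lower() == 'd':
                findings.append({'severity': 'medium', 'rule': 'default-user-autostart', 'line': line})
            continue

        m = TB_RE.match(line)
        if m and m.group('body').rstrip().lower().endswith('no file'):
            findings.append({'severity': 'low', 'rule': 'orphan-toolbar', 'line': line})
    return findings


if __name__ == '__main__':
    for f in analyse_report(SAMPLE_REPORT):
        print(f"[{f['severity']:6}] {f['rule']:32} {f['line']}")
```

Run against the sample it reports the loopback proxy, the orphan toolbar, the Temp-resident dRun entry and the rundll32 dRun entry, and stays quiet on the Sidebar, AVG and NVIDIA lines. The Default-user rule is deliberately broad: on a single-user home machine anything under the Default hive deserves a look, and that is what catches a DLL like sshnas21.dll that lives in system32 next to legitimate vendor DLLs.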
shelf life
2011-02-12, 01:52
We will get another download to use as a check for malware. It's called ComboFix. There is a guide to read first. Read through the guide, then apply the directions on your own machine:
Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
eschwets
2011-02-12, 04:55
Thanks for the help.
I had a ComboFix issue, as even though I temporarily disabled AVG, it required me to completely uninstall it prior to running. I'm disconnecting this computer from the Internet until I hear back.
ComboFix 11-02-11.01 - Eric 02/11/2011 20:58:05.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2047.1074 [GMT -5:00]
Running from: c:\users\Eric\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-1604154607-4238787789-190567681-1000\$RHBM81O\cclitesetupui.exe
c:\programdata\boost_interprocess\20110131232943.875948
c:\users\Eric\AppData\Local\{1C1795CF-7134-4E52-BB6F-343468E837C6}
c:\users\Eric\AppData\Local\{1C1795CF-7134-4E52-BB6F-343468E837C6}\chrome.manifest
c:\users\Eric\AppData\Local\{1C1795CF-7134-4E52-BB6F-343468E837C6}\chrome\content\_cfg.js
c:\users\Eric\AppData\Local\{1C1795CF-7134-4E52-BB6F-343468E837C6}\chrome\content\overlay.xul
c:\users\Eric\AppData\Local\{1C1795CF-7134-4E52-BB6F-343468E837C6}\install.rdf
c:\users\Eric\AppData\Roaming\lovely.ini
c:\users\Eric\AppData\Roaming\net.bat
c:\users\Eric\AppData\Roaming\net.vbs
c:\users\Eric\msn plugin.exe
c:\windows\system32\config\systemprofile\AppData\Roaming\lovely.ini
c:\windows\system32\config\systemprofile\AppData\Roaming\net.bat
c:\windows\system32\config\systemprofile\AppData\Roaming\net.vbs
c:\windows\system32\delme.bat
.
((((((((((((((((((((((((( Files Created from 2011-01-12 to 2011-02-12 )))))))))))))))))))))))))))))))
.
2011-02-12 02:06 . 2011-02-12 02:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-09 08:00 . 2010-09-20 09:25 231936 ----a-w- c:\windows\system32\msshsq.dll
2011-02-08 23:48 . 2011-01-08 07:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-08 23:48 . 2011-01-08 05:57 292352 ----a-w- c:\windows\system32\atmfd.dll
2011-02-08 08:08 . 2010-04-14 17:46 80896 ----a-w- c:\windows\system32\MSNP.ax
2011-02-08 08:08 . 2010-04-14 17:45 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-02-08 08:08 . 2010-04-14 17:47 293376 ----a-w- c:\windows\system32\psisdecd.dll
2011-02-08 08:08 . 2010-04-14 17:47 217088 ----a-w- c:\windows\system32\psisrndr.ax
2011-02-08 08:08 . 2010-04-14 17:46 428544 ----a-w- c:\windows\system32\EncDec.dll
2011-02-08 08:03 . 2009-11-08 15:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2011-02-08 08:03 . 2009-11-08 15:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2011-02-08 08:03 . 2009-11-08 15:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2011-02-08 08:03 . 2009-11-08 15:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2011-02-08 08:03 . 2009-11-08 15:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2011-02-07 18:06 . 2010-08-26 16:01 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-02-07 18:06 . 2010-08-26 14:11 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-02-07 18:06 . 2010-04-16 16:10 1314816 ----a-w- c:\windows\system32\quartz.dll
2011-02-07 18:06 . 2010-09-10 16:35 168960 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2011-02-07 18:06 . 2010-09-10 16:37 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2011-02-07 18:04 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-02-07 18:04 . 2010-08-26 16:07 157184 ----a-w- c:\windows\system32\t2embed.dll
2011-02-07 18:04 . 2010-12-14 15:49 1169408 ----a-w- c:\windows\system32\sdclt.exe
2011-02-07 18:04 . 2010-06-17 17:15 10926592 ----a-w- c:\program files\Movie Maker\MOVIEMK.dll
2011-02-07 18:04 . 2010-06-17 15:49 150016 ----a-w- c:\program files\Movie Maker\MOVIEMK.exe
2011-02-07 18:04 . 2010-04-05 16:08 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2011-02-07 18:04 . 2010-08-31 15:41 954752 ----a-w- c:\windows\system32\mfc40.dll
2011-02-07 18:04 . 2010-08-31 15:41 954288 ----a-w- c:\windows\system32\mfc40u.dll
2011-02-07 18:04 . 2010-06-18 16:43 36352 ----a-w- c:\windows\system32\rtutils.dll
2011-02-07 18:03 . 2010-08-20 15:21 866816 ----a-w- c:\windows\system32\wmpmde.dll
2011-02-07 18:03 . 2010-11-06 11:09 603648 ----a-w- c:\windows\system32\schedsvc.dll
2011-02-07 18:03 . 2010-11-06 11:10 345088 ----a-w- c:\windows\system32\wmicmiplugin.dll
2011-02-07 18:03 . 2010-11-06 11:10 357376 ----a-w- c:\windows\system32\taskschd.dll
2011-02-07 18:03 . 2010-11-05 00:53 171520 ----a-w- c:\windows\system32\taskeng.exe
2011-02-07 18:03 . 2010-11-06 11:10 270336 ----a-w- c:\windows\system32\taskcomp.dll
2011-02-07 18:03 . 2010-10-18 14:01 81920 ----a-w- c:\windows\system32\consent.exe
2011-02-07 18:03 . 2010-06-16 15:12 72704 ----a-w- c:\windows\system32\fontsub.dll
2011-02-07 18:03 . 2010-06-11 15:30 1257472 ----a-w- c:\windows\system32\msxml3.dll
2011-02-07 18:02 . 2008-09-18 04:56 125952 ----a-w- c:\windows\system32\wersvc.dll
2011-02-07 18:02 . 2008-09-18 04:56 147456 ----a-w- c:\windows\system32\Faultrep.dll
2011-02-07 18:02 . 2008-06-26 03:29 565248 ----a-w- c:\windows\system32\emdmgmt.dll
2011-02-07 18:02 . 2008-08-02 03:26 36864 ----a-w- c:\windows\system32\cdd.dll
2011-02-07 18:02 . 2008-08-02 01:01 625152 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-02-07 18:02 . 2008-06-26 03:29 45056 ----a-w- c:\windows\system32\dataclen.dll
2011-02-07 18:02 . 2008-05-20 02:07 148480 ----a-w- c:\windows\system32\drivers\nwifi.sys
2011-02-07 18:02 . 2010-10-28 12:56 2048 ----a-w- c:\windows\system32\tzres.dll
2011-02-07 18:01 . 2008-05-08 21:59 90112 ----a-w- c:\windows\system32\wshext.dll
2011-02-07 18:01 . 2008-05-08 21:58 135168 ----a-w- c:\windows\system32\wshom.ocx
2011-02-07 18:01 . 2008-05-08 21:59 180224 ----a-w- c:\windows\system32\scrobj.dll
2011-02-07 18:01 . 2008-05-08 21:59 172032 ----a-w- c:\windows\system32\scrrun.dll
2011-02-07 18:01 . 2008-05-08 21:59 155648 ----a-w- c:\windows\system32\wscript.exe
2011-02-07 18:01 . 2008-05-08 21:58 135168 ----a-w- c:\windows\system32\cscript.exe
2011-02-07 18:00 . 2010-06-16 15:59 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-02-07 18:00 . 2010-05-27 19:16 738816 ----a-w- c:\windows\system32\inetcomm.dll
2011-02-07 17:57 . 2010-08-31 15:40 531968 ----a-w- c:\windows\system32\comctl32.dll
2011-02-07 03:48 . 2011-02-07 03:48 -------- d-----w- C:\PerfLogs
2011-02-07 03:46 . 2011-02-07 03:54 -------- d-----w- c:\windows\nvtmpinst
2011-02-06 22:27 . 2011-02-06 22:27 -------- d-----w- c:\program files\ERUNT
2011-02-06 19:38 . 2011-02-06 19:38 -------- d-----w- C:\$AVG
2011-02-06 19:06 . 2011-02-06 19:06 -------- d-----w- c:\users\Eric\AppData\Roaming\AVG10
2011-02-06 19:04 . 2011-02-06 19:04 -------- d--h--w- c:\programdata\Common Files
2011-02-06 19:00 . 2011-02-12 01:49 -------- d-----w- c:\programdata\AVG10
2011-02-06 18:59 . 2011-02-06 18:59 -------- d-----w- c:\program files\AVG
2011-02-06 18:38 . 2011-02-06 18:59 -------- d-----w- c:\programdata\MFAData
2011-02-06 03:09 . 2011-02-06 03:09 -------- d-----w- c:\users\Eric\AppData\Roaming\Malwarebytes
2011-02-06 03:09 . 2011-02-06 03:09 -------- d-----w- c:\programdata\Malwarebytes
2011-02-06 03:09 . 2011-02-06 19:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-04 02:11 . 2011-02-04 02:46 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-02-04 02:11 . 2011-02-04 02:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-02-04 00:52 . 2011-02-04 00:52 -------- d-----w- c:\windows\Sun
2011-02-04 00:31 . 2011-02-04 00:31 -------- d-----w- c:\users\Eric\AppData\Roaming\Uniblue
2011-02-04 00:30 . 2011-02-04 00:30 -------- d-----w- c:\users\Eric\AppData\Local\PackageAware
2011-02-01 16:40 . 2011-02-01 16:40 0 ----a-w- c:\windows\system32\config\systemprofile\AppData\Local\Cdiqoge.bin
2011-02-01 16:40 . 2011-02-01 16:40 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\{56DEA8B7-3F26-4322-BCDB-E924A4A5DDC6}
2011-02-01 16:39 . 2011-02-12 02:05 -------- d-----w- c:\programdata\boost_interprocess
2011-02-01 16:38 . 2011-02-01 16:38 -------- d-----w- c:\program files\Yontoo Layers Client
2011-02-01 16:38 . 2011-02-01 16:38 -------- d-----w- c:\programdata\Tarma Installer
2011-02-01 16:37 . 2011-02-06 03:17 -------- d-----w- c:\users\Eric\AppData\Roaming\Ceruit
2011-02-01 16:37 . 2011-02-06 01:17 -------- d-----w- c:\users\Eric\AppData\Roaming\Vuaqe
2011-02-01 16:37 . 2011-02-06 18:32 -------- d-----w- c:\programdata\WSTB
2011-02-01 16:37 . 2011-02-06 18:32 -------- d-----w- c:\programdata\cAjAdAc15400
2011-02-01 15:48 . 2011-02-01 15:48 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Apple Computer
2011-02-01 15:48 . 2011-02-01 15:48 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Roaming\Apple Computer
2011-02-01 07:15 . 2011-01-13 09:41 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{04D55A04-BD50-4ABB-83AB-DA68CD801A4D}\mpengine.dll
2011-01-20 21:03 . 2011-01-20 21:02 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-16 17:49 . 2010-10-19 15:41 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-15 21:08 . 2011-01-15 21:08 -------- d-----w- c:\users\Eric\.idlerc
2011-01-15 20:39 . 2011-01-15 21:45 -------- d-----w- C:\Python26
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-06 23:03 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2011-02-06 23:03 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-12-09 14:13 . 2010-12-09 14:13 644360 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2010-12-20 18:09 191488 ------w- c:\program files\Yontoo Layers Client\YontooIEClient.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Comrade.exe"="c:\program files\GameSpy\Comrade\Comrade.exe" [2008-12-09 800256]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-11-17 453120]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2006-12-13 3166208]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2006-12-04 1261568]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-07-26 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-26 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-26 81920]
c:\users\Eric\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2006-1-6 528384]
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-1-3 1392640]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-2-20 282624]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 rt70x86;Linksys Home Wireless-G USB Adaptor Driver;c:\windows\system32\DRIVERS\netr70.sys [2009-02-26 299520]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2011-02-12 c:\windows\Tasks\User_Feed_Synchronization-{EA194482-568A-4BA4-A3E7-8A3CACCA71C7}.job
- c:\windows\system32\msfeedssync.exe [2011-02-08 04:47]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://my.yahoo.com/
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:65091
Trusted Zone: ameritrade.com
Trusted Zone: gallery.com
Trusted Zone: kodakgallery.com
Trusted Zone: microsoft.com
Trusted Zone: ofoto.com
Trusted Zone: tdameritrade.com
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-hpqSRMon - (no file)
HKLM-Run-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe
HKU-Default-Run-Metropolis - c:\windows\system32\sshnas21.dll
MSConfigStartUp-AVG_TRAY - c:\program files\AVG\AVG10\avgtray.exe
MSConfigStartUp-cftmon - c:\windows\system32\ixud.exe
MSConfigStartUp-conhost - c:\users\Eric\AppData\Roaming\Microsoft\conhost.exe
MSConfigStartUp-Kxucasewi - c:\windows\system32\config\systemprofile\AppData\Local\uqilicomeposu.dll
MSConfigStartUp-Malwarebytes' Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
MSConfigStartUp-RegistryBooster - c:\program files\Uniblue\RegistryBooster\launcher.exe
MSConfigStartUp-Run key name - c:\users\Eric\AppData\Roaming\Sys32Disp.exe.exe
MSConfigStartUp-Rvahisayiko - c:\users\Eric\AppData\Local\msprys.dll
MSConfigStartUp-Symantec PIF AlertEng - c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-11 21:06
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1604154607-4238787789-190567681-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2011-02-11 21:08:55
ComboFix-quarantined-files.txt 2011-02-12 02:08
Pre-Run: 77,065,146,368 bytes free
Post-Run: 77,077,827,584 bytes free
- - End Of File - - 0D994E6AF4ADC05F04262281160E8F2A
shelf life
2011-02-12, 17:21
OK, thanks for the info. Can you rescan and post a new DDS log for me?
eschwets
2011-02-12, 21:04
Here's the new scan. I hope it helps!
I was interested to see all the new files under "Created Last 30". These happened after ComboFix was run. I haven't restarted the computer since then.
DDS (Ver_10-12-12.02) - NTFSx86
Run by Eric at 13:46:32.52 on Sat 02/12/2011
Internet Explorer: 8.0.6001.19019 BrowserJavaVersion: 1.5.0_12
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2047.1566 [GMT -5:00]
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\wsqmcons.exe
C:\Windows\explorer.exe
C:\Windows\System32\mobsync.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Eric\Desktop\New Folder\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://my.yahoo.com/
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:65091
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\windows\system32\ActiveToolBand.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers client\YontooIEClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Comrade.exe] c:\program files\gamespy\comrade\Comrade.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [Acer Product Registration] "c:\program files\acer registration\ACE1.exe" /startup
mRun: [Acer Assist Launcher] c:\program files\acer assist\launcher.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
StartupFolder: c:\users\eric\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: ameritrade.com
Trusted Zone: gallery.com
Trusted Zone: kodakgallery.com
Trusted Zone: microsoft.com
Trusted Zone: ofoto.com
Trusted Zone: tdameritrade.com
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://download.autodesk.com/esd/mapguide/SP1/ENG/mgaxctrl.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://games.ca.zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
============= SERVICES / DRIVERS ===============
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-2-3 1153368]
R3 rt70x86;Linksys Home Wireless-G USB Adaptor Driver;c:\windows\system32\drivers\netr70.sys [2009-2-26 299520]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
=============== Created Last 30 ================
2011-02-12 02:11:56 5890896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{8c331a1c-3224-491a-b1a9-a0d3e73a46b2}\mpengine.dll
2011-02-12 02:07:07 -------- d-sh--w- C:\$RECYCLE.BIN
2011-02-12 01:54:14 98816 ----a-w- c:\windows\sed.exe
2011-02-12 01:54:14 89088 ----a-w- c:\windows\MBR.exe
2011-02-12 01:54:14 256512 ----a-w- c:\windows\PEV.exe
2011-02-12 01:54:14 161792 ----a-w- c:\windows\SWREG.exe
2011-02-09 08:00:35 231936 ----a-w- c:\windows\system32\msshsq.dll
2011-02-08 23:48:36 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-08 23:48:36 292352 ----a-w- c:\windows\system32\atmfd.dll
2011-02-08 08:08:15 80896 ----a-w- c:\windows\system32\MSNP.ax
2011-02-08 08:08:15 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-02-08 08:08:12 428544 ----a-w- c:\windows\system32\EncDec.dll
2011-02-08 08:08:12 293376 ----a-w- c:\windows\system32\psisdecd.dll
2011-02-08 08:08:12 217088 ----a-w- c:\windows\system32\psisrndr.ax
2011-02-08 08:03:06 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2011-02-08 08:03:06 49472 ----a-w- c:\windows\system32\netfxperf.dll
2011-02-08 08:03:06 297808 ----a-w- c:\windows\system32\mscoree.dll
2011-02-08 08:03:06 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2011-02-08 08:03:06 1130824 ----a-w- c:\windows\system32\dfshim.dll
2011-02-07 18:06:50 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-02-07 18:06:48 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-02-07 18:06:45 1314816 ----a-w- c:\windows\system32\quartz.dll
2011-02-07 18:06:29 168960 ----a-w- c:\program files\windows media player\wmplayer.exe
2011-02-07 18:06:28 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2011-02-07 18:04:56 7680 ----a-w- c:\program files\internet explorer\iecompat.dll
2011-02-07 18:04:47 157184 ----a-w- c:\windows\system32\t2embed.dll
2011-02-07 18:04:41 1169408 ----a-w- c:\windows\system32\sdclt.exe
2011-02-07 18:04:32 10926592 ----a-w- c:\program files\movie maker\MOVIEMK.dll
2011-02-07 18:04:30 150016 ----a-w- c:\program files\movie maker\MOVIEMK.exe
2011-02-07 18:04:24 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2011-02-07 18:04:18 954752 ----a-w- c:\windows\system32\mfc40.dll
2011-02-07 18:04:18 954288 ----a-w- c:\windows\system32\mfc40u.dll
2011-02-07 18:04:12 36352 ----a-w- c:\windows\system32\rtutils.dll
2011-02-07 18:03:45 866816 ----a-w- c:\windows\system32\wmpmde.dll
2011-02-07 18:03:41 603648 ----a-w- c:\windows\system32\schedsvc.dll
2011-02-07 18:03:40 357376 ----a-w- c:\windows\system32\taskschd.dll
2011-02-07 18:03:40 345088 ----a-w- c:\windows\system32\wmicmiplugin.dll
2011-02-07 18:03:40 171520 ----a-w- c:\windows\system32\taskeng.exe
2011-02-07 18:03:39 270336 ----a-w- c:\windows\system32\taskcomp.dll
2011-02-07 18:03:27 81920 ----a-w- c:\windows\system32\consent.exe
2011-02-07 18:03:18 72704 ----a-w- c:\windows\system32\fontsub.dll
2011-02-07 18:03:07 1257472 ----a-w- c:\windows\system32\msxml3.dll
2011-02-07 18:02:49 147456 ----a-w- c:\windows\system32\Faultrep.dll
2011-02-07 18:02:49 125952 ----a-w- c:\windows\system32\wersvc.dll
2011-02-07 18:02:47 565248 ----a-w- c:\windows\system32\emdmgmt.dll
2011-02-07 18:02:46 625152 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-02-07 18:02:46 45056 ----a-w- c:\windows\system32\dataclen.dll
2011-02-07 18:02:46 36864 ----a-w- c:\windows\system32\cdd.dll
2011-02-07 18:02:46 148480 ----a-w- c:\windows\system32\drivers\nwifi.sys
2011-02-07 18:02:26 2048 ----a-w- c:\windows\system32\tzres.dll
2011-02-07 18:01:11 90112 ----a-w- c:\windows\system32\wshext.dll
2011-02-07 18:01:11 135168 ----a-w- c:\windows\system32\wshom.ocx
2011-02-07 18:01:10 180224 ----a-w- c:\windows\system32\scrobj.dll
2011-02-07 18:01:10 172032 ----a-w- c:\windows\system32\scrrun.dll
2011-02-07 18:01:10 155648 ----a-w- c:\windows\system32\wscript.exe
2011-02-07 18:01:10 135168 ----a-w- c:\windows\system32\cscript.exe
2011-02-07 18:00:59 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-02-07 18:00:55 738816 ----a-w- c:\windows\system32\inetcomm.dll
2011-02-07 17:57:04 531968 ----a-w- c:\windows\system32\comctl32.dll
2011-02-07 03:48:03 -------- d-----w- C:\PerfLogs
2011-02-07 03:46:24 -------- d-----w- c:\windows\nvtmpinst
2011-02-06 19:38:14 -------- d-----w- C:\$AVG
2011-02-06 19:06:53 -------- d-----w- c:\users\eric\appdata\roaming\AVG10
2011-02-06 19:04:26 -------- d--h--w- c:\progra~2\Common Files
2011-02-06 19:00:18 -------- d-----w- c:\progra~2\AVG10
2011-02-06 18:59:40 -------- d-----w- c:\program files\AVG
2011-02-06 18:38:40 -------- d-----w- c:\progra~2\MFAData
2011-02-06 03:09:23 -------- d-----w- c:\users\eric\appdata\roaming\Malwarebytes
2011-02-06 03:09:18 -------- d-----w- c:\progra~2\Malwarebytes
2011-02-06 03:09:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-04 02:11:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-02-04 02:11:38 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2011-02-04 00:31:15 -------- d-----w- c:\users\eric\appdata\roaming\Uniblue
2011-02-04 00:30:50 -------- d-----w- c:\users\eric\appdata\local\PackageAware
2011-02-01 16:39:04 -------- d-----w- c:\progra~2\boost_interprocess
2011-02-01 16:38:07 -------- d-----w- c:\program files\Yontoo Layers Client
2011-02-01 16:38:03 -------- d-----w- c:\progra~2\Tarma Installer
2011-02-01 16:37:42 -------- d-----w- c:\users\eric\appdata\roaming\Vuaqe
2011-02-01 16:37:42 -------- d-----w- c:\users\eric\appdata\roaming\Ceruit
2011-02-01 16:37:40 -------- d-----w- c:\progra~2\WSTB
2011-02-01 16:37:34 -------- d-----w- c:\progra~2\cAjAdAc15400
2011-01-20 21:03:21 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-16 17:49:05 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-15 21:08:10 -------- d-----w- c:\users\eric\.idlerc
2011-01-15 20:39:47 -------- d-----w- C:\Python26
==================== Find3M ====================
2011-02-06 23:03:20 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2011-02-06 23:03:18 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-12-31 13:25:17 2038784 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 14:57:35 409600 ----a-w- c:\windows\system32\odbc32.dll
2010-12-18 06:27:04 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-18 06:22:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-18 06:22:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-18 06:22:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-12-18 06:22:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-12-18 05:25:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-18 04:48:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-12-18 04:47:11 1638912 ----a-w- c:\windows\system32\mshtml.tlb
============= FINISH: 13:46:53.21 ===============
shelf life
2011-02-13, 03:03
That looks OK as far as malware goes. First I would disable Spybot's TeaTimer if active. How:
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left-hand side, click on Tools.
4. Then click on the Resident icon in the list.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.
Then:
Open Internet Explorer and at the top click on Tools > Internet Options > Connections tab > LAN settings, uncheck 'Use a proxy server' and click OK.
Re-enable TeaTimer. You can remove ComboFix like this:
Start > Run and type in combofix /uninstall
Click OK or press Enter.
Note the space after the x and before the /.
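The proxy line in the logs above (ProxyServer = http=127.0.0.1:65091) is the setting the LAN settings dialog edits. As an added example that is not part of the thread, this PowerShell script reads the same per-user Internet Settings key, flags a proxy that points back at the local machine, and clears it only when asked; it assumes the standard WinINet registry location and that it is run as the affected user.

```powershell
# Added example (not from the thread): inspect the per-user WinINet proxy
# settings that the IE "LAN settings" dialog edits, and flag a proxy that
# points at the local machine, as 127.0.0.1:65091 did in the DDS log above.
# Run as the affected user; add -Remove to clear the setting after review.
param([switch]$Remove)

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p   = Get-ItemProperty -Path $key

$enabled = ($p.ProxyEnable -eq 1)
$server  = [string]$p.ProxyServer
$autocfg = [string]$p.AutoConfigURL    # a PAC URL can redirect traffic too

Write-Host "ProxyEnable  : $($p.ProxyEnable)"
Write-Host "ProxyServer  : $server"
Write-Host "AutoConfigURL: $autocfg"

# A loopback proxy on a home machine is a hijack indicator: some process on
# the host is sitting between the browser and the network.
$suspect = $server -match '(^|=)(127\.\d+\.\d+\.\d+|localhost)(:\d+)?'

if ($enabled -and $suspect) {
    Write-Warning "Proxy points at the local host: $server"
    # The process listening on that port is what needs identifying and
    # removing; netstat -ano shows its PID in the last column.
    if ($server -match ':(\d+)') {
        $port = $Matches[1]
        netstat -ano | Select-String "127\.0\.0\.1:$port\s" | ForEach-Object {
            Write-Host "  listener: $_"
        }
    }
    if ($Remove) {
        Set-ItemProperty -Path $key -Name ProxyEnable -Value 0
        Remove-ItemProperty -Path $key -Name ProxyServer -ErrorAction SilentlyContinue
        Write-Host "Proxy disabled; restart Internet Explorer to apply."
    }
} elseif ($enabled) {
    Write-Host "A proxy is configured; confirm it is one you set: $server"
} else {
    Write-Host "No proxy configured for this user."
}
```

Clearing the setting only stops the browser using the proxy; the listener it pointed at still has to be found and removed, which is why the script prints it before doing anything else.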
eschwets
2011-02-13, 03:57
Thanks. I had turned TeaTimer off when downloading and running ComboFix. My IE LAN setting is "automatically detect settings".
When I turned TeaTimer back on I had several windows pop up. I allowed all of the changes (assuming they were due to ComboFix (I hope...)).
Any additional advice?
I'll leave this computer disconnected again until I hear back, but I did write this to you on the problem one.
I'm planning to re-download AVG again and run the AVG/Spybot combo--any thoughts?
Thanks again
shelf life
2011-02-13, 15:39
ComboFix isn't really to be used like AVG or Spybot as an on-demand scanner. My first stop would be to get an AV installed and updated, AVG or another. I use this (http://www.microsoft.com/security_essentials/) or this (http://www.cloudantivirus.com/en/) on my Windows machines, because I like the simple GUI. I don't get caught up in ratings or opinions.
If all is good on your end, some tips for you:
10 Tips for Prevention and Avoidance of Malware:
There is no reason why your computer cannot stay malware free.
No software can think for you. Help yourself. In no special order:
1) It is essential to keep your operating system (Windows), browser (IE, FireFox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update (http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us) frequently or use the Windows auto-update feature (http://www.microsoft.com/windows/downloads/windowsupdate/automaticupdate.mspx). Staying updated is also essential for other web-based applications like Java, Adobe Flash/Reader, iTunes etc. More and more third-party applications are being targeted. Use the auto-update features available in most software. Not sure if you are using the latest version of software? Check their version status and get the updates here (http://secunia.com/vulnerability_scanning/online/).
2) Know what you are installing on your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer, after which you are prompted to install software to remedy this. See also the signs (http://www.malwarevault.com/signs.html) that you may have malware on your computer.
3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently finds malware then it's time to *review your computer habits*.
4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks (http://www.fraud.org/tips/internet/phishing.htm).
5) Do not click on ads/pop-ups or offers from websites requesting that you install software on your computer--*for any reason*. Use the Alt+F4 keys to close the window.
6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?
7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.* This is exactly what User Account Control (UAC) in Windows Vista and Windows 7 attempts to address.
8) Install and understand the *limitations* of a software firewall.
9) A tool (http://nsslabs.com/general/ie8-hardening-tool.html) for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. It changes some of the default settings of IE 8.0; read the FAQs. Or see a slide show here (http://threatpost.com/en_us/slideshow/How%20to%20configure%20Internet%20Explorer%20for%20secure%20surfing) and do it yourself. How to harden FireFox (http://threatpost.com/en_us/slideshow/How-to-configure-Mozilla-Firefox-for-secure-surfing?utm_source=Second+Sidebar&utm_medium=Featured+Slideshows&utm_campaign=Configure+Mozilla+Firefox) for safer surfing.
10) Warez, cracks etc. are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via P2P networks you will encounter malware. Can you really trust the source of the file?
More info/tips with pictures, links below
Happy Safe Surfing.