
Thread: gwebsysgaurd infection!

  1. #1
    Junior Member (Join Date: Dec 2009, Posts: 6)

    gwebsysgaurd infection!

    I was able to stop, not remove, the infection with the Revo hunter tool. Now I can access the internet, yay!

    I'm pretty much new to everything. I read the "read first" post completely.

    I installed HijackThis and ERUNT.

    Here's the HijackThis log. When I ran this program, this window popped up:

    For some reason your system denied write access to the hosts file. If any hijacked domains are in this file, HijackThis may NOT be able to fix this. If that happens you need to edit the file yourself. To do this, click Start... bla, bla, directions, bla.... For Vista, simply right click the HijackThis icon and choose Run as admin. - I have Vista and this option does not exist on my machine :(

    HijackThis log
    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 9:47:52 PM, on 12/19/2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18349)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\RtHDVCpl.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Users\BESTBU~1\AppData\Local\Temp\RtkBtMnt.exe
    C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
    C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
    C:\Windows\WindowsMobile\wmdSync.exe
    C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\Explorer.exe
    C:\Program Files\McAfee Security Scan\1.0.150\McUICnt.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Windows\system32\wuauclt.exe
    c:\PROGRA~1\mcafee\msc\mcuimgr.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=15450&l=dis
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=...&m=aspire_5735
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=...&m=aspire_5735
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
    O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
    O4 - HKLM\..\Run: [ePower_DMC] C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
    O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer\Acer Assist\launcher.exe
    O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
    O4 - HKCU\..\Run: [dekoyukimo] Rundll32.exe "C:\ProgramData\jesepige\jesepige.dll",s
    O4 - HKCU\..\Run: [tovososoz] Rundll32.exe "c:\progra~2\biravoja\biravoja.dll",a
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P10 /q c:\users\BESTBU~1\appdata\local\temp\TEMPOR~1\Content.SH! c:\users\BESTBU~1\appdata\local\temp\TEMPOR~1.SH! c:\users\BESTBU~1\appdata\local\temp\History\History.SH! c:\users\BESTBU~1\appdata\local\temp\History.SH! c:\users\BESTBU~1\appdata\local\temp\Cookies.SH! (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P10 /q c:\users\BESTBU~1\appdata\local\temp\TEMPOR~1\Content.SH! c:\users\BESTBU~1\appdata\local\temp\TEMPOR~1.SH! c:\users\BESTBU~1\appdata\local\temp\History\History.SH! c:\users\BESTBU~1\appdata\local\temp\History.SH! c:\users\BESTBU~1\appdata\local\temp\Cookies.SH! (User 'Default user')
    O4 - Global Startup: McAfee Security Scan.lnk = ?
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
    O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O13 - Gopher Prefix:
    O15 - Trusted Zone: http://*.mcafee.com
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/reso...PUplden-us.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O20 - Winlogon Notify: DfLogon - LogonDll.dll (file missing)
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: McAfee Application Installer Cleanup (0326101238992634) (0326101238992634mcinstcleanup) - Unknown owner - C:\Windows\TEMP\032610~1.EXE (file missing)
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
    O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
    O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
    O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

    --
    End of file - 11023 bytes
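What a helper reads first in a HijackThis log like the one above is a handful of line types: the R1 ProxyServer entry routing Internet Explorer through 127.0.0.1:5555, the two HKCU Run values that load randomly named DLLs from ProgramData via rundll32, and the orphaned BHO and Winlogon Notify entries. As an added example, not part of the thread, here is a small Python triage over a few lines reused from that log; the heuristics (8-letter lowercase folder names, ProgramData or its progra~2 short alias) are my own assumptions, not a HijackThis rule.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a handful of HijackThis 2.0.3 lines reused from the log
# posted above, with benign entries included so the filter has something to ignore.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [dekoyukimo] Rundll32.exe "C:\ProgramData\jesepige\jesepige.dll",s
O4 - HKCU\..\Run: [tovososoz] Rundll32.exe "c:\progra~2\biravoja\biravoja.dll",a
O20 - Winlogon Notify: DfLogon - LogonDll.dll (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""

# R1 line carrying the IE proxy setting; the value after "= " is captured.
PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>\S+)", re.IGNORECASE)
# O4 Run value: hive, value name in [brackets], then the command line.
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\S*?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$",
    re.IGNORECASE,
)
# rundll32 <dll>,<export>: capture the DLL path (quoted or not).
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)
# Assumed heuristic: 8 lowercase letters, like jesepige / biravoja in the log.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


@dataclass
class Finding:
    line: str
    reason: str


def _parts(path: str) -> list[str]:
    """Split a Windows path into lowercase components."""
    return path.replace("/", "\\").lower().split("\\")


def _in_programdata(parts: list[str]) -> bool:
    # progra~2 is the 8.3 short name ProgramData gets on Vista, as seen in the log.
    return any(p in ("programdata", "progra~2") for p in parts[:-1])


def triage(log_text: str) -> list[Finding]:
    """Return the log lines a reviewer would want to look at, with the reason."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = PROXY_RE.match(line)
        if m:
            proxy = m.group("proxy")
            if "127.0.0.1" in proxy or "localhost" in proxy.lower():
                findings.append(Finding(
                    line, f"IE proxy points at the local host ({proxy}); "
                          "browser traffic is being routed through a local process"))
            continue

        # Leftover entries: not harmful by themselves, but they belong in the cleanup.
        if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            findings.append(Finding(line, "BHO CLSID registered but its DLL is gone"))
            continue
        if line.startswith("O20 - ") and "(file missing)" in line:
            findings.append(Finding(line, "Winlogon Notify entry whose DLL is missing"))
            continue

        m = RUN_RE.match(line)
        if m:
            dll = RUNDLL_RE.search(m.group("cmd"))
            if not dll:
                continue
            parts = _parts(dll.group("dll"))
            folder = parts[-2] if len(parts) >= 2 else ""
            if _in_programdata(parts) and RANDOM_NAME_RE.match(folder):
                findings.append(Finding(
                    line, f"Run value [{m.group('name')}] loads {dll.group('dll')} "
                          "via rundll32 from a randomly named ProgramData folder"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```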

  2. #2
    Blade81, Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Hi,

    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop. Post them back to your topic.

    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems, create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member (Join Date: Dec 2009, Posts: 6)

    dds...

    DDS (Ver_09-12-01.01) - NTFSx86
    Run by bestbuy 372 at 14:03:22.10 on Wed 12/23/2009
    Internet Explorer: 7.0.6001.18000
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1976.793 [GMT -8:00]

    SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\RtHDVCpl.exe
    C:\Windows\system32\agrsmsvc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
    C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
    C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\Windows\system32\rundll32.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Acer\Mobility Center\MobilityService.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Users\BESTBU~1\AppData\Local\Temp\RtkBtMnt.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
    C:\Windows\WindowsMobile\wmdSync.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
    C:\Windows\system32\svchost.exe -k WindowsMobile
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    c:\PROGRA~1\mcafee\msc\mcuimgr.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\VS Revo Group\Revo Uninstaller\revouninstaller.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\bestbuy 372\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.ask.com?o=15450&l=dis
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=0908&m=aspire_5735
    mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=0908&m=aspire_5735
    uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\program files\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    uRun: [dekoyukimo] Rundll32.exe "c:\programdata\jesepige\jesepige.dll",s
    uRun: [tovososoz] Rundll32.exe "c:\progra~2\biravoja\biravoja.dll",a
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [LManager] c:\progra~1\launch~1\LManager.exe
    mRun: [eDataSecurity Loader] c:\program files\acer\empowering technology\edatasecurity\x86\eDSloader.exe
    mRun: [ePower_DMC] c:\program files\acer\empowering technology\epower\ePower_DMC.exe
    mRun: [Acer Assist Launcher] c:\program files\acer\acer assist\launcher.exe
    mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
    dRun: [DelayShred] c:\progra~1\mcafee\mshr\shrcl.exe /p10 /q c:\users\bestbu~1\appdata\local\temp\tempor~1\content.sh! c:\users\bestbu~1\appdata\local\temp\tempor~1.sh! c:\users\bestbu~1\appdata\local\temp\history\history.sh! c:\users\bestbu~1\appdata\local\temp\history.sh! c:\users\bestbu~1\appdata\local\temp\Cookies.SH!
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
    IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/VistaMSNPUplden-us.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Notify: DfLogon - LogonDll.dll
    Notify: igfxcui - igfxdev.dll

    ============= SERVICES / DRIVERS ===============

    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-30 201320]
    R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-3-3 16384]
    R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2008-4-30 24576]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-1 210216]
    R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-4-30 359248]
    R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-4-30 144704]
    R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-6 50424]
    R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-4 131072]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-12-19 1153368]
    R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-4-30 695624]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-4-30 79304]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-4-30 35240]
    R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-4-30 40488]
    S2 0168891261605269mcinstcleanup;McAfee Application Installer Cleanup (0168891261605269);c:\windows\temp\016889~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\016889~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-1-20 179712]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-4-30 33832]

    =============== Created Last 30 ================

    2009-12-23 21:52:55 0 d-----w- c:\programdata\hokitoke
    2009-12-23 21:52:53 0 d-----w- c:\programdata\votabale
    2009-12-23 21:52:53 0 d-----w- c:\programdata\mefeneti
    2009-12-20 17:18:06 0 d-----w- c:\programdata\pehumeni
    2009-12-20 17:18:02 0 d-----w- c:\programdata\sovanavo
    2009-12-20 17:18:02 0 d-----w- c:\programdata\nuwemuno
    2009-12-20 17:17:59 0 d-----w- c:\programdata\rivuyuki
    2009-12-20 04:54:32 0 d-----w- c:\program files\TrendMicro
    2009-12-20 04:15:43 0 d-----w- c:\programdata\Spybot - Search & Destroy
    2009-12-20 04:15:43 0 d-----w- c:\program files\Spybot - Search & Destroy
    2009-12-20 01:37:57 0 d-----w- c:\programdata\vosoleda
    2009-12-20 01:37:56 0 d-----w- c:\programdata\tesutefa
    2009-12-20 01:37:56 0 d-----w- c:\programdata\tavimega
    2009-12-20 01:37:56 0 d-----w- c:\programdata\litunude
    2009-12-20 01:37:56 0 d-----w- c:\programdata\firupifo
    2009-12-19 10:04:39 0 d-----w- c:\programdata\tunesega
    2009-12-19 10:04:39 0 d-----w- c:\programdata\fivajubu
    2009-12-19 10:04:39 0 d-----w- c:\programdata\biravoja
    2009-12-18 22:04:24 0 d-----w- c:\programdata\zayiveva
    2009-12-18 22:04:24 0 d-----w- c:\programdata\yelosuso
    2009-12-18 22:04:24 0 d-----w- c:\programdata\ligijowe
    2009-12-18 10:04:35 0 d-----w- c:\programdata\zeholuva
    2009-12-18 10:04:35 0 d-----w- c:\programdata\medemaba
    2009-12-18 10:04:35 0 d-----w- c:\programdata\jesepige
    2009-12-18 10:04:01 0 d-----w- c:\programdata\wiheledo
    2009-12-18 10:04:01 0 d-----w- c:\programdata\tetahezi
    2009-12-18 10:04:01 0 d-----w- c:\programdata\fibetehe
    2009-12-18 10:04:01 0 d-----w- c:\programdata\dizepopi
    2009-12-17 22:03:54 0 d-----w- c:\programdata\sayawoha
    2009-12-17 22:03:54 0 d-----w- c:\programdata\gizokoro
    2009-12-17 21:58:25 0 d-----w- c:\programdata\vohelipe
    2009-12-17 21:58:25 0 d-----w- c:\programdata\siruboma
    2009-12-17 21:58:25 0 d-----w- c:\programdata\lemutuja
    2009-12-17 21:53:01 0 d-----w- c:\programdata\McAfee Security Scan
    2009-12-17 21:53:00 0 d-----w- c:\program files\McAfee Security Scan
    2009-12-16 06:36:42 0 d-----w- c:\program files\Ask.com
    2009-12-12 11:03:00 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2009-12-12 11:02:56 411136 ----a-w- c:\windows\system32\drivers\http.sys
    2009-12-12 11:02:54 31232 ----a-w- c:\windows\system32\httpapi.dll
    2009-12-08 18:41:36 378368 ----a-w- c:\windows\system32\winhttp.dll
    2009-12-08 18:41:25 281600 ----a-w- c:\windows\system32\raschap.dll
    2009-12-08 18:41:25 244224 ----a-w- c:\windows\system32\rastls.dll
    2009-12-03 19:06:52 2048 ----a-w- c:\windows\system32\tzres.dll
    2009-12-03 04:59:57 1399296 ----a-w- c:\windows\system32\msxml6.dll
    2009-12-03 04:59:56 1257472 ----a-w- c:\windows\system32\msxml3.dll

    ==================== Find3M ====================

    2009-11-03 04:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
    2009-10-27 13:20:19 833024 ----a-w- c:\windows\system32\wininet.dll
    2009-10-27 13:16:28 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-10-27 10:55:39 26624 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-10-01 08:37:03 110 ----a-w- c:\users\bestbu~1\appdata\roaming\wklnhst.dat
    2009-05-27 00:28:58 86016 ----a-w- c:\windows\inf\infstrng.dat
    2009-05-27 00:28:58 51200 ----a-w- c:\windows\inf\infpub.dat
    2009-05-27 00:28:56 86016 ----a-w- c:\windows\inf\infstor.dat
    2008-09-05 21:06:04 665600 ----a-w- c:\windows\inf\drvindex.dat
    2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2008-09-05 21:02:19 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

    ============= FINISH: 14:05:41.86 ===============


    attach......


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 9/5/2008 1:15:19 PM
    System Uptime: 12/23/2009 1:20:59 PM (1 hours ago)

    Motherboard: Acer | | CathedralPeak
    Processor: Intel(R) Pentium(R) Dual CPU T3200 @ 2.00GHz | U2E1 | 1000/166mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 70 GiB total, 35.353 GiB free.
    D: is FIXED (NTFS) - 70 GiB total, 14.544 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description:
    Device ID: ROOT\*ISATAP\0000
    Manufacturer: Microsoft
    Name:
    PNP Device ID: ROOT\*ISATAP\0000
    Service: tunnel

    ==== System Restore Points ===================


    ==== Installed Programs ======================

    Acer Assist
    Acer eDataSecurity Management
    Acer Empowering Technology
    Acer ePower Management
    Acer eSettings Management
    Acer GridVista
    Acer Mobility Center Plug-In
    Acer Registration
    Acer ScreenSaver
    Adobe Flash Player 10 ActiveX
    Adobe Reader 8.1.0
    Agere Systems HDA Modem
    Apple Mobile Device Support
    Apple Software Update
    Ask Toolbar
    Canon MP Navigator EX 1.0
    Canon MX310 series
    Canon RAW Codec
    CCleaner (remove only)
    ERUNT 1.1j
    Geek Squad 24 Hour Computer Support
    Glary Utilities 2.15.0.738
    GoToMeeting 4.1.0.366
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    ieSpell
    Intel(R) Graphics Media Accelerator Driver
    iTunes
    Java(TM) 6 Update 11
    Java(TM) 6 Update 7
    Launch Manager
    LightScribe 1.4.142.1
    Marvell Miniport Driver
    McAfee Security Scan
    McAfee SecurityCenter
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office Home and Student 2007 Trial
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Streets and Trips 2005 with USB GPS
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NTI Backup Now 5
    NTI Backup Now Standard
    NTI Media Maker 8
    OpenOffice.org 3.0
    PhotoNow!
    PowerDirector
    QuickTime
    Realtek High Definition Audio Driver
    Realtek USB 2.0 Card Reader
    Revo Uninstaller 1.85
    Spybot - Search & Destroy
    Symetric Property Analyzer
    Synaptics Pointing Device Driver
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    WinRAR archiver

    ==== End Of File ===========================

  4. #4
Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi again

    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully first.


    Please continue as follows:

1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix, link
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New dds log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

If you have problems, create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  5. #5
    Junior Member
    Join Date
    Dec 2009
    Posts
    6

    Default

ComboFix log...
    ComboFix 09-12-25.05 - bestbuy 372 12/26/2009 12:35:40.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1976.906 [GMT -8:00]
    Running from: c:\users\bestbuy 372\Desktop\ComboFix.exe
    SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\$recycle.bin\S-1-5-21-2573565793-415974233-320718214-1001
    c:\$recycle.bin\S-1-5-21-2573565793-415974233-320718214-500
    c:\progra~2\biravoja\biravoja.dll
    c:\programdata\jesepige\jesepige.dll
    c:\users\bestbuy 372\AppData\Local\fkfgli
    c:\users\bestbuy 372\AppData\Local\fkfgli\bkdvsysguard.exe
    c:\users\bestbuy 372\AppData\Local\lwgqom
    c:\users\bestbuy 372\AppData\Local\lwgqom\gwebsysguard.exe
    c:\users\bestbuy 372\AppData\Roaming\.#
    c:\windows\Tasks\abibykaz.job
    c:\windows\Tasks\celgzcpz.job
    c:\windows\Tasks\okcuvban.job

    .
    ((((((((((((((((((((((((( Files Created from 2009-11-26 to 2009-12-26 )))))))))))))))))))))))))))))))
    .

    2009-12-26 20:47 . 2009-12-26 20:47 -------- d-----w- c:\users\Experience\AppData\Local\temp
    2009-12-26 20:10 . 2009-12-26 20:10 -------- d-----w- c:\programdata\fapumoke
    2009-12-26 20:10 . 2009-12-26 20:10 -------- d-----w- c:\programdata\hamehalu
    2009-12-26 20:10 . 2009-12-26 20:10 -------- d-----w- c:\programdata\zuvararo
    2009-12-26 20:10 . 2009-12-26 20:10 -------- d-----w- c:\programdata\yeyozoda
    2009-12-26 20:10 . 2009-12-26 20:10 -------- d-----w- c:\programdata\kuvimulo
    2009-12-23 21:52 . 2009-12-26 20:10 -------- d-----w- c:\programdata\hokitoke
    2009-12-23 21:52 . 2009-12-23 21:52 -------- d-----w- c:\programdata\votabale
    2009-12-23 21:52 . 2009-12-23 21:52 -------- d-----w- c:\programdata\mefeneti
    2009-12-20 17:18 . 2009-12-20 17:18 -------- d-----w- c:\programdata\pehumeni
    2009-12-20 17:18 . 2009-12-20 17:18 -------- d-----w- c:\programdata\sovanavo
    2009-12-20 17:18 . 2009-12-20 17:18 -------- d-----w- c:\programdata\nuwemuno
    2009-12-20 17:17 . 2009-12-23 21:53 -------- d-----w- c:\programdata\rivuyuki
    2009-12-20 05:35 . 2009-12-20 05:35 -------- d-----w- c:\program files\ERUNT
    2009-12-20 04:54 . 2009-12-20 04:54 388096 ----a-r- c:\users\bestbuy 372\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2009-12-20 04:54 . 2009-12-20 04:54 -------- d-----w- c:\program files\TrendMicro
    2009-12-20 04:15 . 2009-12-25 03:38 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2009-12-20 04:15 . 2009-12-20 04:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-12-20 01:37 . 2009-12-20 17:18 -------- d-----w- c:\programdata\vosoleda
    2009-12-20 01:37 . 2009-12-20 01:37 -------- d-----w- c:\programdata\tesutefa
    2009-12-20 01:37 . 2009-12-20 01:37 -------- d-----w- c:\programdata\tavimega
    2009-12-20 01:37 . 2009-12-20 01:37 -------- d-----w- c:\programdata\litunude
    2009-12-20 01:37 . 2009-12-20 01:37 -------- d-----w- c:\programdata\firupifo
    2009-12-19 10:04 . 2009-12-26 20:46 -------- d-----w- c:\programdata\biravoja
    2009-12-19 10:04 . 2009-12-20 01:37 -------- d-----w- c:\programdata\fivajubu
    2009-12-19 10:04 . 2009-12-19 10:04 -------- d-----w- c:\programdata\tunesega
    2009-12-18 22:04 . 2009-12-18 22:04 -------- d-----w- c:\programdata\zayiveva
    2009-12-18 22:04 . 2009-12-18 22:04 -------- d-----w- c:\programdata\yelosuso
    2009-12-18 22:04 . 2009-12-18 22:04 -------- d-----w- c:\programdata\ligijowe
    2009-12-18 10:04 . 2009-12-26 20:46 -------- d-----w- c:\programdata\jesepige
    2009-12-18 10:04 . 2009-12-18 10:04 -------- d-----w- c:\programdata\zeholuva
    2009-12-18 10:04 . 2009-12-18 10:04 -------- d-----w- c:\programdata\medemaba
    2009-12-18 10:04 . 2009-12-18 10:04 -------- d-----w- c:\programdata\wiheledo
    2009-12-18 10:04 . 2009-12-18 10:04 -------- d-----w- c:\programdata\tetahezi
    2009-12-18 10:04 . 2009-12-18 10:04 -------- d-----w- c:\programdata\fibetehe
    2009-12-18 10:04 . 2009-12-18 10:04 -------- d-----w- c:\programdata\dizepopi
    2009-12-17 22:03 . 2009-12-17 22:03 -------- d-----w- c:\programdata\sayawoha
    2009-12-17 22:03 . 2009-12-17 22:03 -------- d-----w- c:\programdata\gizokoro
    2009-12-17 21:58 . 2009-12-18 10:04 -------- d-----w- c:\programdata\vohelipe
    2009-12-17 21:58 . 2009-12-18 10:04 -------- d-----w- c:\programdata\siruboma
    2009-12-17 21:58 . 2009-12-18 10:04 -------- d-----w- c:\programdata\lemutuja
    2009-12-17 21:53 . 2009-12-17 21:53 -------- d-----w- c:\programdata\McAfee Security Scan
    2009-12-17 21:53 . 2009-12-17 21:53 -------- d-----w- c:\program files\McAfee Security Scan
    2009-12-17 21:16 . 2009-12-17 21:27 -------- d-----w- c:\users\bestbuy 372\AppData\Local\eencvi
    2009-12-16 06:36 . 2009-12-16 06:36 -------- d-----w- c:\program files\Ask.com
    2009-12-12 11:03 . 2009-11-09 13:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2009-12-12 11:02 . 2009-11-09 11:04 411136 ----a-w- c:\windows\system32\drivers\http.sys
    2009-12-12 11:02 . 2009-11-09 13:20 31232 ----a-w- c:\windows\system32\httpapi.dll
    2009-12-08 18:41 . 2009-08-24 12:16 378368 ----a-w- c:\windows\system32\winhttp.dll
    2009-12-08 18:41 . 2009-10-07 12:41 244224 ----a-w- c:\windows\system32\rastls.dll
    2009-12-08 18:41 . 2009-10-07 12:41 281600 ----a-w- c:\windows\system32\raschap.dll
    2009-12-03 19:06 . 2009-10-29 09:41 2048 ----a-w- c:\windows\system32\tzres.dll
    2009-12-03 04:59 . 2009-08-10 11:01 1399296 ----a-w- c:\windows\system32\msxml6.dll
    2009-12-03 04:59 . 2009-08-10 11:00 1257472 ----a-w- c:\windows\system32\msxml3.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-16 21:54 . 2008-12-05 01:28 -------- d-----w- c:\program files\QuickTime
    2009-12-16 21:54 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
    2009-11-21 02:15 . 2008-12-10 20:23 1 ----a-w- c:\users\bestbuy 372\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2009-11-04 02:48 . 2008-10-05 11:06 75528 ----a-w- c:\users\bestbuy 372\AppData\Local\GDIPFONTCACHEV1.DAT
    2009-11-04 01:44 . 2008-12-04 23:19 -------- d-----w- c:\program files\Java
    2009-11-03 04:42 . 2009-10-03 00:48 195456 ------w- c:\windows\system32\MpSigStub.exe
    2009-10-28 15:14 . 2009-10-28 14:51 -------- d-----w- c:\users\bestbuy 372\AppData\Roaming\GetRightToGo
    2009-10-28 15:08 . 2008-04-30 09:38 -------- d-----w- c:\programdata\Microsoft Help
    2009-10-28 15:06 . 2008-04-30 09:39 -------- d-----w- c:\program files\Microsoft Works
    2009-10-28 15:05 . 2009-10-28 15:05 -------- d-----w- c:\program files\Microsoft.NET
    2009-10-27 13:20 . 2009-12-08 18:43 833024 ----a-w- c:\windows\system32\wininet.dll
    2009-10-27 13:16 . 2009-12-08 18:43 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-10-27 10:55 . 2009-12-08 18:43 26624 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-10-01 08:37 . 2008-10-05 14:52 110 ----a-w- c:\users\bestbuy 372\AppData\Roaming\wklnhst.dat
    2008-09-05 21:02 . 2008-09-05 21:00 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-11-19 1196936]

    [HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2009-11-19 02:40 1196936 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-11-19 1196936]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
    @="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
    [HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
    2008-05-15 00:05 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1049896]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-16 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-16 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-16 145944]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-06-13 6183456]
    "LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-07-25 809480]
    "eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-05-15 526896]
    "ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-06-11 409600]
    "Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
    "Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001

    R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [3/3/2008 12:11 PM 16384]
    R2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [4/30/2008 1:56 AM 24576]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/1/2008 2:11 PM 93320]
    R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [4/6/2008 9:42 PM 50424]
    R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [4/4/2008 2:03 AM 131072]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [12/19/2009 8:15 PM 1153368]
    S2 0168891261605269mcinstcleanup;McAfee Application Installer Cleanup (0168891261605269);c:\windows\TEMP\016889~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\016889~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [1/20/2008 6:23 PM 179712]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ask.com?o=15450&l=dis
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=0908&m=aspire_5735
    IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
    IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
    HKCU-Run-dekoyukimo - c:\programdata\jesepige\jesepige.dll
    HKCU-Run-tovososoz - c:\progra~2\biravoja\biravoja.dll
    Notify-DfLogon - LogonDll.dll



    **************************************************************************
    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(3688)
    c:\progra~1\mcafee\SITEAD~1\saHook.dll
    c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
    c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
    c:\windows\system32\rundll32.exe
    c:\acer\Mobility Center\MobilityService.exe
    c:\program files\McAfee\MPF\MPFSrv.exe
    c:\program files\McAfee\MSK\MskSrver.exe
    c:\program files\CyberLink\Shared Files\RichVideo.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\progra~1\mcafee.com\agent\mcagent.exe
    c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
    c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\progra~1\mcafee\msc\mcuimgr.exe
    c:\windows\servicing\TrustedInstaller.exe
    c:\program files\Windows Media Player\wmpnscfg.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    .
    **************************************************************************
    .
    Completion time: 2009-12-26 12:56:53 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-12-26 20:56

    Pre-Run: 36,666,105,856 bytes free
    Post-Run: 36,648,001,536 bytes free

    - - End Of File - - AFCF179972D743065762957F526C0BA8

  6. #6
    Junior Member
    Join Date
    Dec 2009
    Posts
    6

    Default

    dds....

    DDS (Ver_09-12-01.01) - NTFSx86
    Run by bestbuy 372 at 13:23:32.78 on Sat 12/26/2009
    Internet Explorer: 7.0.6001.18000
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1976.996 [GMT -8:00]

    SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\agrsmsvc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
    C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Windows\system32\rundll32.exe
    C:\Acer\Mobility Center\MobilityService.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\taskeng.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\Windows\system32\svchost.exe -k WindowsMobile
    C:\Windows\system32\svchost.exe -k netsvcs
    c:\PROGRA~1\mcafee\msc\mcuimgr.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\Explorer.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Internet Explorer\ieuser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10d.exe
    C:\Windows\Explorer.exe
    C:\Windows\system32\msiexec.exe
    C:\Program Files\VS Revo Group\Revo Uninstaller\revouninstaller.exe
    C:\Windows\system32\vssvc.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Users\BESTBU~1\AppData\Local\Temp\Temporary Internet Files\Content.IE5\0J3JY207\dds[1].scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.ask.com?o=15450&l=dis
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=0908&m=aspire_5735
    uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\program files\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [LManager] c:\progra~1\launch~1\LManager.exe
    mRun: [eDataSecurity Loader] c:\program files\acer\empowering technology\edatasecurity\x86\eDSloader.exe
    mRun: [ePower_DMC] c:\program files\acer\empowering technology\epower\ePower_DMC.exe
    mRun: [Acer Assist Launcher] c:\program files\acer\acer assist\launcher.exe
    mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
    IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
    IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/VistaMSNPUplden-us.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Notify: igfxcui - igfxdev.dll

    ============= SERVICES / DRIVERS ===============

    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-30 201320]
    R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-3-3 16384]
    R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2008-4-30 24576]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-1 93320]
    R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-4-30 359248]
    R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-4-30 144704]
    R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-6 50424]
    R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-4 131072]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-12-19 1153368]
    R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-4-30 695624]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-4-30 79304]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-4-30 35240]
    R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-4-30 40488]
    S2 0168891261605269mcinstcleanup;McAfee Application Installer Cleanup (0168891261605269);c:\windows\temp\016889~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\016889~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-1-20 179712]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-4-30 33832]

    =============== Created Last 30 ================

    2009-12-26 21:16:45 0 d-----w- c:\program files\TrendMicro
    2009-12-26 20:50:13 0 d-----w- C:\$RECYCLE.BIN
    2009-12-26 20:33:43 77312 ----a-w- c:\windows\MBR.exe
    2009-12-26 20:33:40 98816 ----a-w- c:\windows\sed.exe
    2009-12-26 20:33:40 261632 ----a-w- c:\windows\PEV.exe
    2009-12-26 20:33:40 161792 ----a-w- c:\windows\SWREG.exe
    2009-12-26 20:10:35 0 d-----w- c:\programdata\fapumoke
    2009-12-26 20:10:34 0 d-----w- c:\programdata\hamehalu
    2009-12-26 20:10:30 0 d-----w- c:\programdata\zuvararo
    2009-12-26 20:10:30 0 d-----w- c:\programdata\yeyozoda
    2009-12-26 20:10:30 0 d-----w- c:\programdata\kuvimulo
    2009-12-23 21:52:55 0 d-----w- c:\programdata\hokitoke
    2009-12-23 21:52:53 0 d-----w- c:\programdata\votabale
    2009-12-23 21:52:53 0 d-----w- c:\programdata\mefeneti
    2009-12-20 17:18:06 0 d-----w- c:\programdata\pehumeni
    2009-12-20 17:18:02 0 d-----w- c:\programdata\sovanavo
    2009-12-20 17:18:02 0 d-----w- c:\programdata\nuwemuno
    2009-12-20 17:17:59 0 d-----w- c:\programdata\rivuyuki
    2009-12-20 04:15:43 0 d-----w- c:\programdata\Spybot - Search & Destroy
    2009-12-20 04:15:43 0 d-----w- c:\program files\Spybot - Search & Destroy
    2009-12-20 01:37:57 0 d-----w- c:\programdata\vosoleda
    2009-12-20 01:37:56 0 d-----w- c:\programdata\tesutefa
    2009-12-20 01:37:56 0 d-----w- c:\programdata\tavimega
    2009-12-20 01:37:56 0 d-----w- c:\programdata\litunude
    2009-12-20 01:37:56 0 d-----w- c:\programdata\firupifo
    2009-12-19 10:04:39 0 d-----w- c:\programdata\tunesega
    2009-12-19 10:04:39 0 d-----w- c:\programdata\fivajubu
    2009-12-19 10:04:39 0 d-----w- c:\programdata\biravoja
    2009-12-18 22:04:24 0 d-----w- c:\programdata\zayiveva
    2009-12-18 22:04:24 0 d-----w- c:\programdata\yelosuso
    2009-12-18 22:04:24 0 d-----w- c:\programdata\ligijowe
    2009-12-18 10:04:35 0 d-----w- c:\programdata\zeholuva
    2009-12-18 10:04:35 0 d-----w- c:\programdata\medemaba
    2009-12-18 10:04:35 0 d-----w- c:\programdata\jesepige
    2009-12-18 10:04:01 0 d-----w- c:\programdata\wiheledo
    2009-12-18 10:04:01 0 d-----w- c:\programdata\tetahezi
    2009-12-18 10:04:01 0 d-----w- c:\programdata\fibetehe
    2009-12-18 10:04:01 0 d-----w- c:\programdata\dizepopi
    2009-12-17 22:03:54 0 d-----w- c:\programdata\sayawoha
    2009-12-17 22:03:54 0 d-----w- c:\programdata\gizokoro
    2009-12-17 21:58:25 0 d-----w- c:\programdata\vohelipe
    2009-12-17 21:58:25 0 d-----w- c:\programdata\siruboma
    2009-12-17 21:58:25 0 d-----w- c:\programdata\lemutuja
    2009-12-17 21:53:01 0 d-----w- c:\programdata\McAfee Security Scan
    2009-12-17 21:53:00 0 d-----w- c:\program files\McAfee Security Scan
    2009-12-16 06:36:42 0 d-----w- c:\program files\Ask.com
    2009-12-12 11:03:00 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2009-12-12 11:02:56 411136 ----a-w- c:\windows\system32\drivers\http.sys
    2009-12-12 11:02:54 31232 ----a-w- c:\windows\system32\httpapi.dll
    2009-12-08 18:41:36 378368 ----a-w- c:\windows\system32\winhttp.dll
    2009-12-08 18:41:25 281600 ----a-w- c:\windows\system32\raschap.dll
    2009-12-08 18:41:25 244224 ----a-w- c:\windows\system32\rastls.dll
    2009-12-03 19:06:52 2048 ----a-w- c:\windows\system32\tzres.dll
    2009-12-03 04:59:57 1399296 ----a-w- c:\windows\system32\msxml6.dll
    2009-12-03 04:59:56 1257472 ----a-w- c:\windows\system32\msxml3.dll

    ==================== Find3M ====================

    2009-11-03 04:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
    2009-10-27 13:20:19 833024 ----a-w- c:\windows\system32\wininet.dll
    2009-10-27 13:16:28 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-10-27 10:55:39 26624 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-10-01 08:37:03 110 ----a-w- c:\users\bestbu~1\appdata\roaming\wklnhst.dat
    2009-05-27 00:28:58 86016 ----a-w- c:\windows\inf\infstrng.dat
    2009-05-27 00:28:58 51200 ----a-w- c:\windows\inf\infpub.dat
    2009-05-27 00:28:56 86016 ----a-w- c:\windows\inf\infstor.dat
    2008-09-05 21:06:04 665600 ----a-w- c:\windows\inf\drvindex.dat
    2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2008-09-05 21:02:19 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

    ============= FINISH: 13:24:20.52 ===============

  7. #7
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi again,

    Uninstall Ask Toolbar if not installed on purpose.


    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    Folder::
    c:\programdata\fapumoke
    c:\programdata\hamehalu
    c:\programdata\zuvararo
    c:\programdata\yeyozoda
    c:\programdata\kuvimulo
    c:\programdata\hokitoke
    c:\programdata\votabale
    c:\programdata\mefeneti
    c:\programdata\pehumeni
    c:\programdata\sovanavo
    c:\programdata\nuwemuno
    c:\programdata\rivuyuki
    c:\programdata\vosoleda
    c:\programdata\tesutefa
    c:\programdata\tavimega
    c:\programdata\litunude
    c:\programdata\firupifo
    c:\programdata\biravoja
    c:\programdata\fivajubu
    c:\programdata\tunesega
    c:\programdata\zayiveva
    c:\programdata\yelosuso
    c:\programdata\ligijowe
    c:\programdata\jesepige
    c:\programdata\zeholuva
    c:\programdata\medemaba
    c:\programdata\wiheledo
    c:\programdata\tetahezi
    c:\programdata\fibetehe
    c:\programdata\dizepopi
    c:\programdata\sayawoha
    c:\programdata\gizokoro
    c:\programdata\vohelipe
    c:\programdata\siruboma
    c:\programdata\lemutuja
    DDS::
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

    Save this as
    CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
    Then post the resultant log.


    Uninstall old Adobe Reader versions and get the latest one (9.2) here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.


    Check here to see if your Flash is up-to-date (do it separately with each of your browsers). If not, uninstall vulnerable versions by following the instructions here. A fresh version can be obtained here.


    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 Update 17.
    • Click the Download button to the right.
    • Select Windows on the platform combobox and check the box that says: Accept License Agreement. Click continue.
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.




    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


    Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
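The Folder:: block in the CFScript above was assembled by hand from the DDS listing posted earlier: every folder directly under c:\programdata with an eight-letter lowercase name created within a few seconds of its neighbours. The following Python script is an added example, not Blade81's tool or part of ComboFix or DDS; it automates that triage step by parsing DDS-style file-listing lines, flagging folders that match the naming heuristic (an assumption drawn from the names in this thread, not a published signature), grouping them by creation second so a single dropper run stands out from ordinary installs, and rendering the result as a Folder:: block for review. The sample log lines are constructed to mirror the format quoted in the thread; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the DDS "Find3M" / "Files Created" log
# format quoted in this thread (date time size attributes path). They are
# illustrative, not copied from the user's machine.
SAMPLE_DDS_LOG = "\n".join([
    r"2009-12-18 22:04:24 0 d-----w- c:\programdata\yelosuso",
    r"2009-12-18 22:04:24 0 d-----w- c:\programdata\ligijowe",
    r"2009-12-18 10:04:35 0 d-----w- c:\programdata\zeholuva",
    r"2009-12-17 21:53:01 0 d-----w- c:\programdata\McAfee Security Scan",
    r"2009-12-16 06:36:42 0 d-----w- c:\program files\Ask.com",
    r"2009-12-12 11:03:00 24064 ----a-w- c:\windows\system32\nshhttp.dll",
])

# One DDS entry: timestamp, size, an 8-character attribute field whose first
# character is 'd' for directories, then the path (which may contain spaces).
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<attrs>[d-][\w-]{7})\s+(?P<path>\S.*?)\s*$"
)

# Heuristic (an assumption taken from the names seen in this thread, not a
# published signature): the dropper created folders named with exactly eight
# lowercase letters directly under ProgramData.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")
WATCHED_PARENT = r"c:\programdata"


def parse_dds_lines(text):
    """Parse DDS file-listing lines into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["is_dir"] = d["attrs"][0] == "d"
            entries.append(d)
    return entries


def find_suspicious_dirs(entries):
    """Return directories directly under ProgramData whose leaf name looks generated."""
    hits = []
    for e in entries:
        if not e["is_dir"]:
            continue
        parent, _, leaf = e["path"].rpartition("\\")
        if parent.lower() == WATCHED_PARENT and RANDOM_NAME_RE.match(leaf):
            hits.append(e["path"])
    return hits


def creation_bursts(entries, min_size=2):
    """Group flagged folders by exact creation second.

    Several folders written in the same second corroborate a single dropper
    run; legitimate installers rarely scatter same-second folders like this.
    """
    by_ts = defaultdict(list)
    suspicious = set(find_suspicious_dirs(entries))
    for e in entries:
        if e["path"] in suspicious:
            by_ts[e["ts"]].append(e["path"])
    return {ts: paths for ts, paths in by_ts.items() if len(paths) >= min_size}


def build_folder_script(paths):
    """Render the paths as a CFScript 'Folder::' block like the one in this post."""
    return "\n".join(["Folder::", *paths]) + "\n"


if __name__ == "__main__":
    found = parse_dds_lines(SAMPLE_DDS_LOG)
    hits = find_suspicious_dirs(found)
    print(build_folder_script(hits))
    for ts, group in creation_bursts(found).items():
        print(f"{ts}: {len(group)} folders created in the same second")
```

The output is a candidate list for a human to review against the full log, exactly as the helper does here: a folder that matches the name pattern but was created alone at an unrelated time deserves a second look before it goes into a removal script.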

  8. #8
    Junior Member
    Join Date
    Dec 2009
    Posts
    6


    ComboFix 09-12-25.05 - bestbuy 372 12/26/2009 16:28:35.2.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1976.1089 [GMT -8:00]
    Running from: c:\users\bestbuy 372\Desktop\ComboFix.exe
    Command switches used :: c:\users\bestbuy 372\Desktop\CFScript.txt
    SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\programdata\biravoja
    c:\programdata\dizepopi
    c:\programdata\dizepopi\dizepopi.dll
    c:\programdata\fapumoke
    c:\programdata\fapumoke\fapumoke.dll
    c:\programdata\fibetehe
    c:\programdata\fibetehe\fibetehe.dll
    c:\programdata\firupifo
    c:\programdata\firupifo\firupifo.dll
    c:\programdata\fivajubu
    c:\programdata\gizokoro
    c:\programdata\gizokoro\gizokoro.dll
    c:\programdata\hamehalu
    c:\programdata\hamehalu\hamehalu.dll
    c:\programdata\hokitoke
    c:\programdata\jesepige
    c:\programdata\kuvimulo
    c:\programdata\kuvimulo\kuvimulo.exe
    c:\programdata\lemutuja
    c:\programdata\lemutuja\lemutuja.dll.tmp
    c:\programdata\ligijowe
    c:\programdata\ligijowe\ligijowe.dll
    c:\programdata\litunude
    c:\programdata\litunude\litunude.exe
    c:\programdata\medemaba
    c:\programdata\medemaba\medemaba.dll
    c:\programdata\mefeneti
    c:\programdata\mefeneti\mefeneti.dll
    c:\programdata\nuwemuno
    c:\programdata\nuwemuno\nuwemuno.dll
    c:\programdata\pehumeni
    c:\programdata\pehumeni\pehumeni.dll
    c:\programdata\rivuyuki
    c:\programdata\sayawoha
    c:\programdata\sayawoha\sayawoha.dll
    c:\programdata\siruboma
    c:\programdata\siruboma\siruboma.dll.tmp
    c:\programdata\sovanavo
    c:\programdata\sovanavo\sovanavo.dll
    c:\programdata\tavimega
    c:\programdata\tavimega\tavimega.dll
    c:\programdata\tesutefa
    c:\programdata\tesutefa\tesutefa.dll
    c:\programdata\tetahezi
    c:\programdata\tetahezi\tetahezi.dll
    c:\programdata\tunesega
    c:\programdata\tunesega\tunesega.dll
    c:\programdata\vohelipe
    c:\programdata\vohelipe\vohelipe.dll.tmp
    c:\programdata\vosoleda
    c:\programdata\votabale
    c:\programdata\votabale\votabale.dll
    c:\programdata\wiheledo
    c:\programdata\wiheledo\wiheledo.dll
    c:\programdata\yelosuso
    c:\programdata\yelosuso\yelosuso.dll
    c:\programdata\yeyozoda
    c:\programdata\yeyozoda\yeyozoda.dll
    c:\programdata\zayiveva
    c:\programdata\zayiveva\zayiveva.dll
    c:\programdata\zeholuva
    c:\programdata\zeholuva\zeholuva.dll
    c:\programdata\zuvararo
    c:\programdata\zuvararo\zuvararo.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-11-27 to 2009-12-27 )))))))))))))))))))))))))))))))
    .

    2009-12-27 00:40 . 2009-12-27 00:41 -------- d-----w- c:\users\bestbuy 372\AppData\Local\temp
    2009-12-27 00:40 . 2009-12-27 00:40 -------- d-----w- c:\users\Default\AppData\Local\temp
    2009-12-27 00:25 . 2009-12-27 00:26 -------- d-----w- C:\32788R22FWJFW
    2009-12-27 00:20 . 2009-12-27 00:20 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2009-12-27 00:13 . 2009-12-27 00:14 -------- d-----w- c:\program files\Common Files\Adobe
    2009-12-26 21:16 . 2009-12-26 21:16 388096 ----a-r- c:\users\bestbuy 372\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2009-12-26 21:16 . 2009-12-26 21:16 -------- d-----w- c:\program files\TrendMicro
    2009-12-20 05:35 . 2009-12-20 05:35 -------- d-----w- c:\program files\ERUNT
    2009-12-20 04:15 . 2009-12-25 03:38 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2009-12-20 04:15 . 2009-12-20 04:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-12-17 21:53 . 2009-12-17 21:53 -------- d-----w- c:\programdata\McAfee Security Scan
    2009-12-17 21:53 . 2009-12-17 21:53 -------- d-----w- c:\program files\McAfee Security Scan
    2009-12-17 21:16 . 2009-12-17 21:27 -------- d-----w- c:\users\bestbuy 372\AppData\Local\eencvi
    2009-12-16 06:36 . 2009-12-16 06:36 -------- d-----w- c:\program files\Ask.com
    2009-12-12 11:03 . 2009-11-09 13:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2009-12-12 11:02 . 2009-11-09 11:04 411136 ----a-w- c:\windows\system32\drivers\http.sys
    2009-12-12 11:02 . 2009-11-09 13:20 31232 ----a-w- c:\windows\system32\httpapi.dll
    2009-12-08 18:41 . 2009-08-24 12:16 378368 ----a-w- c:\windows\system32\winhttp.dll
    2009-12-08 18:41 . 2009-10-07 12:41 244224 ----a-w- c:\windows\system32\rastls.dll
    2009-12-08 18:41 . 2009-10-07 12:41 281600 ----a-w- c:\windows\system32\raschap.dll
    2009-12-03 19:06 . 2009-10-29 09:41 2048 ----a-w- c:\windows\system32\tzres.dll
    2009-12-03 04:59 . 2009-08-10 11:01 1399296 ----a-w- c:\windows\system32\msxml6.dll
    2009-12-03 04:59 . 2009-08-10 11:00 1257472 ----a-w- c:\windows\system32\msxml3.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-26 23:27 . 2008-12-06 12:10 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-12-26 23:27 . 2008-12-04 23:19 -------- d-----w- c:\program files\Java
    2009-12-16 21:54 . 2008-12-05 01:28 -------- d-----w- c:\program files\QuickTime
    2009-12-16 21:54 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
    2009-11-21 02:15 . 2008-12-10 20:23 1 ----a-w- c:\users\bestbuy 372\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2009-11-04 02:48 . 2008-10-05 11:06 75528 ----a-w- c:\users\bestbuy 372\AppData\Local\GDIPFONTCACHEV1.DAT
    2009-11-03 04:42 . 2009-10-03 00:48 195456 ------w- c:\windows\system32\MpSigStub.exe
    2009-10-28 15:14 . 2009-10-28 14:51 -------- d-----w- c:\users\bestbuy 372\AppData\Roaming\GetRightToGo
    2009-10-28 15:08 . 2008-04-30 09:38 -------- d-----w- c:\programdata\Microsoft Help
    2009-10-28 15:06 . 2008-04-30 09:39 -------- d-----w- c:\program files\Microsoft Works
    2009-10-28 15:05 . 2009-10-28 15:05 -------- d-----w- c:\program files\Microsoft.NET
    2009-10-27 13:20 . 2009-12-08 18:43 833024 ----a-w- c:\windows\system32\wininet.dll
    2009-10-27 13:16 . 2009-12-08 18:43 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-10-27 10:55 . 2009-12-08 18:43 26624 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-10-01 08:37 . 2008-10-05 14:52 110 ----a-w- c:\users\bestbuy 372\AppData\Roaming\wklnhst.dat
    2008-09-05 21:02 . 2008-09-05 21:00 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
    @="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
    [HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
    2008-05-15 00:05 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1049896]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-16 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-16 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-16 145944]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-06-13 6183456]
    "LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-07-25 809480]
    "eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-05-15 526896]
    "ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-06-11 409600]
    "Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
    "Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-26 149280]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001

    R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [3/3/2008 12:11 PM 16384]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/1/2008 2:11 PM 93320]
    R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [4/6/2008 9:42 PM 50424]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [12/19/2009 8:15 PM 1153368]
    S2 0168891261605269mcinstcleanup;McAfee Application Installer Cleanup (0168891261605269);c:\windows\TEMP\016889~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\016889~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
    S2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [4/30/2008 1:56 AM 24576]
    S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [4/4/2008 2:03 AM 131072]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [1/20/2008 6:23 PM 179712]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ask.com?o=15450&l=dis
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=0908&m=aspire_5735
    IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
    IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    .
    - - - - ORPHANS REMOVED - - - -

    URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)
    Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-12-26 16:40
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    Completion time: 2009-12-26 16:46:16
    ComboFix-quarantined-files.txt 2009-12-27 00:46
    ComboFix2.txt 2009-12-26 20:56

    Pre-Run: 34,931,671,040 bytes free
    Post-Run: 34,948,268,032 bytes free

    - - End Of File - - A0F34756EC8108952B210ED2D618C4B3


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 9/5/2008 1:15:19 PM
    System Uptime: 12/23/2009 1:20:59 PM (1 hours ago)

    Motherboard: Acer | | CathedralPeak
    Processor: Intel(R) Pentium(R) Dual CPU T3200 @ 2.00GHz | U2E1 | 1000/166mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 70 GiB total, 35.353 GiB free.
    D: is FIXED (NTFS) - 70 GiB total, 14.544 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description:
    Device ID: ROOT\*ISATAP\0000
    Manufacturer: Microsoft
    Name:
    PNP Device ID: ROOT\*ISATAP\0000
    Service: tunnel

    ==== System Restore Points ===================


    ==== Installed Programs ======================

    Acer Assist
    Acer eDataSecurity Management
    Acer Empowering Technology
    Acer ePower Management
    Acer eSettings Management
    Acer GridVista
    Acer Mobility Center Plug-In
    Acer Registration
    Acer ScreenSaver
    Adobe Flash Player 10 ActiveX
    Adobe Reader 8.1.0
    Agere Systems HDA Modem
    Apple Mobile Device Support
    Apple Software Update
    Ask Toolbar
    Canon MP Navigator EX 1.0
    Canon MX310 series
    Canon RAW Codec
    CCleaner (remove only)
    ERUNT 1.1j
    Geek Squad 24 Hour Computer Support
    Glary Utilities 2.15.0.738
    GoToMeeting 4.1.0.366
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    ieSpell
    Intel(R) Graphics Media Accelerator Driver
    iTunes
    Java(TM) 6 Update 11
    Java(TM) 6 Update 7
    Launch Manager
    LightScribe 1.4.142.1
    Marvell Miniport Driver
    McAfee Security Scan
    McAfee SecurityCenter
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office Home and Student 2007 Trial
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Streets and Trips 2005 with USB GPS
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NTI Backup Now 5
    NTI Backup Now Standard
    NTI Media Maker 8
    OpenOffice.org 3.0
    PhotoNow!
    PowerDirector
    QuickTime
    Realtek High Definition Audio Driver
    Realtek USB 2.0 Card Reader
    Revo Uninstaller 1.85
    Spybot - Search & Destroy
    Symetric Property Analyzer
    Synaptics Pointing Device Driver
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    WinRAR archiver

    ==== End Of File ===========================

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Saturday, December 26, 2009
    Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Sunday, December 27, 2009 00:38:14
    Records in database: 3410090
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\

    Scan statistics:
    Objects scanned: 112427
    Threats found: 4
    Infected objects found: 6
    Suspicious objects found: 0
    Scan duration: 02:54:23


    File name / Threat / Threats count
    C:\Qoobox\Quarantine\C\ProgramData\kuvimulo\kuvimulo.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.ggk 1
    C:\Qoobox\Quarantine\C\ProgramData\litunude\litunude.exe.vir Infected: Trojan.Win32.Vilsel.ptv 1
    C:\Qoobox\Quarantine\C\ProgramData\pehumeni\pehumeni.dll.vir Infected: Packed.Win32.TDSS.aa 1
    C:\Qoobox\Quarantine\C\ProgramData\tavimega\tavimega.dll.vir Infected: Packed.Win32.TDSS.aa 1
    C:\Qoobox\Quarantine\C\ProgramData\zuvararo\zuvararo.dll.vir Infected: Packed.Win32.TDSS.aa 1
    C:\Qoobox\Quarantine\C\Users\bestbuy 372\AppData\Local\fkfgli\bkdvsysguard.exe.vir Infected: Trojan.Win32.FraudPack.afwz 1

    Selected area has been scanned.

  9. #9
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi,

    Delete c:\users\bestbuy 372\AppData\Local\eencvi folder too. How's the system running now?

  10. #10
    Junior Member
    Join Date
    Dec 2009
    Posts
    6


    Seems to be working well. My homepage is still ask.com, but I'm sure I can just change it back to Google.

    Thanks a lot for the help.
