Serious System Error PLEASE HELP

Acer / 5520
February 21, 2009 at 04:03:55
Specs: Windows XP, Intel Core
Hi, I really hope you can help me.
I went away recently and allowed my brother to use my laptop while I was gone. He went on a lot of porn and admits it. Now when I turn it on I can't even get to my desktop; when it's starting up and it says 'Welcome', a woman's voice can be heard saying "Serious system error", then something I can't quite hear, I think she says something about a virus. Then the Windows security application comes up and reels off all the things it's detected, things like tracking cookies and system errors from porn sites. Its alerts are saying some are critical. Thing is, I'm using Avast antivirus, so the Windows one is out of date. Therefore it will not clean up the virus. My brother said that one of the videos he went to watch came up with a notice from Windows that said 'Allow' or 'Cancel'; needless to say he clicked Allow, and this was when the problems started happening. My brother then cancelled that window but was able to continue browsing. He ran a test on Avast and the outcome was OK. I don't know whether Avast isn't as thorough, but when I come to use my computer now all I get is the Windows security and a brown background. Please can you help, any suggestions or even identify the virus?
Thanks, I'd really appreciate any help.


#1
February 21, 2009 at 08:25:59
Run the following scans and post their logs.

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename mbam-setup.exe to tool.exe in the filename box, then click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.


If Malwarebytes installed but will not run, navigate to this folder:

C:\Program Files\Malwarebytes' Anti-Malware

Rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This

Rename the setup file, HJTInstall.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename HJTInstall.exe to tools.exe in the filename box, then click Save.
1. Save "tools.exe" to your desktop.
2. Double click on tools.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.


#2
February 22, 2009 at 15:18:10
Hi there!
Thanks so much for the help, just want to make sure you're being serious? I don't mean to sound rude... Also, is there such a thing as a free fix to this problem? I'm guessing you either use, or have something to do with, MalwareBytes? It's just I'm in England and I don't know if it's worth me paying $24.99 for something I don't know about.. Also, with all of these viruses and trackers etc. on my computer I don't really feel safe paying for something! I'm sorry to sound so rude, I really do appreciate your reply.

#3
February 22, 2009 at 15:46:03
Malwarebytes and any tool we use is free and I'm not associated with any program builders.

#4
February 22, 2009 at 16:33:38
Great, thanks so much!
I'm just downloading it all now. Changed the name and I'm closely following your instructions!

#5
February 22, 2009 at 16:59:00
Malwarebytes' Anti-Malware 1.34
Database version: 1795
Windows 6.0.6001 Service Pack 1

23/02/2009 00:47:54
mbam-log-2009-02-23 (00-47-54).txt

Scan type: Quick Scan
Objects scanned: 53559
Time elapsed: 2 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 12
Files Infected: 37

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\sp.tieadvbho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d032570a-5f63-4812-a094-87d007c23012} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\privacy components (Rogue.Privacycomponents) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\agent.exe (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Users\Joel\AppData\Roaming\Privacy components (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
C:\Users\Joel\AppData\Roaming\Privacy components\dbases (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
C:\Users\Joel\AppData\Roaming\Privacy components\keys (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
C:\Users\Joel\AppData\Roaming\Privacy components\temp (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Privacy components (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
C:\Program Files\Privacy components (Rogue.Privacycomponents) -> Quarantined and deleted successfully.
C:\Program Files\Privacy components\faq (Rogue.Privacycomponents) -> Quarantined and deleted successfully.
C:\Program Files\Privacy components\faq\images (Rogue.Privacycomponents) -> Quarantined and deleted successfully.
C:\Program Files\Privacy components\sounds (Rogue.Privacycomponents) -> Quarantined and deleted successfully.
C:\Program Files\Privacy components\tools (Rogue.Privacycomponents) -> Quarantined and deleted successfully.
C:\Program Files\Privacy components\tools\sc (Rogue.Privacycomponents) -> Quarantined and deleted successfully.
C:\Program Files\Privacy components\tools\sp (Rogue.Privacycomponents) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Privacy components\agent.exe (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
C:\Users\Joel\AppData\Roaming\Privacy components\dbases\cg.dat (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
C:\Users\Joel\AppData\Roaming\Privacy components\dbases\mw.dat (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
C:\Users\Joel\AppData\Roaming\Privacy components\dbases\rd.dat (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
C:\Users\Joel\AppData\Roaming\Privacy components\dbases\sc.dat (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
C:\Users\Joel\AppData\Roaming\Privacy components\dbases\sm.dat (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
C:\Users\Joel\AppData\Roaming\Privacy components\dbases\sp.dat (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
C:\Users\Joel\AppData\Roaming\Privacy components\keys\cg.key (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
C:\Users\Joel\AppData\Roaming\Privacy components\keys\rd.key (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
C:\Users\Joel\AppData\Roaming\Privacy components\keys\sc.key (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
C:\Users\Joel\AppData\Roaming\Privacy components\keys\sp.key (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
C:\Users\Joel\AppData\Roaming\Privacy components\temp\settings.ini (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
C:\Users\Joel\AppData\Roaming\Privacy components\temp\spfilter (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Privacy components\Privacy components.lnk (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.
C:\Program Files\Privacy components\pc.exe (Rogue.Privacycomponents) -> Quarantined and deleted successfully.
C:\Program Files\Privacy components\uninstall.exe (Rogue.Privacycomponents) -> Quarantined and deleted successfully.
C:\Program Files\Privacy components\faq\guide.html (Rogue.Privacycomponents) -> Quarantined and deleted successfully.
C:\Program Files\Privacy components\faq\images\gimg1.jpg (Rogue.Privacycomponents) -> Quarantined and deleted successfully.
C:\Program Files\Privacy components\faq\images\gimg10.jpg (Rogue.Privacycomponents) -> Quarantined and deleted successfully.
C:\Program Files\Privacy components\faq\images\gimg2.jpg (Rogue.Privacycomponents) -> Quarantined and deleted successfully.
C:\Program Files\Privacy components\faq\images\gimg3.jpg (Rogue.Privacycomponents) -> Quarantined and deleted successfully.
C:\Program Files\Privacy components\faq\images\gimg4.jpg (Rogue.Privacycomponents) -> Quarantined and deleted successfully.
C:\Program Files\Privacy components\faq\images\gimg5.jpg (Rogue.Privacycomponents) -> Quarantined and deleted successfully.
C:\Program Files\Privacy components\faq\images\gimg6.jpg (Rogue.Privacycomponents) -> Quarantined and deleted successfully.
C:\Program Files\Privacy components\faq\images\gimg7.jpg (Rogue.Privacycomponents) -> Quarantined and deleted successfully.
C:\Program Files\Privacy components\faq\images\gimg8.jpg (Rogue.Privacycomponents) -> Quarantined and deleted successfully.
C:\Program Files\Privacy components\faq\images\gimg9.jpg (Rogue.Privacycomponents) -> Quarantined and deleted successfully.
C:\Program Files\Privacy components\sounds\1.mp3 (Rogue.Privacycomponents) -> Quarantined and deleted successfully.
C:\Program Files\Privacy components\sounds\3.mp3 (Rogue.Privacycomponents) -> Quarantined and deleted successfully.
C:\Program Files\Privacy components\tools\sc\ca.crt (Rogue.Privacycomponents) -> Quarantined and deleted successfully.
C:\Program Files\Privacy components\tools\sc\libeay32.dll (Rogue.Privacycomponents) -> Quarantined and deleted successfully.
C:\Program Files\Privacy components\tools\sc\libssl32.dll (Rogue.Privacycomponents) -> Quarantined and deleted successfully.
C:\Program Files\Privacy components\tools\sc\OemWin2k.inf (Rogue.Privacycomponents) -> Quarantined and deleted successfully.
C:\Program Files\Privacy components\tools\sc\openvpn.exe (Rogue.Privacycomponents) -> Quarantined and deleted successfully.
C:\Program Files\Privacy components\tools\sc\tap0801.sys (Rogue.Privacycomponents) -> Quarantined and deleted successfully.
C:\Program Files\Privacy components\tools\sc\tapinstall.exe (Rogue.Privacycomponents) -> Quarantined and deleted successfully.
C:\Program Files\Privacy components\tools\sp\sp.dll (Rogue.Privacycomponents) -> Quarantined and deleted successfully.


#6
February 22, 2009 at 17:05:37
It says not to post HijackThis logs unless it's an expert..

#7
February 22, 2009 at 17:17:44
Please post your Hijack This log.

#8
February 22, 2009 at 17:46:23
It would be most difficult for you to be infected through the forum although I suppose it is slightly possible.

As you can see, I requested the Hijack This log in my first response but you did not post it; however, you did post the Malwarebytes log. The Hijack This log provides info to determine how to proceed with the disinfection of your computer.


#9
February 22, 2009 at 17:53:06
Ok, I do trust you, but first I just want to know what you will do with this information. Also, what have you done with the other log I have posted?
Also one more thing. I downloaded Spyware Doctor but haven't paid for it; however, the scan is indicating this threat is still present after I used Malwarebytes... http://www.pctools.com/mrc/infectio...
I suppose this is something that HijackThis will sort?
P.S. On the actual Spyware Doctor file this info is present for the particular threat it has picked up...

HKEY_USERS\S-1-5-21-1827514273-4073627200-1545148197-1000|Software\Microsoft\WindowsNT\CurrentVersion\Winlogon, Shell

Additionally there are other codes like it, if you need them please ask!
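The Winlogon Shell value Spyware Doctor flagged above is the rogue's logon persistence: a per-user Shell override makes Windows start that program instead of explorer.exe at logon, which fits the brown background and missing desktop described in the first post. As an added example (not code from this thread or from any of the tools it mentions), this Python audit parses ComboFix-style "Reg Loading Points" output, the format posted later in this thread, and flags non-default Shell/Userinit targets together with whether each still exists on disk; the sample log text and file list are constructed.

```python
"""Added example, not code from the thread or from any tool it mentions.

Parses the REGEDIT4-style "Reg Loading Points" section that ComboFix
prints and flags Winlogon Shell/Userinit values that are not the Windows
defaults, reporting whether each configured target still exists. The
sample log text and file list below are constructed; the HKCU Shell line
mirrors the one this thread's rogue left behind.
"""
import re

SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"')
WINLOGON_RE = re.compile(r"\\windows nt\\currentversion\\winlogon$", re.IGNORECASE)

# What Winlogon/Userinit launch by default; anything else is worth a look.
DEFAULT_BASENAMES = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}


def parse_loading_points(log_text):
    """Yield (key, value_name, data) for each "name"="data" line under a [key] header."""
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            key = section.group("key")
            continue
        value = VALUE_RE.match(line)
        if value and key is not None:
            yield key, value.group("name"), value.group("data")


def _basename(path):
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_winlogon(log_text, existing_files):
    """Return a finding for every Shell/Userinit entry whose executable is not the default.

    existing_files: full paths present on disk (compared case-insensitively), so a
    value that still points at a file a cleanup tool already deleted shows up as
    a dangling reference (target_exists False) that still needs removing.
    """
    present = {p.lower() for p in existing_files}
    findings = []
    for key, name, data in parse_loading_points(log_text):
        if not WINLOGON_RE.search(key) or name.lower() not in DEFAULT_BASENAMES:
            continue
        hive = key.split("\\", 1)[0].upper()  # e.g. HKEY_CURRENT_USER
        # Shell and Userinit are comma-separated lists; Userinit normally
        # ends with a trailing comma, which leaves an empty entry to skip.
        for entry in (e.strip() for e in data.split(",")):
            if not entry or _basename(entry) in DEFAULT_BASENAMES[name.lower()]:
                continue
            findings.append({
                "hive": hive,
                "value": name,
                "target": entry,
                "target_exists": entry.lower() in present,
            })
    return findings


# Constructed sample in ComboFix's "Reg Loading Points" output format.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="c:\program files\Privacy components\pc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe"
"Userinit"="c:\windows\system32\userinit.exe,"
"""

# Constructed: what is left on disk after Malwarebytes quarantined pc.exe.
FILES_AFTER_CLEANUP = {r"c:\windows\explorer.exe", r"c:\windows\system32\userinit.exe"}

if __name__ == "__main__":
    for f in audit_winlogon(SAMPLE_LOG, FILES_AFTER_CLEANUP):
        state = "present" if f["target_exists"] else "MISSING (dangling)"
        print(f"{f['hive']} Winlogon\\{f['value']} -> {f['target']} [{state}]")
```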


#10
February 22, 2009 at 17:55:45
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:02:01, on 23/02/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Users\Joel\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Steam\steam.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Registry Mechanic\RMTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe
D:\Music\tools.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ALaunch] C:\Acer\ALaunch\AlaunchClient.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Program Files\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RMTray.exe /H
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls...
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB...
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9585 bytes


#11
February 22, 2009 at 18:27:00
Sorry about this, also the same PC Tools app came with something called Registry Mechanic. A quick scan on that engine has come up with 190 'values missing or invalid'.
Probably irrelevant, but thought I'd check.

#12
February 22, 2009 at 18:43:13
I would not waste any money on Spyware Doctor.

Viewing the Malwarebytes logs gives us a better understanding of what we are dealing with as far as type and variant of the malware.

The next scan requires that you go offline and disable your antivirus and realtime antispyware. It will not work properly with them running and may cause the computer to lock up if they are run improperly. If this happens just restart the computer (may be slow to restart).

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to toolb.exe in the filename box, then click Save.

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, then turn off your Avast antivirus, Spybot, Windows Defender, Spyware Doctor and any other realtime antispyware that you may have.
2. Run Combofix by double clicking the toolb.exe icon on your desktop and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.


#13
February 22, 2009 at 19:03:32
I'm trying to run the ComboFix but it keeps beeping and telling me that Avast is somehow still running. I have disabled the anti-virus system but can't totally shut off Avast itself; it's saying access denied when I try to shut it down in Task Manager. Should I run the ComboFix?

#14
February 22, 2009 at 19:37:12
Did you do this:

Right click on the avast! icon in system tray and choose (Stop On-Access Protection)

Then follow the directions at this link.

http://imbacore.blogspot.com/2008/08/how-avast-antivirus-can-be-temporarily.html


#15
February 23, 2009 at 03:37:53
I have done all of the things it asks, and on Processes in Task Manager it says no Avast process is active; however, the warning beep and window still pop up, saying that it has detected the Avast antivirus scanner active.. Should I continue with the ComboFix?

#16
February 23, 2009 at 03:49:35
I've found two Avast apps running in 'Services'. I again can't stop the service as it is saying access denied.

#17
February 23, 2009 at 14:34:17
Is there anything I can do? Or should I commence with the ComboFix?

#18
February 23, 2009 at 14:38:32
Go ahead and run Combofix once you have as much of Avast turned off as possible. If it hangs, wait 10 minutes then restart the computer.

#19
February 23, 2009 at 15:09:02
Just ran ComboFix. A few things popped up that I was not sure about; it worried me a bit as Spybot alerts were popping up asking if I should allow change or allow deletion... Should I have allowed all? Here's the log anywho..

ComboFix 09-02-21.01 - Joel 2009-02-23 22:47:30.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2037.1135 [GMT 0:00]
Running from: d:\desktop\Anti-Virus\toolb.exe
AV: avast! antivirus 4.8.1229 [VPS 081122-0] *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Joel\AppData\Roaming\.#
c:\users\Joel\AppData\Roaming\.#\MBX@15E8@1D42990.###
c:\users\Joel\AppData\Roaming\.#\MBX@15E8@1D429C0.###
c:\users\Joel\AppData\Roaming\.#\MBX@15E8@1D429F0.###
c:\users\Joel\AppData\Roaming\.#\MBX@16C8@1762990.###
c:\users\Joel\AppData\Roaming\.#\MBX@16C8@17629C0.###
c:\users\Joel\AppData\Roaming\.#\MBX@16C8@17629F0.###
c:\windows\system32\x64

.
((((((((((((((((((((((((( Files Created from 2009-01-23 to 2009-02-23 )))))))))))))))))))))))))))))))
.

2009-02-23 00:43 . 2009-02-23 00:43 <DIR> d-------- c:\users\Joel\AppData\Roaming\Malwarebytes
2009-02-23 00:43 . 2009-02-23 00:43 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-02-23 00:43 . 2009-02-23 00:43 <DIR> d-------- c:\programdata\Malwarebytes
2009-02-23 00:43 . 2009-02-23 00:43 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-23 00:43 . 2009-02-11 10:19 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-02-23 00:43 . 2009-02-11 10:19 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-02-23 00:14 . 2009-02-23 00:35 <DIR> d-------- c:\users\All Users\Spybot - Search & Destroy
2009-02-23 00:14 . 2009-02-23 00:35 <DIR> d-------- c:\programdata\Spybot - Search & Destroy
2009-02-23 00:14 . 2009-02-23 00:14 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-22 23:32 . 2009-02-22 23:32 <DIR> d-------- c:\users\Joel\AppData\Roaming\PC Tools
2009-02-22 23:32 . 2009-02-22 23:41 <DIR> d-------- c:\program files\Spyware Doctor
2009-02-22 23:32 . 2004-08-04 08:00 506,368 --a------ c:\windows\System32\msxml.dll
2009-02-22 23:32 . 2008-08-25 12:36 81,288 --a------ c:\windows\System32\drivers\iksyssec.sys
2009-02-22 23:32 . 2008-08-25 12:36 66,952 --a------ c:\windows\System32\drivers\iksysflt.sys
2009-02-22 23:32 . 2008-08-25 12:36 40,840 --a------ c:\windows\System32\drivers\ikfilesec.sys
2009-02-22 23:32 . 2008-06-02 16:19 29,576 --a------ c:\windows\System32\drivers\kcom.sys
2009-02-15 22:27 . 2008-12-05 04:32 428,544 --a------ c:\windows\System32\EncDec.dll
2009-02-15 22:27 . 2008-12-05 04:32 293,376 --a------ c:\windows\System32\psisdecd.dll
2009-02-15 22:27 . 2008-12-05 04:31 217,088 --a------ c:\windows\System32\psisrndr.ax
2009-02-15 22:27 . 2008-12-05 04:31 177,664 --a------ c:\windows\System32\mpg2splt.ax
2009-02-15 22:27 . 2008-12-05 04:31 80,896 --a------ c:\windows\System32\MSNP.ax
2009-02-10 19:33 . 2009-01-15 03:36 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2009-02-10 19:33 . 2009-01-15 06:11 827,392 --a------ c:\windows\System32\wininet.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 22:44 --------- d---a-w c:\programdata\TEMP
2009-02-23 22:29 --------- d-----w c:\program files\Steam
2009-02-22 23:21 --------- d-----w c:\programdata\Google Updater
2009-02-19 20:22 --------- d---a-w c:\programdata\Sports Interactive
2009-02-11 22:51 --------- d-----w c:\program files\Windows Mail
2009-02-08 22:21 --------- d-----w c:\program files\Common Files\Steam
2009-01-10 16:23 --------- d-----w c:\program files\Google
2009-01-10 13:53 --------- d-----w c:\users\Joel\AppData\Roaming\Sports Interactive
2009-01-02 00:04 --------- d-----w c:\program files\Glory of the Roman Empire
2009-01-01 23:59 --------- d-----w c:\programdata\Media Center Programs
2009-01-01 23:42 --------- d--h--w c:\program files\Zero G Registry
2009-01-01 23:42 --------- d-----w c:\program files\Sports Interactive
2008-12-27 12:40 --------- d-----w c:\program files\Yahoo!
2008-12-26 18:58 --------- d-----w c:\program files\Logitech
2008-12-26 18:56 --------- d-----w c:\program files\Acer GameZone
2008-12-26 13:07 18,048 ----a-w c:\windows\system32\drivers\lirsgt.sys
2008-12-26 13:07 165,376 ----a-w c:\windows\system32\drivers\atksgt.sys
2008-12-26 01:04 --------- d-----w c:\program files\Labtec
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 09:00 39472 --a------ c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-10 39408]
"Steam"="c:\program files\Steam\Steam.exe" [2009-01-12 1410296]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"RegistryMechanic"="c:\program files\Registry Mechanic\RMTray.exe" [2008-07-03 812952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-03-05 525360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-01-04 768520]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2008-01-22 200704]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-07-21 159744]
"WarReg_PopUp"="c:\program files\Acer\WR_PopUp\WarReg_PopUp.exe" [2008-01-29 303104]
"eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-10-10 1286144]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"RtHDVCpl"="RtHDVCpl.exe" [2007-09-03 c:\windows\RtHDVCpl.exe]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2008-03-17 535336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="c:\program files\Privacy components\pc.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C5B1CD09-35CC-4D9D-910F-30A2B4256F5B}"= c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe
"{3D70CD11-27D2-41BF-BAB4-651077BDAF56}"= c:\program files\Acer Arcade Deluxe\VideoMagician\VideoMagician.exe:VideoMagician
"{A238014B-BF30-41D3-AE4D-0F500B557941}"= c:\program files\Acer Arcade Deluxe\HomeMedia\HomeMedia.exe:HomeMedia
"{60F16F4A-A7F9-4D8D-8974-CFFE311C491A}"= c:\program files\Acer Arcade Deluxe\DV Wizard\DV Wizard.exe:DV Wizard
"{C4B80C91-9C2C-46E5-A91F-C22FF4F61623}"= c:\program files\Acer Arcade Deluxe\DVDivine\DVDivine.exe:DVDivine
"{EC7497D2-AF6C-4167-818E-D50564CC524E}"= c:\program files\Acer Arcade Deluxe\Play Movie\PlayMovie.exe:Play Movie
"{5F700C27-A44C-4BA2-B120-BF43E6D65881}"= c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe:Play Movie Resident Program
"{74E4E885-15ED-452F-AF8B-005AB41EF289}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{1556CC37-D283-4037-9FEA-B353B36B2FEC}"= UDP:c:\program files\Sports Interactive\Football Manager 2009\fm.exe:Football Manager 2009
"{8E49F0DB-1403-4260-ABDF-53B30D378AD0}"= TCP:c:\program files\Sports Interactive\Football Manager 2009\fm.exe:Football Manager 2009
"{B7138B6D-2618-4DDE-9CD5-A13E57591FD7}"= UDP:c:\program files\Steam\SteamApps\common\football manager 2009\fm.exe:Football Manager 2009
"{A26F73DC-F7B0-4DDD-9428-193E47907F6C}"= TCP:c:\program files\Steam\SteamApps\common\football manager 2009\fm.exe:Football Manager 2009

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [2008-11-12 111184]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [2008-07-26 19:03:55 41456]
R2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [2008-03-17 51200]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [2008-11-12 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [2008-11-12 51792]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-02-23 1153368]
R3 enecir;ENE CIR Receiver;c:\windows\System32\drivers\enecir.sys [2008-03-17 32256]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [2008-03-17 180736]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-02-22 356920]
S3 WSVD;WSVD;c:\windows\System32\drivers\WSVD.sys [2008-11-12 75776]
.
Contents of the 'Scheduled Tasks' folder

2009-02-22 c:\windows\Tasks\User_Feed_Synchronization-{C9E6FE47-52D2-4588-9C9B-7660799BCAE2}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ALaunch - c:\acer\ALaunch\AlaunchClient.exe
HKLM-Run-Acer Tour Reminder - c:\acer\AcerTour\Reminder.exe
HKLM-Run-LogitechVideoRepair - c:\program files\Logitech\Video\ISStart.exe
HKLM-Run-eRecoveryService - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://en.uk.acer.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 22:49:00
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP0000002C001AE77EFF625C14 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2009-02-23 22:49:57
ComboFix-quarantined-files.txt 2009-02-23 22:49:55

Pre-Run: 38,800,584,704 bytes free
Post-Run: 38,819,917,824 bytes free

161 --- E O F --- 2009-02-23 22:34:24



#20
February 23, 2009 at 15:25:56
I did another scan on Malware and on Spyware Doctor.
The scan from Malware got a RogueAntiSpywareSYSGUARD; it was in Privacy Components, an infected file. Here's the log from the scan.

Malwarebytes' Anti-Malware 1.34
Database version: 1795
Windows 6.0.6001 Service Pack 1

23/02/2009 23:20:12
mbam-log-2009-02-23 (23-20-12).txt

Scan type: Quick Scan
Objects scanned: 54952
Time elapsed: 3 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Users\Joel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Privacy components (Rogue.PrivacyComponents) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)


The scan from Spyware Doctor came up with 4 threats and 36 infections: tracking cookies, Trojan Generic and the RogueAntiSpyware. Just wondering why the other things aren't picking all this up?



#21
February 23, 2009 at 15:45:02
If you did not turn off Spybot and Windows Defender when you ran ComboFix, all the baddies were reinstalled. ComboFix needs to be run by the directions again, then run this script.

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\program files\Privacy components\pc.exe

Folder::
c:\program files\Privacy components

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Shell"=-

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto-start, click "Run". Post the log that is produced.


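The line the script above removes, "Shell"="c:\program files\Privacy components\pc.exe" under HKEY_CURRENT_USER\...\Winlogon, is the whole reason the laptop boots into the rogue's window and a brown background instead of the desktop: Windows honours a per-user Winlogon Shell value over the machine default of explorer.exe, so the rogue never needs a Run entry to own the session. The following is an added example, not code from this thread, from ComboFix or from its author. It parses the REGEDIT4-style "Reg Loading Points" section and the catchme summary that ComboFix prints, and flags a Winlogon Shell/Userinit hijack, a Security Center DisableMonitoring entry (normal when the named AV is actually installed, worth a look when it is not), and any file catchme listed as hidden (the 524288-byte executable in c:\windows\TEMP from the first log above). The sample input is an excerpt of the logs posted in this thread; the Userinit default path assumes Windows is installed in c:\windows.

```python
r"""Audit a ComboFix log for the persistence seen in this thread.  Added example,
not code from the thread or from ComboFix.  It parses the REGEDIT4-style 'Reg
Loading Points' section plus the catchme summary and flags: a Winlogon Shell or
Userinit that is not the default, or any per-user (HKCU) override, which Windows
honours over the machine value (how pc.exe replaced the desktop above); Security
Center DisableMonitoring=1 (normal for an installed AV, suspicious otherwise);
and files catchme lists as hidden.  Assumes Windows is installed in c:\windows."""
import re
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="c:\program files\Privacy components\pc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

scanning hidden files ...
c:\windows\TEMP\TMP0000002C001AE77EFF625C14 524288 bytes executable
hidden files: 1
"""

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VAL_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))\s*=\s*(?P<raw>.*)$')
_HIDDEN_RE = re.compile(r"^(?P<path>[a-z]:\\\S.*?)\s+(?P<size>\d+) bytes (?P<kind>\w+)$", re.I)
WINLOGON_DEFAULTS = {"shell": "explorer.exe",
                     "userinit": r"c:\windows\system32\userinit.exe"}  # assumed install dir


def parse_reg_section(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key_path (lower-cased): {value_name: data}} from the REGEDIT4 dump.
    Strings lose ComboFix's '[date size]' suffix; dword: becomes int; else verbatim."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        key_m = _KEY_RE.match(line)
        if key_m:
            current = key_m.group("key").lower()   # ComboFix prints keys in mixed case
            keys.setdefault(current, {})
            continue
        val_m = _VAL_RE.match(line)
        if not val_m or current is None:
            continue
        name = "@" if val_m.group("default") else val_m.group("name")
        raw = val_m.group("raw").strip()
        data: object = raw
        if raw.startswith('"') and raw.count('"') >= 2:
            data = raw[1:raw.index('"', 1)]        # drop the trailing [date size] annotation
        elif raw.lower().startswith("dword:"):
            data = int(raw[6:], 16)
        keys[current][name] = data
    return keys


def audit_reg(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Winlogon and Security Center checks over a parsed dump -> (severity, where, why)."""
    findings: List[Tuple[str, str, str]] = []
    for key, values in keys.items():
        leaf = key.rsplit("\\", 1)[-1]
        if leaf == "winlogon":
            for name, data in values.items():
                expected = WINLOGON_DEFAULTS.get(name.lower())
                if expected is None:
                    continue
                if key.startswith("hkey_current_user"):   # per-user override beats HKLM
                    why = f"per-user Winlogon {name} override runs {data!r} in place of the machine value"
                elif str(data).strip().rstrip(",").lower() != expected:
                    why = f"Winlogon {name} is {data!r}, expected {expected!r}"
                else:
                    continue
                findings.append(("high", f"{key}\\{name}", why))
        elif "\\security center\\monitoring\\" in key and values.get("DisableMonitoring") == 1:
            findings.append(("info", key, f"Security Center monitoring disabled for {leaf!r}; "
                                          "confirm that product is actually installed"))
    return findings


def catchme_hidden(text: str) -> List[Tuple[str, int, str]]:
    """(path, size, kind) for each file the catchme section lists as hidden."""
    matches = (_HIDDEN_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group("path"), int(m.group("size")), m.group("kind")) for m in matches if m]


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Full audit of one ComboFix log: registry checks plus catchme hidden files."""
    findings = audit_reg(parse_reg_section(text))
    for path, size, kind in catchme_hidden(text):
        findings.append(("medium", path, f"catchme reports a hidden {kind} of {size} bytes"))
    return findings


if __name__ == "__main__":
    for severity, where, why in audit(SAMPLE_LOG):
        print(f"[{severity}] {where}\n    {why}")
```

Run it against a saved ComboFix.txt by reading the file into audit(); the same Winlogon check is what the "Shell"=- line in the CFScript undoes, and a clean log after the fix should produce no "high" finding and "hidden files: 0".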

#22
February 23, 2009 at 16:17:29
This is the log from the new ComboFix scan:

ComboFix 09-02-21.01 - Joel 2009-02-24 0:04:30.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2037.1170 [GMT 0:00]
Running from: d:\desktop\Anti-Virus\toolb.exe
AV: avast! antivirus 4.8.1229 [VPS 081122-0] *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
.

2009-02-23 00:43 . 2009-02-23 00:43 <DIR> d-------- c:\users\Joel\AppData\Roaming\Malwarebytes
2009-02-23 00:43 . 2009-02-23 00:43 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-02-23 00:43 . 2009-02-23 00:43 <DIR> d-------- c:\programdata\Malwarebytes
2009-02-23 00:43 . 2009-02-23 00:43 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-23 00:43 . 2009-02-11 10:19 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-02-23 00:43 . 2009-02-11 10:19 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-02-23 00:14 . 2009-02-23 00:35 <DIR> d-------- c:\users\All Users\Spybot - Search & Destroy
2009-02-23 00:14 . 2009-02-23 00:35 <DIR> d-------- c:\programdata\Spybot - Search & Destroy
2009-02-23 00:14 . 2009-02-23 00:14 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-22 23:32 . 2009-02-22 23:32 <DIR> d-------- c:\users\Joel\AppData\Roaming\PC Tools
2009-02-22 23:32 . 2009-02-23 23:42 <DIR> d-------- c:\program files\Spyware Doctor
2009-02-22 23:32 . 2004-08-04 08:00 506,368 --a------ c:\windows\System32\msxml.dll
2009-02-22 23:32 . 2008-08-25 12:36 81,288 --a------ c:\windows\System32\drivers\iksyssec.sys
2009-02-22 23:32 . 2008-08-25 12:36 66,952 --a------ c:\windows\System32\drivers\iksysflt.sys
2009-02-22 23:32 . 2008-08-25 12:36 40,840 --a------ c:\windows\System32\drivers\ikfilesec.sys
2009-02-22 23:32 . 2008-06-02 16:19 29,576 --a------ c:\windows\System32\drivers\kcom.sys
2009-02-15 22:27 . 2008-12-05 04:32 428,544 --a------ c:\windows\System32\EncDec.dll
2009-02-15 22:27 . 2008-12-05 04:32 293,376 --a------ c:\windows\System32\psisdecd.dll
2009-02-15 22:27 . 2008-12-05 04:31 217,088 --a------ c:\windows\System32\psisrndr.ax
2009-02-15 22:27 . 2008-12-05 04:31 177,664 --a------ c:\windows\System32\mpg2splt.ax
2009-02-15 22:27 . 2008-12-05 04:31 80,896 --a------ c:\windows\System32\MSNP.ax
2009-02-10 19:33 . 2009-01-15 03:36 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2009-02-10 19:33 . 2009-01-15 06:11 827,392 --a------ c:\windows\System32\wininet.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 00:01 --------- d---a-w c:\programdata\TEMP
2009-02-23 23:05 --------- d-----w c:\program files\Steam
2009-02-22 23:21 --------- d-----w c:\programdata\Google Updater
2009-02-19 20:22 --------- d---a-w c:\programdata\Sports Interactive
2009-02-11 22:51 --------- d-----w c:\program files\Windows Mail
2009-02-08 22:21 --------- d-----w c:\program files\Common Files\Steam
2009-01-10 16:23 --------- d-----w c:\program files\Google
2009-01-10 13:53 --------- d-----w c:\users\Joel\AppData\Roaming\Sports Interactive
2009-01-02 00:04 --------- d-----w c:\program files\Glory of the Roman Empire
2009-01-01 23:59 --------- d-----w c:\programdata\Media Center Programs
2009-01-01 23:42 --------- d--h--w c:\program files\Zero G Registry
2009-01-01 23:42 --------- d-----w c:\program files\Sports Interactive
2008-12-27 12:40 --------- d-----w c:\program files\Yahoo!
2008-12-26 18:58 --------- d-----w c:\program files\Logitech
2008-12-26 18:56 --------- d-----w c:\program files\Acer GameZone
2008-12-26 13:07 18,048 ----a-w c:\windows\system32\drivers\lirsgt.sys
2008-12-26 13:07 165,376 ----a-w c:\windows\system32\drivers\atksgt.sys
2008-12-26 01:04 --------- d-----w c:\program files\Labtec
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((( SnapShot@2009-02-23_22.49.18.90 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-23 22:28:31 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-02-23 23:04:20 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-02-23 22:28:31 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-02-23 23:04:20 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-02-23 22:49:03 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-02-23 23:05:58 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-02-23 23:05:58 262,144 ---ha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2009-02-23 22:30:04 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-02-23 23:05:53 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-02-23 23:05:53 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2009-02-23 22:28:31 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-02-23 23:13:49 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-02-23 22:28:31 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-23 23:13:49 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-23 22:28:31 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-02-23 23:13:49 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-02-23 22:35:07 105,852 ----a-w c:\windows\System32\perfc009.dat
+ 2009-02-23 23:17:08 105,852 ----a-w c:\windows\System32\perfc009.dat
- 2009-02-23 22:35:07 600,378 ----a-w c:\windows\System32\perfh009.dat
+ 2009-02-23 23:17:08 600,378 ----a-w c:\windows\System32\perfh009.dat
- 2009-02-23 22:30:10 7,016 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1827514273-4073627200-1545148197-1000_UserData.bin
+ 2009-02-23 23:06:12 7,032 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1827514273-4073627200-1545148197-1000_UserData.bin
- 2009-02-23 22:30:10 86,214 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-02-23 23:06:12 86,230 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-02-23 22:30:09 58,070 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-02-23 23:06:11 58,134 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 09:00 39472 --a------ c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-10 39408]
"Steam"="c:\program files\Steam\Steam.exe" [2009-01-12 1410296]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"RegistryMechanic"="c:\program files\Registry Mechanic\RMTray.exe" [2008-07-03 812952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-03-05 525360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-01-04 768520]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2008-01-22 200704]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-07-21 159744]
"WarReg_PopUp"="c:\program files\Acer\WR_PopUp\WarReg_PopUp.exe" [2008-01-29 303104]
"eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-10-10 1286144]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"ALaunch"="c:\acer\ALaunch\AlaunchClient.exe" [BU]
"RtHDVCpl"="RtHDVCpl.exe" [2007-09-03 c:\windows\RtHDVCpl.exe]
"eRecoveryService"="" [BU]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2008-03-17 535336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="c:\program files\Privacy components\pc.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C5B1CD09-35CC-4D9D-910F-30A2B4256F5B}"= c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe
"{3D70CD11-27D2-41BF-BAB4-651077BDAF56}"= c:\program files\Acer Arcade Deluxe\VideoMagician\VideoMagician.exe:VideoMagician
"{A238014B-BF30-41D3-AE4D-0F500B557941}"= c:\program files\Acer Arcade Deluxe\HomeMedia\HomeMedia.exe:HomeMedia
"{60F16F4A-A7F9-4D8D-8974-CFFE311C491A}"= c:\program files\Acer Arcade Deluxe\DV Wizard\DV Wizard.exe:DV Wizard
"{C4B80C91-9C2C-46E5-A91F-C22FF4F61623}"= c:\program files\Acer Arcade Deluxe\DVDivine\DVDivine.exe:DVDivine
"{EC7497D2-AF6C-4167-818E-D50564CC524E}"= c:\program files\Acer Arcade Deluxe\Play Movie\PlayMovie.exe:Play Movie
"{5F700C27-A44C-4BA2-B120-BF43E6D65881}"= c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe:Play Movie Resident Program
"{74E4E885-15ED-452F-AF8B-005AB41EF289}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{1556CC37-D283-4037-9FEA-B353B36B2FEC}"= UDP:c:\program files\Sports Interactive\Football Manager 2009\fm.exe:Football Manager 2009
"{8E49F0DB-1403-4260-ABDF-53B30D378AD0}"= TCP:c:\program files\Sports Interactive\Football Manager 2009\fm.exe:Football Manager 2009
"{B7138B6D-2618-4DDE-9CD5-A13E57591FD7}"= UDP:c:\program files\Steam\SteamApps\common\football manager 2009\fm.exe:Football Manager 2009
"{A26F73DC-F7B0-4DDD-9428-193E47907F6C}"= TCP:c:\program files\Steam\SteamApps\common\football manager 2009\fm.exe:Football Manager 2009

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [2008-11-12 111184]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [2008-07-26 19:03:55 41456]
R2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [2008-03-17 51200]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [2008-11-12 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [2008-11-12 51792]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-02-23 1153368]
R3 enecir;ENE CIR Receiver;c:\windows\System32\drivers\enecir.sys [2008-03-17 32256]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [2008-03-17 180736]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-02-22 356920]
S3 WSVD;WSVD;c:\windows\System32\drivers\WSVD.sys [2008-11-12 75776]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-02-24 c:\windows\Tasks\User_Feed_Synchronization-{C9E6FE47-52D2-4588-9C9B-7660799BCAE2}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://en.uk.acer.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-24 00:05:48
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5896)
c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
c:\acer\Empowering Technology\EPOWER\SysHook.dll
c:\windows\System32\NaturalLanguage6.dll
.
Completion time: 2009-02-24 0:06:48
ComboFix-quarantined-files.txt 2009-02-24 00:06:46
ComboFix2.txt 2009-02-23 22:49:58

Pre-Run: 38,567,378,944 bytes free
Post-Run: 38,537,895,936 bytes free

184 --- E O F --- 2009-02-23 22:34:24

Just going to run the new script!



#23
February 23, 2009 at 16:39:28
ComboFix 09-02-21.01 - Joel 2009-02-24 0:25:52.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2037.1167 [GMT 0:00]
Running from: d:\desktop\Anti-Virus\toolb.exe
Command switches used :: d:\desktop\Anti-Virus\CFScript.txt
AV: avast! antivirus 4.8.1229 [VPS 081122-0] *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\program files\Privacy components\pc.exe
.

((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
.

2009-02-23 00:43 . 2009-02-23 00:43 <DIR> d-------- c:\users\Joel\AppData\Roaming\Malwarebytes
2009-02-23 00:43 . 2009-02-23 00:43 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-02-23 00:43 . 2009-02-23 00:43 <DIR> d-------- c:\programdata\Malwarebytes
2009-02-23 00:43 . 2009-02-23 00:43 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-23 00:43 . 2009-02-11 10:19 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-02-23 00:43 . 2009-02-11 10:19 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-02-23 00:14 . 2009-02-23 00:35 <DIR> d-------- c:\users\All Users\Spybot - Search & Destroy
2009-02-23 00:14 . 2009-02-23 00:35 <DIR> d-------- c:\programdata\Spybot - Search & Destroy
2009-02-23 00:14 . 2009-02-23 00:14 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-22 23:32 . 2009-02-22 23:32 <DIR> d-------- c:\users\Joel\AppData\Roaming\PC Tools
2009-02-22 23:32 . 2009-02-23 23:42 <DIR> d-------- c:\program files\Spyware Doctor
2009-02-22 23:32 . 2004-08-04 08:00 506,368 --a------ c:\windows\System32\msxml.dll
2009-02-22 23:32 . 2008-08-25 12:36 81,288 --a------ c:\windows\System32\drivers\iksyssec.sys
2009-02-22 23:32 . 2008-08-25 12:36 66,952 --a------ c:\windows\System32\drivers\iksysflt.sys
2009-02-22 23:32 . 2008-08-25 12:36 40,840 --a------ c:\windows\System32\drivers\ikfilesec.sys
2009-02-22 23:32 . 2008-06-02 16:19 29,576 --a------ c:\windows\System32\drivers\kcom.sys
2009-02-15 22:27 . 2008-12-05 04:32 428,544 --a------ c:\windows\System32\EncDec.dll
2009-02-15 22:27 . 2008-12-05 04:32 293,376 --a------ c:\windows\System32\psisdecd.dll
2009-02-15 22:27 . 2008-12-05 04:31 217,088 --a------ c:\windows\System32\psisrndr.ax
2009-02-15 22:27 . 2008-12-05 04:31 177,664 --a------ c:\windows\System32\mpg2splt.ax
2009-02-15 22:27 . 2008-12-05 04:31 80,896 --a------ c:\windows\System32\MSNP.ax
2009-02-10 19:33 . 2009-01-15 03:36 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2009-02-10 19:33 . 2009-01-15 06:11 827,392 --a------ c:\windows\System32\wininet.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 00:29 --------- d---a-w c:\programdata\TEMP
2009-02-24 00:28 --------- d-----w c:\program files\Steam
2009-02-24 00:21 --------- d-----w c:\programdata\Google Updater
2009-02-19 20:22 --------- d---a-w c:\programdata\Sports Interactive
2009-02-11 22:51 --------- d-----w c:\program files\Windows Mail
2009-02-08 22:21 --------- d-----w c:\program files\Common Files\Steam
2009-02-05 21:06 51,792 ----a-w c:\windows\system32\drivers\aswMonFlt.sys
2009-01-10 16:23 --------- d-----w c:\program files\Google
2009-01-10 13:53 --------- d-----w c:\users\Joel\AppData\Roaming\Sports Interactive
2009-01-02 00:04 --------- d-----w c:\program files\Glory of the Roman Empire
2009-01-01 23:59 --------- d-----w c:\programdata\Media Center Programs
2009-01-01 23:42 --------- d--h--w c:\program files\Zero G Registry
2009-01-01 23:42 --------- d-----w c:\program files\Sports Interactive
2008-12-27 12:40 --------- d-----w c:\program files\Yahoo!
2008-12-26 18:58 --------- d-----w c:\program files\Logitech
2008-12-26 18:56 --------- d-----w c:\program files\Acer GameZone
2008-12-26 13:07 18,048 ----a-w c:\windows\system32\drivers\lirsgt.sys
2008-12-26 13:07 165,376 ----a-w c:\windows\system32\drivers\atksgt.sys
2008-12-26 01:04 --------- d-----w c:\program files\Labtec
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((( SnapShot@2009-02-23_22.49.18.90 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-23 22:28:31 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-02-24 00:27:33 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-02-23 22:28:31 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-02-24 00:27:33 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-02-23 22:49:03 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-02-24 00:27:58 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-02-24 00:27:58 262,144 ---ha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2009-02-23 22:30:04 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-02-24 00:27:58 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-02-24 00:27:58 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-11-26 17:21:30 1,236,208 ----a-w c:\windows\System32\aswBoot.exe
+ 2009-02-05 21:11:35 1,256,296 ----a-w c:\windows\System32\aswBoot.exe
- 2008-11-26 17:15:10 97,480 ----a-w c:\windows\System32\AvastSS.scr
+ 2009-02-05 21:04:45 97,480 ----a-w c:\windows\System32\AvastSS.scr
- 2009-02-23 22:28:31 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-02-24 00:28:29 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-02-23 22:28:31 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-24 00:28:29 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-23 22:28:31 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-02-24 00:28:29 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-11-26 17:17:25 20,560 ----a-w c:\windows\System32\drivers\aswFsBlk.sys
+ 2009-02-05 21:07:12 20,560 ----a-w c:\windows\System32\drivers\aswFsBlk.sys
- 2008-11-26 17:16:29 23,152 ----a-w c:\windows\System32\drivers\aswRdr.sys
+ 2009-02-05 21:06:10 23,152 ----a-w c:\windows\System32\drivers\aswRdr.sys
- 2008-11-26 17:17:36 111,184 ----a-w c:\windows\System32\drivers\aswSP.sys
+ 2009-02-05 21:07:23 114,768 ----a-w c:\windows\System32\drivers\aswSP.sys
- 2008-11-26 17:16:38 50,864 ----a-w c:\windows\System32\drivers\aswTdi.sys
+ 2009-02-05 21:06:20 51,376 ----a-w c:\windows\System32\drivers\aswTdi.sys
- 2009-02-23 22:35:07 105,852 ----a-w c:\windows\System32\perfc009.dat
+ 2009-02-24 00:15:10 105,852 ----a-w c:\windows\System32\perfc009.dat
- 2009-02-23 22:35:07 600,378 ----a-w c:\windows\System32\perfh009.dat
+ 2009-02-24 00:15:10 600,378 ----a-w c:\windows\System32\perfh009.dat
- 2009-02-23 22:30:10 7,016 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1827514273-4073627200-1545148197-1000_UserData.bin
+ 2009-02-24 00:29:26 7,200 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1827514273-4073627200-1545148197-1000_UserData.bin
- 2009-02-23 22:30:10 86,214 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-02-24 00:29:26 86,246 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-02-23 22:30:09 58,070 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-02-24 00:29:25 58,454 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 09:00 39472 --a------ c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-10 39408]
"Steam"="c:\program files\Steam\Steam.exe" [2009-01-12 1410296]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"RegistryMechanic"="c:\program files\Registry Mechanic\RMTray.exe" [2008-07-03 812952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-03-05 525360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-01-04 768520]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2008-01-22 200704]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-07-21 159744]
"WarReg_PopUp"="c:\program files\Acer\WR_PopUp\WarReg_PopUp.exe" [2008-01-29 303104]
"eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-10-10 1286144]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"ALaunch"="c:\acer\ALaunch\AlaunchClient.exe" [BU]
"RtHDVCpl"="RtHDVCpl.exe" [2007-09-03 c:\windows\RtHDVCpl.exe]
"eRecoveryService"="" [BU]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2008-03-17 535336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C5B1CD09-35CC-4D9D-910F-30A2B4256F5B}"= c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe
"{3D70CD11-27D2-41BF-BAB4-651077BDAF56}"= c:\program files\Acer Arcade Deluxe\VideoMagician\VideoMagician.exe:VideoMagician
"{A238014B-BF30-41D3-AE4D-0F500B557941}"= c:\program files\Acer Arcade Deluxe\HomeMedia\HomeMedia.exe:HomeMedia
"{60F16F4A-A7F9-4D8D-8974-CFFE311C491A}"= c:\program files\Acer Arcade Deluxe\DV Wizard\DV Wizard.exe:DV Wizard
"{C4B80C91-9C2C-46E5-A91F-C22FF4F61623}"= c:\program files\Acer Arcade Deluxe\DVDivine\DVDivine.exe:DVDivine
"{EC7497D2-AF6C-4167-818E-D50564CC524E}"= c:\program files\Acer Arcade Deluxe\Play Movie\PlayMovie.exe:Play Movie
"{5F700C27-A44C-4BA2-B120-BF43E6D65881}"= c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe:Play Movie Resident Program
"{74E4E885-15ED-452F-AF8B-005AB41EF289}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{1556CC37-D283-4037-9FEA-B353B36B2FEC}"= UDP:c:\program files\Sports Interactive\Football Manager 2009\fm.exe:Football Manager 2009
"{8E49F0DB-1403-4260-ABDF-53B30D378AD0}"= TCP:c:\program files\Sports Interactive\Football Manager 2009\fm.exe:Football Manager 2009
"{B7138B6D-2618-4DDE-9CD5-A13E57591FD7}"= UDP:c:\program files\Steam\SteamApps\common\football manager 2009\fm.exe:Football Manager 2009
"{A26F73DC-F7B0-4DDD-9428-193E47907F6C}"= TCP:c:\program files\Steam\SteamApps\common\football manager 2009\fm.exe:Football Manager 2009

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [2008-11-12 114768]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [2008-07-26 19:03:55 41456]
R2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [2008-03-17 51200]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [2008-11-12 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [2008-11-12 51792]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-02-23 1153368]
R3 enecir;ENE CIR Receiver;c:\windows\System32\drivers\enecir.sys [2008-03-17 32256]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [2008-03-17 180736]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-02-22 356920]
S3 WSVD;WSVD;c:\windows\System32\drivers\WSVD.sys [2008-11-12 75776]
.
Contents of the 'Scheduled Tasks' folder

2009-02-24 c:\windows\Tasks\User_Feed_Synchronization-{C9E6FE47-52D2-4588-9C9B-7660799BCAE2}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://en.uk.acer.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-24 00:30:12
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4476)
c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
c:\acer\Empowering Technology\EPOWER\SysHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\System32\drivers\XAudio.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\System32\wbem\unsecapp.exe
c:\users\Joel\AppData\Local\Temp\RtkBtMnt.exe
c:\windows\System32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Apoint2K\ApMsgFwd.exe
c:\windows\System32\wbem\unsecapp.exe
c:\acer\Empowering Technology\ePower\ePower_DMC.exe
c:\program files\Apoint2K\ApntEx.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2009-02-24 0:32:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-24 00:31:59
ComboFix2.txt 2009-02-24 00:06:49
ComboFix3.txt 2009-02-23 22:49:58

Pre-Run: 38,492,536,832 bytes free
Post-Run: 38,366,138,368 bytes free

229 --- E O F --- 2009-02-23 22:34:24

There's the latest Combo Fix log...


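As an added example (not code from this thread, its posters, or ComboFix itself), a small Python triage script that reads the Run-key values and the "Other Running Processes" list out of a ComboFix-style log and flags the entries a reviewer would want to look at first: executables in user-writable directories such as Temp, and values that are only a bare file name. The sample text is an excerpt of the log above plus one constructed "Updater" entry; the directory list and the flagging heuristic are assumptions of this example, and a flag means "look at this", not "this is malware" (RtHDVCpl.exe, for instance, is a bare name that ComboFix itself resolved to c:\windows in the brackets).

```python
import re

# Excerpt in ComboFix's log layout. The Run-key values and the two process
# lines are copied from the thread's log above; the "Updater" entry is
# constructed to show what a flagged autostart looks like.
SAMPLE_LOG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"RtHDVCpl"="RtHDVCpl.exe" [2007-09-03 c:\windows\RtHDVCpl.exe]
"eRecoveryService"="" [BU]
"Updater"="c:\users\Joel\AppData\Local\Temp\upd.exe" [2009-02-23 40960]

------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\users\Joel\AppData\Local\Temp\RtkBtMnt.exe
.
'''

# A ComboFix autostart value looks like:  "Name"="path" [date size]
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"')
# Directories an ordinary user can write to; legitimate autostarts rarely live here.
WRITABLE_DIRS = ('\\temp\\', '\\appdata\\', '\\downloads\\', '\\programdata\\')

def parse_log(log):
    """Return (label, path) for each Run-key value and each running process."""
    found, in_processes = [], False
    for line in log.splitlines():
        line = line.strip()
        if 'Other Running Processes' in line:
            in_processes = True
            continue
        m = RUN_ENTRY.match(line)
        if m:
            found.append((m.group('name'), m.group('path')))
        elif in_processes and re.match(r'^[a-z]:\\', line, re.I):
            found.append(('process', line))
    return found

def review_flags(log):
    """Flag entries worth a reviewer's look: user-writable dirs or bare file names."""
    flags = []
    for label, path in parse_log(log):
        low = path.lower()
        if not low:  # empty value, e.g. "eRecoveryService"="" [BU]
            continue
        if any(d in low for d in WRITABLE_DIRS):
            flags.append((label, path, 'runs from a user-writable directory'))
        elif '\\' not in low:  # e.g. RtHDVCpl.exe, resolved via the search path
            flags.append((label, path, 'bare file name, check the resolved path'))
    return flags
```

Running `review_flags(SAMPLE_LOG)` returns three entries (RtHDVCpl, Updater and the Temp-resident process) and leaves the avast! and audiodg lines alone.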

#24
February 24, 2009 at 15:09:48
Any more pointers buddy?


#25
February 24, 2009 at 17:39:33
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



#26
February 25, 2009 at 14:49:15
I've gone on System and it hasn't got a System Restore tab... If I click on System Protection it comes up with a window where I can uncheck a tick next to Acer (C:)(system).

If I uncheck that it tells me it will delete all restore points and no new ones will be saved... Is that ok?



#27
February 25, 2009 at 14:51:33
Also, should I delete all the quarantined items in my MalwareBytes?


#28
February 25, 2009 at 18:49:07
Yes that is ok.


#29
February 25, 2009 at 19:48:04
Ok, the log shows your laptop is infected by ROGUE SPYWARE. Rogue spywares are fake security programs that mostly appear as VIRUS REMOVE 2008, VIRUS RESPONSE LAB, MS ANTI SPYWARE 2009, XP ANTIVIRUS 2008 or even with a bunch more different names. You should download and run SUPER ANTI SPYWARE; it does remove ROGUE SPYWARES.
http://darfuns.com/download-super-a...
Ok, you can also try a manual method to remove fake security programs of rogue spywares:
http://darfuns.com/xp-antivirus2008...
Good Luck


#30
February 26, 2009 at 17:25:24
Jabuck - when I try to do the online scan it prompts me to install ActiveX. I agree but Windows blocks it. What should I do?


#31
February 26, 2009 at 18:28:39
You should be able to click on a yellow bar across your screen when prompted to install ActiveX. If Windows is blocking it, that bar lets you allow the ActiveX install.

If that is not an option try this scanner.

Please run ESET's online scanner from this link:

ESET

1. Note: You will need to use Internet Explorer for this scan
2. Tick the box next to YES, I accept the Terms of Use.
3. Click Start
4. When asked, allow the ActiveX control to install
5. Click Start
6. Make sure that the option Remove found threats is unticked ( I want to see what is found first), and the option Scan unwanted applications is checked
7. Click Scan
8. Wait for the scan to finish
9. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
10. Copy and paste that log in your next reply.



#32
February 27, 2009 at 12:56:00
They both say it's not allowed because Windows can't verify the server... Sorry to keep going on at you!


#33
February 27, 2009 at 14:12:11
Go to start> control panel> internet options> tools> security> click "default level"> apply>ok. Then click the advanced tab> restore defaults>apply>ok.

Try one of the online scanners again.



#34
March 15, 2009 at 18:22:29
Ok guys, I've got one for you.

Mine boots up with the voice and then the fake system scan, but guess what: a black screen and no Windows. I can access Internet Explorer through a Microsoft link on the fake scan and that's it.

Now what (CRY)



#35
March 15, 2009 at 18:52:56
Ok, I managed to get my Windows back. I ran malware spyware as said, then I rebooted and got a blue screen.

I got to that point by using smitfraud, which opened up a DOS window that ran a system 32 clean. It didn't solve the problem but at least it got me my desktop back so I can actually run some applications.

Absolute nightmare.



#36
March 15, 2009 at 19:27:01
Further to this, I had an issue where the desktop blue screened after using the spyware.

Safe mode worked but wouldn't connect to the internet. Only by alt-tabbing and logging off and on again did I once get some icons back on Windows. Managed to download and run Combo Fix, which identified 2 files which were ridiculous that I had to write down.

C:\windows\system32\drnes\gaopdxwtsvceouihunrngnyttofxeqoeyipgisys.

The other I can't face typing...

This I assume is the trojan. Anyway, I have been going at this for 2.30 hrs now and have to say it's the worst virus I've ever had.

Currently on stage 13 of the above however have blue screen with still no windows icons.

