MN_JohnC
Trojan Horse - Hijacks search results
MN_JohnC replied to MN_JohnC's topic in Resolved Malware Removal Logs
Hi Gringo, The problem seems to be solved. My searches no longer seem to be hijacked. Thank you!
Trojan Horse - Hijacks search results
MN_JohnC replied to MN_JohnC's topic in Resolved Malware Removal Logs
Hi Gringo, Here are my runs from this morning. I had to run one twice as I forgot to run as Administrator the first time.
2nd run - rebooted computer and ran as Administrator this time (forgot to do that the first time).
Hi, I've attached the logs as I believe I should (the top header of the logs doesn't seem to match the instructions in the pinned message). Please let me know how to proceed to remove this malware.
MN_JohnC
Attachments: Rkill.txt, attach.txt, dds.txt, 1st text upload.txt