
Infected (again!)



Hi guys,

My machine has recently started acting quite strangely. I have Firefox installed (it's not been installed long) and it keeps opening browser windows every few minutes. Whenever the machine starts it will tend to open around 50, and then just one every few minutes.

I then restarted it and it kept telling me that Windows activation was not genuine, or something along those lines - and it would just log me straight back out. Again I restarted the computer, but this time it wouldn't turn on. However, I now have it working again and am on it.

Initially Malwarebytes was telling me I had svchost - to my limited knowledge that's a trojan - so I looked up a fix online. I downloaded ComboFix, used that, and the scan then came up with nothing afterwards. Spybot also reports there are no infected items.

However, I am still getting the browser pop-ups and I daren't restart again in case I get the activation message.

Also, on initial startup I get a few error messages telling me 'Roxtraymm app has stopped working' or something along those lines, although that doesn't appear to affect the machine in any way once I get rid of the message.

Here are my Attach and DDS log reports:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft® Windows Vista™ Home Basic

Boot Device: \Device\HarddiskVolume2

Install Date: 09/03/2009 22:04:39

System Uptime: 19/01/2012 15:01:49 (0 hours ago)

.

Motherboard: Acer | | CathedralPeak

Processor: Pentium® Dual-Core CPU T4200 @ 2.00GHz | U2E1 | 1200/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 70 GiB total, 11.762 GiB free.

D: is FIXED (NTFS) - 70 GiB total, 69.547 GiB free.

E: is CDROM ()

F: is CDROM (UDF)

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP589: 16/01/2012 15:30:48 - Scheduled Checkpoint

RP590: 18/01/2012 01:49:34 - Scheduled Checkpoint

.

==== Installed Programs ======================

.

Acer Arcade Deluxe

Acer eDataSecurity Management

Acer Empowering Technology

Acer ePower Management

Acer eRecovery Management

Acer eSettings Management

Acer GridVista

Acer Mobility Center Plug-In

Acer Product Registration

Acer ScreenSaver

Acrobat.com

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader 9

Adobe SVG Viewer 3.0

Agere Systems HDA Modem

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ArcSoft Print Creations

ArcSoft Print Creations - Album Page

ArcSoft Print Creations - Funhouse

ArcSoft Print Creations - Greeting Card

ArcSoft Print Creations - Photo Book

ArcSoft Print Creations - Photo Calendar

ArcSoft Print Creations - Scrapbook

ArcSoft Print Creations - Slimline Card

Ask Toolbar

µTorrent

Autorun Virus Remover 3.1

BlackBerry Desktop Software 5.0

BlackBerry® Media Sync

Bonjour

C:\Program Files\Acer GameZone\GameConsole

CCScore

CyberLink PowerDirector

eSobi v2

ESSBrwr

ESSCDBK

ESScore

ESSgui

ESSini

ESSPCD

ESSPDock

ESSTOOLS

essvatgt

fflink

FM Genie Scout 11 version 1.00

FM Genie Scout 12 version 1.00

Football Manager 2012

Google Chrome

Google Desktop

Google Toolbar for Firefox

Google Toolbar for Internet Explorer

Google Update Helper

Handy Recovery 5.0

Hazard Perception Training 2003-2004

HiJackThis

Hollywood Mogul 3

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

IBM ViaVoice Command and Control Runtime 5.3 - UK English

Intel® Graphics Media Accelerator Driver

iTunes

Java Auto Updater

Java™ 6 Update 22

Junk Mail filter update

Kodak EasyShare software

Launch Manager

LightScribe 1.4.142.1

Magic ISO Maker v5.5 (build 0265)

Malwarebytes' Anti-Malware

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft Application Error Reporting

Microsoft Choice Guard

Microsoft Office Access MUI (English) 2010

Microsoft Office Access Setup Metadata MUI (English) 2010

Microsoft Office Excel MUI (English) 2010

Microsoft Office Groove MUI (English) 2010

Microsoft Office InfoPath MUI (English) 2010

Microsoft Office Live Add-in 1.3

Microsoft Office OneNote MUI (English) 2010

Microsoft Office Outlook MUI (English) 2010

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office Professional Plus 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office Suite Activation Assistant

Microsoft Office Word MUI (English) 2010

Microsoft Search Enhancement Pack

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Sync Framework Runtime Native v1.0 (x86)

Microsoft Sync Framework Services Native v1.0 (x86)

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Works

Mozilla Firefox 9.0.1 (x86 en-GB)

MSVCRT

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

neroxml

netbrdg

NTI Backup Now 5

NTI Backup Now Standard

NTI Media Maker 8

OfotoXMI

OGA Notifier 2.0.0048.0

Orion

PhotoNow!

QuickTime

RCT3 Soaked

Realtek High Definition Audio Driver

Realtek USB 2.0 Card Reader

RollerCoaster Tycoon® 3

Roxio Media Manager

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

SFR

SHASTA

skin0001

SKINXSDK

SlimCleaner

Spybot - Search & Destroy

staticcr

Synaptics Pointing Device Driver

System Requirements Lab

System Requirements Lab CYRI

The Movies™

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

VLC media player 1.0.1

VPRINTOL

WebEx

Windows Live Call

Windows Live Communications Platform

Windows Live Essentials

Windows Live Mail

Windows Live Messenger

Windows Live Movie Maker

Windows Live Photo Gallery

Windows Live Sign-in Assistant

Windows Live Sync

Windows Live Toolbar

Windows Live Upload Tool

Windows Live Writer

WinRAR archiver

WIRELESS

.

==== Event Viewer Messages From Past Week ========

.

19/01/2012 15:03:52, Error: Microsoft-Windows-DistributedCOM [10000] - Unable to start a DCOM Server: {7160A13D-73DA-4CEA-95B9-37356478588A}. The error: "1314" Happened while starting this command: C:\Windows\system32\igfxext.exe -Embedding

19/01/2012 15:02:58, Error: Microsoft-Windows-DistributedCOM [10000] - Unable to start a DCOM Server: {49BD2028-1523-11D1-AD79-00C04FD8FDFF}. The error: "1314" Happened while starting this command: C:\Windows\system32\wbem\unsecapp.exe -Embedding

19/01/2012 15:02:15, Error: EventLog [6008] - The previous system shutdown at 18:33:38 on 18/01/2012 was unexpected.

18/01/2012 17:44:24, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr sptd Tcpip tdx Wanarpv6 ws2ifsl

18/01/2012 17:44:24, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

18/01/2012 17:44:24, Error: Service Control Manager [7001] - The DHCP Client service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

18/01/2012 17:38:26, Error: EventLog [6008] - The previous system shutdown at 17:37:21 on 18/01/2012 was unexpected.

18/01/2012 17:33:35, Error: Microsoft-Windows-ResourcePublication [1002] - Element Provider\Microsoft.Base.Publication/Publication/Computer failed to publish. Ensure that both PKEY_PUBSVCS_METADATA and PKEY_PUBSVCS_TYPE are set properly on the function instance and there were no errors adding the function instance.

18/01/2012 17:33:26, Error: EventLog [6008] - The previous system shutdown at 17:31:57 on 18/01/2012 was unexpected.

18/01/2012 16:01:07, Error: Service Control Manager [7022] - The Windows Update service hung on starting.

18/01/2012 15:43:58, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

18/01/2012 15:43:53, Error: Service Control Manager [7034] - The NTI Backup Now 5 Scheduler Service service terminated unexpectedly. It has done this 1 time(s).

18/01/2012 12:34:40, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

18/01/2012 12:34:27, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B68-F52A-11D8-B9A5-505054503030}

18/01/2012 12:12:14, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.4 for the Network Card with network address 0017C46003F8 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

17/01/2012 21:52:26, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

15/01/2012 14:25:54, Error: Microsoft-Windows-DistributedCOM [10000] - Unable to start a DCOM Server: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}. The error: "1314" Happened while starting this command: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

15/01/2012 12:41:08, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr sptd Tcpip tdx Wanarpv6

15/01/2012 12:41:08, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

15/01/2012 12:41:08, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

15/01/2012 12:41:08, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.

15/01/2012 12:41:08, Error: Service Control Manager [7001] - The TCP/IP Registry Compatibility service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

15/01/2012 12:41:08, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

15/01/2012 12:41:08, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

15/01/2012 12:41:08, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

15/01/2012 12:41:08, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

15/01/2012 12:41:08, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.

15/01/2012 12:41:08, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

15/01/2012 12:41:08, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.

15/01/2012 12:41:08, Error: Service Control Manager [7001] - The Network Connections service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

15/01/2012 12:41:08, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

15/01/2012 12:41:08, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.

15/01/2012 12:41:08, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

15/01/2012 12:41:08, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

15/01/2012 12:41:08, Error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

15/01/2012 12:41:08, Error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

15/01/2012 12:40:50, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

15/01/2012 12:40:16, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}

15/01/2012 12:40:16, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

15/01/2012 12:40:14, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

15/01/2012 12:40:06, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

15/01/2012 12:39:14, Error: sptd [4] - Driver detected an internal error in its data structures for .

15/01/2012 12:34:52, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Roxio Hard Drive Watcher 9 service to connect.

15/01/2012 12:34:52, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the LiveShare P2P Server 9 service to connect.

15/01/2012 12:34:52, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

13/01/2012 12:30:05, Error: Service Control Manager [7024] - The SL UI Notification Service service terminated with service-specific error 3221541889 (0xC004D401).

.

==== End Of File ===========================

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 7.0.6001.18000

Run by Josh at 15:07:43 on 2012-01-19

Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.3000.1857 [GMT 0:00]

.

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Windows\system32\agrsmsvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe

C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe

C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe

C:\Program Files\Acer\Empowering Technology\Service\ETService.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Acer\Mobility Center\MobilityService.exe

C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe

C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

c:\Program Files\Cyberlink\Shared files\RichVideo.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\Launch Manager\LManager.exe

C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe

C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe

C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe

C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe

C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Windows\system32\igfxsrvc.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\Program Files\AutorunRemover\AutorunRemover.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe

C:\Program Files\MagicDisc\MagicDisc.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Users\Josh\AppData\Local\Temp\RtkBtMnt.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Windows Live\Toolbar\wltuser.exe

C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe

C:\Program Files\Internet Explorer\iexploremgr.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\wuauclt.exe

\\?\C:\Windows\system32\wbem\WMIADAP.EXE

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vb32&d=0309&m=aspire_5735

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s

mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\vqumuwxn\ewmyjigc.exe,

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\mi1933~1\office14\GROOVEEX.DLL

BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\program files\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\mi1933~1\office14\URLREDIR.DLL

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\program files\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll

TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [ProductReg] "c:\program files\acer\wr_popup\ProductReg.exe"

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [bkupTray] "c:\program files\newtech infosystems\nti backup now 5\BkupTray.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [RtHDVCpl] RtHDVCpl.exe

mRun: [LManager] c:\progra~1\launch~1\LManager.exe

mRun: [eDataSecurity Loader] c:\program files\acer\empowering technology\edatasecurity\x86\eDSloader.exe

mRun: [ePower_DMC] c:\program files\acer\empowering technology\epower\ePower_DMC.exe

mRun: [ArcadeDeluxeAgent] "c:\program files\acer arcade deluxe\acer arcade deluxe\ArcadeDeluxeAgent.exe"

mRun: [CLMLServer] "c:\program files\acer arcade deluxe\acer arcade deluxe\kernel\clml\CLMLSvc.exe"

mRun: [PlayMovie] "c:\program files\acer arcade deluxe\playmovie\PMVService.exe"

mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [blackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background

mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"

mRun: [bCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices

mRun: [AutorunRemover.exe] c:\program files\autorunremover\AutorunRemover.exe -Hide

StartupFolder: c:\users\josh\appdata\roaming\microsoft\windows\start menu\programs\startup\ewmyjigc.exe

StartupFolder: c:\users\josh\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\mi1933~1\office14\ONBttnIE.dll/105

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {96816368-C1E3-414D-A193-63C3CC921990} - hxxp://interpub-newquay.remotemanager.co.uk/common/activex/MJPEGRender.ocx

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.4.26.0.cab

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{F5BCB6EA-BAE7-49E2-810C-2946A71F05AB} : DhcpNameServer = 192.168.0.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: c:\progra~1\google\google~1\GoogleDesktopNetwork3.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mi1933~1\office14\GROOVEEX.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\josh\appdata\roaming\mozilla\firefox\profiles\k8hiyhsb.default\

FF - plugin: c:\progra~1\mi1933~1\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\mi1933~1\office14\NPSPWRAP.DLL

FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll

.

============= SERVICES / DRIVERS ===============

.

R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-3-3 16384]

R2 CLHNService;CLHNService;c:\program files\acer arcade deluxe\homemedia\kernel\dmp\CLHNService.exe [2009-3-9 69632]

R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2009-2-2 24576]

R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-26 45056]

R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-26 131072]

R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-11-4 1153368]

R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-6-26 212992]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-6-28 30192]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]

S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\mcafee security scan\2.0.181\mcchsvc.exe" --> c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [?]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-1-21 30963576]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2012-01-19 15:05:52 197052 ----a-w- c:\program files\internet explorer\iexploremgr.exe

2012-01-18 15:56:04 -------- d-----w- C:\$RECYCLE.BIN

2012-01-18 15:40:44 98816 ----a-w- c:\windows\sed.exe

2012-01-18 15:40:44 518144 ----a-w- c:\windows\SWREG.exe

2012-01-18 15:40:44 256000 ----a-w- c:\windows\PEV.exe

2012-01-18 15:40:44 208896 ----a-w- c:\windows\MBR.exe

2012-01-18 15:40:28 -------- d-----w- C:\ComboFix

.

==================== Find3M ====================

.

2012-01-15 15:10:38 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

============= FINISH: 15:08:32.66 ===============

I really appreciate any help. Thanks guys.

I don't know what exactly NTI Backup is or how it's on my system; how would I go about checking if I have a recent backup?


Thanks for your reply;

This is the ComboFix log:

ComboFix 12-01-18.04 - Josh 18/01/2012 15:44:07.3.2 - x86

Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.3000.1426 [GMT 0:00]

Running from: c:\users\Josh\Downloads\ComboFix.exe

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\Downloaded Installers

c:\program files\Downloaded Installers\{ecbff841-a2af-4c89-88fd-d3576330775f}\setup.msi

c:\program files\Internet Explorer\IEXPLOREmgr.exe

c:\users\Josh\AppData\Local\dpymvhmn.log

c:\users\Josh\AppData\Local\fxPathmm\usbobjPath.dll

c:\users\Josh\Desktop\Setup.exe

c:\users\Josh\Documents\~WRL0001.tmp

c:\windows\Explorermgr.exe

c:\windows\system32\rundll32mgr.exe

c:\windows\system32\settings.ini

c:\windows\system32\spsys.log

.

.

((((((((((((((((((((((((( Files Created from 2011-12-18 to 2012-01-18 )))))))))))))))))))))))))))))))

.

.

2012-01-18 15:53 . 2012-01-18 15:53 -------- d-----w- c:\users\Public\AppData\Local\temp

2012-01-18 15:53 . 2012-01-18 15:53 -------- d-----w- c:\users\Default\AppData\Local\temp

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-01-15 15:10 . 2011-06-23 18:57 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-12-21 07:42 . 2012-01-15 14:43 121816 ------w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]

2009-04-02 11:47 333192 ------w- c:\program files\AskBarDis\bar\bin\askBar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

.

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]

@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"

[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]

2008-05-15 00:05 121392 ------w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ProductReg"="c:\program files\Acer\WR_PopUp\ProductReg.exe" [2008-11-17 336264]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-28 68856]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1049896]

"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-26 228869]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"RtHDVCpl"="RtHDVCpl.exe" [2008-06-13 6183456]

"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-09-10 809480]

"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-05-15 526896]

"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-06-11 409600]

"ArcadeDeluxeAgent"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2008-10-09 348566]

"CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2008-10-09 369099]

"PlayMovie"="c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2008-10-17 368978]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-09-02 30192]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 136216]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 171032]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 170520]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 623050]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]

"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-07-01 623960]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]

"AutorunRemover.exe"="c:\program files\AutorunRemover\AutorunRemover.exe" [2011-04-22 1806848]

.

c:\users\Josh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

ewmyjigc.exe [2012-1-18 197052]

MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2010-11-27 776054]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 524624]

McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\system32\userinit.exe,c:\program files\vqumuwxn\ewmyjigc.exe,"

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

.

Contents of the 'Scheduled Tasks' folder

.

2012-01-18 c:\windows\Tasks\AutoKMS.job

- c:\windows\AutoKMS\AutoKMS.exe [2011-12-07 19:12]

.

2012-01-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 20:58]

.

2012-01-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 20:58]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vb32&d=0309&m=aspire_5735

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MI1933~1\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 192.168.0.1

DPF: {96816368-C1E3-414D-A193-63C3CC921990} - hxxp://interpub-newquay.remotemanager.co.uk/common/activex/MJPEGRender.ocx

FF - ProfilePath - c:\users\Josh\AppData\Roaming\Mozilla\Firefox\Profiles\k8hiyhsb.default\

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-usbobjPath - c:\users\Josh\AppData\Local\fxPathmm\usbobjPath.dll

AddRemove-McAfee Security Scan - c:\program files\McAfee Security Scan\uninstall.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-01-18 15:56

Windows 6.0.6001 Service Pack 1 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-2111716058-3512669174-89095203-1000\Software\G*e*n*i*e*"!\FM Genie Scout 10]

"GameDir"="c:\\Users\\Josh\\Documents\\Sports Interactive\\Football Manager 2010\\games"

"ShortlistDir"="c:\\Users\\Josh\\Documents\\Sports Interactive\\Football Manager 2010\\shortlists"

"ScreenshotsDir"="c:\\Users\\Josh\\Documents\\Sports Interactive\\Football Manager 2010"

"SaveDir"="c:\\Users\\Josh\\Documents\\Sports Interactive\\Football Manager 2010\\"

"HistoryDir"="c:\\Users\\Josh\\Desktop\\FM Genie Scout 10\\History Points"

"LangDB"="c:\\Program Files\\Sports Interactive\\Football Manager 2010\\data\\updates\\update-1030\\db\\1030\\lang_db.dat"

"LastSaveGame"=""

"Language"="English"

"LoadLangDB"=dword:00000001

"CompressHistoryPoints"=dword:00000000

"HighlightedAttributes"=dword:00000000

"MinCondition"=dword:00000050

"GraphStep"=dword:00000000

"SkinName"="Steklo Black"

"LastUpdateCheck"=dword:00009e03

"HighQualityGUI"=dword:00000001

"AutomaticallyUpdateCheck"=dword:00000001

"AdvancedGeneration"=dword:00000000

"TranslateStaffSkills"=dword:00000001

"TranslatePlayerSkills"=dword:00000001

"TranslatePositions"=dword:00000001

"ShowHistory"=dword:00000001

"Version"=dword:00000074

"UniqueID"="35-8980-E21F"

"Currency"=dword:00000056

"UseProxy"=dword:00000000

"ProxyHost"=""

"ProxyPort"=""

"UseAuthentication"=dword:00000000

"UserName"=""

"UserPassword"=""

.

[HKEY_USERS\S-1-5-21-2111716058-3512669174-89095203-1000\Software\G*e*n*i*e*"!\FM Genie Scout 11]

@Allowed: (Read) (RestrictedCode)

"GameDir"="c:\\Users\\Josh\\Documents\\Sports Interactive\\Football Manager 2011\\games"

"ShortlistDir"="c:\\Users\\Josh\\Documents\\Sports Interactive\\Football Manager 2011\\shortlists"

"FMPath"="c:\\Program Files\\Sports Interactive\\Football Manager 2011"

"ScreenshotsDir"="c:\\Users\\Josh\\Documents\\Sports Interactive\\Football Manager 2011"

"SaveDir"="c:\\Users\\Josh\\Documents\\Sports Interactive\\Football Manager 2011\\"

"HistoryDir"="c:\\FM Genie Scout 11\\History Points"

"LangDB"="c:\\FM Genie Scout 11\\lang_db.dat"

"LastSaveGame"=""

"Language"="English"

"LoadLangDB"=dword:00000001

"CompressHistoryPoints"=dword:00000000

"HighlightedAttributes"=dword:00000000

"MinCondition"=dword:00000050

"GraphStep"=dword:00000000

"SkinName"="PSV Eindhoven"

"LastUpdateCheck"=dword:00009f6e

"HighQualityGUI"=dword:00000001

"AutomaticallyUpdateCheck"=dword:00000001

"AdvancedGeneration"=dword:00000000

"TranslateStaffSkills"=dword:00000001

"TranslatePlayerSkills"=dword:00000001

"TranslatePositions"=dword:00000001

"ShowHistory"=dword:00000001

"Version"=dword:00000081

"UniqueID"="35-8980-E21F"

"UseProxy"=dword:00000000

"ProxyHost"=""

"ProxyPort"=""

"UseAuthentication"=dword:00000000

"UserName"=""

"UserPassword"=""

"Currency"=dword:00000056

"PlayerSearchFeatureNum"=dword:0000004c

"StaffSearchFeatureNum"=dword:0000000d

"ClubSearchFeatureNum"=dword:00000000

"FilterByClubFeatureNum"=dword:00000000

"CompareFeatureNum"=dword:00000000

"ShortlistFeatureNum"=dword:00000000

"ExportFeatureNum"=dword:00000000

"HistoryFeatureNum"=dword:00000000

"LanguageDBFeatureNum"=dword:0000004e

"HintsFeatureNum"=dword:00000004

"GenieReportFeatureNum"=dword:00000002

"TopFormationFeatureNum"=dword:00000000

"ScreenshotFeatureNum"=dword:00000000

"VersionOf"=dword:0000007b

.

[HKEY_USERS\S-1-5-21-2111716058-3512669174-89095203-1000\Software\G*e*n*i*e*"!\FM Genie Scout 11g]

@Allowed: (Read) (RestrictedCode)

"PicturesNumber"=dword:00000000

.

[HKEY_USERS\S-1-5-21-2111716058-3512669174-89095203-1000\Software\G*e*n*i*e*"!\FM Genie Scout 12]

@Allowed: (Read) (RestrictedCode)

"GameDir"="c:\\FM Genie Scout 12\\games"

"ShortlistDir"="c:\\FM Genie Scout 12\\shortlists"

"FMPath"="c:\\Program Files\\SEGA\\Football Manager 2012\\"

"ScreenshotsDir"="c:\\FM Genie Scout 12"

"SaveDir"="c:\\FM Genie Scout 12\\"

"HistoryDir"="c:\\FM Genie Scout 12\\History Points"

"LangDB"="c:\\Program Files\\SEGA\\Football Manager 2012\\data\\db\\1200\\lang_db.dat"

"LastSaveGame"=""

"Language"="English"

"LoadLangDB"=dword:00000001

"CompressHistoryPoints"=dword:00000000

"HighlightedAttributes"=dword:00000000

"MinCondition"=dword:00000050

"GraphStep"=dword:00000000

"SkinName"="Steklo Black"

"LastUpdateCheck"=dword:00009fb3

"VersionOf"=dword:00000000

"HighQualityGUI"=dword:00000001

"AutomaticallyUpdateCheck"=dword:00000001

"AdvancedGeneration"=dword:00000000

"TranslateStaffSkills"=dword:00000001

"TranslatePlayerSkills"=dword:00000001

"TranslatePositions"=dword:00000001

"ShowHistory"=dword:00000001

"ShowGuidNotification"=dword:00000000

"ShowDonateNotification"=dword:00000000

"Version"=dword:000000c8

"UniqueID"="35-8980-E21F"

"UseProxy"=dword:00000000

"ProxyHost"=""

"ProxyPort"=""

"UseAuthentication"=dword:00000000

"UserName"=""

"UserPassword"=""

"PlayerSearchFeatureNum"=dword:00000001

"StaffSearchFeatureNum"=dword:00000000

"ClubSearchFeatureNum"=dword:00000000

"FilterByClubFeatureNum"=dword:00000000

"CompareFeatureNum"=dword:00000000

"ShortlistFeatureNum"=dword:00000001

"ExportFeatureNum"=dword:00000000

"HistoryFeatureNum"=dword:00000000

"LanguageDBFeatureNum"=dword:00000001

"HintsFeatureNum"=dword:00000001

"GenieReportFeatureNum"=dword:00000000

"TopFormationFeatureNum"=dword:00000000

"ScreenshotFeatureNum"=dword:00000000

"AdClicksNum"=dword:00000001

"AdImpressionsNum"=dword:00000009

"GameLoadedCounter"=dword:00000005

"Currency"=dword:00000056

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(1184)

c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll

c:\windows\System32\SysHook.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\windows\system32\agrsmsvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe

c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe

c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe

c:\program files\Acer\Empowering Technology\Service\ETService.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\acer\Mobility Center\MobilityService.exe

c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe

c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe

c:\program files\Cyberlink\Shared files\RichVideo.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files\Spybot - Search & Destroy\SDWinSec.exe

c:\windows\system32\wbem\unsecapp.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

c:\windows\RtHDVCpl.exe

c:\program files\Launch Manager\LManager.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\Internet Explorer\iexplore.exe

c:\windows\system32\wbem\unsecapp.exe

c:\program files\Internet Explorer\iexplore.exe

c:\windows\system32\igfxext.exe

c:\program files\Windows Media Player\wmpnscfg.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\servicing\TrustedInstaller.exe

.

**************************************************************************

.

Completion time: 2012-01-18 16:03:50 - machine was rebooted

ComboFix-quarantined-files.txt 2012-01-18 16:03

.

Pre-Run: 11,264,266,240 bytes free

Post-Run: 12,579,913,728 bytes free

.

- - End Of File - - C89C79DEE4C58CAD1D343181C2A4CEF0

The MBAM log:

Malwarebytes' Anti-Malware 1.41

Database version: 3105

Windows 6.0.6001 Service Pack 1

22/01/2012 18:12:07

mbam-log-2012-01-22 (18-12-07).txt

Scan type: Quick Scan

Objects scanned: 97859

Time elapsed: 5 minute(s), 55 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Please update your Java right now; older versions are vulnerable to malware:

Java™ 6 Update 22 <--- should be 30

Go to your control panel > Java > Update

-------------------------------------------

Is this a program you installed??

"AutorunRemover.exe"="c:\program files\AutorunRemover\AutorunRemover.exe" [2011-04-22 1806848]

--------------------------------------------

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

-------------

Next..........

Please download and run RogueKiller.

Choose 1 to scan the system

Post back the report.

MrC


I got this warning when trying to update Java:

bin/awt.dll: Old File not found. However, a file of the same name was found. No update done since file contents do not match.

AutoRun Remover is a program I installed. I heard it was the thing to use for removing viruses off of memory sticks.

Farbar Log:

Farbar Service Scanner Version: 18-01-2012 01

Ran by Josh (administrator) on 22-01-2012 at 19:28:53

Microsoft® Windows Vista™ Home Basic Service Pack 1 (X86)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Yahoo IP is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

SDRSVC Service is not running. Checking service configuration:

The start type of SDRSVC service is OK.

The ImagePath of SDRSVC service is OK.

The ServiceDll of SDRSVC service is OK.

Checking LEGACY_SDRSVC: Attention! Unable to open LEGACY_SDRSVC\0000 registry key. The key does not exist.

System Restore Disabled Policy:

========================

Security Center:

============

Windows Update:

===========

File Check:

========

C:\Windows\system32\nsisvc.dll => MD5 is legit

C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit

C:\Windows\system32\dhcpcsvc.dll

[2008-01-21 02:33] - [2008-01-21 02:33] - 0204288 ____A (Microsoft Corporation) 43A988A9C10333476CB5FB667CBD629D

C:\Windows\system32\Drivers\afd.sys

[2011-07-14 17:11] - [2011-04-21 13:16] - 0273408 ____A (Microsoft Corporation) 48EB99503533C27AC6135648E5474457

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit

C:\Windows\system32\Drivers\tcpip.sys

[2010-08-11 07:46] - [2010-06-16 15:59] - 0898952 ____A (Microsoft Corporation) 782568AB6A43160A159B6215B70BCCE9

C:\Windows\system32\dnsrslvr.dll

[2011-04-16 00:01] - [2011-03-02 14:49] - 0086528 ____A (Microsoft Corporation) 4805D9A6D281C7A7DEFD9094DEC6AF7D

C:\Windows\system32\mpssvc.dll

[2008-01-21 02:34] - [2008-01-21 02:34] - 0393216 ____A (Microsoft Corporation) D1639BA315B0D79DEC49A4B0E1FB929B

C:\Windows\system32\bfe.dll

[2008-01-21 02:33] - [2008-01-21 02:33] - 0328704 ____A (Microsoft Corporation) 8582E233C346AEFE759833E8A30DD697

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit

C:\Windows\system32\SDRSVC.dll => MD5 is legit

C:\Windows\system32\vssvc.exe

[2008-01-21 02:33] - [2008-01-21 02:33] - 1054720 ____A (Microsoft Corporation) D5FB73D19C46ADE183F968E13F186B23

C:\Windows\system32\wscsvc.dll

[2008-01-21 02:33] - [2008-01-21 02:33] - 0061440 ____A (Microsoft Corporation) 683DD16B590372F2C9661D277F35E49C

C:\Windows\system32\wbem\WMIsvc.dll

[2008-01-21 02:34] - [2008-01-21 02:34] - 0161792 ____A (Microsoft Corporation) 00B79A7C984678F24CF052E5BEB3A2F5

C:\Windows\system32\wuaueng.dll => MD5 is legit

C:\Windows\system32\qmgr.dll

[2008-01-21 02:34] - [2008-01-21 02:34] - 0758272 ____A (Microsoft Corporation) 02ED7B4DBC2A3232A389106DA7515C3D

C:\Windows\system32\es.dll

[2009-02-02 19:54] - [2008-04-18 05:48] - 0269312 ____A (Microsoft Corporation) 3CB3343D720168B575133A0A20DC2465

C:\Windows\system32\cryptsvc.dll

[2008-01-21 02:34] - [2008-01-21 02:34] - 0128000 ____A (Microsoft Corporation) 6DE363F9F99334514C46AEC02D3E3678

C:\Windows\system32\svchost.exe => MD5 is legit

C:\Windows\system32\rpcss.dll

[2009-06-28 08:53] - [2009-03-03 04:39] - 0551424 ____A (Microsoft Corporation) 301AE00E12408650BADDC04DBC832830

**** End of log ****

RogueKiller Log:

RogueKiller V6.2.4 [01/12/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6001 Service Pack 1) 32 bits version

Started in : Normal mode

User: Josh [Admin rights]

Mode: Scan -- Date : 01/22/2012 19:29:30

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 3 ¤¤¤

[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++

--- User ---

[MBR] 0e7ffc9d423f3ea371290f7d970e5f37

[BSP] f855a88cf2a28cd34d34d75dcddbbcd6 : MBR Code unknown

Partition table:

0 - [XXXXXX] NTFS [HIDDEN!] Offset (sectors): 2048 | Size: 10485 Mo

1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 20482048 | Size: 74781 Mo

2 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 166539264 | Size: 74771 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>


I've uninstalled it using JavaRa; this is the log:

JavaRa 1.16 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Sun Jan 22 19:45:10 2012

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0001-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0002-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0003-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0004-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0005-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0006-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0007-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0008-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0009-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0010-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0011-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0012-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0013-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0014-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0015-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0016-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0017-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0018-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0019-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0020-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0021-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0022-ABCDEFFDCBA}. The error returned was 124.

Found and removed: JavaScript

Found and removed: JavaScript Author

Found and removed: JavaScript1.1

Found and removed: JavaScript1.1 Author

Found and removed: JavaScript1.2

Found and removed: JavaScript1.2 Author

Found and removed: Software\JavaSoft\Java2D\1.5.0_03

------------------------------------

Finished reporting.

JavaRa 1.16 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Sun Jan 22 19:45:19 2012

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0001-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0002-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0003-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0004-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0005-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0006-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0007-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0008-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0009-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0010-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0011-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0012-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0013-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0014-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0015-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0016-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0017-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0018-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0019-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0020-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0021-ABCDEFFDCBA}. The error returned was 124.

There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0022-ABCDEFFDCBA}. The error returned was 124.

------------------------------------

Finished reporting.

Did you want me to actually install something else? I'm a little lost.


Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    CAFEEFAC-0016-0013-ABCDEFFDCBA
    :regfind
    CAFEEFAC-0016-0013-ABCDEFFDCBA


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

MrC


SystemLook 30.07.11 by jpshortstuff

Log created at 20:10 on 22/01/2012 by Josh

Administrator - Elevation successful

========== filefind ==========

Searching for "CAFEEFAC-0016-0013-ABCDEFFDCBA"

No files found.

========== regfind ==========

Searching for "CAFEEFAC-0016-0013-ABCDEFFDCBA"

No data found.

-= EOF =-


Delete your copy of ComboFix and download a fresh one:

http://www.bleepingc...to-use-combofix

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

Folder::

c:\program files\vqumuwxn

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC


Here is the log:

ComboFix 12-01-21.02 - Josh 22/01/2012 21:20:00.4.2 - x86

Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.3000.1604 [GMT 0:00]

Running from: c:\users\Josh\Desktop\ComboFix.exe

Command switches used :: c:\users\Josh\Desktop\CFScript.txt

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\vqumuwxn

c:\program files\vqumuwxn\ewmyjigc.exe

c:\users\Josh\AppData\Local\fxmqhkob.log

c:\windows\system32\spsys.log

.

.

((((((((((((((((((((((((( Files Created from 2011-12-22 to 2012-01-22 )))))))))))))))))))))))))))))))

.

.

2012-01-22 21:53 . 2012-01-22 21:53 -------- d-----w- c:\users\Public\AppData\Local\temp

2012-01-22 21:53 . 2012-01-22 21:53 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-01-22 19:41 . 2012-01-22 19:41 197052 ----a-w- c:\windows\system32\MsiExecmgr.exe

2012-01-22 19:29 . 2012-01-22 19:29 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys

2012-01-20 08:36 . 2012-01-22 19:40 197052 ----a-w- c:\windows\Explorermgr.exe

2012-01-19 15:14 . 2012-01-22 21:53 197052 ----a-w- c:\windows\system32\rundll32mgr.exe

2012-01-19 15:05 . 2012-01-22 21:13 197052 ----a-w- c:\program files\Internet Explorer\iexploremgr.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-01-22 20:32 . 2010-11-08 20:24 472808 ----a-w- c:\windows\system32\deployJava1.dll

2012-01-18 15:56 . 2011-07-15 07:34 197052 ------w- c:\users\Josh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewmyjigc.exe

2012-01-15 15:10 . 2011-06-23 18:57 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-12-21 07:42 . 2012-01-15 14:43 121816 ------w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]

2009-04-02 11:47 333192 ------w- c:\program files\AskBarDis\bar\bin\askBar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

.

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]

@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"

[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]

2008-05-15 00:05 121392 ------w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ProductReg"="c:\program files\Acer\WR_PopUp\ProductReg.exe" [2008-11-17 336264]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-28 68856]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1049896]

"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-26 228869]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"RtHDVCpl"="RtHDVCpl.exe" [2008-06-13 6183456]

"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-09-10 809480]

"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-05-15 526896]

"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-06-11 409600]

"ArcadeDeluxeAgent"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2008-10-09 348566]

"CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2008-10-09 369099]

"PlayMovie"="c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2008-10-17 368978]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-09-02 30192]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 136216]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 171032]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 170520]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 623050]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]

"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-07-01 623960]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]

"AutorunRemover.exe"="c:\program files\AutorunRemover\AutorunRemover.exe" [2011-04-22 1806848]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

.

c:\users\Josh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

ewmyjigc.exe [2012-1-18 197052]

MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2010-11-27 776054]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 524624]

McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - TRUESIGHT

*Deregistered* - TrueSight

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

.

Contents of the 'Scheduled Tasks' folder

.

2012-01-19 c:\windows\Tasks\AutoKMS.job

- c:\windows\AutoKMS\AutoKMS.exe [2011-12-07 19:12]

.

2012-01-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 20:58]

.

2012-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 20:58]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vb32&d=0309&m=aspire_5735

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MI1933~1\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 192.168.0.1

DPF: {96816368-C1E3-414D-A193-63C3CC921990} - hxxp://interpub-newquay.remotemanager.co.uk/common/activex/MJPEGRender.ocx

FF - ProfilePath - c:\users\Josh\AppData\Roaming\Mozilla\Firefox\Profiles\k8hiyhsb.default\

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-01-22 21:53

Windows 6.0.6001 Service Pack 1 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-2111716058-3512669174-89095203-1000\Software\G*e*n*i*e*"!\FM Genie Scout 10]

"GameDir"="c:\\Users\\Josh\\Documents\\Sports Interactive\\Football Manager 2010\\games"

"ShortlistDir"="c:\\Users\\Josh\\Documents\\Sports Interactive\\Football Manager 2010\\shortlists"

"ScreenshotsDir"="c:\\Users\\Josh\\Documents\\Sports Interactive\\Football Manager 2010"

"SaveDir"="c:\\Users\\Josh\\Documents\\Sports Interactive\\Football Manager 2010\\"

"HistoryDir"="c:\\Users\\Josh\\Desktop\\FM Genie Scout 10\\History Points"

"LangDB"="c:\\Program Files\\Sports Interactive\\Football Manager 2010\\data\\updates\\update-1030\\db\\1030\\lang_db.dat"

"LastSaveGame"=""

"Language"="English"

"LoadLangDB"=dword:00000001

"CompressHistoryPoints"=dword:00000000

"HighlightedAttributes"=dword:00000000

"MinCondition"=dword:00000050

"GraphStep"=dword:00000000

"SkinName"="Steklo Black"

"LastUpdateCheck"=dword:00009e03

"HighQualityGUI"=dword:00000001

"AutomaticallyUpdateCheck"=dword:00000001

"AdvancedGeneration"=dword:00000000

"TranslateStaffSkills"=dword:00000001

"TranslatePlayerSkills"=dword:00000001

"TranslatePositions"=dword:00000001

"ShowHistory"=dword:00000001

"Version"=dword:00000074

"UniqueID"="35-8980-E21F"

"Currency"=dword:00000056

"UseProxy"=dword:00000000

"ProxyHost"=""

"ProxyPort"=""

"UseAuthentication"=dword:00000000

"UserName"=""

"UserPassword"=""

.

[HKEY_USERS\S-1-5-21-2111716058-3512669174-89095203-1000\Software\G*e*n*i*e*"!\FM Genie Scout 11]

@Allowed: (Read) (RestrictedCode)

"GameDir"="c:\\Users\\Josh\\Documents\\Sports Interactive\\Football Manager 2011\\games"

"ShortlistDir"="c:\\Users\\Josh\\Documents\\Sports Interactive\\Football Manager 2011\\shortlists"

"FMPath"="c:\\Program Files\\Sports Interactive\\Football Manager 2011"

"ScreenshotsDir"="c:\\Users\\Josh\\Documents\\Sports Interactive\\Football Manager 2011"

"SaveDir"="c:\\Users\\Josh\\Documents\\Sports Interactive\\Football Manager 2011\\"

"HistoryDir"="c:\\FM Genie Scout 11\\History Points"

"LangDB"="c:\\FM Genie Scout 11\\lang_db.dat"

"LastSaveGame"=""

"Language"="English"

"LoadLangDB"=dword:00000001

"CompressHistoryPoints"=dword:00000000

"HighlightedAttributes"=dword:00000000

"MinCondition"=dword:00000050

"GraphStep"=dword:00000000

"SkinName"="PSV Eindhoven"

"LastUpdateCheck"=dword:00009f6e

"HighQualityGUI"=dword:00000001

"AutomaticallyUpdateCheck"=dword:00000001

"AdvancedGeneration"=dword:00000000

"TranslateStaffSkills"=dword:00000001

"TranslatePlayerSkills"=dword:00000001

"TranslatePositions"=dword:00000001

"ShowHistory"=dword:00000001

"Version"=dword:00000081

"UniqueID"="35-8980-E21F"

"UseProxy"=dword:00000000

"ProxyHost"=""

"ProxyPort"=""

"UseAuthentication"=dword:00000000

"UserName"=""

"UserPassword"=""

"Currency"=dword:00000056

"PlayerSearchFeatureNum"=dword:0000004c

"StaffSearchFeatureNum"=dword:0000000d

"ClubSearchFeatureNum"=dword:00000000

"FilterByClubFeatureNum"=dword:00000000

"CompareFeatureNum"=dword:00000000

"ShortlistFeatureNum"=dword:00000000

"ExportFeatureNum"=dword:00000000

"HistoryFeatureNum"=dword:00000000

"LanguageDBFeatureNum"=dword:0000004e

"HintsFeatureNum"=dword:00000004

"GenieReportFeatureNum"=dword:00000002

"TopFormationFeatureNum"=dword:00000000

"ScreenshotFeatureNum"=dword:00000000

"VersionOf"=dword:0000007b

.

[HKEY_USERS\S-1-5-21-2111716058-3512669174-89095203-1000\Software\G*e*n*i*e*"!\FM Genie Scout 11g]

@Allowed: (Read) (RestrictedCode)

"PicturesNumber"=dword:00000000

.

[HKEY_USERS\S-1-5-21-2111716058-3512669174-89095203-1000\Software\G*e*n*i*e*"!\FM Genie Scout 12]

@Allowed: (Read) (RestrictedCode)

"GameDir"="c:\\FM Genie Scout 12\\games"

"ShortlistDir"="c:\\FM Genie Scout 12\\shortlists"

"FMPath"="c:\\Program Files\\SEGA\\Football Manager 2012\\"

"ScreenshotsDir"="c:\\FM Genie Scout 12"

"SaveDir"="c:\\FM Genie Scout 12\\"

"HistoryDir"="c:\\FM Genie Scout 12\\History Points"

"LangDB"="c:\\Program Files\\SEGA\\Football Manager 2012\\data\\db\\1200\\lang_db.dat"

"LastSaveGame"=""

"Language"="English"

"LoadLangDB"=dword:00000001

"CompressHistoryPoints"=dword:00000000

"HighlightedAttributes"=dword:00000000

"MinCondition"=dword:00000050

"GraphStep"=dword:00000000

"SkinName"="Steklo Black"

"LastUpdateCheck"=dword:00009fb3

"VersionOf"=dword:00000000

"HighQualityGUI"=dword:00000001

"AutomaticallyUpdateCheck"=dword:00000001

"AdvancedGeneration"=dword:00000000

"TranslateStaffSkills"=dword:00000001

"TranslatePlayerSkills"=dword:00000001

"TranslatePositions"=dword:00000001

"ShowHistory"=dword:00000001

"ShowGuidNotification"=dword:00000000

"ShowDonateNotification"=dword:00000000

"Version"=dword:000000c8

"UniqueID"="35-8980-E21F"

"UseProxy"=dword:00000000

"ProxyHost"=""

"ProxyPort"=""

"UseAuthentication"=dword:00000000

"UserName"=""

"UserPassword"=""

"PlayerSearchFeatureNum"=dword:00000001

"StaffSearchFeatureNum"=dword:00000000

"ClubSearchFeatureNum"=dword:00000000

"FilterByClubFeatureNum"=dword:00000000

"CompareFeatureNum"=dword:00000000

"ShortlistFeatureNum"=dword:00000001

"ExportFeatureNum"=dword:00000000

"HistoryFeatureNum"=dword:00000000

"LanguageDBFeatureNum"=dword:00000001

"HintsFeatureNum"=dword:00000001

"GenieReportFeatureNum"=dword:00000000

"TopFormationFeatureNum"=dword:00000000

"ScreenshotFeatureNum"=dword:00000000

"AdClicksNum"=dword:00000001

"AdImpressionsNum"=dword:00000009

"GameLoadedCounter"=dword:00000005

"Currency"=dword:00000056

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

Completion time: 2012-01-22 21:56:15

ComboFix-quarantined-files.txt 2012-01-22 21:55

ComboFix2.txt 2012-01-18 16:03

.

Pre-Run: 18,885,083,136 bytes free

Post-Run: 18,879,311,872 bytes free

.

- - End Of File - - 81ABFE4825271831DD11332B2CF33178


Enable hidden files:

http://www.bleepingc...-windows-vista/

Please find and upload each of these files to VirusTotal or Jotti for a free scan, and let me know the results (copy back the URL):

http://www.virustotal.com/

http://virusscan.jotti.org/en

c:\windows\system32\MsiExecmgr.exe

c:\windows\Explorermgr.exe

c:\windows\system32\rundll32mgr.exe

c:\program files\Internet Explorer\iexploremgr.exe

c:\users\Josh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewmyjigc.exe

MrC


1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

4. If ComboFix wants to update.....please allow it to.

File::

c:\windows\system32\MsiExecmgr.exe

c:\windows\Explorermgr.exe

c:\windows\system32\rundll32mgr.exe

c:\program files\Internet Explorer\iexploremgr.exe

c:\users\Josh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewmyjigc.exe

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC


ComboFix 12-01-23.02 - Josh 23/01/2012 15:36:23.5.2 - x86

Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.3000.1928 [GMT 0:00]

Running from: c:\users\Josh\Desktop\ComboFix.exe

Command switches used :: c:\users\Josh\Desktop\CFScript.txt

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

FILE ::

"c:\program files\Internet Explorer\iexploremgr.exe"

"c:\users\Josh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewmyjigc.exe"

"c:\windows\Explorermgr.exe"

"c:\windows\system32\MsiExecmgr.exe"

"c:\windows\system32\rundll32mgr.exe"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\Internet Explorer\iexploremgr.exe

c:\users\Josh\AppData\Local\fxmqhkob.log

c:\windows\Explorermgr.exe

c:\windows\system32\MsiExecmgr.exe

c:\windows\system32\rundll32mgr.exe

c:\windows\system32\spsys.log

.

Infected copy of c:\windows\system32\userinit.exe was found and disinfected

Restored copy from - c:\windows\ERDNT\cache\userinit.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-12-23 to 2012-01-23 )))))))))))))))))))))))))))))))

.

.

2012-01-23 15:45 . 2012-01-23 15:45 -------- d-----w- c:\users\Public\AppData\Local\temp

2012-01-23 15:45 . 2012-01-23 15:45 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-01-22 23:13 . 2011-07-06 14:56 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys

2012-01-22 21:56 . 2012-01-23 15:46 -------- d-----w- c:\program files\vqumuwxn

2012-01-22 19:29 . 2012-01-22 19:29 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-01-22 20:32 . 2010-11-08 20:24 472808 ----a-w- c:\windows\system32\deployJava1.dll

2012-01-15 15:10 . 2011-06-23 18:57 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-12-21 07:42 . 2012-01-15 14:43 121816 ------w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]

2009-04-02 11:47 333192 ------w- c:\program files\AskBarDis\bar\bin\askBar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

.

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]

@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"

[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]

2008-05-15 00:05 121392 ------w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ProductReg"="c:\program files\Acer\WR_PopUp\ProductReg.exe" [2008-11-17 336264]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-28 68856]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1049896]

"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-26 228869]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"RtHDVCpl"="RtHDVCpl.exe" [2008-06-13 6183456]

"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-09-10 809480]

"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-05-15 526896]

"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-06-11 409600]

"ArcadeDeluxeAgent"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2008-10-09 348566]

"CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2008-10-09 369099]

"PlayMovie"="c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2008-10-17 368978]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-09-02 30192]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 136216]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 171032]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 170520]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 623050]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]

"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-07-01 623960]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]

"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]

"AutorunRemover.exe"="c:\program files\AutorunRemover\AutorunRemover.exe" [2011-04-22 1806848]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

.

c:\users\Josh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

ewmyjigc.exe [2012-1-23 197052]

MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2010-11-27 776054]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 524624]

McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\system32\userinit.exe,c:\program files\vqumuwxn\ewmyjigc.exe,"

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

.

Contents of the 'Scheduled Tasks' folder

.

2012-01-23 c:\windows\Tasks\AutoKMS.job

- c:\windows\AutoKMS\AutoKMS.exe [2011-12-07 19:12]

.

2012-01-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 20:58]

.

2012-01-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 20:58]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=2&o=vb32&d=0309&m=aspire_5735

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MI1933~1\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 192.168.0.1

DPF: {96816368-C1E3-414D-A193-63C3CC921990} - hxxp://interpub-newquay.remotemanager.co.uk/common/activex/MJPEGRender.ocx

FF - ProfilePath - c:\users\Josh\AppData\Roaming\Mozilla\Firefox\Profiles\k8hiyhsb.default\

.

.

**************************************************************************

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files:

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-2111716058-3512669174-89095203-1000\Software\G*e*n*i*e*"!\FM Genie Scout 10]

"GameDir"="c:\\Users\\Josh\\Documents\\Sports Interactive\\Football Manager 2010\\games"

"ShortlistDir"="c:\\Users\\Josh\\Documents\\Sports Interactive\\Football Manager 2010\\shortlists"

"ScreenshotsDir"="c:\\Users\\Josh\\Documents\\Sports Interactive\\Football Manager 2010"

"SaveDir"="c:\\Users\\Josh\\Documents\\Sports Interactive\\Football Manager 2010\\"

"HistoryDir"="c:\\Users\\Josh\\Desktop\\FM Genie Scout 10\\History Points"

"LangDB"="c:\\Program Files\\Sports Interactive\\Football Manager 2010\\data\\updates\\update-1030\\db\\1030\\lang_db.dat"

"LastSaveGame"=""

"Language"="English"

"LoadLangDB"=dword:00000001

"CompressHistoryPoints"=dword:00000000

"HighlightedAttributes"=dword:00000000

"MinCondition"=dword:00000050

"GraphStep"=dword:00000000

"SkinName"="Steklo Black"

"LastUpdateCheck"=dword:00009e03

"HighQualityGUI"=dword:00000001

"AutomaticallyUpdateCheck"=dword:00000001

"AdvancedGeneration"=dword:00000000

"TranslateStaffSkills"=dword:00000001

"TranslatePlayerSkills"=dword:00000001

"TranslatePositions"=dword:00000001

"ShowHistory"=dword:00000001

"Version"=dword:00000074

"UniqueID"="35-8980-E21F"

"Currency"=dword:00000056

"UseProxy"=dword:00000000

"ProxyHost"=""

"ProxyPort"=""

"UseAuthentication"=dword:00000000

"UserName"=""

"UserPassword"=""

.

[HKEY_USERS\S-1-5-21-2111716058-3512669174-89095203-1000\Software\G*e*n*i*e*"!\FM Genie Scout 11]

@Allowed: (Read) (RestrictedCode)

"GameDir"="c:\\Users\\Josh\\Documents\\Sports Interactive\\Football Manager 2011\\games"

"ShortlistDir"="c:\\Users\\Josh\\Documents\\Sports Interactive\\Football Manager 2011\\shortlists"

"FMPath"="c:\\Program Files\\Sports Interactive\\Football Manager 2011"

"ScreenshotsDir"="c:\\Users\\Josh\\Documents\\Sports Interactive\\Football Manager 2011"

"SaveDir"="c:\\Users\\Josh\\Documents\\Sports Interactive\\Football Manager 2011\\"

"HistoryDir"="c:\\FM Genie Scout 11\\History Points"

"LangDB"="c:\\FM Genie Scout 11\\lang_db.dat"

"LastSaveGame"=""

"Language"="English"

"LoadLangDB"=dword:00000001

"CompressHistoryPoints"=dword:00000000

"HighlightedAttributes"=dword:00000000

"MinCondition"=dword:00000050

"GraphStep"=dword:00000000

"SkinName"="PSV Eindhoven"

"LastUpdateCheck"=dword:00009f6e

"HighQualityGUI"=dword:00000001

"AutomaticallyUpdateCheck"=dword:00000001

"AdvancedGeneration"=dword:00000000

"TranslateStaffSkills"=dword:00000001

"TranslatePlayerSkills"=dword:00000001

"TranslatePositions"=dword:00000001

"ShowHistory"=dword:00000001

"Version"=dword:00000081

"UniqueID"="35-8980-E21F"

"UseProxy"=dword:00000000

"ProxyHost"=""

"ProxyPort"=""

"UseAuthentication"=dword:00000000

"UserName"=""

"UserPassword"=""

"Currency"=dword:00000056

"PlayerSearchFeatureNum"=dword:0000004c

"StaffSearchFeatureNum"=dword:0000000d

"ClubSearchFeatureNum"=dword:00000000

"FilterByClubFeatureNum"=dword:00000000

"CompareFeatureNum"=dword:00000000

"ShortlistFeatureNum"=dword:00000000

"ExportFeatureNum"=dword:00000000

"HistoryFeatureNum"=dword:00000000

"LanguageDBFeatureNum"=dword:0000004e

"HintsFeatureNum"=dword:00000004

"GenieReportFeatureNum"=dword:00000002

"TopFormationFeatureNum"=dword:00000000

"ScreenshotFeatureNum"=dword:00000000

"VersionOf"=dword:0000007b

.

[HKEY_USERS\S-1-5-21-2111716058-3512669174-89095203-1000\Software\G*e*n*i*e*"!\FM Genie Scout 11g]

@Allowed: (Read) (RestrictedCode)

"PicturesNumber"=dword:00000000

.

[HKEY_USERS\S-1-5-21-2111716058-3512669174-89095203-1000\Software\G*e*n*i*e*"!\FM Genie Scout 12]

@Allowed: (Read) (RestrictedCode)

"GameDir"="c:\\FM Genie Scout 12\\games"

"ShortlistDir"="c:\\FM Genie Scout 12\\shortlists"

"FMPath"="c:\\Program Files\\SEGA\\Football Manager 2012\\"

"ScreenshotsDir"="c:\\FM Genie Scout 12"

"SaveDir"="c:\\FM Genie Scout 12\\"

"HistoryDir"="c:\\FM Genie Scout 12\\History Points"

"LangDB"="c:\\Program Files\\SEGA\\Football Manager 2012\\data\\db\\1200\\lang_db.dat"

"LastSaveGame"=""

"Language"="English"

"LoadLangDB"=dword:00000001

"CompressHistoryPoints"=dword:00000000

"HighlightedAttributes"=dword:00000000

"MinCondition"=dword:00000050

"GraphStep"=dword:00000000

"SkinName"="Steklo Black"

"LastUpdateCheck"=dword:00009fb3

"VersionOf"=dword:00000000

"HighQualityGUI"=dword:00000001

"AutomaticallyUpdateCheck"=dword:00000001

"AdvancedGeneration"=dword:00000000

"TranslateStaffSkills"=dword:00000001

"TranslatePlayerSkills"=dword:00000001

"TranslatePositions"=dword:00000001

"ShowHistory"=dword:00000001

"ShowGuidNotification"=dword:00000000

"ShowDonateNotification"=dword:00000000

"Version"=dword:000000c8

"UniqueID"="35-8980-E21F"

"UseProxy"=dword:00000000

"ProxyHost"=""

"ProxyPort"=""

"UseAuthentication"=dword:00000000

"UserName"=""

"UserPassword"=""

"PlayerSearchFeatureNum"=dword:00000001

"StaffSearchFeatureNum"=dword:00000000

"ClubSearchFeatureNum"=dword:00000000

"FilterByClubFeatureNum"=dword:00000000

"CompareFeatureNum"=dword:00000000

"ShortlistFeatureNum"=dword:00000001

"ExportFeatureNum"=dword:00000000

"HistoryFeatureNum"=dword:00000000

"LanguageDBFeatureNum"=dword:00000001

"HintsFeatureNum"=dword:00000001

"GenieReportFeatureNum"=dword:00000000

"TopFormationFeatureNum"=dword:00000000

"ScreenshotFeatureNum"=dword:00000000

"AdClicksNum"=dword:00000001

"AdImpressionsNum"=dword:00000009

"GameLoadedCounter"=dword:00000005

"Currency"=dword:00000056

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(5200)

c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll

c:\windows\System32\SysHook.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\windows\system32\agrsmsvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Microsoft\BingBar\BBSvc.EXE

c:\program files\Microsoft\BingBar\SeaPort.EXE

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe

c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe

c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe

c:\program files\Acer\Empowering Technology\Service\ETService.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\acer\Mobility Center\MobilityService.exe

c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe

c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe

c:\program files\Cyberlink\Shared files\RichVideo.exe

c:\program files\Spybot - Search & Destroy\SDWinSec.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

c:\windows\system32\wbem\unsecapp.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\RtHDVCpl.exe

c:\program files\Launch Manager\LManager.exe

c:\program files\Windows Media Player\wmpnscfg.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\windows\system32\wbem\unsecapp.exe

c:\users\Josh\AppData\Local\Temp\RtkBtMnt.exe

c:\program files\Synaptics\SynTP\SynTPHelper.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\Internet Explorer\iexplore.exe

c:\program files\Internet Explorer\iexplore.exe

c:\windows\system32\igfxext.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2012-01-23 15:54:11 - machine was rebooted

ComboFix-quarantined-files.txt 2012-01-23 15:54

ComboFix2.txt 2012-01-22 21:56

ComboFix3.txt 2012-01-18 16:03

.

Pre-Run: 18,126,987,264 bytes free

Post-Run: 18,008,629,248 bytes free

.

- - End Of File - - 7E3EAEF64C19B0F228CC3DA878843C41

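Added example, not part of the thread and not ComboFix code: a small Python triage script that applies, over a constructed excerpt of the log above, the three checks the helper made by eye in this thread: entries appended to the Winlogon "Userinit" value, a bare executable (rather than a .lnk shortcut) in a Startup folder, and newly created executables with Windows-lookalike names that all share one file size. The MIMICKED name list and the cluster threshold are assumptions.

```python
"""Triage heuristics for a ComboFix-style log (added example, not ComboFix's own code).

Three signs of the persistence seen in this thread are checked:
  * extra entries appended to the Winlogon "Userinit" value,
  * bare .exe files (not .lnk shortcuts) listed under a Startup folder,
  * newly created executables whose names imitate Windows binaries and
    that share one identical size (a dropper writing copies of itself).
"""
import re
from collections import defaultdict

# Excerpt constructed from the log posted above (paths and sizes as posted).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-12-22 to 2012-01-22 )))))))))))))))))))))))))))))))
2012-01-22 19:41 . 2012-01-22 19:41 197052 ----a-w- c:\windows\system32\MsiExecmgr.exe
2012-01-22 19:29 . 2012-01-22 19:29 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-01-20 08:36 . 2012-01-22 19:40 197052 ----a-w- c:\windows\Explorermgr.exe
2012-01-19 15:14 . 2012-01-22 21:53 197052 ----a-w- c:\windows\system32\rundll32mgr.exe
2012-01-19 15:05 . 2012-01-22 21:13 197052 ----a-w- c:\program files\Internet Explorer\iexploremgr.exe
c:\users\Josh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ewmyjigc.exe [2012-1-18 197052]
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2010-11-27 776054]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,c:\program files\vqumuwxn\ewmyjigc.exe,"
"""

# The only value Userinit should carry on a clean 32-bit Vista install.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Assumption: Windows binary names the dropper in this thread imitated
# (MsiExecmgr.exe, Explorermgr.exe, ...) plus a few common targets.
MIMICKED = ("explorer", "rundll32", "msiexec", "iexplore", "svchost", "winlogon", "userinit")

# "Files Created" line: created . modified size attrs path
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} (\d+) \S+ (.+\.exe)$", re.I)
# Startup-folder entry that is a bare executable: "name.exe [date size]"
STARTUP_RE = re.compile(r"^(\S+\.exe) \[[\d-]+ (\d+)\]$", re.I)
USERINIT_RE = re.compile(r'^"Userinit"="(.*)"$', re.I)


def check_userinit(value):
    """Return every comma-separated Userinit entry other than the genuine userinit.exe."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != EXPECTED_USERINIT]


def mimic_name(path):
    """True when the file name starts with a Windows binary name but is not that binary."""
    name = path.rsplit("\\", 1)[-1].lower()
    return any(name.startswith(m) and name != m + ".exe" for m in MIMICKED)


def triage(log_text):
    """Scan the log text and return (finding_kind, detail) tuples in log order."""
    findings = []
    sizes = defaultdict(list)  # file size -> paths, to spot same-size clusters
    for line in log_text.splitlines():
        line = line.strip()
        m = USERINIT_RE.match(line)
        if m:
            for extra in check_userinit(m.group(1)):
                findings.append(("userinit_hijack", extra))
            continue
        m = STARTUP_RE.match(line)
        if m:
            findings.append(("startup_bare_exe", m.group(1)))
            sizes[int(m.group(2))].append(m.group(1))
            continue
        m = CREATED_RE.match(line)
        if m:
            size, path = int(m.group(1)), m.group(2)
            sizes[size].append(path)
            if mimic_name(path):
                findings.append(("mimic_name", path))
    # Assumption: three or more executables of exactly one size is worth a look.
    for size, paths in sizes.items():
        if len(paths) >= 3:
            findings.append(("same_size_cluster", f"{size}:{len(paths)}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:20} {detail}")
```

The name check is a coarse heuristic and will also flag legitimate files with such prefixes, so treat its output as a list to verify (for example by hash lookup), not as a verdict.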
