skylir

When clicking on results from google search I get redirected to other sites, eg. (wisdomtips.com, shoppingsteps.com, savecompare.com) or to error page.

I am lokking for help to get rid of this proplem.

I have Stopzilla. It does a scan and find a virus called Hijacker, then I go through the removal prosess but when compter restarts it comes back.

I don't have access to a Windows Install disc, or a Boot CD


Attach.zip is attached.

Here is the DDS.txt


DDS (Ver_09-10-26.01) - FAT32x86
Run by Neil at 11:41:33.85 on 03/11/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.109 [GMT 0:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Acer\Empowering Technology\eLock\LockServ.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
SVCHOST.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\WINDOWS\BUtilityBar\BisonBar.exe
C:\Acer\Empowering Technology\eLock\Monitor\LockMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Neil\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\DOCUME~1\Neil\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live Toolbar\msn_sl.exe
C:\Documents and Settings\Neil\Local Settings\Temporary Internet Files\Content.IE5\9XMK42RW\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUxdm080YYGB&fl=0&ptb=hfzOkEhJzDfX_u60wOYhYQ&url=http://www.uk.ask.com/web&q={searchTerms}&l=zu&o=sb
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.2.2.28.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\SZSG.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\neil\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
mRun: [preload] c:\windows\RUNXMLPL.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ntiMUI] c:\program files\newtech infosystems\nti cd & dvd-maker 7\ntiMUI.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [ePower_DMC] c:\acer\empowering technology\epower\ePower_DMC.exe
mRun: [Acer ePresentation HPD] c:\acer\empowering technology\epresentation\ePresentation.exe
mRun: [eLockMonitor] c:\acer\empowering technology\elock\monitor\LaunchMonitor.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe 0
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [BisonBar] c:\windows\butilitybar\BisonBar.exe
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\neil\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acerem~1.lnk - c:\acer\empowering technology\Acer.Empowering.Framework.Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: &Search - http://edits.mywebsearch.com/toolbar...p=ZUxdm080YYGB
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.2.2.28.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader2.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\neil\applic~1\mozilla\firefox\profiles\pl4t5jss.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.atcomet.com/b/
FF - component: c:\documents and settings\neil\application data\mozilla\firefox\profiles\pl4t5jss.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 PREVXTdi;PREVX TDI filter;c:\windows\system32\drivers\pxtdi.sys [2007-5-17 27784]
R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;c:\windows\system32\eLock2BurnerLockDriver.sys [2007-4-18 17664]
R2 eLock2FSCTLDriver;eLock2FSCTLDriver;c:\windows\system32\eLock2FSCTLDriver.sys [2007-4-18 90112]
R2 LockServ;LockServ;c:\acer\empowering technology\elock\lockserv.exe -p --> c:\acer\empowering technology\elock\LockServ.exe -p [?]
R2 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [2009-5-12 61328]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2007-5-6 106808]
S1 jllevziw;jllevziw;\??\c:\windows\system32\drivers\jllevziw.sys --> c:\windows\system32\drivers\jllevziw.sys [?]
S2 SDManager;SDManager;\??\c:\program files\spywaredetector\sdmanager.sys --> c:\program files\spywaredetector\SDManager.sys [?]
S3 PREVXEmulator;PREVX Emulator driver;c:\windows\system32\drivers\PxEmu.sys [2007-5-17 107784]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [2009-4-17 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [2009-4-17 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [2009-4-17 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [2009-4-17 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [2009-4-17 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [2009-4-17 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [2009-4-17 110120]

=============== Created Last 30 ================

2009-11-03 05:37:34 7232 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-10-30 16:26:32 0 d-----w- c:\program files\Trend Micro
2009-10-15 23:41:03 0 d-sh--w- c:\documents and settings\neil\PrivacIE
2009-10-15 23:37:01 0 d-sh--w- c:\documents and settings\neil\IETldCache
2009-10-15 23:33:42 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-10-15 23:33:41 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-15 23:33:33 0 d-----w- c:\windows\ie8updates
2009-10-15 23:33:20 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-10-15 23:32:12 0 d--h--w- c:\windows\ie8
2009-10-15 23:31:27 282 ----a-w- c:\windows\system32\drivers\uanxvcmo.dat
2009-10-14 22:29:55 118 ----a-w- c:\windows\system32\MRT.INI
2009-10-08 20:47:40 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2009-10-08 20:47:14 0 d-----w- c:\program files\STOPzilla!
2009-10-08 20:47:14 0 d-----w- c:\program files\common files\iS3
2009-10-08 20:47:13 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-10-08 20:14:18 19714 ----a-w- c:\windows\yxaledu.sys
2009-10-08 20:14:18 17412 ----a-w- c:\docume~1\alluse~1\applic~1\erobydupe.bin
2009-10-08 20:14:18 17191 ----a-w- c:\windows\jefemedodu.db
2009-10-08 20:14:18 16888 ----a-w- c:\windows\system32\xupumygy.lib
2009-10-08 20:14:18 15219 ----a-w- c:\windows\system32\gysobor._dl
2009-10-08 20:14:18 11102 ----a-w- c:\program files\common files\ewiqywo.reg
2009-10-08 20:14:18 10140 ----a-w- c:\windows\icinaw.vbs
2009-10-08 20:11:30 831 ----a-w- c:\windows\system32\critical_warning.html
2009-10-08 20:05:22 9216 ----a-w- C:\wridiint.exe
2009-10-08 20:05:20 24576 ----a-w- C:\hgxs.exe
2009-10-08 20:05:08 39936 ----a-w- C:\mkjjnwwp.exe

==================== Find3M ====================

2009-10-08 20:14:20 18296 ----a-w- c:\program files\common files\jyku.lib
2009-10-08 20:14:20 15879 ----a-w- c:\program files\common files\qasowuzihy.lib
2009-09-11 15:18:40 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 15:18:40 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 22:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 22:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-29 09:08:22 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 09:08:22 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2009-08-29 09:08:22 1208832 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-08-29 09:08:20 5940224 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-08-29 09:08:20 206848 ------w- c:\windows\system32\dllcache\occache.dll
2009-08-29 09:08:18 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-08-29 09:08:18 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-29 09:08:18 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2009-08-29 09:08:18 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-08-29 09:08:18 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2009-08-29 09:08:16 11069440 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-08-29 09:08:14 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2009-08-29 08:36:24 133120 ------w- c:\windows\system32\dllcache\extmgr.dll
2009-08-28 11:35:52 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 11:29:00 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-26 09:00:22 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 09:00:22 247326 ----a-w- c:\windows\system32\dllcache\strmdll.dll
2009-08-06 19:24:18 327896 ----a-w- c:\windows\system32\dllcache\wucltui.dll
2009-08-06 19:24:18 209632 ----a-w- c:\windows\system32\dllcache\wuweb.dll
2009-08-06 19:24:10 35552 ----a-w- c:\windows\system32\dllcache\wups.dll
2009-08-06 19:24:06 53472 ----a-w- c:\windows\system32\dllcache\wuauclt.exe
2009-08-06 19:24:04 96480 ----a-w- c:\windows\system32\dllcache\cdm.dll
2009-08-06 19:23:54 575704 ----a-w- c:\windows\system32\dllcache\wuapi.dll
2009-08-06 19:23:46 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 19:23:46 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 19:23:46 1929952 ----a-w- c:\windows\system32\dllcache\wuaueng.dll
2009-01-20 13:36:54 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009012020090121\index.dat

============= FINISH: 11:43:38.64 ===============

Attached Files

Attach.zip (4.5 KB, 0 views)

forhockey

Hi skylir,


Sorry for the delay in looking into your log, as we are extremely busy in this section of the forums. If you still require assistance and are not seeking help elsewhere, then please carry out my instructions.

Please subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Add Subscription.

** Note: Please stick with me until I declare that your system is free from malware. Even though your system may not have any symptoms of malware, it may still be infected. **

--------------------------------------------------------------

Please re-run DDS and post the resulting logs

Thanks

skylir

DDS (Ver_09-10-26.01) - FAT32x86
Run by Neil at 13:50:54.62 on 09/11/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.179 [GMT 0:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Acer\Empowering Technology\eLock\LockServ.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
SVCHOST.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\WINDOWS\BUtilityBar\BisonBar.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Acer\Empowering Technology\eLock\Monitor\LockMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Neil\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\DOCUME~1\Neil\LOCALS~1\Temp\RtkBtMnt.exe
C:\Documents and Settings\Neil\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Neil\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Neil\My Documents\Downloads\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUxdm080YYGB&fl=0&ptb=hfzOkEhJzDfX_u60wOYhYQ&url=http://www.uk.ask.com/web&q={searchTerms}&l=zu&o=sb
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.2.2.28.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\neil\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
mRun: [preload] c:\windows\RUNXMLPL.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ntiMUI] c:\program files\newtech infosystems\nti cd & dvd-maker 7\ntiMUI.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [ePower_DMC] c:\acer\empowering technology\epower\ePower_DMC.exe
mRun: [Acer ePresentation HPD] c:\acer\empowering technology\epresentation\ePresentation.exe
mRun: [eLockMonitor] c:\acer\empowering technology\elock\monitor\LaunchMonitor.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe 0
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [BisonBar] c:\windows\butilitybar\BisonBar.exe
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\neil\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acerem~1.lnk - c:\acer\empowering technology\Acer.Empowering.Framework.Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: &Search - http://edits.mywebsearch.com/toolbar...p=ZUxdm080YYGB
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.2.2.28.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader2.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\neil\applic~1\mozilla\firefox\profiles\pl4t5jss.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.atcomet.com/b/
FF - component: c:\documents and settings\neil\application data\mozilla\firefox\profiles\pl4t5jss.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 PREVXTdi;PREVX TDI filter;c:\windows\system32\drivers\pxtdi.sys [2007-5-17 27784]
R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;c:\windows\system32\eLock2BurnerLockDriver.sys [2007-4-18 17664]
R2 eLock2FSCTLDriver;eLock2FSCTLDriver;c:\windows\system32\eLock2FSCTLDriver.sys [2007-4-18 90112]
R2 LockServ;LockServ;c:\acer\empowering technology\elock\lockserv.exe -p --> c:\acer\empowering technology\elock\LockServ.exe -p [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2007-5-6 106808]
S1 jllevziw;jllevziw;\??\c:\windows\system32\drivers\jllevziw.sys --> c:\windows\system32\drivers\jllevziw.sys [?]
S2 SDManager;SDManager;\??\c:\program files\spywaredetector\sdmanager.sys --> c:\program files\spywaredetector\SDManager.sys [?]
S3 PREVXEmulator;PREVX Emulator driver;c:\windows\system32\drivers\PxEmu.sys [2007-5-17 107784]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [2009-4-17 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [2009-4-17 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [2009-4-17 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [2009-4-17 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [2009-4-17 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [2009-4-17 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [2009-4-17 110120]

=============== Created Last 30 ================

2009-11-09 13:40:58 0 d--h--w- c:\windows\PIF
2009-11-05 03:21:04 6672 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-10-30 16:26:32 0 d-----w- c:\program files\Trend Micro
2009-10-15 23:41:03 0 d-sh--w- c:\documents and settings\neil\PrivacIE
2009-10-15 23:37:01 0 d-sh--w- c:\documents and settings\neil\IETldCache
2009-10-15 23:33:42 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-10-15 23:33:41 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-15 23:33:33 0 d-----w- c:\windows\ie8updates
2009-10-15 23:33:20 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-10-15 23:32:12 0 d--h--w- c:\windows\ie8
2009-10-15 23:31:27 282 ----a-w- c:\windows\system32\drivers\uanxvcmo.dat
2009-10-14 22:29:55 118 ----a-w- c:\windows\system32\MRT.INI

==================== Find3M ====================

2009-10-22 09:19:04 5939712 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-08 20:14:20 19714 ----a-w- c:\windows\yxaledu.sys
2009-10-08 20:14:20 18296 ----a-w- c:\program files\common files\jyku.lib
2009-10-08 20:14:20 17412 ----a-w- c:\docume~1\alluse~1\applic~1\erobydupe.bin
2009-10-08 20:14:20 15879 ----a-w- c:\program files\common files\qasowuzihy.lib
2009-10-08 20:14:20 11102 ----a-w- c:\program files\common files\ewiqywo.reg
2009-10-08 20:14:20 10140 ----a-w- c:\windows\icinaw.vbs
2009-10-08 20:05:24 9216 ----a-w- C:\wridiint.exe
2009-10-08 20:05:22 24576 ----a-w- C:\hgxs.exe
2009-10-08 20:05:10 39936 ----a-w- C:\mkjjnwwp.exe
2009-09-11 15:18:40 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 15:18:40 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 22:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 22:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-29 09:08:22 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 09:08:22 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2009-08-29 09:08:22 1208832 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-08-29 09:08:20 206848 ------w- c:\windows\system32\dllcache\occache.dll
2009-08-29 09:08:18 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-08-29 09:08:18 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-29 09:08:18 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2009-08-29 09:08:18 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-08-29 09:08:18 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2009-08-29 09:08:16 11069440 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-08-29 09:08:14 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2009-08-29 08:36:24 133120 ------w- c:\windows\system32\dllcache\extmgr.dll
2009-08-28 11:35:52 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 11:29:00 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-26 09:00:22 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 09:00:22 247326 ----a-w- c:\windows\system32\dllcache\strmdll.dll
2009-01-20 13:36:54 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009012020090121\index.dat

============= FINISH: 13:52:51.17 ===============

skylir

I have been using google chrome to explore the internet, which dose not redirect. but the normal internet explorer still dose.

Attached Files

Attach.zip (2.7 KB, 2 views)

forhockey

Hi skylir,

Before beginning the proposed fix, read this post completely. Any questions should be kindly asked before proceeding. Ensure that there are no open browsers when carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

--------------------------------------------------------------

P2P Software

I see you have P2P software ( BitComet 1.01) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

--------------------------------------------------------------

1. Download Combofix from any of the links below. You must rename it before saving it.
   
   * IMPORTANT !!! Place combo-fix.exe on your Desktop
   
   Link 1
   Link 2
   
   
   
   
   
   
   --------------------------------------------------------------
   
2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
   
   
   You can get help on disabling your protection programs here
   
3. Double click on combo-fix.exe & follow the prompts.
   
4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
   
   
5. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
   
   **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
   
   
   
   
   
   Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
   
   
   
   
   
   Click on Yes, to continue scanning for malware.
   
6. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
   
7. When finished, it shall produce a log for you (Located in C:\ComboFix.txt). Post that log in your next reply
   
   Note:
   Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
   
   --------------------------------------------------------------
   
8. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

skylir

Hi, thank you so much for your help. Just a couple of questions.

Do I need to remove bitcomet to do before I do combifix or can I do it afterwards?

I also don't have any spyware protection now. I cancelled Stopzilla because it didn't get rid of these viruses. Do recommend that I should have spyware protection? I heard that the best spyware should be free, because it has been made by people that actually want to help, not by company's making money telling you, you have fifty million viruses "so buy our product now" but probably you don't have any.

When press on one of the links to download Combifix, once that link is open I should then close all other windows?

Thanks Skylir

forhockey

Hi skylir,

I'm recommending that you remove bitcomet as most viruses come across these file sharing program. You can remove it before or after combofix. The choice is yours.

Well you definitely need anti-virus protection, which I was going to address right after you ran ComboFix. If you don't want to spend any money on anti-virus protection I can recommend a couple of free ones for you to choose from. Once I declare your system clean then I'll recommend some anti-spyware programs and some safe practices for keeping your system clean.

Yes, once you click on the download link and save the file per my instructions you can close all the windows. If you want, you can print these instructions which will make it easier to follow along.

forhockey

Once you've completed my previous instructions and have posted the log for Combofix, then you can continue with the following..

No AntiVirus Onboard

I see no evidence of an AntiVirus program on your system. This must be resolved. Here are three very good free Antivirus products which are available:

• Avast!
• AVG
• Avira AntiVir Personal

Select one of these, or another of your choice. Download, install, update definitions, and run a full system scan.

Note: You must only use 1 (one) AV at a time because if you have 2 or more AVs running at the same time, they will conflict with each other and make your security less reliable.

skylir

ComboFix Log

ComboFix 09-11-14.03 - Neil 14/11/2009 13:59..1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.186 [GMT 0:00]
Running from: c:\documents and settings\Neil\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Documents\muqikopyxe.reg
c:\documents and settings\Neil\Application Data\iniasd.txt
c:\documents and settings\Neil\Application Data\inst.exe
c:\documents and settings\Neil\Local Settings\Application Data\xunoto.vbs
c:\documents and settings\Neil\Local Settings\Temporary Internet Files\cily.db
c:\documents and settings\Neil\Local Settings\Temporary Internet Files\dumeroxuw.sys
c:\documents and settings\Neil\Local Settings\Temporary Internet Files\qacev.db
c:\documents and settings\Neil\Local Settings\Temporary Internet Files\upigyjaj._sy
c:\documents and settings\Neil\Local Settings\Temporary Internet Files\vijatikigo.inf
C:\hgxs.exe
c:\program files\Common Files\ewiqywo.reg
c:\windows\icinaw.vbs
c:\windows\kb913800.exe
c:\windows\system32\critical_warning.html
c:\windows\system32\gasfkybqxpoeyx.dll
c:\windows\system32\gasfkycoodyuyt.dat
c:\windows\system32\gasfkydieviyus.dll
c:\windows\system32\gasfkylasrpdmr.dll
c:\windows\system32\gasfkypwakdmrf.dll
c:\windows\system32\gasfkyriqhtpru.dat
c:\windows\system32\gasfkytlmvfnmi.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\my sex world.ico
c:\windows\system32\u2g.f
c:\windows\system32\winiconmon.ico
c:\windows\system32\winiconmon.ico.bak0
C:\wridiint.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_gasfkydlhatyde
-------\Service_gasfkydlhatyde


((((((((((((((((((((((((( Files Created from 2009-10-14 to 2009-11-14 )))))))))))))))))))))))))))))))
.

2009-11-14 14:08 . 2008-04-14 01:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-14 14:08 . 2008-04-14 01:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-13 16:01 . 2009-11-13 16:01 -------- d-----w- C:\Combo-Fix
2009-11-11 22:46 . 2009-11-11 22:46 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-11-11 22:46 . 2009-11-11 22:46 -------- d-----w- c:\program files\DivX
2009-11-11 22:29 . 2009-11-11 22:29 -------- d-----w- C:\FOUND.000
2009-11-11 20:11 . 2009-11-11 20:11 282 ----a-w- c:\windows\system32\drivers\ohxilzkh.dat
2009-11-11 20:11 . 2009-11-11 20:11 -------- d-----w- c:\windows\system32\MpEngineStore
2009-11-09 13:40 . 2009-11-09 13:41 -------- d--h--w- c:\windows\PIF
2009-11-06 21:40 . 2009-11-06 21:40 1924440 ----a-w- c:\documents and settings\Neil\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-10-30 16:26 . 2009-10-30 16:26 -------- d-----w- c:\program files\Trend Micro
2009-10-23 15:39 . 2009-10-23 15:39 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-16 10:16 . 2009-10-16 10:16 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-15 23:41 . 2009-10-15 23:41 -------- d-sh--w- c:\documents and settings\Neil\PrivacIE
2009-10-15 23:40 . 2009-10-15 23:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-10-15 23:37 . 2009-10-15 23:37 -------- d-sh--w- c:\documents and settings\Neil\IETldCache
2009-10-15 23:33 . 2009-08-29 09:08 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-10-15 23:33 . 2009-08-29 09:08 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-15 23:33 . 2009-10-15 23:33 -------- d-----w- c:\windows\ie8updates
2009-10-15 23:33 . 2009-08-07 09:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-10-15 23:32 . 2009-10-15 23:32 -------- d--h--w- c:\windows\ie8
2009-10-15 23:31 . 2009-10-15 23:31 282 ----a-w- c:\windows\system32\drivers\uanxvcmo.dat
2009-10-15 22:55 . 2009-10-15 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 10:18 . 2009-11-05 03:21 6672 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-10-31 17:42 . 2009-02-06 16:05 1 ----a-w- c:\documents and settings\Neil\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-10-08 20:47 . 2009-10-08 20:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-10-08 20:47 . 2009-10-08 20:47 -------- d-----w- c:\program files\Common Files\iS3
2009-10-08 20:47 . 2009-10-08 20:47 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-10-08 20:14 . 2009-10-08 20:14 19714 ----a-w- c:\windows\yxaledu.sys
2009-10-08 20:14 . 2009-10-08 20:14 19194 ----a-w- c:\documents and settings\Neil\Local Settings\Application Data\vanagawym.dat
2009-10-08 20:14 . 2009-10-08 20:14 18296 ----a-w- c:\program files\Common Files\jyku.lib
2009-10-08 20:14 . 2009-10-08 20:14 17412 ----a-w- c:\documents and settings\All Users\Application Data\erobydupe.bin
2009-10-08 20:14 . 2009-10-08 20:14 15879 ----a-w- c:\program files\Common Files\qasowuzihy.lib
2009-10-08 20:05 . 2009-10-08 20:05 39936 ----a-w- C:\mkjjnwwp.exe
2009-09-11 15:18 . 2004-08-10 04:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 22:03 . 2004-08-10 04:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 09:08 . 2006-01-09 11:02 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 09:00 . 2004-08-10 04:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-11-12 19:42 . 2008-03-23 17:27 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-11-12 19:42 . 2008-03-23 17:27 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-11-12 19:42 . 2008-03-23 17:27 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-11-12 19:42 . 2008-03-23 17:27 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-11-12 19:42 . 2008-03-23 17:27 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-25 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-11-27 1032376]
"Google Update"="c:\documents and settings\Neil\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-15 133104]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2007-02-05 476728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"preload"="c:\windows\RUNXMLPL.exe" [2005-05-19 32768]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-20 86016]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 786521]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 45056]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-08-08 634880]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-07-18 438272]
"Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2006-06-07 208896]
"eLockMonitor"="c:\acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe" [2006-03-31 16384]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 345088]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"BisonBar"="c:\windows\BUtilityBar\BisonBar.exe" [2006-09-08 245760]
"4oD"="c:\program files\Kontiki\KHost.exe" [2007-11-27 1032376]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-17 136600]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-07-21 16261632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Neil\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2007-4-18 45056]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-5-12 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19660:TCP"= 19660:TCP:BitComet 19660 TCP
"19660:UDP"= 19660:UDP:BitComet 19660 UDP

R1 PREVXTdi;PREVX TDI filter;c:\windows\system32\drivers\pxtdi.sys [17/05/2007 22:09 27784]
R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;c:\windows\system32\eLock2BurnerLockDriver.sys [18/04/2007 09:10 17664]
R2 eLock2FSCTLDriver;eLock2FSCTLDriver;c:\windows\system32\eLock2FSCTLDriver.sys [18/04/2007 09:10 90112]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [06/05/2007 00:37 106808]
S1 jllevziw;jllevziw;\??\c:\windows\system32\drivers\jllevziw.sys --> c:\windows\system32\drivers\jllevziw.sys [?]
S2 LockServ;LockServ;c:\acer\Empowering Technology\eLock\LockServ.exe -p --> c:\acer\Empowering Technology\eLock\LockServ.exe -p [?]
S2 SDManager;SDManager;\??\c:\program files\SpywareDetector\SDManager.sys --> c:\program files\SpywareDetector\SDManager.sys [?]
S3 PREVXEmulator;PREVX Emulator driver;c:\windows\system32\drivers\PxEmu.sys [17/05/2007 22:09 107784]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [17/04/2009 23:03 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [17/04/2009 23:03 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [17/04/2009 23:03 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [17/04/2009 23:03 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [17/04/2009 23:03 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [17/04/2009 23:03 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [17/04/2009 23:03 110120]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-595798811-1796927190-1171272016-1006Core1ca5a7898a33b13.job
- c:\documents and settings\Neil\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-15 18:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUxdm080YYGB&fl=0&ptb=hfzOkEhJzDfX_u60wOYhYQ&url=http://www.uk.ask.com/web&q={searchTerms}&l=zu&o=sb
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Search - http://edits.mywebsearch.com/toolbar...p=ZUxdm080YYGB
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
FF - ProfilePath - c:\documents and settings\Neil\Application Data\Mozilla\Firefox\Profiles\pl4t5jss.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.atcomet.com/b/
FF - component: c:\documents and settings\Neil\Application Data\Mozilla\Firefox\Profiles\pl4t5jss.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-14 14:13
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3316)
c:\windows\system32\WININET.dll
c:\windows\system32\MSNCHATHOOK.DLL
c:\windows\system32\sysenv.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\MFC71U.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\RUNDLL32.EXE
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\acer\Empowering Technology\eLock\Monitor\LockMon.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\docume~1\Neil\LOCALS~1\Temp\RtkBtMnt.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Symantec\LiveUpdate\AUpdate.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2009-11-14 14:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-14 14:17

Pre-Run: 21,264,859,136 bytes free
Post-Run: 25,155,043,328 bytes free

- - End Of File - - 0EF30C35CF86F9553312B803044C61A5

Attached Files

ComboFix.txt (16.6 KB, 3 views)

forhockey

Hi skylir,


Open notepad and copy/paste the text in the quotebox below into it:

Save this as CFScript.txt





Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

• Ensure you are connected to the internet and click OK on the message box.
  
  ‏

Follow the prompts, and post the resulting log, C:\ComboFix.txt


--------------------------------------------------------------

Perform an online scan with Panda ActiveScan

• Click on Scan Your PC Now
• A "pop up" window will appear, or a new tab will open.
• Click on Register
• Choose the option you like most, but we recommend the Free Registration.
• Click on Register
• Enter your e-mail address, and create a password.
• Select "I do not want to receive any type of information". (unless you want to receive such information)
• Click on Send
• Confirm registration, and continue by entering your user name and password, then click on Enter
• Select Full Scan, then Click on Scan Now
• Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  
• If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
• Please ignore the offer to buy the program. Click on Export To
  
• Export the log and save it to your desktop.
• Please attach the contents of that log in your next reply.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

--------------------------------------------------------------

Please reply back with the following logs:

C:\ComboFix.txt
Panda ActiveScan log
Update on how your system is behaving?

skylir

combofix. log

ComboFix 09-11-15.01 - Neil 15/11/2009 12:15..1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.154 [GMT 0:00]
Running from: c:\documents and settings\Neil\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Neil\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1356 [VPS 091115-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

file zipped: c:\documents and settings\All Users\Application Data\erobydupe.bin
file zipped: c:\documents and settings\Neil\Local Settings\Application Data\vanagawym.dat
file zipped: c:\program files\Common Files\jyku.lib
file zipped: c:\program files\Common Files\qasowuzihy.lib
file zipped: c:\windows\yxaledu.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\erobydupe.bin
c:\documents and settings\Neil\Local Settings\Application Data\vanagawym.dat
C:\FOUND.000
c:\found.000\FILE0000.CHK
c:\found.000\FILE0001.CHK
c:\found.000\FILE0002.CHK
c:\program files\Common Files\jyku.lib
c:\program files\Common Files\qasowuzihy.lib
c:\windows\yxaledu.sys

.
((((((((((((((((((((((((( Files Created from 2009-10-15 to 2009-11-15 )))))))))))))))))))))))))))))))
.

2009-11-14 18:35 . 2009-09-15 11:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-14 18:35 . 2009-09-15 11:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-14 18:35 . 2009-09-15 11:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-14 18:35 . 2009-09-15 11:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-14 18:35 . 2009-09-15 11:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-14 18:35 . 2009-09-15 11:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-14 18:35 . 2009-09-15 11:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-14 18:35 . 2009-09-15 11:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-14 18:34 . 2009-09-15 11:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-14 18:34 . 2009-11-14 18:34 -------- d-----w- c:\program files\Alwil Software
2009-11-14 14:08 . 2008-04-14 01:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-14 14:08 . 2008-04-14 01:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-14 13:57 . 2009-11-14 13:57 -------- d-----w- C:\Combo-Fix11524C
2009-11-13 16:01 . 2009-11-13 16:01 -------- d-----w- C:\Combo-Fix
2009-11-11 22:46 . 2009-11-11 22:46 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-11-11 22:46 . 2009-11-11 22:46 -------- d-----w- c:\program files\DivX
2009-11-11 20:11 . 2009-11-11 20:11 282 ----a-w- c:\windows\system32\drivers\ohxilzkh.dat
2009-11-11 20:11 . 2009-11-11 20:11 -------- d-----w- c:\windows\system32\MpEngineStore
2009-11-09 13:40 . 2009-11-09 13:41 -------- d--h--w- c:\windows\PIF
2009-11-06 21:40 . 2009-11-06 21:40 1924440 ----a-w- c:\documents and settings\Neil\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-10-30 16:26 . 2009-10-30 16:26 -------- d-----w- c:\program files\Trend Micro
2009-10-23 15:39 . 2009-10-23 15:39 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 10:18 . 2009-11-05 03:21 6672 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-10-31 17:42 . 2009-02-06 16:05 1 ----a-w- c:\documents and settings\Neil\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-10-15 23:31 . 2009-10-15 23:31 282 ----a-w- c:\windows\system32\drivers\uanxvcmo.dat
2009-10-15 22:55 . 2009-10-15 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-08 20:47 . 2009-10-08 20:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-10-08 20:47 . 2009-10-08 20:47 -------- d-----w- c:\program files\Common Files\iS3
2009-10-08 20:47 . 2009-10-08 20:47 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-09-11 15:18 . 2004-08-10 04:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 22:03 . 2004-08-10 04:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 09:08 . 2006-01-09 11:02 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 09:00 . 2004-08-10 04:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-11-12 19:42 . 2008-03-23 17:27 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-11-12 19:42 . 2008-03-23 17:27 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-11-12 19:42 . 2008-03-23 17:27 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-11-12 19:42 . 2008-03-23 17:27 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-11-12 19:42 . 2008-03-23 17:27 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-14_14.11.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-15 10:35 . 2009-11-15 10:35 16384 c:\windows\Temp\Perflib_Perfdata_874.dat
+ 2009-11-15 10:32 . 2009-11-15 10:32 16384 c:\windows\Temp\Perflib_Perfdata_31c.dat
+ 2009-11-15 10:32 . 2009-11-15 10:32 16384 c:\windows\Temp\Perflib_Perfdata_11c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-25 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-11-27 1032376]
"Google Update"="c:\documents and settings\Neil\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-15 133104]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2007-02-05 476728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"preload"="c:\windows\RUNXMLPL.exe" [2005-05-19 32768]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-20 86016]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 786521]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 45056]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-08-08 634880]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-07-18 438272]
"Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2006-06-07 208896]
"eLockMonitor"="c:\acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe" [2006-03-31 16384]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 345088]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"BisonBar"="c:\windows\BUtilityBar\BisonBar.exe" [2006-09-08 245760]
"4oD"="c:\program files\Kontiki\KHost.exe" [2007-11-27 1032376]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-17 136600]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-07-21 16261632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Neil\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2007-4-18 45056]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-5-12 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19660:TCP"= 19660:TCP:BitComet 19660 TCP
"19660:UDP"= 19660:UDP:BitComet 19660 UDP

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [14/11/2009 18:35 114768]
R1 PREVXTdi;PREVX TDI filter;c:\windows\system32\drivers\pxtdi.sys [17/05/2007 22:09 27784]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [14/11/2009 18:35 20560]
R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;c:\windows\system32\eLock2BurnerLockDriver.sys [18/04/2007 09:10 17664]
R2 eLock2FSCTLDriver;eLock2FSCTLDriver;c:\windows\system32\eLock2FSCTLDriver.sys [18/04/2007 09:10 90112]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [06/05/2007 00:37 106808]
S1 jllevziw;jllevziw;\??\c:\windows\system32\drivers\jllevziw.sys --> c:\windows\system32\drivers\jllevziw.sys [?]
S2 SDManager;SDManager;\??\c:\program files\SpywareDetector\SDManager.sys --> c:\program files\SpywareDetector\SDManager.sys [?]
S3 PREVXEmulator;PREVX Emulator driver;c:\windows\system32\drivers\PxEmu.sys [17/05/2007 22:09 107784]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [17/04/2009 23:03 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [17/04/2009 23:03 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [17/04/2009 23:03 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [17/04/2009 23:03 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [17/04/2009 23:03 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [17/04/2009 23:03 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [17/04/2009 23:03 110120]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-595798811-1796927190-1171272016-1006Core1ca5a7898a33b13.job
- c:\documents and settings\Neil\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-15 18:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUxdm080YYGB&fl=0&ptb=hfzOkEhJzDfX_u60wOYhYQ&url=http://www.uk.ask.com/web&q={searchTerms}&l=zu&o=sb
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Search - http://edits.mywebsearch.com/toolbar...p=ZUxdm080YYGB
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
FF - ProfilePath - c:\documents and settings\Neil\Application Data\Mozilla\Firefox\Profiles\pl4t5jss.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.atcomet.com/b/
FF - component: c:\documents and settings\Neil\Application Data\Mozilla\Firefox\Profiles\pl4t5jss.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-15 12:25
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-11-15 12:28
ComboFix-quarantined-files.txt 2009-11-15 12:28
ComboFix2.txt 2009-11-14 14:17

Pre-Run: 24,694,685,696 bytes free
Post-Run: 24,955,617,280 bytes free

- - End Of File - - D5FF6F35BA60C170F58C6A1486C2900F
Upload was successful

Attached Files

ComboFix.txt (14.0 KB, 4 views)

skylir

The laptop has been in excellent working order since I did ComboFix.It was so slow before and took too long to get online. But that is all sorted now. Thank-you.
Skylir

Attached Files

ActiveScan.txt (19.3 KB, 1 views)

forhockey

Hi skylir,

Great news. We're almost there so please stick with me.

Please delete ComboFix from your desktop.

Download an updated copy of ComboFix from either one of the links below:

Link 1
Link 2

Note: Make sure you save the file as Combo-Fix to your desktop

Double click on Combo-Fix and post the results from C:\ComboFix.txt

skylir

Combo-Fix log.

ComboFix 09-11-16.05 - Neil 16/11/2009 13:39..1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.148 [GMT 0:00]
Running from: c:\documents and settings\Neil\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1356 [VPS 091116-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2009-10-16 to 2009-11-16 )))))))))))))))))))))))))))))))
.

2009-11-15 15:51 . 2009-06-30 09:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-11-15 15:51 . 2009-11-15 15:51 -------- d-----w- c:\program files\Panda Security
2009-11-14 18:35 . 2009-09-15 11:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-14 18:35 . 2009-09-15 11:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-14 18:35 . 2009-09-15 11:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-14 18:35 . 2009-09-15 11:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-14 18:35 . 2009-09-15 11:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-14 18:35 . 2009-09-15 11:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-14 18:35 . 2009-09-15 11:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-14 18:35 . 2009-09-15 11:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-14 18:34 . 2009-09-15 11:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-14 18:34 . 2009-11-14 18:34 -------- d-----w- c:\program files\Alwil Software
2009-11-14 14:08 . 2008-04-14 01:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-14 14:08 . 2008-04-14 01:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-14 13:57 . 2009-11-14 13:57 -------- d-----w- C:\Combo-Fix11524C
2009-11-13 16:01 . 2009-11-13 16:01 -------- d-----w- C:\Combo-Fix
2009-11-11 22:46 . 2009-11-11 22:46 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-11-11 22:46 . 2009-11-11 22:46 -------- d-----w- c:\program files\DivX
2009-11-11 20:11 . 2009-11-11 20:11 282 ----a-w- c:\windows\system32\drivers\ohxilzkh.dat
2009-11-11 20:11 . 2009-11-11 20:11 -------- d-----w- c:\windows\system32\MpEngineStore
2009-11-09 13:40 . 2009-11-09 13:41 -------- d--h--w- c:\windows\PIF
2009-11-06 21:40 . 2009-11-06 21:40 1924440 ----a-w- c:\documents and settings\Neil\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-10-30 16:26 . 2009-10-30 16:26 -------- d-----w- c:\program files\Trend Micro
2009-10-23 15:39 . 2009-10-23 15:39 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 10:18 . 2009-11-05 03:21 6672 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-10-31 17:42 . 2009-02-06 16:05 1 ----a-w- c:\documents and settings\Neil\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-10-15 23:31 . 2009-10-15 23:31 282 ----a-w- c:\windows\system32\drivers\uanxvcmo.dat
2009-10-15 22:55 . 2009-10-15 22:55 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-08 20:47 . 2009-10-08 20:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-10-08 20:47 . 2009-10-08 20:47 -------- d-----w- c:\program files\Common Files\iS3
2009-10-08 20:47 . 2009-10-08 20:47 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-09-11 15:18 . 2004-08-10 04:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 22:03 . 2004-08-10 04:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 09:08 . 2006-01-09 11:02 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 09:00 . 2004-08-10 04:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-11-12 19:42 . 2008-03-23 17:27 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-11-12 19:42 . 2008-03-23 17:27 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-11-12 19:42 . 2008-03-23 17:27 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-11-12 19:42 . 2008-03-23 17:27 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-11-12 19:42 . 2008-03-23 17:27 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-14_14.11.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-16 12:04 . 2009-11-16 12:04 16384 c:\windows\Temp\Perflib_Perfdata_ec.dat
+ 2009-11-16 12:06 . 2009-11-16 12:06 16384 c:\windows\Temp\Perflib_Perfdata_56c.dat
+ 2009-11-16 12:04 . 2009-11-16 12:04 16384 c:\windows\Temp\Perflib_Perfdata_118.dat
+ 2009-08-04 14:06 . 2009-08-04 14:06 132352 c:\windows\Downloaded Program Files\as2stubie.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-25 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-11-27 1032376]
"Google Update"="c:\documents and settings\Neil\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-15 133104]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2007-02-05 476728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"preload"="c:\windows\RUNXMLPL.exe" [2005-05-19 32768]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-20 86016]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-25 786521]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 45056]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-08-08 634880]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-07-18 438272]
"Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2006-06-07 208896]
"eLockMonitor"="c:\acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe" [2006-03-31 16384]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 345088]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"BisonBar"="c:\windows\BUtilityBar\BisonBar.exe" [2006-09-08 245760]
"4oD"="c:\program files\Kontiki\KHost.exe" [2007-11-27 1032376]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-17 136600]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-07-21 16261632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Neil\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2007-4-18 45056]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-5-12 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\MsnMsgr.Exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19660:TCP"= 19660:TCP:BitComet 19660 TCP
"19660:UDP"= 19660:UDP:BitComet 19660 UDP

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [15/11/2009 15:51 28552]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [14/11/2009 18:35 114768]
R1 PREVXTdi;PREVX TDI filter;c:\windows\system32\drivers\pxtdi.sys [17/05/2007 22:09 27784]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [14/11/2009 18:35 20560]
R2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;c:\windows\system32\eLock2BurnerLockDriver.sys [18/04/2007 09:10 17664]
R2 eLock2FSCTLDriver;eLock2FSCTLDriver;c:\windows\system32\eLock2FSCTLDriver.sys [18/04/2007 09:10 90112]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [06/05/2007 00:37 106808]
S1 jllevziw;jllevziw;\??\c:\windows\system32\drivers\jllevziw.sys --> c:\windows\system32\drivers\jllevziw.sys [?]
S2 SDManager;SDManager;\??\c:\program files\SpywareDetector\SDManager.sys --> c:\program files\SpywareDetector\SDManager.sys [?]
S3 PREVXEmulator;PREVX Emulator driver;c:\windows\system32\drivers\PxEmu.sys [17/05/2007 22:09 107784]
S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [17/04/2009 23:03 83880]
S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [17/04/2009 23:03 15016]
S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [17/04/2009 23:03 110632]
S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [17/04/2009 23:03 104616]
S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [17/04/2009 23:03 25512]
S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [17/04/2009 23:03 100648]
S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [17/04/2009 23:03 110120]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-595798811-1796927190-1171272016-1006Core1ca5a7898a33b13.job
- c:\documents and settings\Neil\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-15 18:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUxdm080YYGB&fl=0&ptb=hfzOkEhJzDfX_u60wOYhYQ&url=http://www.uk.ask.com/web&q={searchTerms}&l=zu&o=sb
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Search - http://edits.mywebsearch.com/toolbar...p=ZUxdm080YYGB
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
FF - ProfilePath - c:\documents and settings\Neil\Application Data\Mozilla\Firefox\Profiles\pl4t5jss.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.atcomet.com/b/
FF - component: c:\documents and settings\Neil\Application Data\Mozilla\Firefox\Profiles\pl4t5jss.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-16 13:50
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2020)
c:\windows\system32\WININET.dll
c:\windows\system32\MSNCHATHOOK.DLL
c:\windows\system32\sysenv.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\MFC71U.DLL
c:\acer\Empowering Technology\ePower\SysHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-16 13:52
ComboFix-quarantined-files.txt 2009-11-16 13:52
ComboFix2.txt 2009-11-15 12:31
ComboFix3.txt 2009-11-14 14:17

Pre-Run: 24,636,817,408 bytes free
Post-Run: 24,717,066,240 bytes free

- - End Of File - - 8BC0DE4323078CF5F37D56B2DC2DC7FB

Attached Files

Combo-Fix.txt (14.0 KB, 2 views)

forhockey

Hi skylir,

Well done, your logs are clean! There are just a few more things I would like you to do.


The following procedure will clear out ComboFix.exe, as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /Uninstall

----------------------------------------------------------------

Re-enable Anti-virus Protection

Please make sure you re-enable avast! antivirus. You don't want your system to be unprotected.

Microsoft Updates

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

Malware Prevention Tools

These programs configure your computer to prevent known malware-related changes. You can have more than one of these at a time and they take up minimal resources.

• SpywareBlaster - Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. Check regularly for updates.
• IE-Spyad is another excellent program that places over 5000 dubious websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. It basically prevents any downloads from the sites listed, although you will still be able to connect to the site. See tutorial here
• MVPS Hosts File - extract and double-click the mvps.bat file. This will replace your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements, preventing your computer from connecting to those sites.
• McAfee SiteAdvisor - helps to warn you before you interact with a dangerous Web site. Works with both IE and Firefox.
• SpywareGuard - real-time protection that detects and blocks spyware before it can execute.

Alternative Web Browsers

Using an alternative browser can help prevent malware from being installed without your knowledge, but may not work on all websites.

• Firefox
• Opera

Firewalls

If you do not have a firewall, here are a few free ones available for personal use:

Understanding and Using Firewalls

• Comodo Firewall Pro
• ZoneAlarm
• OutPost Firewall

Informational Reading

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles:

• How Did I Get Infected In The First Place?
• PC SAFETY AND SECURITY
• THE ANTI-SPYWARE TUTORIAL
• STRONG PASSWORDS

Please respond to this thread one more time so we can mark this thread as resolved.