
My CPU keeps going to 100%!? [Closed]


#1 Hexzar
Member, 89 posts
Right, here is the original problem topic I made in the Vista forums - http://www.geekstogo...ep-t232149.html . It's really, really annoying: I start my laptop up and it literally starts to lag, I open up the Google Chrome browser and it's still laggy, I check the CPU and it's going from 3% straight to 100% and it's really, really messing up my laptop :S So please can someone help me, thanks.

1. I ran the Malwarebytes scan; it found 4 infections, which I removed (one needed rebooting). Here's the log from it -

Malwarebytes' Anti-Malware 1.34
Database version: 1846
Windows 6.0.6001 Service Pack 1

14/03/2009 00:07:44
mbam-log-2009-03-14 (00-07-44).txt

Scan type: Quick Scan
Objects scanned: 60278
Time elapsed: 23 minute(s), 21 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\Users\Taz\AppData\Roaming\Microsoft\Windows\lsass.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdapihe (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass service (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Taz\AppData\Local\anavigamepixohay.dll (Trojan.Agent) -> Delete on reboot.
C:\Users\Taz\AppData\Roaming\Microsoft\Windows\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.

2. I then ran a ZoneAlarm antivirus scan and it found nothing.

3. I did a HijackThis log and here are the results -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:42:33, on 14/03/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Users\Taz\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Taz\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\SwiftKit\SwiftKit.exe
C:\Windows\system32\Taskmgr.exe
C:\Users\Taz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Taz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Taz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Users\Taz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Taz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Taz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\mmc.exe
C:\Windows\System32\mspaint.exe
C:\Users\Taz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer...p;m=aspire_7530
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [eAudio] "C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE Systemboot
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Program Files\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [cgi-bin] C:\Windows\cgi-bin.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Taz\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - (no CLSID) - (no file)
O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8591 bytes


4. I then did an OTListIt2 log -

OTListIt logfile created on: 14/03/2009 17:10:12 - Run 1
OTListIt2 by OldTimer - Version 2.0.3.6 Folder = C:\Users\Taz\Downloads
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.19 Gb Available Physical Memory | 59.64% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): ?:\pagefile.sys;

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 111.44 Gb Total Space | 62.07 Gb Free Space | 55.70% Space Free | Partition Type: NTFS
Drive D: | 111.44 Gb Total Space | 109.38 Gb Free Space | 98.15% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME-PC
Current User Name: Taz
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\Windows\system32\nvvsvc.exe (NVIDIA Corporation)
PRC - C:\Windows\System32\ZoneLabs\vsmon.exe (Check Point Software Technologies LTD)
PRC - C:\Windows\System32\ZoneLabs\avsys\ScanningProcess.exe ()
PRC - C:\Windows\System32\ZoneLabs\avsys\ScanningProcess.exe ()
PRC - C:\Windows\Explorer.EXE (Microsoft Corporation)
PRC - C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
PRC - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
PRC - C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe (Acer Inc.)
PRC - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe (Egis Incorporated)
PRC - C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe (Acer Incorporated)
PRC - C:\Users\Taz\AppData\Local\Temp\RtkBtMnt.exe (Realtek Semiconductor Corp.)
PRC - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe (NewTech Infosystems, Inc.)
PRC - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe (Egis Incorporated)
PRC - C:\Program Files\Acer\Empowering Technology\Service\ETService.exe ()
PRC - C:\Program Files\Common Files\LightScribe\LSSrvc.exe (Hewlett-Packard Company)
PRC - C:\Acer\Mobility Center\MobilityService.exe ()
PRC - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe (NewTech InfoSystems, Inc.)
PRC - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe ()
PRC - C:\Windows\system32\DRIVERS\xaudio.exe (Conexant Systems, Inc.)
PRC - C:\Windows\system32\wbem\unsecapp.exe (Microsoft Corporation)
PRC - C:\Windows\system32\wbem\wmiprvse.exe (Microsoft Corporation)
PRC - C:\Program Files\Launch Manager\QtZgAcer.EXE (Dritek System Inc.)
PRC - C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
PRC - C:\Windows\ehome\ehtray.exe (Microsoft Corporation)
PRC - C:\Windows\system32\wbem\unsecapp.exe (Microsoft Corporation)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
PRC - C:\Users\Taz\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
PRC - C:\Windows\ehome\ehmsas.exe (Microsoft Corporation)
PRC - C:\Program Files\Synaptics\SynTP\SynTPHelper.exe (Synaptics, Inc.)
PRC - C:\Program Files\SwiftKit\SwiftKit.exe (Bluelight Developments)
PRC - C:\Users\Taz\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.)
PRC - C:\Users\Taz\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.)
PRC - C:\Users\Taz\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.)
PRC - C:\Program Files\Safari\Safari.exe (Apple Inc.)
PRC - C:\Users\Taz\Downloads\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (BUNAgentSvc [Auto | Running]) -- C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe (NewTech Infosystems, Inc.)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (eDataSecurity Service [Auto | Running]) -- C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe (Egis Incorporated)
SRV - (ehRecvr [On_Demand | Stopped]) -- C:\Windows\ehome\ehRecvr.exe (Microsoft Corporation)
SRV - (ehSched [On_Demand | Stopped]) -- C:\Windows\ehome\ehsched.exe (Microsoft Corporation)
SRV - (ehstart [Auto | Stopped]) -- C:\Windows\ehome\ehstart.dll (Microsoft Corporation)
SRV - (ETService [Auto | Running]) -- C:\Program Files\Acer\Empowering Technology\Service\ETService.exe ()
SRV - (FLEXnet Licensing Service [On_Demand | Stopped]) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Acresso Software Inc.)
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (gusvc [On_Demand | Stopped]) -- File not found
SRV - (idsvc [Unknown | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (LightScribeService [Auto | Running]) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe (Hewlett-Packard Company)
SRV - (Microsoft Office Groove Audit Service [On_Demand | Stopped]) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (Microsoft Corporation)
SRV - (MobilityService [Auto | Running]) -- C:\Acer\Mobility Center\MobilityService.exe ()
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (NTIBackupSvc [Auto | Running]) -- C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe (NewTech InfoSystems, Inc.)
SRV - (NTISchedulerSvc [Auto | Running]) -- C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe ()
SRV - (nvsvc [Auto | Running]) -- C:\Windows\system32\nvvsvc.exe (NVIDIA Corporation)
SRV - (odserv [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (vsmon [Auto | Running]) -- C:\Windows\System32\ZoneLabs\vsmon.exe (Check Point Software Technologies LTD)
SRV - (WinDefend [Auto | Stopped]) -- C:\Program Files\Windows Defender\mpsvc.dll (Microsoft Corporation)
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
SRV - (XAudioService [Auto | Running]) -- C:\Windows\system32\DRIVERS\xaudio.exe (Conexant Systems, Inc.)

========== Driver Services (SafeList) ==========

DRV - (adfs [Auto | Running]) -- C:\Windows\System32\drivers\adfs.sys (Adobe Systems, Inc.)
DRV - (adp94xx [Disabled | Stopped]) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (adpahci [Disabled | Stopped]) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (adpu160m [Disabled | Stopped]) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (adpu320 [Disabled | Stopped]) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (aic78xx [Disabled | Stopped]) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (aliide [Disabled | Stopped]) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (arc [Disabled | Stopped]) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (arcsas [Disabled | Stopped]) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (athr [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\athr.sys (Atheros Communications, Inc.)
DRV - (b57nd60x [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\b57nd60x.sys (Broadcom Corporation)
DRV - (BCM43XX [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\bcmwl6.sys (Broadcom Corporation)
DRV - (BrFiltLo [On_Demand | Stopped]) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrFiltUp [On_Demand | Stopped]) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (Brserid [Disabled | Stopped]) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrSerWdm [Disabled | Stopped]) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm [Disabled | Stopped]) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (BrUsbSer [On_Demand | Stopped]) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (cmdide [Disabled | Stopped]) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (DKbFltr [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\DKbFltr.sys (Dritek System Inc.)
DRV - (E1G60 [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\E1G60I32.sys (Intel Corporation)
DRV - (elxstor [Disabled | Stopped]) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (HpCISSs [Disabled | Stopped]) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (HSFHWAZL [On_Demand | Stopped]) -- C:\Windows\system32\DRIVERS\VSTAZL3.SYS (Conexant Systems, Inc.)
DRV - (HSF_DPV [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\HSX_DPV.sys (Conexant Systems, Inc.)
DRV - (HSXHWAZL [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\HSXHWAZL.sys (Conexant Systems, Inc.)
DRV - (iaStorV [Disabled | Stopped]) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (iirsp [Disabled | Stopped]) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (int15 [Auto | Running]) -- C:\Windows\system32\drivers\int15.sys (Acer, Inc.)
DRV - (IntcAzAudAddService [On_Demand | Running]) -- C:\Windows\system32\drivers\RTKVHDA.sys (Realtek Semiconductor Corp.)
DRV - (iteatapi [Disabled | Stopped]) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (iteraid [Disabled | Stopped]) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (KLIF [System | Running]) -- C:\Windows\system32\DRIVERS\klif.sys (Kaspersky Lab)
DRV - (LSI_FC [Disabled | Stopped]) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (LSI_SAS [Disabled | Stopped]) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (LSI_SCSI [Disabled | Stopped]) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (mdmxsdk [Auto | Running]) -- C:\Windows\system32\DRIVERS\mdmxsdk.sys (Conexant)
DRV - (megasas [Disabled | Stopped]) -- C:\Windows\system32\drivers\megasas.sys (LSI Corporation)
DRV - (MegaSR [Disabled | Stopped]) -- C:\Windows\system32\drivers\megasr.sys (LSI Corporation, Inc.)
DRV - (Mraid35x [Disabled | Stopped]) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (nfrd960 [Disabled | Stopped]) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (NTIDrvr [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\NTIDrvr.sys (NewTech Infosystems, Inc.)
DRV - (ntrigdigi [Disabled | Stopped]) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (NVHDA [On_Demand | Running]) -- C:\Windows\system32\drivers\nvhda32v.sys (NVIDIA Corporation)
DRV - (nvlddmkm [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\nvlddmkm.sys (NVIDIA Corporation)
DRV - (nvraid [Disabled | Stopped]) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nvsmu [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\nvsmu.sys (NVIDIA Corporation)
DRV - (nvstor [Disabled | Stopped]) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (nvstor32 [Boot | Running]) -- C:\Windows\system32\DRIVERS\nvstor32.sys (NVIDIA Corporation)
DRV - (PSDFilter [Boot | Running]) -- C:\Windows\system32\DRIVERS\psdfilter.sys (Egis Incorporated)
DRV - (PSDNServ [Auto | Running]) -- C:\Windows\system32\DRIVERS\PSDNServ.sys (Egis Incorporated)
DRV - (psdvdisk [Auto | Running]) -- C:\Windows\system32\DRIVERS\PSDVdisk.sys (Egis Incorporated)
DRV - (ql2300 [Disabled | Stopped]) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (ql40xx [Disabled | Stopped]) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (RTSTOR [On_Demand | Running]) -- C:\Windows\system32\drivers\RTSTOR.SYS (Realtek Semiconductor Corp.)
DRV - (secdrv [Auto | Running]) -- C:\Windows\System32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (SiSRaid4 [Disabled | Stopped]) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (Symc8xx [Disabled | Stopped]) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (Sym_hi [Disabled | Stopped]) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (Sym_u3 [Disabled | Stopped]) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (SynTP [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\SynTP.sys (Synaptics, Inc.)
DRV - (UBHelper [Boot | Running]) -- C:\Windows\System32\drivers\UBHelper.sys (NewTech Infosystems Corporation)
DRV - (uliahci [Disabled | Stopped]) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (UlSata [Disabled | Stopped]) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (ulsata2 [Disabled | Stopped]) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (viaide [Disabled | Stopped]) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (Vsdatant [System | Running]) -- C:\Windows\system32\DRIVERS\vsdatant.sys (Check Point Software Technologies LTD)
DRV - (vsmraid [Disabled | Stopped]) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (winachsf [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\HSX_CNXT.sys (Conexant Systems, Inc.)
DRV - (winbondcir [On_Demand | Running]) -- C:\Windows\system32\DRIVERS\winbondcir.sys (Winbond Electronics Corporation)
DRV - (XAudio [Auto | Running]) -- C:\Windows\system32\DRIVERS\xaudio.sys (Conexant Systems, Inc.)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer...p;m=aspire_7530
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://global.acer.com;
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b} -> %SystemRoot%\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION [C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION\] -> [2009/02/15 13:31:28 00,000,000 | ---D | M]

O1 HOSTS File: (794 bytes) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 activate.adobe.com
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll File not found
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (ShowBarObj Class) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll (Egis)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - Reg Error: Key error. File not found
O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll File not found
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O4 - HKLM..\Run: [eAudio] "C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe" (Acer Incorporated)
O4 - HKLM..\Run: [eDataSecurity Loader] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe (Egis Incorporated)
O4 - HKLM..\Run: [ePower_DMC] C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe (Acer Inc.)
O4 - HKLM..\Run: [eRecoveryService] File not found
O4 - HKLM..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" (Microsoft Corporation)
O4 - HKLM..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE Systemboot (Dritek System Inc.)
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
O4 - HKLM..\Run: [RtHDVCpl] RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [WarReg_PopUp] C:\Program Files\Acer\WR_PopUp\WarReg_PopUp.exe (Acer Incorporated)
O4 - HKLM..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide (Microsoft Corporation)
O4 - HKLM..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [cgi-bin] C:\Windows\cgi-bin.exe ()
O4 - HKCU..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Google Update] "C:\Users\Taz\AppData\Local\Google\Update\GoogleUpdate.exe" /c (Google Inc.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [@%SystemRoot%\system32\nlasvc.dll,-1000] - C:\Windows\system32\NLAapi.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [@%SystemRoot%\system32\napinsp.dll,-1000] - C:\Windows\system32\napinsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [@%SystemRoot%\system32\pnrpnsp.dll,-1000] - C:\Windows\system32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [@%SystemRoot%\system32\pnrpnsp.dll,-1001] - C:\Windows\system32\pnrpnsp.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Sites: internet ([]about in Internet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_12)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\autoexec.bat () - [ NTFS ]

========== Files/Folders - Created Within 30 Days ==========

[2009/03/14 16:41:47 | 00,001,878 | ---- | C] () -- C:\Users\Taz\Desktop\HijackThis.lnk
[2009/03/14 16:41:45 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/03/14 16:27:14 | 00,032,973 | ---- | C] () -- C:\Users\Taz\Desktop\transfer 3.jpg
[2009/03/14 16:24:55 | 00,058,879 | ---- | C] () -- C:\Users\Taz\Desktop\transfer 2.jpg
[2009/03/14 16:23:39 | 00,050,534 | ---- | C] () -- C:\Users\Taz\Desktop\transfer 1.jpg
[2009/03/13 23:38:58 | 00,000,000 | ---D | C] -- C:\Users\Taz\AppData\Roaming\Malwarebytes
[2009/03/13 23:38:47 | 00,000,822 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/03/13 23:38:45 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/03/13 23:38:41 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/03/13 23:38:38 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2009/03/13 23:38:38 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/03/13 22:40:04 | 00,216,474 | ---- | C] () -- C:\Users\Taz\Desktop\prob.jpg
[2009/03/13 20:29:41 | 00,125,487 | ---- | C] () -- C:\Users\Taz\Desktop\problem 2.jpg
[2009/03/13 20:28:19 | 00,196,247 | ---- | C] () -- C:\Users\Taz\Desktop\problem 1.jpg
[2009/03/13 20:23:45 | 10,622,976 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmp.dll
[2009/03/13 20:23:43 | 00,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\spwmp.dll
[2009/03/13 20:23:40 | 08,147,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmploc.DLL
[2009/03/13 20:23:40 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msdxm.ocx
[2009/03/13 20:23:40 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxmasf.dll
[2009/03/13 20:23:08 | 00,268,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\schannel.dll
[2009/03/13 20:22:51 | 02,033,152 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2009/03/11 10:52:51 | 00,268,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\schannel(137).dll
[2009/03/09 20:48:05 | 00,008,224 | ---- | C] () -- C:\Users\Taz\AppData\Local\GDIPFONTCACHEV1.DAT
[2009/03/07 11:46:09 | 00,000,000 | ---D | C] -- C:\Users\Taz\AppData\Local\{4B73687E-B299-43FC-B003-6E1D22CD86B1}
[2009/03/05 10:56:31 | 00,000,000 | ---D | C] -- C:\Users\Taz\Documents\Downloads
[2009/03/05 10:56:22 | 00,001,996 | ---- | C] () -- C:\Users\Taz\Desktop\Google Chrome.lnk
[2009/03/05 10:52:18 | 00,000,848 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1482803467-2361875880-1312049289-1000.job
[2009/03/01 15:34:42 | 00,000,792 | ---- | C] () -- C:\Users\Taz\Desktop\SopCast.lnk
[2009/03/01 15:34:39 | 00,000,000 | ---D | C] -- C:\Program Files\SopCast
[2009/02/27 23:07:36 | 00,000,947 | ---- | C] () -- C:\Users\Taz\Desktop\Launch Internet Explorer Browser.lnk
[2009/02/26 20:20:40 | 00,026,624 | -HS- | C] () -- C:\Windows\System32\proto.dll
[2009/02/25 16:31:19 | 00,000,000 | ---D | C] -- C:\.jagex_cache_32
[2009/02/24 14:33:14 | 00,171,760 | -H-- | C] () -- C:\Windows\System32\mlfcache.dat
[2009/02/22 15:09:44 | 00,000,950 | ---- | C] () -- C:\Users\Taz\Desktop\Revolution Media.lnk
[2009/02/22 15:08:46 | 00,000,000 | ---D | C] -- C:\Program Files\Revolution Media 3.0.0
[2009/02/22 15:04:45 | 00,000,000 | ---D | C] -- C:\Users\Taz\AppData\Roaming\Runtime Revolution
[2009/02/20 22:45:30 | 00,000,000 | ---D | C] -- C:\Users\Taz\AppData\Roaming\Apple Computer
[2009/02/20 22:45:30 | 00,000,000 | ---D | C] -- C:\Users\Taz\AppData\Local\Apple Computer
[2009/02/20 22:44:48 | 00,000,000 | ---D | C] -- C:\Program Files\Safari
[2009/02/20 22:44:31 | 00,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2009/02/20 22:44:30 | 00,000,000 | ---D | C] -- C:\ProgramData\Apple
[2009/02/19 21:14:41 | 00,048,913 | ---- | C] () -- C:\Windows\UninstVeetleTVPlayer.exe
[2009/02/19 21:14:41 | 00,000,000 | ---D | C] -- C:\Program Files\Veetle
[2009/02/19 19:31:48 | 00,000,000 | -H-- | C] () -- C:\Users\Taz\Documents\Default.rdp
[2009/02/19 11:19:19 | 00,000,000 | ---D | C] -- C:\Users\Taz\AppData\Roaming\Ventrilo
[2009/02/19 11:19:08 | 00,000,000 | ---D | C] -- C:\Program Files\Ventrilo
[2009/02/19 11:19:07 | 00,000,262 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/02/19 11:17:48 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/02/18 18:16:37 | 00,000,000 | ---D | C] -- C:\Program Files\SystemRequirementsLab
[2009/02/18 18:16:29 | 00,000,000 | ---D | C] -- C:\Users\Taz\AppData\Roaming\SystemRequirementsLab
[2009/02/16 19:41:06 | 00,000,000 | ---D | C] -- C:\Users\Taz\AppData\Roaming\teamspeak2
[2009/02/16 19:40:58 | 00,034,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\lhacm.acm
[2009/02/16 19:40:48 | 00,000,000 | ---D | C] -- C:\Program Files\Teamspeak2_RC2
[2009/02/15 20:32:15 | 00,000,000 | ---D | C] -- C:\Users\Taz\AppData\Roaming\FileZilla
[2009/02/15 20:32:11 | 00,001,789 | ---- | C] () -- C:\Users\Public\Desktop\FileZilla Client.lnk
[2009/02/15 20:32:06 | 00,000,000 | ---D | C] -- C:\Program Files\FileZilla FTP Client
[2009/02/15 13:21:48 | 00,097,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\infocardapi.dll
[2009/02/15 13:21:47 | 00,105,016 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll
[2009/02/15 13:21:46 | 00,622,080 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\icardagt.exe
[2009/02/15 13:21:46 | 00,043,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHostProxy.dll
[2009/02/15 13:21:46 | 00,037,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\infocardcpl.cpl
[2009/02/15 13:21:46 | 00,011,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\icardres.dll
[2009/02/15 13:21:44 | 00,781,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationNative_v0300.dll
[2009/02/15 13:21:40 | 00,326,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PresentationHost.exe
[2009/02/15 13:08:10 | 00,096,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dfshim.dll
[2009/02/15 13:07:59 | 00,282,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mscoree.dll
[2009/02/15 13:07:56 | 00,041,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\netfxperf.dll
[2009/02/15 13:07:21 | 00,158,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mscorier.dll
[2009/02/15 13:07:07 | 00,083,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mscories.dll
[2009/02/15 12:38:16 | 00,428,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\EncDec.dll
[2009/02/15 12:38:15 | 00,217,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\psisrndr.ax
[2009/02/15 12:38:09 | 00,293,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\psisdecd.dll
[2009/02/15 12:38:08 | 00,177,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mpg2splt.ax
[2009/02/15 12:38:08 | 00,080,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSNP.ax
[2009/02/14 19:37:38 | 00,001,891 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 8.lnk
[2009/02/13 15:53:59 | 00,000,000 | ---D | C] -- C:\Users\Taz\Documents\Clan
[2009/02/13 11:01:43 | 03,580,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.dll
[2009/02/13 11:01:40 | 06,069,248 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieframe.dll
[2009/02/13 11:01:39 | 01,166,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\urlmon.dll
[2009/02/13 11:01:39 | 00,827,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wininet.dll
[2009/02/13 11:01:38 | 00,671,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mstime.dll
[2009/02/13 11:01:38 | 00,458,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2009/02/13 11:01:38 | 00,270,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iertutil.dll
[2009/02/13 11:01:38 | 00,028,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2009/02/13 11:01:37 | 01,383,424 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb

========== Files - Modified Within 30 Days ==========

[2009/03/14 17:08:41 | 75,355,424 | -HS- | M] () -- C:\Windows\System32\drivers\fidbox.dat
[2009/03/14 16:51:39 | 00,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/03/14 16:51:39 | 00,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/03/14 16:41:47 | 00,001,878 | ---- | M] () -- C:\Users\Taz\Desktop\HijackThis.lnk
[2009/03/14 16:27:15 | 00,032,973 | ---- | M] () -- C:\Users\Taz\Desktop\transfer 3.jpg
[2009/03/14 16:24:56 | 00,058,879 | ---- | M] () -- C:\Users\Taz\Desktop\transfer 2.jpg
[2009/03/14 16:23:40 | 00,050,534 | ---- | M] () -- C:\Users\Taz\Desktop\transfer 1.jpg
[2009/03/14 15:54:17 | 00,027,649 | ---- | M] () -- C:\ProgramData\nvModes.001
[2009/03/14 15:42:23 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/03/14 15:18:30 | 00,027,649 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2009/03/14 12:01:45 | 00,000,848 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1482803467-2361875880-1312049289-1000.job
[2009/03/14 11:07:08 | 00,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/03/14 11:07:08 | 00,600,378 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/03/14 11:07:08 | 00,105,852 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/03/14 11:02:32 | 00,000,000 | ---- | M] () -- C:\Windows\System32\LogConfigTemp.xml
[2009/03/14 11:01:58 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/03/14 11:01:56 | 00,349,222 | -H-- | M] () -- C:\Windows\System32\drivers\vsconfig.xml
[2009/03/14 11:01:45 | 29,510,32832 | -HS- | M] () -- C:\hiberfil.sys
[2009/03/14 00:25:08 | 00,905,384 | -HS- | M] () -- C:\Windows\System32\drivers\fidbox.idx
[2009/03/14 00:24:42 | 01,525,986 | -H-- | M] () -- C:\Users\Taz\AppData\Local\IconCache.db
[2009/03/13 23:38:47 | 00,000,822 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/03/13 22:40:45 | 00,216,474 | ---- | M] () -- C:\Users\Taz\Desktop\prob.jpg
[2009/03/13 22:16:51 | 02,303,448 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/03/13 20:56:03 | 00,026,624 | -HS- | M] () -- C:\Windows\System32\proto.dll
[2009/03/13 20:53:53 | 00,102,256 | ---- | M] () -- C:\Windows\System32\GDIPFONTCACHEV1.DAT
[2009/03/13 20:50:53 | 00,008,224 | ---- | M] () -- C:\Users\Taz\AppData\Local\GDIPFONTCACHEV1.DAT
[2009/03/13 20:29:41 | 00,125,487 | ---- | M] () -- C:\Users\Taz\Desktop\problem 2.jpg
[2009/03/13 20:28:20 | 00,196,247 | ---- | M] () -- C:\Users\Taz\Desktop\problem 1.jpg
[2009/03/10 08:58:34 | 59,001,632 | -HS- | M] () -- C:\Windows\System32\drivers\fidbox(254).dat
[2009/03/10 08:37:38 | 00,349,222 | -H-- | M] () -- C:\Windows\System32\drivers\vsconfig(256).xml
[2009/03/09 22:21:35 | 00,791,816 | -HS- | M] () -- C:\Windows\System32\drivers\fidbox(255).idx
[2009/03/09 19:43:26 | 00,000,959 | ---- | M] () -- C:\rollback.ini
[2009/03/09 17:05:46 | 00,002,583 | ---- | M] () -- C:\Users\Taz\Desktop\Microsoft Office Access 2007.lnk
[2009/03/08 22:17:09 | 00,027,136 | ---- | M] () -- C:\Users\Taz\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/08 17:17:40 | 00,002,627 | ---- | M] () -- C:\Users\Taz\Desktop\Microsoft Office Word 2007.lnk
[2009/03/05 10:56:22 | 00,001,996 | ---- | M] () -- C:\Users\Taz\Desktop\Google Chrome.lnk
[2009/03/01 20:22:41 | 32,837,8611 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2009/03/01 15:34:42 | 00,000,792 | ---- | M] () -- C:\Users\Taz\Desktop\SopCast.lnk
[2009/02/27 23:07:36 | 00,000,947 | ---- | M] () -- C:\Users\Taz\Desktop\Launch Internet Explorer Browser.lnk
[2009/02/27 23:07:36 | 00,000,476 | -HS- | M] () -- C:\Users\Taz\Desktop\desktop.ini
[2009/02/25 20:54:59 | 24,768,960 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mrt.exe
[2009/02/24 14:33:14 | 00,171,760 | -H-- | M] () -- C:\Windows\System32\mlfcache.dat
[2009/02/22 15:09:44 | 00,000,950 | ---- | M] () -- C:\Users\Taz\Desktop\Revolution Media.lnk
[2009/02/19 21:14:41 | 00,048,913 | ---- | M] () -- C:\Windows\UninstVeetleTVPlayer.exe
[2009/02/19 19:31:48 | 00,000,000 | -H-- | M] () -- C:\Users\Taz\Documents\Default.rdp
[2009/02/19 11:19:10 | 00,000,262 | ---- | M] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/02/17 13:27:09 | 00,001,024 | RH-- | M] () -- C:\Users\Public\Documents\NTIMP3.dll
[2009/02/16 19:40:58 | 00,034,064 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\lhacm.acm
[2009/02/15 20:32:11 | 00,001,789 | ---- | M] () -- C:\Users\Public\Desktop\FileZilla Client.lnk
[2009/02/14 19:37:38 | 00,001,891 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 8.lnk
< End of report >


5. I then did a Rooter scan -

Microsoft Windows Vista Home Edition (6.0.6001) Service Pack 1

C:\ [Fixed] - NTFS - (Total:114115 Mo/Free:2121 Mo)
D:\ [Fixed] - NTFS - (Total:114116 Mo/Free:1412 Mo)
E:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)

14/03/2009|17:20

----------------------\\ Processes..

--Locked-- [System Process]
--Locked-- System
---------- \SystemRoot\System32\smss.exe
---------- C:\Windows\system32\csrss.exe
---------- C:\Windows\system32\wininit.exe
---------- C:\Windows\system32\csrss.exe
---------- C:\Windows\system32\services.exe
---------- C:\Windows\system32\lsass.exe
---------- C:\Windows\system32\lsm.exe
---------- C:\Windows\system32\svchost.exe
---------- C:\Windows\system32\nvvsvc.exe
---------- C:\Windows\system32\svchost.exe
---------- C:\Windows\System32\svchost.exe
---------- C:\Windows\System32\svchost.exe
---------- C:\Windows\system32\svchost.exe
--Locked-- audiodg.exe
---------- C:\Windows\system32\SLsvc.exe
---------- C:\Windows\system32\svchost.exe
---------- C:\Windows\system32\winlogon.exe
---------- C:\Windows\system32\svchost.exe
--Locked-- vsmon.exe
---------- C:\Windows\system32\rundll32.exe
--Locked-- ScanningProcess.exe
---------- C:\Windows\System32\spoolsv.exe
--Locked-- ScanningProcess.exe
---------- C:\Windows\system32\taskeng.exe
---------- C:\Windows\system32\svchost.exe
---------- C:\Windows\system32\taskeng.exe
---------- C:\Windows\system32\Dwm.exe
---------- C:\Windows\Explorer.EXE
---------- C:\Windows\RtHDVCpl.exe
---------- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
---------- C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
---------- C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
---------- C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe
---------- C:\Users\Taz\AppData\Local\Temp\RtkBtMnt.exe
---------- C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
---------- C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
---------- C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
---------- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
---------- C:\Acer\Mobility Center\MobilityService.exe
---------- C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
---------- C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
---------- C:\Windows\system32\svchost.exe
---------- C:\Windows\System32\svchost.exe
---------- C:\Windows\system32\SearchIndexer.exe
---------- C:\Windows\system32\DRIVERS\xaudio.exe
---------- C:\Windows\system32\wbem\unsecapp.exe
---------- C:\Windows\system32\wbem\wmiprvse.exe
---------- C:\Program Files\Launch Manager\QtZgAcer.EXE
---------- C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
---------- C:\Program Files\Java\jre6\bin\jusched.exe
--Locked-- zlclient.exe
---------- C:\Windows\System32\rundll32.exe
---------- C:\Windows\ehome\ehtray.exe
---------- C:\Windows\system32\wbem\unsecapp.exe
---------- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
---------- C:\Program Files\Internet Explorer\iexplore.exe
---------- C:\Users\Taz\AppData\Local\Google\Update\GoogleUpdate.exe
---------- C:\Windows\ehome\ehmsas.exe
---------- C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
---------- C:\Program Files\SwiftKit\SwiftKit.exe
---------- C:\Windows\system32\taskeng.exe
---------- C:\Users\Taz\AppData\Local\Google\Chrome\Application\chrome.exe
---------- C:\Users\Taz\AppData\Local\Google\Chrome\Application\chrome.exe
---------- C:\Users\Taz\AppData\Local\Google\Chrome\Application\chrome.exe
---------- C:\Program Files\Safari\Safari.exe
---------- C:\Users\Taz\Downloads\OTListIt2.exe
---------- C:\Windows\notepad.exe
---------- C:\Windows\notepad.exe
---------- C:\Windows\system32\NOTEPAD.EXE
---------- C:\Windows\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!


----------------------\\ Cracks & Keygens..


1 - "C:\Rooter$\Rooter_1.txt" - 14/03/2009|17:21

----------------------\\ Scan completed at 17:21


PS. Straight after the Malwarebytes scan I also ran ATF Cleaner (removed 51 MB worth of stuff).

Edited by Hexzar, 17 March 2009 - 02:31 PM.

  • 0



#2
Hexzar

    Member

  • Topic Starter
  • Member
  • 89 posts
This is the third day. Please can someone help me, I feel like my laptop is getting worse and worse =/
  • 0

#3
XmichouX

    Trusted Helper

  • Retired Staff
  • 1,292 posts
Welcome to the site! :) My name's XmichouX and I'll be helping clean up your computer. :) I'm currently looking over your log. I am still in training here, so there might be a delay between my replies as they need to be checked by an expert before I can post them. I'll need a bit of time to research your log fully, so please bear with me.

Before we proceed to clean your computer from malware, let's go over some points that will help both me and you, and prevent causing damage to your computer:
  • To make sure that you receive an email when I reply to this topic, please click here and check that this topic is listed under Malware Removal - HijackThis™ Logs Go Here.
  • Please don't be afraid to ask questions! No question is considered dumb here. It's better to be safe than sorry!
  • When posting logs, please ensure Wordwrap is turned off in Notepad (to check, open Notepad click on Format | Uncheck Word Wrap)
  • Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
  • NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you see a certain entry or program you're unsure about, please don't hesitate to ask!
  • Make sure you reply to this thread using the Add Reply button.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.


Regards,
  • 0

#4
Hexzar

    Member

  • Topic Starter
  • Member
  • 89 posts
Thank you !!!!!!!!!

And I've read your message and fully understand :)
  • 0

#5
XmichouX

    Trusted Helper

  • Retired Staff
  • 1,292 posts
Hi,

I want you to post the full Rooter log, please.

Regards,
  • 0

#6
Hexzar

    Member

  • Topic Starter
  • Member
  • 89 posts

Microsoft Windows Vista Home Edition (6.0.6001) Service Pack 1

C:\ [Fixed] - NTFS - (Total:114115 Mo/Free:460 Mo)
D:\ [Fixed] - NTFS - (Total:114116 Mo/Free:1338 Mo)
E:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)

18/03/2009|15:28

----------------------\\ Processes..

--Locked-- [System Process]
--Locked-- System
---------- \SystemRoot\System32\smss.exe
---------- C:\Windows\system32\csrss.exe
---------- C:\Windows\system32\wininit.exe
---------- C:\Windows\system32\csrss.exe
---------- C:\Windows\system32\services.exe
---------- C:\Windows\system32\lsass.exe
---------- C:\Windows\system32\lsm.exe
---------- C:\Windows\system32\svchost.exe
---------- C:\Windows\system32\nvvsvc.exe
---------- C:\Windows\system32\svchost.exe
---------- C:\Windows\System32\svchost.exe
---------- C:\Windows\System32\svchost.exe
---------- C:\Windows\system32\svchost.exe
--Locked-- audiodg.exe
---------- C:\Windows\system32\SLsvc.exe
---------- C:\Windows\system32\svchost.exe
---------- C:\Windows\system32\winlogon.exe
---------- C:\Windows\system32\svchost.exe
--Locked-- vsmon.exe
---------- C:\Windows\system32\rundll32.exe
--Locked-- ScanningProcess.exe
---------- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
---------- C:\Windows\System32\spoolsv.exe
--Locked-- ScanningProcess.exe
---------- C:\Windows\system32\taskeng.exe
---------- C:\Windows\system32\svchost.exe
---------- C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
---------- C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
---------- C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
---------- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
---------- C:\Acer\Mobility Center\MobilityService.exe
---------- C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
---------- C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
---------- C:\Windows\system32\svchost.exe
---------- C:\Windows\System32\svchost.exe
---------- C:\Windows\system32\SearchIndexer.exe
---------- C:\Windows\system32\DRIVERS\xaudio.exe
---------- C:\Windows\system32\wbem\unsecapp.exe
---------- C:\Windows\system32\wbem\wmiprvse.exe
---------- C:\Windows\system32\wbem\unsecapp.exe
---------- C:\Windows\system32\taskeng.exe
---------- C:\Windows\system32\Dwm.exe
---------- C:\Windows\Explorer.EXE
---------- C:\Windows\RtHDVCpl.exe
---------- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
---------- C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe
---------- C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
---------- C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe
---------- C:\Windows\system32\wbem\unsecapp.exe
---------- C:\Program Files\Launch Manager\QtZgAcer.EXE
---------- C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
---------- C:\Program Files\Java\jre6\bin\jusched.exe
--Locked-- zlclient.exe
---------- C:\Windows\System32\rundll32.exe
---------- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
---------- C:\Windows\ehome\ehtray.exe
---------- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
---------- C:\Users\Taz\AppData\Local\Google\Update\GoogleUpdate.exe
---------- C:\Users\Taz\AppData\Local\Temp\RtkBtMnt.exe
---------- C:\Windows\ehome\ehmsas.exe
---------- C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
---------- C:\Program Files\Microsoft Office\Office12\MSACCESS.EXE
---------- C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
---------- C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
---------- C:\Windows\system32\Taskmgr.exe
---------- C:\Windows\system32\taskeng.exe
---------- C:\Windows\System32\svchost.exe
---------- C:\Windows\system32\taskeng.exe
---------- C:\Windows\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!



1 - "C:\Rooter$\Rooter_1.txt" - 14/03/2009|17:21
2 - "C:\Rooter$\Rooter_2.txt" - 18/03/2009|14:55
3 - "C:\Rooter$\Rooter_3.txt" - 18/03/2009|15:30

----------------------\\ Scan completed at 15:30


  • 0

#7
XmichouX

    Trusted Helper

  • Retired Staff
  • 1,292 posts
Hi,

You know, Zone Labs takes so many resources, maybe that's also why your PC is running slowly..
Is it only a firewall, or is it the complete version?

Did you set this setting:

O1 - Hosts: 127.0.0.1 activate.adobe.com


~ I strongly advise you to delete all your cracks and to remove all your P2P software.
Nowadays it's the main vector of infections.

~~ Looking at your system now, one or more of the identified infections is a backdoor Trojan.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

1) Run OTListIt2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    PRC - C:\Windows\System32\ZoneLabs\vsmon.exe (Check Point Software Technologies LTD)
    PRC - C:\Windows\System32\ZoneLabs\avsys\ScanningProcess.exe ()
    PRC - C:\Windows\System32\ZoneLabs\avsys\ScanningProcess.exe ()
    PRC - C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
    O4 - HKCU..\Run: [cgi-bin] C:\Windows\cgi-bin.exe ()
    
    :Files
    C:\Users\Taz\Downloads\Camtasia
    C:\Users\Taz\Downloads\Camtasia
    C:\Users\Taz\Downloads\Photoshop
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL2 log (don't check the boxes beside LOP Check or Purity this time)

2)
  • Please go to VirScan
  • Copy and paste the following file path into the Suspicious files to scan box.
    o C:\WINDOWS\system32\proto.dll
  • Click on the Upload button
  • Once the Scan has completed, click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Regards,
  • 0
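As an added triage example (this is not code from the thread, from OTL, from Rooter or from any other tool named here): a small Python script that parses OTL-style O4 autorun and PRC process lines like the ones quoted in the logs above and flags the entries a helper would look at first: a Run entry whose file is missing, an empty publisher field (the "()" on the cgi-bin entry removed in the fix above), an executable under a user-writable directory, and a system process name running from outside System32. The sample lines are copied from the logs in this thread, except the last one, which is constructed to exercise the masquerading check. The flag names, the directory markers and the process-name list are my own choices, not anything the tools define.

```python
"""Triage helper for OTL/OTListIt-style "O4 - ...\\Run" and "PRC - ..." lines.

Added example for this thread; not part of OTL, Rooter or any other tool named
in the posts. Each flag is a reason to look closer (for instance with the
VirScan upload suggested above), not a verdict that the entry is malicious.
"""
import os
import re

# "O4 - HKLM..\Run: [name] command (Publisher)" -- the publisher is split off below
# because some entries have no parentheses at all (e.g. "File not found").
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
# "PRC - path (Publisher)"
PRC_RE = re.compile(r"^PRC - (?P<rest>.*)$")
# First executable/library path in a command line, quoted or not, up to its extension.
PATH_RE = re.compile(r'"?([^"]*?\.(?:exe|dll|cpl|ocx|scr))"?', re.IGNORECASE)

# Directory markers a standard user can write to (my own list, lower-cased).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
# Core Windows process names that normally live only in System32 (my own list).
SYSTEM_NAMES = {"lsass.exe", "csrss.exe", "svchost.exe", "services.exe",
                "smss.exe", "winlogon.exe", "wininit.exe", "lsm.exe"}


def split_publisher(rest):
    """Return (command, publisher); publisher is None when no '(...)' is present."""
    rest = rest.strip()
    if rest.endswith(")") and "(" in rest:
        i = rest.rfind("(")
        return rest[:i].strip(), rest[i + 1:-1].strip()
    return rest, None


def exe_path(command):
    """Best-effort path of the binary a command line launches."""
    m = PATH_RE.search(command)
    return m.group(1) if m else command


def basename(path):
    return os.path.basename(path.replace("\\", "/"))


def flags_for(command, publisher):
    """Apply the four heuristics in a fixed order and return the flags raised."""
    flags = []
    if publisher is None and command.lower() == "file not found":
        flags.append("file-not-found")          # orphaned Run entry
    if publisher == "":
        flags.append("no-publisher")            # OTL found no company/version string
    if any(marker in command.lower() for marker in USER_WRITABLE):
        flags.append("user-writable-path")      # autorun from a user-controlled folder
    path = exe_path(command)
    if basename(path).lower() in SYSTEM_NAMES and "\\windows\\system32\\" not in path.lower():
        flags.append("system-name-outside-system32")  # name mimics a core process
    return flags


def triage(lines):
    """Return [(label, [flags...])] for every O4/PRC line that raises at least one flag."""
    results = []
    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            label, rest = m.group("name"), m.group("rest")
        else:
            m = PRC_RE.match(line)
            if not m:
                continue                        # not a line type this helper understands
            label, rest = None, m.group("rest")
        command, publisher = split_publisher(rest)
        if label is None:
            label = basename(exe_path(command))
        flags = flags_for(command, publisher)
        if flags:
            results.append((label, flags))
    return results


SAMPLE_LINES = [
    # Copied from the OTL sections quoted in this thread:
    r"O4 - HKLM..\Run: [eRecoveryService] File not found",
    r"O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)",
    r"O4 - HKLM..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide (Microsoft Corporation)",
    r"O4 - HKCU..\Run: [cgi-bin] C:\Windows\cgi-bin.exe ()",
    r'O4 - HKCU..\Run: [Google Update] "C:\Users\Taz\AppData\Local\Google\Update\GoogleUpdate.exe" /c (Google Inc.)',
    r"PRC - C:\Windows\System32\ZoneLabs\avsys\ScanningProcess.exe ()",
    # Constructed line (not from the thread) to exercise the masquerading check:
    r"O4 - HKCU..\Run: [svchost] C:\Users\Example\AppData\Roaming\svchost.exe ()",
]

if __name__ == "__main__":
    for label, flags in triage(SAMPLE_LINES):
        print(f"{label:20s} {', '.join(flags)}")
```

Two of the hits show why the output is a worklist rather than a verdict: Google Update is installed under AppData by design and carries a publisher string, and ZoneAlarm's ScanningProcess.exe simply ships without version information, so both trip a heuristic while being expected on this machine. The cgi-bin entry, by contrast, has no publisher, sits directly in C:\Windows and was not found on disk when the fix ran, which is the pattern worth confirming with an upload to a multi-engine scanner before deciding.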

#8
Hexzar

    Member

  • Topic Starter
  • Member
  • 89 posts
Hi, I just don't understand what the problem could be. It's not ZoneAlarm, I mean my laptop is like 2 months old, 4 GB RAM (2.7 GB physical), 2.1 GHz processor... It was fast just 4/5 days ago and then I just don't know what happened =/ I go on YouTube and it nearly kills the laptop, I try to open up another browser and it's major lag. It's never done this before, and I've done many scans and it's made hardly any difference...

1. Please could you elaborate in more detail on what you mean by this

O1 - Hosts: 127.0.0.1 activate.adobe.com


2. Here's your OT log -

========== OTLISTIT ==========
Process explorer.exe killed successfully!
No active process named vsmon.exe was found!
No active process named ScanningProcess.exe was found!
No active process named ScanningProcess.exe was found!
No active process named zlclient.exe was found!
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\cgi-bin deleted successfully.
File C:\Windows\cgi-bin.exe not found.
========== FILES ==========
C:\Users\Taz\Downloads\Camtasia moved successfully.
File/Folder C:\Users\Taz\Downloads\Camtasia not found.
C:\Users\Taz\Downloads\Photoshop\cRaCkInG-kIt\cRaCkInG-kIt\CS4 Cracking Kit moved successfully.
C:\Users\Taz\Downloads\Photoshop\cRaCkInG-kIt\cRaCkInG-kIt moved successfully.
C:\Users\Taz\Downloads\Photoshop\cRaCkInG-kIt moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe_Photoshop_CS4_Extended\Adobe Photoshop CS4 Extended\CS4 Cracking Kit moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe_Photoshop_CS4_Extended\Adobe Photoshop CS4 Extended moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe_Photoshop_CS4_Extended moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\resources\scripts moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\resources\media\img moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\resources\media\css moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\resources\media moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\resources\common\scripts moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\resources\common\info moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\resources\common\error moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\resources\common\alert1 moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\resources\common moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\resources moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\redist moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\kuler2.0-mul moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeXMPPanelsAll moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeWinSoftLinguisticsPluginAll_x64 moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeWinSoftLinguisticsPluginAll moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeVideoProfilesCS2-mul moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeTypeSupport9-mul-x64 moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeTypeSupport9-mul moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeSuiteSharedConfiguration-mul moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeServiceManager-mul moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeSearchforHelp-mul moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobePhotoshop11-Support moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobePhotoshop11-Driver moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobePhotoshop11-Core_x64 moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobePhotoshop11-Core moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobePDFSettings9-mul moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobePDFSettings9-ja_JP moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobePDFL9-mul-x64 moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobePDFL9-mul moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeOutputModuleAll moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeLinguisticsAll_x64 moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeLinguisticsAll moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeFontsAllx64 moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeFontsAll moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeExtensionManager2All moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeExtendScriptToolkit3.0.0All moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeDrivex64All moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeDriveAll moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeDeviceCentral2-mul moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeDefaultLanguage2-mul moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeCSIx64All moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeCSIAll moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeConnect-mul moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeColorPhotoshop2-mul moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeColorNA_Recommended2-mul moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeColorNA_ExtraSettings2-mul moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeColorJA_Recommended2-mul moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeColorJA_ExtraSettings2-mul moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeColorEU_Recommended2-mul moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeColorEU_ExtraSettings2-mul moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeColorCommonSetRGB2-mul moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeColorCommonSetCMYK2-mul moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeCMaps2-mul-x64 moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeCMaps2-mul moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeCameraRaw5.0All-x64 moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeCameraRaw5.0All moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeBridge3All moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeAUM6.0All moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeAMP-mul\Adobe AIR\Versions\1.0\Resources moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeAMP-mul\Adobe AIR\Versions\1.0 moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeAMP-mul\Adobe AIR\Versions moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeAMP-mul\Adobe AIR moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeAMP-mul moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeAMP-fr_FR moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeALMAnchorService2-mul-x64 moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeALMAnchorService2-mul moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeAIR1.0\Adobe AIR\Versions\1.0\Resources moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeAIR1.0\Adobe AIR\Versions\1.0 moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeAIR1.0\Adobe AIR\Versions moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeAIR1.0\Adobe AIR moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads\AdobeAIR1.0 moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\payloads moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\DeviceCentral2LP-fr_CA\SharedSupport moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\DeviceCentral2LP-fr_CA\Assets moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\DeviceCentral2LP-fr_CA moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\DeviceCentral2LP-es_MX\SharedSupport moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\DeviceCentral2LP-es_MX\Assets moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\DeviceCentral2LP-es_MX moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\DeviceCentral2LP-en_US\SharedSupport moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\DeviceCentral2LP-en_US\Assets moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\DeviceCentral2LP-en_US moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\DeviceCentral2LP-en_GB\SharedSupport moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\DeviceCentral2LP-en_GB\Assets moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\DeviceCentral2LP-en_GB moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\AdobePhotoshop11-fr_CA_x64\SharedSupport moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\AdobePhotoshop11-fr_CA_x64\Assets moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\AdobePhotoshop11-fr_CA_x64 moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\AdobePhotoshop11-fr_CA\SharedSupport moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\AdobePhotoshop11-fr_CA\Assets moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\AdobePhotoshop11-fr_CA moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\AdobePhotoshop11-es_MX_x64\SharedSupport moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\AdobePhotoshop11-es_MX_x64\Assets moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\AdobePhotoshop11-es_MX_x64 moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\AdobePhotoshop11-es_MX\SharedSupport moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\AdobePhotoshop11-es_MX\Assets moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\AdobePhotoshop11-es_MX moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\AdobePhotoshop11-en_US_x64\SharedSupport moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\AdobePhotoshop11-en_US_x64\Assets moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\AdobePhotoshop11-en_US_x64 moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\AdobePhotoshop11-en_US\SharedSupport moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\AdobePhotoshop11-en_US\Assets moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\AdobePhotoshop11-en_US moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\AdobePhotoshop11-en_GB_x64\SharedSupport moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\AdobePhotoshop11-en_GB_x64\Assets moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\AdobePhotoshop11-en_GB_x64 moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\AdobePhotoshop11-en_GB\SharedSupport moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\AdobePhotoshop11-en_GB\Assets moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions\AdobePhotoshop11-en_GB moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\extensions moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4\Deployment moved successfully.
C:\Users\Taz\Downloads\Photoshop\Adobe CS4 moved successfully.
C:\Users\Taz\Downloads\Photoshop moved successfully.
========== COMMANDS ==========
File delete failed. C:\Users\Taz\AppData\Local\Temp\etilqs_dqMrGtRioLFfj1y scheduled to be deleted on reboot.
File delete failed. C:\Users\Taz\AppData\Local\Temp\RtkBtMnt.exe scheduled to be deleted on reboot.
File delete failed. C:\Users\Taz\AppData\Local\Temp\~DF1F2A.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\Taz\AppData\Local\Temp\~DF25BF.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\Windows\temp\ZLT07a58.TMP scheduled to be deleted on reboot.
Windows Temp folder emptied.
Temp folders emptied.
Explorer started successfully

OTListIt2 by OldTimer - Version 2.0.3.6 log created on 03192009_181121

Files moved on Reboot...
File C:\Users\Taz\AppData\Local\Temp\etilqs_dqMrGtRioLFfj1y not found!
C:\Users\Taz\AppData\Local\Temp\RtkBtMnt.exe moved successfully.
C:\Users\Taz\AppData\Local\Temp\~DF1F2A.tmp moved successfully.
C:\Users\Taz\AppData\Local\Temp\~DF25BF.tmp moved successfully.
File C:\Windows\temp\ZLT07a58.TMP not found!

Registry entries deleted on Reboot...

3. And here is your proto.dll scan result - (clipboard copy didn't work for some reason)

Scanner results : 38% Scanner(14/37) found malware!
Time : 2009/03/19 18:45:33 (GMT)
Scanner Engine Ver Sig Ver Sig Date Scan result Time
a-squared 4.0.0.32 20090318163345 2009-03-18
Trojan.Win32.Dursg!IK
2.471
AhnLab V3 2009.03.20.00 2009.03.20 2009-03-20
-
1.078
AntiVir 7.9.0.120 7.1.2.192 2009-03-19
TR/Crypt.XPACK.Gen
1.951
Antiy 2.0.18 20090319.2221056 2009-03-19
-
0.121
Authentium 5.1.1 200903191510 2009-03-19
W32/Trojan2.FUQT (Exact)
1.090
AVAST! 3.0.1 090319-0 2009-03-19
Win32:Trojan-gen {Other}
0.874
AVG 7.5.52.442 270.11.15/2004 2009-03-16
Agent.AZGT
1.956
BitDefender 7.81008.2800899 7.24294 2009-03-20
-
2.609
CA (VET) 9.0.0.143 31.6.6406 2009-03-19
-
5.337
ClamAV 0.94.2 9141 2009-03-20
-
0.011
Comodo 3.8 1066 2009-03-18
TrojWare.Win32.Buzus.~IP
0.528
CP Secure 1.1.0.715 2009.03.20 2009-03-20
-
7.486
Dr.Web 4.44.0.9170 2009.03.19 2009-03-19
Trojan.DownLoad.28439
4.207
F-Prot 4.4.4.56 20090319 2009-03-19
W32/Trojan2.FUQT (exact)
1.083
F-Secure 5.51.6100 2009.03.19.11 2009-03-19
-
4.895
Fortinet 2.81-3.117 10.175 2009-03-18
-
0.264
GData 19.4079/19.268 20090319 2009-03-19
Win32:Trojan-gen {Other} [Engine:B]
3.368
Ikarus T3.1.01.48 2009.03.19.72448 2009-03-19
Trojan.Win32.Dursg
4.820
JiangMin 11.0.706 2009.03.19 2009-03-19
-
2.446
Kaspersky 5.5.10 2009.03.19 2009-03-19
-
0.043
KingSoft 2009.2.5.15 2009.3.19.20 2009-03-19
-
0.634
McAfee 5.3.00 5558 2009-03-19
-
2.642
Microsoft 1.4502 2009.03.19 2009-03-19
-
4.246
mks_vir 2.01 2009.03.19 2009-03-19
-
2.705
Norman 6.00.06 6.00.00 2009-03-19
-
8.009
nProtect 20090319.01 3349088 2009-03-19
Trojan/W32.Buzus.66560.E
4.658
Panda 9.05.01 2009.03.19 2009-03-19
-
1.650
Quick Heal 10.00 2009.03.19 2009-03-19
-
2.023
Rising 20.0 21.21.32.00 2009-03-19
-
0.814
Sophos 2.84.1 4.39 2009-03-20
-
2.141
Sunbelt 5049 5049 2009-03-18
Trojan.Crypt.XPACK.Gen
0.555
Symantec 1.3.0.24 20090319.017 2009-03-19
-
0.047
The Hacker 6.3.2.7 v00285 2009-03-19
-
0.558
Trend Micro 8.700-1004 5.906.01 2009-03-19
-
0.026
VBA32 3.12.10.1 20090318.1617 2009-03-18
Win32.Agent.OTV
1.723
ViRobot 20090319 2009.03.19 2009-03-19
-
0.413
VirusBuster 4.5.11.10 10.102.15/983661 2009-03-19
Trojan.Buzus.CXK
1.209
NOTICE: It may be false positive by some scanners when they found a malware, so you should judge it by yourself.


Report link - http://virscan.org/r...0219eaf582.html

Edited by Hexzar, 19 March 2009 - 01:03 PM.

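The multi-engine report in the post above was pasted in a flattened form: one line per engine (name, engine version, signature version, signature date), then the verdict line ("-" meaning clean), then the scan time in seconds. As an added example, not code from the thread or from virscan.org, here is a small Python parser that rebuilds one record per engine from that layout and computes the detection ratio. The text embedded in it is a constructed excerpt of the report above, so the counts it produces cover the excerpt only, while the "Scanner(14/37)" line is the report's own claimed total; the mismatch between the two is exactly the truncated-paste case a reader of such reports should check for.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpt in the same flattened layout as the pasted report: one
# line per engine ("name engine_ver sig_ver sig_date"), then its verdict line
# ("-" means clean), then the scan time in seconds.
SAMPLE_REPORT = """\
Scanner results : 38% Scanner(14/37) found malware!
Time : 2009/03/19 18:45:33 (GMT)
Scanner Engine Ver Sig Ver Sig Date Scan result Time
a-squared 4.0.0.32 20090318163345 2009-03-18
Trojan.Win32.Dursg!IK
2.471
AhnLab V3 2009.03.20.00 2009.03.20 2009-03-20
-
1.078
AntiVir 7.9.0.120 7.1.2.192 2009-03-19
TR/Crypt.XPACK.Gen
1.951
CA (VET) 9.0.0.143 31.6.6406 2009-03-19
-
5.337
NOTICE: It may be false positive by some scanners when they found a malware, so you should judge it by yourself.
"""

# Engine header: a name that may contain spaces (non-greedy), two version
# tokens, and a YYYY-MM-DD signature date anchored at the end of the line.
HEADER_RE = re.compile(
    r"^(?P<name>.+?) (?P<engine>\S+) (?P<sig>\S+) (?P<date>\d{4}-\d{2}-\d{2})$"
)
CLAIMED_RE = re.compile(r"Scanner\((?P<hits>\d+)/(?P<total>\d+)\)")


@dataclass
class EngineResult:
    name: str
    engine_version: str
    signature_version: str
    signature_date: str
    verdict: Optional[str]  # None when the engine reported the file clean ("-")
    seconds: float


def parse_report(text: str) -> List[EngineResult]:
    """Rebuild one record per engine from the three-line flattened layout."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    results: List[EngineResult] = []
    i = 0
    while i + 2 < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m:
            i += 1  # preamble, NOTICE and anything else that is not an engine header
            continue
        verdict_line, time_line = lines[i + 1], lines[i + 2]
        try:
            seconds = float(time_line)
        except ValueError:
            i += 1  # malformed record: do not let it swallow the next header
            continue
        results.append(EngineResult(
            name=m["name"],
            engine_version=m["engine"],
            signature_version=m["sig"],
            signature_date=m["date"],
            verdict=None if verdict_line == "-" else verdict_line,
            seconds=seconds,
        ))
        i += 3
    return results


def detections(results: List[EngineResult]) -> List[Tuple[str, str]]:
    """(engine, verdict) for every engine that flagged the file."""
    return [(r.name, r.verdict) for r in results if r.verdict is not None]


def detection_ratio(results: List[EngineResult]) -> Tuple[int, int]:
    """Hits over engines actually present in the parsed text."""
    return len(detections(results)), len(results)


def claimed_ratio(text: str) -> Optional[Tuple[int, int]]:
    """The hits/total the report itself states in its 'Scanner results' line."""
    m = CLAIMED_RE.search(text)
    return (int(m["hits"]), int(m["total"])) if m else None


def report_is_complete(text: str) -> bool:
    """True only when the number of parsed engines matches the report's own total."""
    claimed = claimed_ratio(text)
    return claimed is not None and claimed[1] == len(parse_report(text))


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print("parsed engines:", detection_ratio(parsed), "claimed:", claimed_ratio(SAMPLE_REPORT))
    print("complete paste:", report_is_complete(SAMPLE_REPORT))
    for engine, verdict in detections(parsed):
        print(f"  {engine}: {verdict}")
```

Reading the ratio is only half the job: the verdict names themselves carry signal. Several engines in the full report agree on a family (Buzus, Dursg) while others return generic packer or heuristic names, and agreement on a named family is stronger evidence than a lone generic hit, which is the point of the report's own NOTICE about false positives.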

#9
XmichouX
    Trusted Helper
  • Retired Staff
  • 1,292 posts
Hi,

1)
  • Launch Malwarebytes' Anti-Malware
  • Update it.
  • Then, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

2) Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

Regards,

#10
Hexzar
    Member
  • Topic Starter
  • Member
  • 89 posts
It found no malicious problems...

Malwarebytes' Anti-Malware 1.34
Database version: 1880
Windows 6.0.6001 Service Pack 1

21/03/2009 13:36:44
mbam-log-2009-03-21 (13-36-44).txt

Scan type: Quick Scan
Objects scanned: 61514
Time elapsed: 14 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



As for the Kaspersky thing, it doesn't work in Google Chrome, so when I try in IE7, it doesn't work either. It gets to the updating but then crashes; I'll try and print screen you the message.

#11
XmichouX
    Trusted Helper
  • Retired Staff
  • 1,292 posts
Hi,

Okay.

#12
Hexzar
    Member
  • Topic Starter
  • Member
  • 89 posts
Guess I have no option but to rebuild, eh...?

#13
Hexzar
    Member
  • Topic Starter
  • Member
  • 89 posts
kasper

Sunday, March 22, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, March 22, 2009 14:18:32
Records in database: 1950646
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
Scan statistics
Files scanned 125163
Threat name 1
Infected objects 1
Suspicious objects 0
Duration of the scan 03:10:34

File name Threat name Threats count
C:\Users\Taz\AppData\Roaming\Microsoft\Windows\mes32.exe Infected: Trojan.Win32.Agent.bwoc 1
The selected area was scanned.



#14
XmichouX
    Trusted Helper
  • Retired Staff
  • 1,292 posts
Hi,

Run OTList2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    
    :Files
    C:\Users\Taz\AppData\Roaming\Microsoft\Windows\mes32.exe
    C:\WINDOWS\system32\proto.dll
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL2 log ( don't check the boxes beside LOP Check or Purity this time )

Regards,

#15
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.