Just Completed Scanning with Combofix

This topic is locked

#1 Jmac22 (New Member, 4 posts)

I have an Aspire 4730 laptop with Vista that was showing a huge amount of "bytes sent" activity. On a speed test my download was great but uploading was 1% of what it should have been. Sites were opening very slowly. I tried all the usual suspects for removal to no avail until I found Combofix. I disabled the necessary programs and ran it. I now have a log and would like to have an expert in these matters look it over and point me in the right direction as to how to conclude this work. In the meantime, I will leave the laptop paused as-is. Thank you for any help.


#2 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)

Hi jmac22,

Sorry for the delay.

Welcome to Geekstogo. My name is Salagubang and I'll be helping you with this problem.

  • Please read all of my response through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead, please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.
  • English is not my first language, so please do not use slang or idioms, as this makes it difficult to understand for me.

+++++++++++++++++++++++++++++++++++++++++++

Let's see your logs. :D

#3 Jmac22 (Topic Starter, New Member, 4 posts)

Hi Salagubang,

Below you will find my Combofix log.
After running Combofix, I reinstalled AVG 2011 free edition.
I ran a scan with AVG.
I updated and ran a scan with Malwarebytes.
I downloaded and installed Spyware Guard and Spyware Blaster.
I've been using the laptop since then and it has been performing quite well.
However, I do not know if there is something more I should have done after running Combofix.
Your evaluation of my Combofix log and any recommendation you can give me are much appreciated.

ComboFix 11-03-18.01 - Karri 03/18/2011 21:05:49.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1977.1055 [GMT -4:00]
Running from: c:\users\Karri\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\ccrpTmr6.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-02-19 to 2011-03-19 )))))))))))))))))))))))))))))))
.
.
2011-03-19 01:17 . 2011-03-19 01:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-18 23:21 . 2011-03-18 23:21 -------- dc----w- c:\programdata\{870E601A-FE70-4098-94B2-6E9963FCAA51}
2011-03-14 17:50 . 2011-03-14 17:50 -------- d--h--w- c:\programdata\Common Files
2011-03-09 15:52 . 2010-12-29 17:41 323072 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 15:52 . 2010-12-29 17:41 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 15:52 . 2010-12-29 17:39 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-09 15:52 . 2010-12-29 17:41 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-09 15:52 . 2010-12-17 16:43 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-03-09 15:52 . 2010-12-17 15:06 677888 ----a-w- c:\windows\system32\mstsc.exe
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-08 07:50 . 2011-02-10 00:37 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 05:57 . 2011-02-10 00:37 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:25 . 2011-02-10 00:38 2038784 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 14:57 . 2011-01-12 16:09 409600 ----a-w- c:\windows\system32\odbc32.dll
2010-12-20 23:09 . 2010-07-08 17:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-07-08 17:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-20 15:40 . 2011-02-10 00:37 833024 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 15:37 . 2011-02-10 00:37 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 14:12 . 2011-02-10 00:37 389632 ----a-w- c:\windows\system32\html.iec
2010-12-20 13:51 . 2011-02-10 00:37 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-10 16:44 . 2009-12-10 12:41 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-07-30 00:52 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-15 68856]
"SmileboxTray"="c:\users\Karri\AppData\Roaming\Smilebox\SmileboxTray.exe" [2009-06-08 266888]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-04-29 321328]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-06-20 6244896]
"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-07-30 526896]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-26 28672]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-07-02 850440]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-07-22 159744]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-09-10 30192]
"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-08-01 405504]
"ArcadeDeluxeAgent"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe" [2008-07-24 147456]
"CLMLServer"="c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe" [2008-07-24 167936]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2008-07-19 167936]
"Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
"Acer Product Registration"="c:\program files\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"TkBellExe"="c:\program files\Real\RealPlayer\Update\realsched.exe" [2010-12-30 274608]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 170520]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-30 136176]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-26 131072]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-09-10 30192]
R3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\DRIVERS\PTDUBus.sys [2008-08-11 33024]
R3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\DRIVERS\PTDUMdm.sys [2008-08-11 41344]
R3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\DRIVERS\PTDUVsp.sys [2008-08-11 39936]
R3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\DRIVERS\PTDUWWAN.sys [2008-08-11 59904]
S2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl [2008-07-19 61424]
S2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
S2 CLHNService;CLHNService;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [2008-01-17 81504]
S2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-06-02 24576]
S2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-26 45056]
S2 NTIPPKernel;NTIPPKernel;c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys [2008-01-17 122368]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2008-05-31 93968]
S3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28.sys [2008-07-01 388096]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-30 20:46]
.
2011-03-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-30 20:46]
.
2011-02-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-926228760-4219634866-1347585790-1000.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 16:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=0109&m=aspire_4730z
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
Trusted Zone: plaxo.com\www
FF - ProfilePath - c:\users\Karri\AppData\Roaming\Mozilla\Firefox\Profiles\y77hk2h8.default\
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cc6e974&v=6.010.006.004&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{b9b97401-98e1-4942-930d-c36652dab7f2} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{B9B97401-98E1-4942-930D-C36652DAB7F2} - (no file)
HKLM-Run-eRecoveryService - (no file)
AddRemove-StepMania - c:\users\Karri\Documents\Rose's Folder\StepMania\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-18 21:18
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-03-18 21:30:27
ComboFix-quarantined-files.txt 2011-03-19 01:30
.
Pre-Run: 60,033,789,952 bytes free
Post-Run: 60,056,997,888 bytes free
.
- - End Of File - - 3411411849D27C1D0F7231E5CAE2B101


Thank you for your help.

#4 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)

Hi jmac22,

Please run a free online scan with the ESET Online Scanner.
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


#5 Jmac22 (Topic Starter, New Member, 4 posts)

Hi Salagubang,

Before I do what you instructed me to do, could you please explain my Combofix log to me?
Tell me if there are any problems that you see.
If you could provide a brief summary of what Combofix found, I would appreciate that.

Thanks.

#6 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)

Hi Jmac22,

You have been infected with an information stealer installed on your computer.

Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a way of accessing a computer system that bypasses security mechanisms and can steal sensitive information like passwords, personal and financial data, which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.
If your computer was used for online banking, has credit card information or other sensitive data on it, I suggest you do the following.
  • All passwords should be changed to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed using a different computer and not the infected one. If you use the infected computer, an attacker may get the new passwords and transaction information.
  • Banking and credit card institutions should be notified of the possible security breach.

c:\windows\system32\ccrpTmr6.dll

Ref: http://www.symantec....-070715-1911-99

Spyware.ChatWatch is a spyware program that can record online chat conversations.

You need to do a system scan for remnants.
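One way to produce the kind of summary asked for in #5, as an added example that is not code from this thread or from ComboFix: a small Python triage of the log's own sections, run here over an excerpt constructed from the log posted above. The rules it applies (everything under "Other Deletions", Run/RunOnce entries that ComboFix marks [X] or that point under a user profile, and a non-empty AppInit_DLLs) are assumptions about what a reviewer would want flagged for a closer look, not a verdict on any entry.

```python
import re

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")           # (((( Section Name ))))
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")                # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*"?([^"\[]*?)"?\s*(\[[^\]]*\])?\s*$')

# Constructed sample: an excerpt of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
(((((((((( Other Deletions ))))))))))
.
c:\windows\system32\ccrpTmr6.dll
.
(((((((((( Reg Loading Points ))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmileboxTray"="c:\users\Karri\AppData\Roaming\Smilebox\SmileboxTray.exe" [2009-06-08 266888]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-04-29 321328]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
"""

def triage(log_text):
    """Return (severity, item, note) tuples in log order; rules are assumptions."""
    findings, section, key = [], None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix pads sections with "." lines
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1), None
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        if section == "Other Deletions":      # anything listed here was removed by ComboFix
            findings.append(("high", line, "deleted by ComboFix; identify it from quarantine"))
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data, tag = m.group(1), m.group(2).strip(), m.group(3)
        if key.endswith(("\\run", "\\runonce")):
            if tag == "[X]":                  # ComboFix marks an unresolvable target with [X]
                findings.append(("low", name, "autorun target missing; stale entry"))
            elif data.lower().startswith("c:\\users\\"):
                findings.append(("medium", name, "autorun from a user-writable profile path"))
        elif name.lower() == "appinit_dlls" and data:
            findings.append(("medium", name, data + " is loaded into every GUI process"))
    return findings
```

Running `triage(SAMPLE_LOG)` flags the deleted ccrpTmr6.dll first, then the profile-path autorun, the stale [X] RunOnce entry and the AppInit_DLLs value, while the Program Files entry passes.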

#7 Jmac22 (Topic Starter, New Member, 4 posts)

OK,

I will do the scan and report back to you soon.

Thank you for the information.

JMac

#8 Salagubang (Trusted Helper, Malware Removal, 3,891 posts)

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.