TechSpot

Trying to tame my temp directory that may be virused and breeding files

By tricsim
Dec 29, 2010
  1. Hi all,
    I have a problem similar to many posters with the temp folder.

    I have Vista Home Premium running on an Acer Aspire 6920 notebook.

    Some time ago I noticed that my temp folder (user...appdata... local\temp) was full to 5 gig of directories and files. I removed all the temp files (except a few that would not budge) and essentially I had loads of space.
    That was only for a short time and suddenly my temp folder was clogged again.

    With the size of my drive and lack of time I put fixing it off to a rainy day.

    That was until a couple of days ago when I received a call from an alleged MS partner in India who may have got my details legitimately or by foul means.

    He was persuasive and suggested I look at my event log administrator custom view, and I told him I had 8700+ events with quite a few RED errors. He said that was terrible and suggested I run the command prefetch, and again he said that the loads of entries were terrible and I must have a polymorphic virus.

    He gave me the company website and his phone number and was satisfied to ring back in an hour.

    I fobbed him off an hour later and started looking at various areas, including my old friend the growing temp folder.

    To start the ball rolling I ran a full scan with my virus checker, AVG 2011, and found no errors.

    I ran a check with PC Tools Spyware / antivirus and no infections.

    I then had a more detailed look at temp again and found numerous copies of loads of files with names that started with temp1_<somename>, temp2_<somename> ... temp29_<somename>, filling up to 43,700 files.

    I ran AVG PC Tuneup and the temp files were deleted and then came flooding back.

    With the strong suspicion I had a virus, I searched for a site that identified the full temp symptoms and found this forum.

    I located the 8 steps post and started the process.

    Running TFC, the temp files went and have not flooded back, so that may be fixed, but I continued to run the other steps and record the log files. None showed any infection.

    I now wonder if anyone can give the scenario some meaning and perhaps convince me that I have overcome the problem. I should add that the temp folder is having temp files added very slowly; I'm up to 20 or so files!

    Also, is the possibility of a polymorphic virus detectable?

    Excuse my long-winded post.

    I can't see how to attach files at this time.

    tricsim
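    The post above describes a Temp folder refilling with entries named temp1_<name> through temp29_<name>. Before any cleaner runs, the useful first step is to measure what is actually there: which base names repeat, how much space they take, what was written most recently, and whether any executable content is sitting in Temp (that is what deserves a hash and an Authenticode check, not the data files). The Python script below is an added example for this thread, not code from the post or from any tool it mentions; the sample tree it builds is constructed to mirror the naming the post describes, and the file name setup_helper.exe in it is hypothetical. It does not tell you which process is writing the files: for that, watch the folder with a file-system monitor such as Process Monitor while the growth is happening. One caveat worth knowing when reading the group names: Windows Explorer's Compressed Folders feature creates folders in %TEMP% named exactly this way (Temp1_<archive>.zip, then Temp2_... when the same archive is opened again) whenever a file is opened directly from inside a zip, so repeated base names that match archives the user has been opening are an ordinary explanation to rule out before concluding anything about malware.

```python
"""Inventory a Windows-style Temp directory and report what is filling it.

Added example for this thread, not code from the original post or from any
tool it mentions. It groups entries named TempN_<name> (the pattern the post
describes), totals files and bytes, lists the newest entries, and separately
lists executable content, because code sitting in a temp folder is what
deserves a hash and an Authenticode check before anything is deleted.
"""
import os
import re
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

# TempN_<name>: the counter N and the base name after the underscore.
TEMP_PATTERN = re.compile(r"^temp(\d+)_(.+)$", re.IGNORECASE)

# Extensions treated as code. Anything with these found under Temp gets listed.
CODE_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com", ".pif",
                 ".bat", ".cmd", ".vbs", ".js", ".ps1"}


def scan_temp(root):
    """Walk *root* and return counts, sizes, TempN_ groups and code files."""
    root = Path(root)
    total_files = 0
    total_bytes = 0
    groups = defaultdict(int)   # base name -> number of TempN_ entries
    code_files = []             # (path, size) for executable content
    newest = []                 # (mtime, path), used for the recent-writers view

    for dirpath, dirnames, filenames in os.walk(root):
        # TempN_ entries are usually folders, so check directory names too.
        for d in dirnames:
            m = TEMP_PATTERN.match(d)
            if m:
                groups[m.group(2)] += 1
        for f in filenames:
            p = Path(dirpath) / f
            try:
                st = p.stat()
            except OSError:
                continue        # locked or already gone: normal inside Temp
            total_files += 1
            total_bytes += st.st_size
            m = TEMP_PATTERN.match(f)
            if m:
                groups[m.group(2)] += 1
            if p.suffix.lower() in CODE_SUFFIXES:
                code_files.append((str(p), st.st_size))
            newest.append((st.st_mtime, str(p)))

    newest.sort(reverse=True)
    return {
        "files": total_files,
        "bytes": total_bytes,
        "groups": dict(groups),
        "code_files": sorted(code_files),
        "newest": [path for _, path in newest[:10]],
    }


def top_groups(report, n=5):
    """The n most repeated TempN_ base names, e.g. [('report.zip', 29), ...]."""
    return Counter(report["groups"]).most_common(n)


def build_sample_tree(base):
    """Create a constructed sample tree (not real data) shaped like the post:
    29 Temp<N>_report.zip folders, one other TempN_ folder, one stray .exe."""
    base = Path(base)
    for i in range(1, 30):
        d = base / f"Temp{i}_report.zip"
        d.mkdir(parents=True, exist_ok=True)
        (d / "report.txt").write_bytes(b"x" * 1024)
    (base / "Temp1_photos.zip").mkdir(exist_ok=True)
    (base / "Temp1_photos.zip" / "a.jpg").write_bytes(b"\xff\xd8" + b"\x00" * 100)
    (base / "setup_helper.exe").write_bytes(b"MZ" + b"\x00" * 62)   # hypothetical name
    (base / "notes.tmp").write_bytes(b"tmp")
    return base


def demo():
    """Scan the constructed sample tree in a scratch directory; returns the report."""
    return scan_temp(build_sample_tree(tempfile.mkdtemp(prefix="temp_triage_")))


if __name__ == "__main__":
    # Real use on the affected account: scan_temp(os.environ["TEMP"])
    rep = demo()
    print(f"{rep['files']} files, {rep['bytes']} bytes")
    print("most repeated TempN_ names:", top_groups(rep))
    print("code under Temp:", rep["code_files"])
```

    Run it once before and once a few hours after a cleanup: the difference in top_groups() is the thing that is refilling the folder, and the code_files list is the short list to hash and check signatures on.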
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    As to the polymorphic question- I'll know more when I see the logs.
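    One of the first things a reviewer looks for in the DDS and GMER logs requested above is code that is running or registered from a location an ordinary user can write to: a Temp folder, the user profile, ProgramData. The Python filter below is an added example for this thread, not the helper's tooling or anything the poster ran; it applies exactly that check to log lines, and its sample input is excerpted from the DDS and GMER output tricsim posts further down in this thread (a few lines, not the full log). A hit is a prompt to collect the file's hash and Authenticode status, never a verdict on its own: GMER loads its own randomly named driver from Temp by design, dds.scr is the DDS scanner itself, and plenty of legitimate installers and vendor helpers run from Temp.

```python
"""First-pass filter over DDS/GMER log lines: flag code that runs or is
registered from user-writable locations.

Added example for this thread, not a tool the helper uses. The heuristic is
deliberately narrow: any executable path under a Temp folder, a user profile,
or ProgramData is reported. A flag means "hash it and check the signature",
not "malware": GMER loads its own randomly named driver from Temp by design,
and dds.scr is the log tool itself.
"""
import re

# Sample input: lines excerpted from the DDS and GMER output posted in this
# thread (Running Processes, SERVICES / DRIVERS, GMER header). Not a full log.
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Users\simon\AppData\Local\Temp\RtkBtMnt.exe
C:\Users\simon\Desktop\dds.scr
============= SERVICES / DRIVERS ===============
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R2 VisualSVNServer;VisualSVN Server;c:\program files\visualsvn server\httpd-wrapper.bat [2007-11-16 181]
Running: 0nlbep7s.exe; Driver: C:\Users\simon\AppData\Local\Temp\pwrcypog.sys
"""

# A drive-letter path ending in an executable extension. Spaces are allowed
# inside the path, so the match is lazy and stops at the first extension that
# is followed by a separator or the end of the line.
PATH_RE = re.compile(
    r"(?i)([a-z]:\\[^\r\n]*?\.(?:exe|dll|sys|scr|com|pif|bat|cmd|vbs|js))"
    r"(?=[\s;,\[\]\"'/]|$)"
)

# Ordered most-specific first so Temp wins over the user profile it lives in.
WRITABLE_RULES = (
    ("Temp folder", re.compile(r"/temp/")),
    ("user profile", re.compile(r"^[a-z]:/(?:users|documents and settings)/")),
    ("ProgramData", re.compile(r"^[a-z]:/programdata/")),
)


def extract_paths(line):
    """Return every executable path found in one log line."""
    return [m.group(1) for m in PATH_RE.finditer(line)]


def classify(path):
    """Reason the path counts as user-writable, or None if it does not."""
    norm = path.lower().replace("\\", "/")
    for reason, rule in WRITABLE_RULES:
        if rule.search(norm):
            return reason
    return None


def flag_suspicious(log_text):
    """Return [(path, reason, original_line)] for every flagged path."""
    flagged = []
    for line in log_text.splitlines():
        for path in extract_paths(line):
            reason = classify(path)
            if reason:
                flagged.append((path, reason, line.strip()))
    return flagged


def summarize(flagged):
    """Count flagged paths per reason, e.g. {'Temp folder': 2, 'user profile': 1}."""
    counts = {}
    for _, reason, _ in flagged:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    hits = flag_suspicious(SAMPLE_LOG)
    for path, reason, _ in hits:
        print(f"{reason:13s} {path}")
    print(summarize(hits))
```

    On the excerpt this reports the two Temp entries and the Desktop entry and stays silent on everything under Windows and Program Files; the point of the filter is to shrink a two-hundred-line log to the handful of paths that need a closer look, not to replace reading it.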
     
  3. tricsim

    tricsim TS Rookie Topic Starter

    Results of 8-step check

    Hi Bobbye,
    Logs

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5419

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 7.0.6002.18005

    30/12/10 10:55:43 AM
    mbam-log-2010-12-30 (10-55-43).txt

    Scan type: Quick scan
    Objects scanned: 159035
    Time elapsed: 7 minute(s), 3 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-12-30 11:11:50
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Hitachi_ rev.BBCO
    Running: 0nlbep7s.exe; Driver: C:\Users\simon\AppData\Local\Temp\pwrcypog.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----



    DDS (Ver_10-12-12.02) - NTFSx86
    Run by simon at 11:23:53.90 on 30/12/10
    Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_21
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.2038.806 [GMT 11:00]

    AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\WLANExt.exe
    C:\Windows\system32\brsvc01a.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\brss01a.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\AVG\AVG PC Tuneup 2011\BoostSpeed.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
    C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
    C:\Acer\Empowering Technology\eNet\eNet Service.exe
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Acer\Mobility Center\MobilityService.exe
    c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\Program Files\Cyberlink\Shared files\RichVideo.exe
    C:\Windows\System32\tcpsvcs.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\VisualSVN Server\bin\httpd.exe
    C:\Windows\system32\svchost.exe -k iissvcs
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
    C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
    C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\VisualSVN Server\bin\httpd.exe
    C:\Windows\system32\svchost.exe -k HPService
    C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
    C:\Program Files\Roland\VSC32\Vsc32Cnf.exe
    C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Cyberlink\PowerCinema\PCMService.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Launch Manager\QtZgAcer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Acer\Empowering Technology\eAudio\eAudio.exe
    C:\Program Files\Brownie\BrStsWnd.exe
    C:\Windows\System32\SupportAppXL\AutoDect.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\WinFast\WFDTV\WFWIZ.exe
    C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Free Download Manager\fdm.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Little Alarm Clock\Little Alarm Clock.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Remote\SimHID.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Acer\Empowering Technology\Acer.Empowering.Framework.Supervisor.exe
    C:\Program Files\Free Sticky Notes\freenote.exe
    C:\Windows\system32\igfxext.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\ehome\ehsched.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Brownie\brpjp04a.exe
    C:\Users\simon\AppData\Local\Temp\RtkBtMnt.exe
    C:\Windows\ehome\ehRecvr.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\simon\Desktop\dds.scr
    C:\Windows\system32\conime.exe

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Search_URL = hxxp://www.google.com/ie
    mStart Page = hxxp://en.au.acer.yahoo.com
    mDefault_Page_URL = hxxp://en.au.acer.yahoo.com
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    uURLSearchHooks: H - No File
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    uRun: [WinFast Schedule] c:\program files\winfast\wfdtv\WFWIZ.exe
    uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [Free Download Manager] "c:\program files\free download manager\fdm.exe" -autorun
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [Little Alarm Clock] "c:\program files\little alarm clock\Little Alarm Clock.exe" /startup
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [WinFastDTV] c:\program files\winfast\wfdtv\DTVSchdl.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [vscvol.exe] c:\program files\roland\vsc32\vscvol.exe
    mRun: [vsc32cnf.exe] c:\program files\roland\vsc32\vsc32cnf.exe
    mRun: [Talk] "c:\program files\nch swift sound\talk\talk.exe" -logon
    mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [PLFSet] rundll32.exe c:\windows\PLFSet.dll,PLFDefSetting
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [PCMService] "c:\program files\cyberlink\powercinema\PCMService.exe"
    mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
    mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [eAudio] "c:\acer\empowering technology\eaudio\eAudio.exe"
    mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
    mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
    mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
    mRun: [autodetect] c:\windows\system32\supportappxl\AutoDect.exe
    mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    StartupFolder: c:\users\simon\appdata\roaming\micros~1\windows\printe~1\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\Acer.Empowering.Framework.Supervisor.exe
    StartupFolder: c:\users\simon\appdata\roaming\micros~1\windows\printe~1\startm~1\programs\startup\shortc~1.lnk - c:\program files\free sticky notes\freenote.exe
    StartupFolder: c:\users\simon\appdata\roaming\micros~1\windows\printe~1\startm~1\programs\startup\simhid~1.lnk - c:\program files\remote\SimHID.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\simhid.lnk - c:\program files\remote\SimHID.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
    IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
    IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
    IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\simon\appdata\roaming\mozilla\firefox\profiles\skiy5uuc.default\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://au.my.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4d18a603&v=6.010.023.001&i=23&tp=ab&iy=b&ychte=au&lng=en-GB&q=
    FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
    FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll
    FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
    FF - Ext: AVG Security Toolbar em:version=6.010.023.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\avg\avg10\toolbar\firefox\avg@igeared
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - Ext: printpdf: printpdf@pavlov.net - %profile%\extensions\printpdf@pavlov.net
    FF - Ext: ReminderFox: {ada4b710-8346-4b82-8199-5de2b400a6ae} - %profile%\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae}
    FF - Ext: Download Manager Tweak: {F8A55C97-3DB6-4961-A81D-0DE0080E53CB} - %profile%\extensions\{F8A55C97-3DB6-4961-A81D-0DE0080E53CB}
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys [2010-10-9 6097]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-4-8 92008]
    R2 VisualSVNServer;VisualSVN Server;c:\program files\visualsvn server\httpd-wrapper.bat [2007-11-16 181]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
    R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
    R3 vsc32;Virtual Sound Canvas 3.2;c:\windows\system32\drivers\vsc.sys [2010-8-17 951284]
    R3 winbondcir;Winbond IR Transceiver;c:\windows\system32\drivers\winbondcir.sys [2008-3-14 43008]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-23 6128208]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate1c99bbbf5d0b3ce;Google Update Service (gupdate1c99bbbf5d0b3ce);c:\program files\google\update\GoogleUpdate.exe [2009-3-3 133104]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-12-28 517448]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-1-21 179712]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
    S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-5-25 7168]
    S3 netr73;Belkin Wireless 54G USB Network Adapter Driver for Vista;c:\windows\system32\drivers\netr73.sys [2009-3-12 464384]
    S3 RDID1009;EDIROL UM-1;c:\windows\system32\drivers\Rdwm1009.sys [2007-1-23 56832]
    S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys [2010-10-9 299923]
    S3 UDTT2BDA;DTV-DVB USB2 DVB-T receiver;c:\windows\system32\drivers\UDTT2BDA.sys [2010-1-7 50560]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-11 47128]
    S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-11 369688]

    =============== Created Last 30 ================

    2010-12-29 23:47:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-29 23:47:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-29 23:47:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-29 04:16:33 -------- dc----w- C:\repositories
    2010-12-29 03:28:25 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-12-29 03:27:01 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    2010-12-29 01:25:44 -------- d-----w- c:\users\simon\appdata\roaming\Malwarebytes
    2010-12-29 01:24:05 -------- d-----w- c:\progra~2\Malwarebytes
    2010-12-29 00:40:14 -------- d-----w- c:\program files\CCleaner
    2010-12-28 06:28:15 -------- d-----w- c:\users\simon\appdata\roaming\AVG
    2010-12-27 23:47:01 -------- d-----w- c:\users\simon\appdata\local\AVG Security Toolbar
    2010-12-27 14:45:17 -------- d-----w- c:\users\simon\appdata\roaming\AVG10
    2010-12-27 14:43:36 -------- d--h--w- c:\progra~2\Common Files
    2010-12-27 14:43:15 -------- d-----w- c:\progra~2\AVG Security Toolbar
    2010-12-27 14:40:18 -------- d-----w- c:\windows\system32\drivers\AVG
    2010-12-27 14:24:15 -------- d-----w- c:\progra~2\AVG10
    2010-12-27 13:01:54 -------- d-----w- c:\progra~2\MFAData
    2010-12-27 04:41:27 -------- d-----w- c:\progra~2\PC Tools
    2010-12-18 11:35:40 -------- dc----w- C:\MinGW
    2010-12-18 10:32:32 -------- d-----w- c:\program files\Little Alarm Clock
    2010-12-16 03:26:49 -------- d-----w- c:\users\simon\appdata\local\PackageAware
    2010-12-15 04:49:57 -------- d-----w- c:\users\simon\fldigi.files
    2010-12-15 02:54:11 -------- d-----w- c:\windows\pss
    2010-12-12 12:16:08 -------- dc----w- C:\1bb91348428a57db6a859ccf
    2010-12-11 12:55:54 25600 ----a-w- c:\program files\common files\microsoft shared\dao\remove.exe
    2010-12-11 12:55:31 -------- d-----w- c:\program files\weather fax 2000
    2010-12-09 19:59:00 -------- d-----w- c:\users\simon\NBEMS.files
    2010-12-09 13:19:41 -------- d-----w- c:\program files\Fldigi-3.20.32
    2010-12-07 17:12:38 251728 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-12-05 12:28:52 -------- dc----w- C:\ASOFT

    ==================== Find3M ====================

    2010-11-04 18:56:07 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
    2010-11-04 18:55:38 352768 ----a-w- c:\windows\system32\taskschd.dll
    2010-11-04 18:55:38 270336 ----a-w- c:\windows\system32\taskcomp.dll
    2010-11-04 18:55:12 601600 ----a-w- c:\windows\system32\schedsvc.dll
    2010-11-04 16:34:06 171520 ----a-w- c:\windows\system32\taskeng.exe
    2010-10-28 15:44:56 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-10-28 13:27:47 292352 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-18 13:37:35 81920 ----a-w- c:\windows\system32\consent.exe
    2010-10-18 13:31:24 2038272 ----a-w- c:\windows\system32\win32k.sys

    ============= FINISH: 11:25:00.14 ===============



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 03/03/09 5:22:00 AM
    System Uptime: 30/12/10 11:14:52 AM (0 hours ago)

    Motherboard: Acer, Inc. | | Chapala
    Processor: Intel(R) Core(TM)2 Duo CPU T5550 @ 1.83GHz | U2E1 | 1000/166mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 69 GiB total, 9.137 GiB free.
    D: is FIXED (NTFS) - 66 GiB total, 7.127 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft 6to4 Adapter
    Device ID: ROOT\*6TO4MP\0000
    Manufacturer: Microsoft
    Name: 6TO4 Adapter
    PNP Device ID: ROOT\*6TO4MP\0000
    Service: tunnel

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Broadcom NetLink (TM) Gigabit Ethernet
    Device ID: PCI\VEN_14E4&DEV_1693&SUBSYS_01211025&REV_02\4&1D1097F2&0&00E5
    Manufacturer: Broadcom
    Name: Broadcom NetLink (TM) Gigabit Ethernet
    PNP Device ID: PCI\VEN_14E4&DEV_1693&SUBSYS_01211025&REV_02\4&1D1097F2&0&00E5
    Service: b57nd60x

    Class GUID: {36fc9e60-c465-11cf-8056-444553540000}
    Description: USB Mass Storage Device
    Device ID: USB\VID_04F9&PID_018C&MI_02\6&1A12D135&2&0002
    Manufacturer: Compatible USB storage device
    Name: USB Mass Storage Device
    PNP Device ID: USB\VID_04F9&PID_018C&MI_02\6&1A12D135&2&0002
    Service: USBSTOR

    Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
    Description: Photosmart C4380 series
    Device ID: ROOT\IMAGE\0000
    Manufacturer: HP
    Name: Photosmart C4380 series
    PNP Device ID: ROOT\IMAGE\0000
    Service: StillCam

    Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
    Description: Photosmart C4380 series
    Device ID: ROOT\MULTIFUNCTION\0000
    Manufacturer: HP
    Name: Photosmart C4380 series
    PNP Device ID: ROOT\MULTIFUNCTION\0000
    Service:

    ==== System Restore Points ===================


    ==== Installed Programs ======================

    "Minimal SYStem 1.0.10"
    32 Bit HP CIO Components Installer
    ABC Amber HLP Converter
    Acer Crystal Eye webcam
    Acer eAudio Management
    Acer eDataSecurity Management
    Acer eLock Management
    Acer Empowering Technology
    Acer eNet Management
    Acer ePower Management
    Acer ePresentation Management
    Acer eSettings Management
    Acer GridVista
    Acer Mobility Center Plug-In
    Acer ScreenSaver
    Acrobat.com
    ActiveState ActiveTcl Release
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.3.1
    AIO_Scan
    Any Video Converter 3.0.7
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ASIO4ALL
    Audacity 1.3.7 (Unicode)
    AutoIt v3.3.0.0
    AVG 2011
    AVG PC Tuneup 2011
    Band-in-a-Box 2008 12PAK Video
    Band-in-a-Box 2008 New Features
    Band-in-a-Box 2008.5 (Build 262)
    Belkin 54Mbps Wireless Network Adapter
    Bonjour
    Bookworm Deluxe
    Broadcom Gigabit Integrated Controller
    Brother HL-2140
    Brother MFL-Pro Suite
    BufferChm
    C4380
    C4380_Help
    C4F Developer Kit 2008
    Cards_Calendar_OrderGift_DoMorePlugout
    CCleaner
    CDex extraction audio
    Compare It!
    Compte Bancaire v5.0
    Cool PDF Reader 3.0
    Copy
    Crystal Reports for .NET Framework 2.0 (x86)
    CustomerResearchQFolder
    Data Access Objects (DAO) 3.5
    Destination Component
    DeviceDiscovery
    DeviceManagementQFolder
    DocProc
    DocProcQFolder
    e-tax 2009
    e-tax 2010
    EDIROL UM-1 Driver
    eSupportQFolder
    Eureka's 3D Chess Master
    Express Burn
    Express Talk
    Fax
    FCharts
    ffdshow [rev 2527] [2008-12-19]
    FFmpeg 2009-01-08 for Audacity
    Fldigi 3.20.32
    Foxit Reader
    Free Download Manager 3.0
    Free Sticky Notes 2.0
    GanttProject
    GnuCash 2.2.9
    Google Earth Plug-in
    Google Update Helper
    GPBaseService
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB945282)
    Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB946040)
    Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB946308)
    Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB947540)
    Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB947789)
    Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946040)
    Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946308)
    Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946344)
    Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947540)
    Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947789)
    HP Customer Participation Program 10.0
    HP Imaging Device Functions 10.0
    HP Photosmart All-In-One Driver Software 10.0 Rel .2
    HP Photosmart Essential 2.5
    HP Solution Center 10.0
    HP Update
    HPPhotoSmartDiscLabel_PaperLabel
    HPPhotoSmartDiscLabel_PrintOnDisc
    HPPhotoSmartDiscLabelContent1
    hpphotosmartdisclabelplugin
    HPPhotoSmartPhotobookWebPack1
    HPProductAssistant
    IncredibleCharts Pro
    Intel PROSet Wireless
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PROSet/Wireless WiFi Software
    Intel® Matrix Storage Manager
    Introduction to CSharp Programming Language
    Introduction to Visual Cplusplus 2008 Express Edition
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 21
    Junk Mail filter update
    JVComm32
    LAME v3.98.2 for Audacity
    Launch Manager
    LD-TIFF to PDF
    LightScribe 1.4.142.1
    Little Alarm Clock
    Little Registry Cleaner
    Little Registry Optimizer
    Mahjong Escape Ancient China
    Malwarebytes' Anti-Malware
    MarketResearch
    Mercurial 1.5.2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft .NET Framework 4 Multi-Targeting Pack
    Microsoft Application Error Reporting
    Microsoft ASP.NET MVC 2
    Microsoft ASP.NET MVC 2 - VWD Express 2010 Tools
    Microsoft Choice Guard
    Microsoft Help Viewer 1.0
    Microsoft Office XP Professional with FrontPage
    Microsoft Silverlight
    Microsoft Silverlight 3 SDK
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft SQL Server 2008
    Microsoft SQL Server 2008 Common Files
    Microsoft SQL Server 2008 Database Engine Services
    Microsoft SQL Server 2008 Database Engine Shared
    Microsoft SQL Server 2008 Management Studio
    Microsoft SQL Server 2008 Native Client
    Microsoft SQL Server 2008 Policies
    Microsoft SQL Server 2008 R2 Management Objects
    Microsoft SQL Server 2008 RsFx Driver
    Microsoft SQL Server 2008 Setup Support Files
    Microsoft SQL Server Compact 3.5 SP1 Query Tools English
    Microsoft SQL Server Compact 3.5 SP2 ENU
    Microsoft SQL Server Database Publishing Wizard 1.4
    Microsoft SQL Server System CLR Types
    Microsoft Visual Basic 2010 Express - ENU
    Microsoft Visual C# 2008 Express Edition with SP1 - ENU
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
    Microsoft Visual C++ 2008 Samples
    Microsoft Visual C++ 2010 x86 Runtime - 10.0.30319
    Microsoft Visual C++ 2010 Express - ENU
    Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
    Microsoft Visual Studio Tools for Applications 2.0 - ENU
    Microsoft Visual Web Developer 2010 Express - ENU
    Microsoft Web Platform Installer 2.0
    MinGW-Get version 0.1-alpha-5
    MozBackup 1.4.9
    Mozilla Firefox (3.6.13)
    Mozilla Thunderbird (3.1.7)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MusicBee
    NetDeviceManager
    NTI Backup NOW! 4.7
    NTI CD & DVD-Maker
    OCR Software by I.R.I.S. 10.0
    OpenOffice.org 3.2
    Orion
    PanoStandAlone
    PaperPort
    PDU Support Files
    PENTAX Digital Camera Utility
    PG Music DirectX Plugins 1.3.4.1
    Picasa 3
    PIXELA ImageMixer
    PL-2303 USB-to-Serial
    PowerCinema
    PS_AIO_02_ProductContext
    PS_AIO_02_Software
    PS_AIO_02_Software_Min
    PSSWCORE
    Python 2.6.5
    Quartz AudioMaster Freeware
    QuickTime
    Realtek High Definition Audio Driver
    RICOH R5C83x/84x Flash Media Controller Driver Ver.3.52.02
    Sailing Directions (Enroute) - Pub 127 -- East Coast of Australia and New Zealand (10th Ed) 2010
    Sailing Directions (Enroute) - Pub 175 -- North, West, and South Coasts of Australia (9th Ed) 2008
    Scan
    SeaClear II
    SeaTTY V2.30
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Windows Media Encoder (KB2447961)
    Security Update for Windows Media Encoder (KB979332)
    SimHID Setup
    Skype Toolbars
    Skype™ 4.2
    SolutionCenter
    Sony USB Driver
    Sql Server Customer Experience Improvement Program
    Status
    SumatraPDF
    Synaptics Pointing Device Driver
    Telstra Turbo Connection Manager
    TextPad 5
    TextPad British Dictionary
    TomTom HOME 2.6.2.1586
    TomTom HOME Visual Studio Merge Modules
    Toolbox
    TortoiseSVN 1.4.8.12137 (32 bit)
    TrayApp
    TreeSize Free V2.4
    TurboCAD Professional v12
    TurboCAD Symbols
    U232 P9/P25 V7.2.98
    Ulead VideoStudio 7 SE Basic
    UnloadSupport
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    VC 9.0 Runtime
    VideoPad Video Editor
    VideoToolkit01
    Virtual Sound Canvas 3.2
    Virtual Sound Canvas DXi
    Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU
    VisualSVN Server 1.0.1
    WavePad Sound Editor
    Weather Fax 2000 Sound Card Edition
    Web Deployment Tool
    WebReg
    Winbond CIR Drivers
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Movie Maker
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Upload Tool
    Windows Media Center Edition MPEG Codec Plug-in
    Windows Media Encoder 9 Series
    Windows Media Player Firefox Plugin
    WinFast Codec-TS SDK
    WinFast De-interlace SDK
    WinFast Multimedia Driver Installation
    WinFast PVR2
    WinFast TT-SB SDK
    Winmail Reader 1.1.12
    WinZip
    Wireless Broadband
    WXTide32
    Yahoo! Toolbar
    ZTreeWin (remove only)

    ==== End Of File ===========================



    Thanks for your help

    Tricsim
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You have a large number of processes running! I wouldn't be surprised if you told me you slowed down after surfing a while or the loading and shutting down took a while!

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ===========================================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
  5. tricsim

    tricsim TS Rookie Topic Starter

    results of eset and combofix

    Bobbye,
    You are right that turn on and off are slowed, but browsing has not been a problem; however, the scans by the above programs seem to have found SOME NASTIES. I would really like to know how I got it and why it was not detected by Windows Defender or AVG (multifaceted antivirus). Was this virus one of the polymorphic ones?

    Anyway results of scans

    ESETSmartInstaller@High as downloader log:
    Can not open internet
    ESETSmartInstaller@High as downloader log:
    Can not open internet
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6419
    # api_version=3.0.2
    # EOSSerial=b2a42746c66e8848ade24c76b7cfaf59
    # end=stopped
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-01-01 01:03:30
    # local_time=2011-01-02 12:03:30 (+1000, AUS Eastern Daylight Time)
    # country="Australia"
    # lang=1033
    # osver=6.0.6002 NT Service Pack 2
    # compatibility_mode=1032 16777213 100 95 0 37212683 0 0
    # compatibility_mode=5892 16776574 100 100 35473972 131415419 0 0
    # compatibility_mode=8192 67108863 100 0 635 635 0 0
    # scanned=44931
    # found=0
    # cleaned=0
    # scan_time=718
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6419
    # api_version=3.0.2
    # EOSSerial=b2a42746c66e8848ade24c76b7cfaf59
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2011-01-02 03:54:49
    # local_time=2011-01-02 02:54:49 (+1000, AUS Eastern Daylight Time)
    # country="Australia"
    # lang=1033
    # osver=6.0.6002 NT Service Pack 2
    # compatibility_mode=1024 16777215 100 0 0 0 0 0
    # compatibility_mode=5892 16776573 100 100 35515824 131457271 0 0
    # compatibility_mode=8192 67108863 100 0 42487 42487 0 0
    # scanned=383703
    # found=8
    # cleaned=0
    # scan_time=12346
    C:\Downloads\software\registrybooster.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.url Win32/Adware.ADON application (unable to clean) 00000000000000000000000000000000 I
    C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\eBay.url Win32/Adware.ADON application (unable to clean) 00000000000000000000000000000000 I
    C:\Users\simon\AppData\Downloads\registrybooster.exe a variant of Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
    D:\software\INSTALLS\registryfix.exe a variant of Win32/Adware.ErrorClean application (unable to clean) 00000000000000000000000000000000 I
    D:\software\INSTALLS\SpySpotterWebInstall.exe Win32/Adware.SpySpotter application (unable to clean) 00000000000000000000000000000000 I
    D:\software\spyware software\SpySpotterWebInstall.exe Win32/Adware.SpySpotter application (unable to clean) 00000000000000000000000000000000 I
    D:\software\utilities\registryfix.exe a variant of Win32/Adware.ErrorClean application (unable to clean) 00000000000000000000000000000000 I




    ComboFix 10-12-29.02 - simon 02/01/11 15:54:25.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.2038.811 [GMT 11:00]
    Running from: c:\users\simon\Desktop\ComboFix.exe
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\VisualSVN Server\httpd-wrapper.bat
    c:\users\simon\EULA.txt
    c:\windows\system32\spool\prtprocs\w32x86\ppbiPr.dll
    c:\windows\winhelp.ini

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_VisualSVNServer


    ((((((((((((((((((((((((( Files Created from 2010-12-02 to 2011-01-02 )))))))))))))))))))))))))))))))
    .

    2011-01-02 05:13 . 2011-01-02 05:13 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-01-01 12:40 . 2011-01-01 12:40 -------- d-----w- c:\program files\ESET
    2010-12-31 04:03 . 2010-12-31 04:08 -------- d-----w- c:\users\simon\vista issues
    2010-12-29 23:47 . 2010-12-20 07:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-29 23:47 . 2010-12-29 23:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-29 23:47 . 2010-12-20 07:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-29 04:16 . 2011-01-02 04:45 -------- dc----w- C:\repositories
    2010-12-29 03:28 . 2010-10-28 13:20 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-12-29 03:27 . 2010-11-03 10:51 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2010-12-29 01:25 . 2010-12-29 01:25 -------- d-----w- c:\users\simon\AppData\Roaming\Malwarebytes
    2010-12-29 01:24 . 2010-12-29 01:24 -------- d-----w- c:\programdata\Malwarebytes
    2010-12-29 00:40 . 2010-12-29 00:40 -------- d-----w- c:\program files\CCleaner
    2010-12-27 14:45 . 2010-12-27 14:45 -------- d-----w- c:\users\simon\AppData\Roaming\AVG10
    2010-12-27 14:43 . 2010-12-27 14:43 -------- d--h--w- c:\programdata\Common Files
    2010-12-27 14:24 . 2011-01-02 00:17 -------- d-----w- c:\programdata\AVG10
    2010-12-27 13:01 . 2011-01-02 00:04 -------- d-----w- c:\programdata\MFAData
    2010-12-27 04:41 . 2010-12-27 14:22 -------- d-----w- c:\programdata\PC Tools
    2010-12-18 11:35 . 2010-12-18 11:42 -------- dc----w- C:\MinGW
    2010-12-18 10:32 . 2010-12-18 10:36 -------- d-----w- c:\program files\Little Alarm Clock
    2010-12-16 03:26 . 2010-12-16 03:26 -------- d-----w- c:\users\simon\AppData\Local\PackageAware
    2010-12-15 10:07 . 2010-12-15 10:07 -------- d-----w- c:\windows\Sun
    2010-12-15 04:49 . 2010-12-15 04:53 -------- d-----w- c:\users\simon\fldigi.files
    2010-12-12 12:16 . 2010-12-12 12:16 -------- dc----w- C:\1bb91348428a57db6a859ccf
    2010-12-11 12:55 . 1998-04-06 07:00 25600 ----a-w- c:\program files\Common Files\Microsoft Shared\DAO\remove.exe
    2010-12-11 12:55 . 2010-12-15 04:54 -------- d-----w- c:\program files\weather fax 2000
    2010-12-09 19:59 . 2010-12-09 19:59 -------- d-----w- c:\users\simon\NBEMS.files
    2010-12-09 13:19 . 2010-12-09 13:19 -------- d-----w- c:\program files\Fldigi-3.20.32
    2010-12-05 12:28 . 2010-12-18 12:01 -------- dc----w- C:\ASOFT

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
    @="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
    [HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
    2008-01-03 09:00 39472 ------w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinFast Schedule"="c:\program files\WinFast\WFDTV\WFWIZ.exe" [2009-03-11 2912256]
    "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-04-08 251240]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-08 26100520]
    "Free Download Manager"="c:\program files\Free Download Manager\fdm.exe" [2010-04-28 3727411]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "Little Alarm Clock"="c:\program files\Little Alarm Clock\Little Alarm Clock.exe" [2008-09-12 326144]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinFastDTV"="c:\program files\WinFast\WFDTV\DTVSchdl.exe" [2009-10-02 90112]
    "vscvol.exe"="c:\program files\Roland\VSC32\vscvol.exe" [2000-02-08 36864]
    "vsc32cnf.exe"="c:\program files\Roland\VSC32\vsc32cnf.exe" [2000-02-06 36864]
    "Talk"="c:\program files\NCH Swift Sound\Talk\talk.exe" [2010-03-09 917508]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2008-01-24 102400]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-05-22 7514656]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "PLFSet"="c:\windows\PLFSet.dll" [2007-04-25 45056]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
    "PCMService"="c:\program files\CyberLink\PowerCinema\PCMService.exe" [2007-07-30 159744]
    "PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
    "NvSvc"="c:\windows\system32\nvsvc.dll" [2008-03-11 92704]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-03-11 88608]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-11 8534560]
    "LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-01-02 707080]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
    "IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-11-22 178712]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
    "eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-10-10 1286144]
    "ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-12-23 114688]
    "BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2009-06-11 3618104]
    "BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-02-15 622592]
    "autodetect"="c:\windows\system32\SupportAppXL\AutoDect.exe" [2008-08-07 91648]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

    c:\users\simon\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Start Menu\Programs\Startup\
    Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Supervisor.exe [2008-3-14 323584]
    Shortcut to Free Sticky Notes.LNK - c:\program files\Free Sticky Notes\freenote.exe [2002-6-20 49152]
    SimHID.exe.lnk - c:\program files\Remote\SimHID.exe [2007-6-8 421888]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    SimHID.lnk - c:\program files\Remote\SimHID.exe [2007-6-8 421888]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-3-5 106560]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "MIDI4"=vscapi.dll
    "WAVE3"=vscapi.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate1c99bbbf5d0b3ce;Google Update Service (gupdate1c99bbbf5d0b3ce);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-03 133104]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
    R3 DBGV;DBGV;c:\users\simon\Downloads\usb snoopy\sniffusb-0.13\sniffusb\dbgview\DBGV.SYS [x]
    R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2008-08-12 7168]
    R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-07-11 47128]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-03 04:52]

    2011-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-03 04:52]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uDefault_Search_URL = hxxp://www.google.com/ie
    mStart Page = hxxp://en.au.acer.yahoo.com
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
    IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
    IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
    IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\simon\AppData\Roaming\Mozilla\Firefox\Profiles\skiy5uuc.default\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://au.my.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4d18a603&v=6.010.023.001&i=23&tp=ab&iy=b&ychte=au&lng=en-GB&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - Ext: printpdf: printpdf@pavlov.net - %profile%\extensions\printpdf@pavlov.net
    FF - Ext: ReminderFox: {ada4b710-8346-4b82-8199-5de2b400a6ae} - %profile%\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae}
    FF - Ext: Download Manager Tweak: {F8A55C97-3DB6-4961-A81D-0DE0080E53CB} - %profile%\extensions\{F8A55C97-3DB6-4961-A81D-0DE0080E53CB}
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    .
    - - - - ORPHANS REMOVED - - - -

    URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    MSConfigStartUp-AVG_TRAY - c:\program files\AVG\AVG10\avgtray.exe
    AddRemove-British Dictionary - c:\program files\TextPad 4\Spelling\DeIsL1.isu
    AddRemove-Quartz AudioMaster Freeware - c:\program files\DigitalSoundPlanet\Quartz AudioMaster Freeware 460E\DeIsL1.isu



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-02 16:19
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\windows\TEMP\TMP0000001A1CE395F81CBBF27B 524288 bytes executable

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(2756)
    c:\program files\TortoiseSVN\bin\tortoisesvn.dll
    c:\program files\TortoiseSVN\bin\intl3_svn.dll
    c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
    c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\WLANExt.exe
    c:\windows\system32\brss01a.exe
    c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
    c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
    c:\acer\Empowering Technology\eNet\eNet Service.exe
    c:\program files\Intel\WiFi\bin\EvtEng.exe
    c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\acer\Mobility Center\MobilityService.exe
    c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    c:\program files\Cyberlink\Shared files\RichVideo.exe
    c:\windows\System32\tcpsvcs.exe
    c:\program files\TomTom HOME 2\TomTomHOMEService.exe
    c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
    c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
    c:\acer\Empowering Technology\ePower\ePowerSvc.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\ehome\ehsched.exe
    c:\windows\ehome\ehRecvr.exe
    c:\windows\system32\sdclt.exe
    c:\program files\TortoiseSVN\bin\TSVNCache.exe
    .
    **************************************************************************
    .
    Completion time: 2011-01-02 16:32:34 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-01-02 05:32

    Pre-Run: 17,898,364,928 bytes free
    Post-Run: 17,271,906,304 bytes free

    - - End Of File - - 7616AAB0B5EDEE218301B490454FD2BD
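    The ESET log above lists eight items it could not clean, and the helpers in this thread turn such lists into an OTMoveIt ":Files" block by hand. The script below is an added example, not code from this thread, from ESET or from OldTimer: it parses detection lines in the layout seen in the posted log (path, threat text, parenthesised action, 32-hex hash, one-letter flag; that layout is an assumption taken from those eight lines), skips the "# key=value" header lines, summarises detections by threat family and emits the ":Files" block. The sample input is the posted log reused as constructed test data.

```python
"""Turn ESET Online Scanner detection lines into a triage summary and an
OTMoveIt ':Files' block.

Added example, not code from the thread, from ESET or from OldTimer. The
field layout (path, threat text, parenthesised action, 32-hex hash,
one-letter flag) is assumed from the eight lines posted in this thread,
which are reused below as the sample input.
"""
import re
from collections import Counter, namedtuple

Detection = namedtuple("Detection", "path threat action hash flag")

# Layout assumed from the posted log. The path may contain spaces, so it is
# matched non-greedily up to the first "Win32/<name> <kind>" threat string.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<threat>(?:a variant of )?Win32/\S+ \w+)\s+"
    r"\((?P<action>[^)]*)\)\s+"
    r"(?P<hash>[0-9a-fA-F]{32})\s+"
    r"(?P<flag>[A-Z])$"
)

# Constructed sample: a header fragment plus the eight detections copied from
# the ESET log posted in this thread (the 32 zeros are what that log shows).
SAMPLE_LOG = r"""# scanned=383703
# found=8
# cleaned=0
C:\Downloads\software\registrybooster.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.url Win32/Adware.ADON application (unable to clean) 00000000000000000000000000000000 I
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\eBay.url Win32/Adware.ADON application (unable to clean) 00000000000000000000000000000000 I
C:\Users\simon\AppData\Downloads\registrybooster.exe a variant of Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
D:\software\INSTALLS\registryfix.exe a variant of Win32/Adware.ErrorClean application (unable to clean) 00000000000000000000000000000000 I
D:\software\INSTALLS\SpySpotterWebInstall.exe Win32/Adware.SpySpotter application (unable to clean) 00000000000000000000000000000000 I
D:\software\spyware software\SpySpotterWebInstall.exe Win32/Adware.SpySpotter application (unable to clean) 00000000000000000000000000000000 I
D:\software\utilities\registryfix.exe a variant of Win32/Adware.ErrorClean application (unable to clean) 00000000000000000000000000000000 I
"""


def parse_eset_log(text):
    """Return a Detection for every line that matches the detection layout.

    Header lines ('# key=value') and anything else that does not match are
    skipped, so the two concatenated logs posted above can be fed in as-is.
    """
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            found.append(Detection(**m.groupdict()))
    return found


def family(det):
    """'a variant of Win32/Adware.ADON application' -> 'Win32/Adware.ADON'."""
    return re.sub(r"^a variant of ", "", det.threat).split()[0]


def summarize(detections):
    """Count detections per threat family for a quick triage view."""
    return dict(Counter(family(d) for d in detections))


def still_present(detections):
    """Items the scanner reported but did not remove."""
    return [d for d in detections if "unable to clean" in d.action]


def build_otmoveit_script(detections):
    """Emit the ':Processes' / ':Files' block in the shape the helper posts:
    one path per line, deduplicated, in log order."""
    paths = []
    for d in detections:
        if d.path not in paths:
            paths.append(d.path)
    return ":Processes\n\n:Files\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    dets = parse_eset_log(SAMPLE_LOG)
    print(summarize(dets))
    print(build_otmoveit_script(still_present(dets)))
```

    Two things the summary makes visible before anything is deleted: every hit is a downloaded installer or a shortcut in a Downloads, INSTALLS or Start Menu folder rather than a running component, and the log header shows the scan ran with "unwanted_checked=true", so these are potentially unwanted applications flagged by that option, not evidence of an active infection. Generating the ":Files" list from the parsed paths also avoids copy-and-paste mistakes in paths that contain spaces.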
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Can you give me some detail on this please?
    I'm reading this as follows: a person claiming to be from a Microsoft Partner, located in India, calls you and tells you to check for the errors in the Event Viewer. Then he suggested that, based on some 'prefetch' command he had you run, you had a polymorphic virus infection. Then he gave you a website for his company and asked you to call him back.

    Is that reasonably close? You were very vague as to how he knew about you or your problems, whether you asked someone for support and he was the result. Did you by chance allow him to remotely connect to your computer in order to view/fix it?
     
  7. tricsim

    tricsim TS Rookie Topic Starter

    That's close. The only thing that should be clarified is that the prefetch command run in the run box looks like a legit command that goes direct to the prefetch folder and displays all the files that are waiting for loads of apps to use.

    He did not get any permission from me to access my computer.

    All he did was ask me to look at the events and prefetch folder and tell him how many events and how many prefetch files. I told him and then he said "you have a polymorphic virus because you have too many events and too many prefetch files".
    I know enough to know that this is probably bull-**** and that was why I asked for his company details etc and said when he called back an hour later I was not interested in his products.

    The company name XXXsite deletedXXXX and the local phone number for aus is "XXphone deletedXXX" I did not ring the number and I suspect it redirects to a call center in India.

    The company is selling anti virus programs for $90 per year. Until the call I'd never heard of it.

    I also don't know how the guy found my home number and name but it could have been randomly selected from the phone directory or ?


    On the scan results that I sent what do I do next with the 8 infected files that eset scanner found? (and were not deleted)

    Edit: URL and phone number deleted for security.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You've been had! There is no legitimate company in the world that I'm aware of who makes cold calls to solicit paid computer support!

    Comparing apples to oranges and coming up with this crock conclusion should have made you hang up instantly!
    Don't ever accept a call like this! He was a telemarketer and in a dangerous cyber-field. That person now has your name and phone number and any information you gave to him about your computer system.
    ==============================================
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes	
      
      :Files 
      C:\Downloads\software\registrybooster.exe 
      C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.url 
      C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\eBay.url 
      C:\Users\simon\AppData\Downloads\registrybooster.exe 
      D:\software\INSTALLS\registryfix.exe 
      D:\software\INSTALLS\SpySpotterWebInstall.exe 
      D:\software\spyware software\SpySpotterWebInstall.exe 
      D:\software\utilities\registryfix.exe 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =========================================
    Please take the ebay URL off of your Startup menu.
    I didn't see Registry Fix installed, but if it is, please uninstall it.

    I'll be back after lunch for ComboFix. In the meantime, you can go ahead and run HijackThis:

    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
     
  9. tricsim

    tricsim TS Rookie Topic Starter


    • This program now appears to be OTM

      Log from OTM

      All processes killed
      ========== PROCESSES ==========
      ========== FILES ==========
      C:\Downloads\software\registrybooster.exe moved successfully.
      File/Folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.url not found.
      File/Folder C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\eBay.url not found.
      C:\Users\simon\AppData\Downloads\registrybooster.exe moved successfully.
      D:\software\INSTALLS\registryfix.exe moved successfully.
      D:\software\INSTALLS\SpySpotterWebInstall.exe moved successfully.
      D:\software\spyware software\SpySpotterWebInstall.exe moved successfully.
      D:\software\utilities\registryfix.exe moved successfully.
      ========== COMMANDS ==========

      [EMPTYTEMP]

      User: All Users

      User: Default
      ->Temp folder emptied: 0 bytes
      ->Temporary Internet Files folder emptied: 0 bytes

      User: Default User
      ->Temp folder emptied: 0 bytes
      ->Temporary Internet Files folder emptied: 0 bytes

      User: Public
      ->Temp folder emptied: 0 bytes

      User: simon
      ->Temp folder emptied: 0 bytes
      ->Temporary Internet Files folder emptied: 708856 bytes
      ->Java cache emptied: 0 bytes
      ->FireFox cache emptied: 74435147 bytes
      ->Flash cache emptied: 1141 bytes

      %systemdrive% .tmp files removed: 0 bytes
      %systemroot% .tmp files removed: 0 bytes
      %systemroot%\System32 .tmp files removed: 0 bytes
      %systemroot%\System32\drivers .tmp files removed: 0 bytes
      Windows Temp folder emptied: 86656 bytes
      %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
      %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
      %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
      RecycleBin emptied: 54995868 bytes

      Total Files Cleaned = 124.00 mb


      OTM by OldTimer - Version 3.1.17.2 log created on 01062011_002843

      Files moved on Reboot...

      Registry entries deleted on Reboot...

      HijackThis.log
      Logfile of Trend Micro HijackThis v2.0.4
      Scan saved at 12:48:01 AM, on 06/01/11
      Platform: Windows Vista SP2 (WinNT 6.00.1906)
      MSIE: Internet Explorer v7.00 (7.00.6002.18005)
      Boot mode: Normal

      Running processes:
      C:\Windows\system32\Dwm.exe
      C:\Windows\Explorer.EXE
      C:\Windows\system32\taskeng.exe
      C:\Windows\notepad.exe
      C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
      C:\Program Files\Roland\VSC32\Vsc32Cnf.exe
      C:\Program Files\Synaptics\SynTP\SynTPStart.exe
      C:\Program Files\Common Files\Java\Java Update\jusched.exe
      C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
      C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
      C:\Windows\System32\igfxpers.exe
      C:\Program Files\Cyberlink\PowerCinema\PCMService.exe
      C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
      C:\Windows\system32\igfxsrvc.exe
      C:\Program Files\Windows Media Player\wmpnscfg.exe
      C:\Program Files\Launch Manager\QtZgAcer.EXE
      C:\Program Files\iTunes\iTunesHelper.exe
      C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
      C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
      C:\Windows\System32\hkcmd.exe
      C:\Acer\Empowering Technology\eAudio\eAudio.exe
      C:\Program Files\Brownie\BrStsWnd.exe
      C:\Program Files\AVG\AVG2011\avgtray.exe
      C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
      C:\Windows\System32\SupportAppXL\AutoDect.exe
      C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
      C:\Program Files\WinFast\WFDTV\WFWIZ.exe
      C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
      C:\Program Files\Skype\Phone\Skype.exe
      C:\Program Files\Little Alarm Clock\Little Alarm Clock.exe
      C:\Program Files\Free Download Manager\fdm.exe
      C:\Windows\ehome\ehtray.exe
      C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
      C:\Program Files\WinZip\WZQKPICK.EXE
      C:\Acer\Empowering Technology\Acer.Empowering.Framework.Supervisor.exe
      C:\Program Files\Free Sticky Notes\freenote.exe
      C:\Program Files\Remote\SimHID.exe
      C:\Windows\ehome\ehmsas.exe
      C:\Windows\system32\igfxext.exe
      C:\Windows\system32\igfxsrvc.exe
      C:\Program Files\Brownie\brpjp04a.exe
      C:\Windows\system32\wbem\unsecapp.exe
      C:\Users\simon\AppData\Local\Temp\RtkBtMnt.exe
      C:\Program Files\AVG\AVG2011\Identity Protection\agent\bin\avgidsmonitor.exe
      C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
      C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
      C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
      C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
      C:\Windows\Explorer.exe
      C:\Program Files\Mozilla Firefox\firefox.exe
      C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
      C:\Windows\system32\taskeng.exe
      C:\Windows\system32\sdclt.exe
      C:\Hijackthis\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.au.acer.yahoo.com
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
      R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
      O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
      O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
      O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2011\avgssie.dll
      O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
      O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG2011\Toolbar\IEToolbar.dll
      O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
      O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
      O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
      O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
      O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG2011\Toolbar\IEToolbar.dll
      O4 - HKLM\..\Run: [WinFastDTV] C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
      O4 - HKLM\..\Run: [vscvol.exe] C:\Program Files\Roland\VSC32\vscvol.exe
      O4 - HKLM\..\Run: [vsc32cnf.exe] C:\Program Files\Roland\VSC32\vsc32cnf.exe
      O4 - HKLM\..\Run: [Talk] "C:\Program Files\NCH Swift Sound\Talk\talk.exe" -logon
      O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
      O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
      O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
      O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
      O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
      O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
      O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
      O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
      O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
      O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"
      O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
      O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
      O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
      O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2011\avgtray.exe
      O4 - HKLM\..\Run: [autodetect] C:\Windows\system32\SupportAppXL\AutoDect.exe
      O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
      O4 - HKCU\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFDTV\WFWIZ.exe
      O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
      O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
      O4 - HKCU\..\Run: [Little Alarm Clock] "C:\Program Files\Little Alarm Clock\Little Alarm Clock.exe" /startup
      O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
      O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
      O4 - Startup: Empowering Technology.lnk = ?
      O4 - Startup: Shortcut to Free Sticky Notes.LNK = C:\Program Files\Free Sticky Notes\freenote.exe
      O4 - Startup: SimHID.exe.lnk = C:\Program Files\Remote\SimHID.exe
      O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
      O4 - Global Startup: SimHID.lnk = C:\Program Files\Remote\SimHID.exe
      O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
      O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
      O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
      O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
      O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
      O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
      O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
      O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG2011\Toolbar\IEToolbar.dll
      O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2011\avgpp.dll
      O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
      O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
      O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
      O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
      O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG2011\Toolbar\ToolbarBroker.exe
      O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2011\Identity Protection\Agent\Bin\AVGIDSAgent.exe
      O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2011\avgwdsvc.exe
      O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
      O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\Windows\system32\brsvc01a.exe
      O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
      O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
      O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
      O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
      O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
      O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
      O23 - Service: Google Update Service (gupdate1c99bbbf5d0b3ce) (gupdate1c99bbbf5d0b3ce) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
      O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
      O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
      O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
      O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
      O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
      O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
      O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
      O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
      O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe

      --
      End of file - 12935 bytes

      Please note only Hijackthis.log found.
      Thanks
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If I did not mention this before, I would like to do so now: you have a great number of processes running that appear to be on Startup. After boot, they continue to run in the background. These use system resources that can cause the system to slow down as you surf and add more temporary internet files. Most of the 20+ programs starting on boot can be called up as you need them rather than run all the time.

    You do not need the printer or related processes (HP Imaging Center, PaperPort), media players, Cyberlink or other burning programs, Sticky Notes, etc. And most of the Services that show running (O23) can be set to Manual startup rather than Automatic.

    Are you aware of and did you intentionally set the following?
    SimHID.exe.lnk - c:\program files\Remote\SimHID.exe [2007-6-8 421888]
    Identified as follows:
    Simhid.exe
    Simulate keystrokes in any Windows program with an IR receiver. - SimHID - YUAN High-Tech Development Co. Ltd. The Process is packed and/or encrypted using a software packing process

    I also find description> SimHID Remote Communicator> possibly for the TV?
     
  11. tricsim

    tricsim TS Rookie Topic Starter

    After running Hijackthis etc, have I completed all the test scanning?

    What is the status of my machine wrt viruses?

    Do I need to do any more steps to eliminate the found virused files?

    Is the prospect of a polymorphic virus real?

    Thanks
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. [Be sure to scroll down to include ALL lines.]
    Code:
    File::
    c:\users\simon\Downloads\usb snoopy\sniffusb-0.13\sniffusb\dbgview\DBGV.SYS
    c:\program files\Remote\SimHID.exe
    
    DDS::
    uStart Page = about:blank
    uURLSearchHooks: H - No File
    
    Extra::
    Firefox::
    File::
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    Firefox-: - Profile - c:\users\simon\AppData\Roaming\Mozilla\Firefox\Profiles\skiy5uuc.default\
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=-
    Driver::
    DBGV
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

    c:\program files\Remote\SimHID.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
    O4 - Startup: SimHID.exe.lnk = C:\Program Files\Remote\SimHID.exe
    O4 - Global Startup: SimHID.lnk = C:\Program Files\Remote\SimHID.exe


    Close all Windows except HijackThis and click on "Fix Checked".
    ======================================
    I have not seen any evidence of a polymorphic virus infection. You would be wise to discount anything the telemarketer said to you. But I will mention just once more: you have too many processes starting on boot and running in the background. As long as you run all these processes, you are more at risk for malware due to their internet access.

    Let me know how the system runs after this. If there are no more problems, I'll have you remove the cleaning tools.
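To back up the point made in posts 10 and 12 about the number of Run-key, Startup-folder and Automatic-service entries in the HijackThis log (the O4 and O23 lines), here is an added example of how to inventory those same autostart locations yourself. This is not Bobbye's tool or any tool from the thread; the helper names are my own, and it assumes an elevated Windows PowerShell session.

```powershell
# Added example, not part of the original thread: list the autostart entries
# that HijackThis reports as O4 (Run keys, Startup folders) and O23 (services),
# and flag the ones whose target is missing or runs from a user's Temp folder
# (compare C:\Users\simon\AppData\Local\Temp\RtkBtMnt.exe in the log above).

function Get-CommandPath {
    # Pull the executable or DLL path out of a Run-key command line such as
    #   "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    #   C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
    #   RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup   (-> RUNDLL32.EXE)
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '(?i)^\s*(.*?\.(exe|dll|scr|cmd|bat))(\s|,|$)') { return $Matches[1] }
    return $CommandLine.Trim()
}

function Test-Target {
    # A bare name like rundll32.exe is resolved through PATH; a full path is tested directly.
    param([string]$Path)
    if (-not $Path) { return $false }
    if (Test-Path -LiteralPath $Path) { return $true }
    return [bool](Get-Command $Path -ErrorAction SilentlyContinue)
}

function Get-AutostartInventory {
    $results = @()
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # O4 - HKLM\..\Run and HKCU\..\Run entries.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $results += [pscustomobject]@{
                Source  = $key
                Name    = $p.Name
                Command = [string]$p.Value
                Exists  = Test-Target (Get-CommandPath ([string]$p.Value))
            }
        }
    }
    # O4 - Startup and Global Startup: shortcuts in the per-user and all-users folders.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                          [Environment]::GetFolderPath('CommonStartup'))) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($item in Get-ChildItem -Path $folder -File) {
            $target = $item.FullName
            if ($item.Extension -eq '.lnk') {
                $target = $shell.CreateShortcut($item.FullName).TargetPath
            }
            $results += [pscustomobject]@{
                Source  = $folder
                Name    = $item.Name
                Command = $target
                Exists  = Test-Target $target
            }
        }
    }
    # O23 - services: only those set to start automatically, with their binaries.
    foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' }) {
        $results += [pscustomobject]@{
            Source  = 'Service (Auto)'
            Name    = $svc.Name
            Command = $svc.PathName
            Exists  = Test-Target (Get-CommandPath $svc.PathName)
        }
    }
    return $results
}

$inventory = Get-AutostartInventory
$inventory | Sort-Object Source, Name | Format-Table -AutoSize

# Entries worth a second look: target missing (an orphan like the URLSearchHook
# with "(no file)") or launched from a user's Temp directory.
$inventory | Where-Object { -not $_.Exists -or $_.Command -match '(?i)\\AppData\\Local\\Temp\\' } |
    Format-Table Source, Name, Command -AutoSize
```

The listing is read-only; deciding which entries to set to Manual or remove is still a per-item judgement, as Bobbye's advice above describes.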
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please note: I'll give you one more day to finish up. IF you don't reply, I'll close the thread.
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Per PM: This thread is still Active.

    My reply a week ago:
    IF you ran the script and checked the HJT entries I instructed you to and if the problems have been resolved:
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thanks for the update. I'll close the thread now.
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I am temporarily reopening this thread. The PMs you have sent are contradictory. The thread was still open when you tried to post. I closed it only after the 2nd PM with the update.

    Please advise as to what the status is.
     
  17. tricsim

    tricsim TS Rookie Topic Starter

    I am happy the problem has gone and the diagnostic s/w has been removed.

    Problem with logging on to thread was due to user name mix up.

    Thanks for your help
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. If a problem comes up in the future, don't think it is always malware. System settings and user mistakes should always be checked before posting for help.
     
Topic Status:
Not open for further replies.
