Solved Trying to tame my temp directory that may be virused and breeding files

tricsim

Hi all,
I have a problem similar to many posters with the temp folder.

I have Vista Home Premium running on an Acer Aspire 6920 notebook.

Some time ago I noticed that my temp folder (user...appdata... local\temp) was full to 5 gig of directories and files. I removed all the temp files (except a few that would not budge) and essentially I had loads of space.
That was only for a short time and suddenly my temp folder was clogged again.

With the size of my drive and lack of time, I put fixing it off to a rainy day.

That was until a couple of days ago, when I received a call from an alleged MS partner in India who may have got my details legitimately or by foul means.

He was persuasive and suggested I look at my event log administrator custom view, and I told him I had 8700+ events with quite a few RED errors. He said that was terrible and suggested I run the command prefetch, and again he said that the loads of entries were terrible and I must have a polymorphic virus.

He gave me the company website and his phone number, and he was satisfied to ring back in an hour.

I fobbed him off an hour later and started looking at various areas, including my old friend the growing temp file.

To start the ball rolling I ran a full scan with my virus checker, AVG 2011, and found no errors.

I ran a check with PC Tools spyware/antivirus and found no infections.

I then had a more detailed look at temp again and found numerous copies of loads of files with names that started with temp1_<somename>, temp2_<somename> ... temp29_<somename>, filling up to 43700 files.

I ran AVG pc tuneup and the temp files were deleted and then came flooding back.

With the strong suspicion I had a virus, I searched for a site that identified the full temp symptoms and found this forum.

I located the 8 Steps post and started the process.

Running TFC, the temp files went and have not flooded back, so that may be fixed, but I continued to run the other steps and record the log files. None showed any infection.

I now wonder if anyone can give the scenario some meaning and perhaps convince me that I have overcome the problem. I should add that the temp folder is having temp files added very slowly; I'm up to 20 or so files!

Also, is the possibility of a polymorphic virus detectable?

Excuse my long-winded post.

I can't see how to attach files at this time.

tricsim
 
If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

As to the polymorphic question: I'll know more when I see the logs.
 
Results of 8 step check

Hi Bobbye,
Logs

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5419

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

30/12/10 10:55:43 AM
mbam-log-2010-12-30 (10-55-43).txt

Scan type: Quick scan
Objects scanned: 159035
Time elapsed: 7 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2010-12-30 11:11:50
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Hitachi_ rev.BBCO
Running: 0nlbep7s.exe; Driver: C:\Users\simon\AppData\Local\Temp\pwrcypog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----



DDS (Ver_10-12-12.02) - NTFSx86
Run by simon at 11:23:53.90 on 30/12/10
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_21
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.2038.806 [GMT 11:00]

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\brsvc01a.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\brss01a.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\AVG\AVG PC Tuneup 2011\BoostSpeed.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Windows\System32\tcpsvcs.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\VisualSVN Server\bin\httpd.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\VisualSVN Server\bin\httpd.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
C:\Program Files\Roland\VSC32\Vsc32Cnf.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Cyberlink\PowerCinema\PCMService.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\Brownie\BrStsWnd.exe
C:\Windows\System32\SupportAppXL\AutoDect.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Little Alarm Clock\Little Alarm Clock.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Remote\SimHID.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Supervisor.exe
C:\Program Files\Free Sticky Notes\freenote.exe
C:\Windows\system32\igfxext.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehsched.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Brownie\brpjp04a.exe
C:\Users\simon\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\simon\Desktop\dds.scr
C:\Windows\system32\conime.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://en.au.acer.yahoo.com
mDefault_Page_URL = hxxp://en.au.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
uRun: [WinFast Schedule] c:\program files\winfast\wfdtv\WFWIZ.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Free Download Manager] "c:\program files\free download manager\fdm.exe" -autorun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Little Alarm Clock] "c:\program files\little alarm clock\Little Alarm Clock.exe" /startup
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [WinFastDTV] c:\program files\winfast\wfdtv\DTVSchdl.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [vscvol.exe] c:\program files\roland\vsc32\vscvol.exe
mRun: [vsc32cnf.exe] c:\program files\roland\vsc32\vsc32cnf.exe
mRun: [Talk] "c:\program files\nch swift sound\talk\talk.exe" -logon
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PLFSet] rundll32.exe c:\windows\PLFSet.dll,PLFDefSetting
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PCMService] "c:\program files\cyberlink\powercinema\PCMService.exe"
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [eAudio] "c:\acer\empowering technology\eaudio\eAudio.exe"
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [autodetect] c:\windows\system32\supportappxl\AutoDect.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
StartupFolder: c:\users\simon\appdata\roaming\micros~1\windows\printe~1\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\Acer.Empowering.Framework.Supervisor.exe
StartupFolder: c:\users\simon\appdata\roaming\micros~1\windows\printe~1\startm~1\programs\startup\shortc~1.lnk - c:\program files\free sticky notes\freenote.exe
StartupFolder: c:\users\simon\appdata\roaming\micros~1\windows\printe~1\startm~1\programs\startup\simhid~1.lnk - c:\program files\remote\SimHID.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\simhid.lnk - c:\program files\remote\SimHID.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\simon\appdata\roaming\mozilla\firefox\profiles\skiy5uuc.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://au.my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4d18a603&v=6.010.023.001&i=23&tp=ab&iy=b&ychte=au&lng=en-GB&q=
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
FF - Ext: AVG Security Toolbar em:version=6.010.023.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\avg\avg10\toolbar\firefox\avg@igeared
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: printpdf: printpdf@pavlov.net - %profile%\extensions\printpdf@pavlov.net
FF - Ext: ReminderFox: {ada4b710-8346-4b82-8199-5de2b400a6ae} - %profile%\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae}
FF - Ext: Download Manager Tweak: {F8A55C97-3DB6-4961-A81D-0DE0080E53CB} - %profile%\extensions\{F8A55C97-3DB6-4961-A81D-0DE0080E53CB}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys [2010-10-9 6097]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-4-8 92008]
R2 VisualSVNServer;VisualSVN Server;c:\program files\visualsvn server\httpd-wrapper.bat [2007-11-16 181]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 vsc32;Virtual Sound Canvas 3.2;c:\windows\system32\drivers\vsc.sys [2010-8-17 951284]
R3 winbondcir;Winbond IR Transceiver;c:\windows\system32\drivers\winbondcir.sys [2008-3-14 43008]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-23 6128208]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c99bbbf5d0b3ce;Google Update Service (gupdate1c99bbbf5d0b3ce);c:\program files\google\update\GoogleUpdate.exe [2009-3-3 133104]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-12-28 517448]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-1-21 179712]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-5-25 7168]
S3 netr73;Belkin Wireless 54G USB Network Adapter Driver for Vista;c:\windows\system32\drivers\netr73.sys [2009-3-12 464384]
S3 RDID1009;EDIROL UM-1;c:\windows\system32\drivers\Rdwm1009.sys [2007-1-23 56832]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys [2010-10-9 299923]
S3 UDTT2BDA;DTV-DVB USB2 DVB-T receiver;c:\windows\system32\drivers\UDTT2BDA.sys [2010-1-7 50560]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-11 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-11 369688]

=============== Created Last 30 ================

2010-12-29 23:47:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-29 23:47:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-29 23:47:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-29 04:16:33 -------- dc----w- C:\repositories
2010-12-29 03:28:25 2048 ----a-w- c:\windows\system32\tzres.dll
2010-12-29 03:27:01 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2010-12-29 01:25:44 -------- d-----w- c:\users\simon\appdata\roaming\Malwarebytes
2010-12-29 01:24:05 -------- d-----w- c:\progra~2\Malwarebytes
2010-12-29 00:40:14 -------- d-----w- c:\program files\CCleaner
2010-12-28 06:28:15 -------- d-----w- c:\users\simon\appdata\roaming\AVG
2010-12-27 23:47:01 -------- d-----w- c:\users\simon\appdata\local\AVG Security Toolbar
2010-12-27 14:45:17 -------- d-----w- c:\users\simon\appdata\roaming\AVG10
2010-12-27 14:43:36 -------- d--h--w- c:\progra~2\Common Files
2010-12-27 14:43:15 -------- d-----w- c:\progra~2\AVG Security Toolbar
2010-12-27 14:40:18 -------- d-----w- c:\windows\system32\drivers\AVG
2010-12-27 14:24:15 -------- d-----w- c:\progra~2\AVG10
2010-12-27 13:01:54 -------- d-----w- c:\progra~2\MFAData
2010-12-27 04:41:27 -------- d-----w- c:\progra~2\PC Tools
2010-12-18 11:35:40 -------- dc----w- C:\MinGW
2010-12-18 10:32:32 -------- d-----w- c:\program files\Little Alarm Clock
2010-12-16 03:26:49 -------- d-----w- c:\users\simon\appdata\local\PackageAware
2010-12-15 04:49:57 -------- d-----w- c:\users\simon\fldigi.files
2010-12-15 02:54:11 -------- d-----w- c:\windows\pss
2010-12-12 12:16:08 -------- dc----w- C:\1bb91348428a57db6a859ccf
2010-12-11 12:55:54 25600 ----a-w- c:\program files\common files\microsoft shared\dao\remove.exe
2010-12-11 12:55:31 -------- d-----w- c:\program files\weather fax 2000
2010-12-09 19:59:00 -------- d-----w- c:\users\simon\NBEMS.files
2010-12-09 13:19:41 -------- d-----w- c:\program files\Fldigi-3.20.32
2010-12-07 17:12:38 251728 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-12-05 12:28:52 -------- dc----w- C:\ASOFT

==================== Find3M ====================

2010-11-04 18:56:07 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-04 18:55:38 352768 ----a-w- c:\windows\system32\taskschd.dll
2010-11-04 18:55:38 270336 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-04 18:55:12 601600 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-04 16:34:06 171520 ----a-w- c:\windows\system32\taskeng.exe
2010-10-28 15:44:56 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-10-28 13:27:47 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-10-18 13:37:35 81920 ----a-w- c:\windows\system32\consent.exe
2010-10-18 13:31:24 2038272 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 11:25:00.14 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 03/03/09 5:22:00 AM
System Uptime: 30/12/10 11:14:52 AM (0 hours ago)

Motherboard: Acer, Inc. | | Chapala
Processor: Intel(R) Core(TM)2 Duo CPU T5550 @ 1.83GHz | U2E1 | 1000/166mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 69 GiB total, 9.137 GiB free.
D: is FIXED (NTFS) - 66 GiB total, 7.127 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0000
Manufacturer: Microsoft
Name: 6TO4 Adapter
PNP Device ID: ROOT\*6TO4MP\0000
Service: tunnel

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Broadcom NetLink (TM) Gigabit Ethernet
Device ID: PCI\VEN_14E4&DEV_1693&SUBSYS_01211025&REV_02\4&1D1097F2&0&00E5
Manufacturer: Broadcom
Name: Broadcom NetLink (TM) Gigabit Ethernet
PNP Device ID: PCI\VEN_14E4&DEV_1693&SUBSYS_01211025&REV_02\4&1D1097F2&0&00E5
Service: b57nd60x

Class GUID: {36fc9e60-c465-11cf-8056-444553540000}
Description: USB Mass Storage Device
Device ID: USB\VID_04F9&PID_018C&MI_02\6&1A12D135&2&0002
Manufacturer: Compatible USB storage device
Name: USB Mass Storage Device
PNP Device ID: USB\VID_04F9&PID_018C&MI_02\6&1A12D135&2&0002
Service: USBSTOR

Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Description: Photosmart C4380 series
Device ID: ROOT\IMAGE\0000
Manufacturer: HP
Name: Photosmart C4380 series
PNP Device ID: ROOT\IMAGE\0000
Service: StillCam

Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Photosmart C4380 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart C4380 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:

==== System Restore Points ===================


==== Installed Programs ======================

"Minimal SYStem 1.0.10"
32 Bit HP CIO Components Installer
ABC Amber HLP Converter
Acer Crystal Eye webcam
Acer eAudio Management
Acer eDataSecurity Management
Acer eLock Management
Acer Empowering Technology
Acer eNet Management
Acer ePower Management
Acer ePresentation Management
Acer eSettings Management
Acer GridVista
Acer Mobility Center Plug-In
Acer ScreenSaver
Acrobat.com
ActiveState ActiveTcl Release
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.1
AIO_Scan
Any Video Converter 3.0.7
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ASIO4ALL
Audacity 1.3.7 (Unicode)
AutoIt v3.3.0.0
AVG 2011
AVG PC Tuneup 2011
Band-in-a-Box 2008 12PAK Video
Band-in-a-Box 2008 New Features
Band-in-a-Box 2008.5 (Build 262)
Belkin 54Mbps Wireless Network Adapter
Bonjour
Bookworm Deluxe
Broadcom Gigabit Integrated Controller
Brother HL-2140
Brother MFL-Pro Suite
BufferChm
C4380
C4380_Help
C4F Developer Kit 2008
Cards_Calendar_OrderGift_DoMorePlugout
CCleaner
CDex extraction audio
Compare It!
Compte Bancaire v5.0
Cool PDF Reader 3.0
Copy
Crystal Reports for .NET Framework 2.0 (x86)
CustomerResearchQFolder
Data Access Objects (DAO) 3.5
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DocProc
DocProcQFolder
e-tax 2009
e-tax 2010
EDIROL UM-1 Driver
eSupportQFolder
Eureka's 3D Chess Master
Express Burn
Express Talk
Fax
FCharts
ffdshow [rev 2527] [2008-12-19]
FFmpeg 2009-01-08 for Audacity
Fldigi 3.20.32
Foxit Reader
Free Download Manager 3.0
Free Sticky Notes 2.0
GanttProject
GnuCash 2.2.9
Google Earth Plug-in
Google Update Helper
GPBaseService
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB945282)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB946040)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB946308)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB947540)
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB947789)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946040)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946308)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946344)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947540)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947789)
HP Customer Participation Program 10.0
HP Imaging Device Functions 10.0
HP Photosmart All-In-One Driver Software 10.0 Rel .2
HP Photosmart Essential 2.5
HP Solution Center 10.0
HP Update
HPPhotoSmartDiscLabel_PaperLabel
HPPhotoSmartDiscLabel_PrintOnDisc
HPPhotoSmartDiscLabelContent1
hpphotosmartdisclabelplugin
HPPhotoSmartPhotobookWebPack1
HPProductAssistant
IncredibleCharts Pro
Intel PROSet Wireless
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless WiFi Software
Intel® Matrix Storage Manager
Introduction to CSharp Programming Language
Introduction to Visual Cplusplus 2008 Express Edition
iTunes
Java Auto Updater
Java(TM) 6 Update 21
Junk Mail filter update
JVComm32
LAME v3.98.2 for Audacity
Launch Manager
LD-TIFF to PDF
LightScribe 1.4.142.1
Little Alarm Clock
Little Registry Cleaner
Little Registry Optimizer
Mahjong Escape Ancient China
Malwarebytes' Anti-Malware
MarketResearch
Mercurial 1.5.2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft .NET Framework 4 Multi-Targeting Pack
Microsoft Application Error Reporting
Microsoft ASP.NET MVC 2
Microsoft ASP.NET MVC 2 - VWD Express 2010 Tools
Microsoft Choice Guard
Microsoft Help Viewer 1.0
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft Silverlight 3 SDK
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2008
Microsoft SQL Server 2008 Common Files
Microsoft SQL Server 2008 Database Engine Services
Microsoft SQL Server 2008 Database Engine Shared
Microsoft SQL Server 2008 Management Studio
Microsoft SQL Server 2008 Native Client
Microsoft SQL Server 2008 Policies
Microsoft SQL Server 2008 R2 Management Objects
Microsoft SQL Server 2008 RsFx Driver
Microsoft SQL Server 2008 Setup Support Files
Microsoft SQL Server Compact 3.5 SP1 Query Tools English
Microsoft SQL Server Compact 3.5 SP2 ENU
Microsoft SQL Server Database Publishing Wizard 1.4
Microsoft SQL Server System CLR Types
Microsoft Visual Basic 2010 Express - ENU
Microsoft Visual C# 2008 Express Edition with SP1 - ENU
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
Microsoft Visual C++ 2008 Samples
Microsoft Visual C++ 2010 x86 Runtime - 10.0.30319
Microsoft Visual C++ 2010 Express - ENU
Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
Microsoft Visual Studio Tools for Applications 2.0 - ENU
Microsoft Visual Web Developer 2010 Express - ENU
Microsoft Web Platform Installer 2.0
MinGW-Get version 0.1-alpha-5
MozBackup 1.4.9
Mozilla Firefox (3.6.13)
Mozilla Thunderbird (3.1.7)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MusicBee
NetDeviceManager
NTI Backup NOW! 4.7
NTI CD & DVD-Maker
OCR Software by I.R.I.S. 10.0
OpenOffice.org 3.2
Orion
PanoStandAlone
PaperPort
PDU Support Files
PENTAX Digital Camera Utility
PG Music DirectX Plugins 1.3.4.1
Picasa 3
PIXELA ImageMixer
PL-2303 USB-to-Serial
PowerCinema
PS_AIO_02_ProductContext
PS_AIO_02_Software
PS_AIO_02_Software_Min
PSSWCORE
Python 2.6.5
Quartz AudioMaster Freeware
QuickTime
Realtek High Definition Audio Driver
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.52.02
Sailing Directions (Enroute) - Pub 127 -- East Coast of Australia and New Zealand (10th Ed) 2010
Sailing Directions (Enroute) - Pub 175 -- North, West, and South Coasts of Australia (9th Ed) 2008
Scan
SeaClear II
SeaTTY V2.30
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Windows Media Encoder (KB2447961)
Security Update for Windows Media Encoder (KB979332)
SimHID Setup
Skype Toolbars
Skype™ 4.2
SolutionCenter
Sony USB Driver
Sql Server Customer Experience Improvement Program
Status
SumatraPDF
Synaptics Pointing Device Driver
Telstra Turbo Connection Manager
TextPad 5
TextPad British Dictionary
TomTom HOME 2.6.2.1586
TomTom HOME Visual Studio Merge Modules
Toolbox
TortoiseSVN 1.4.8.12137 (32 bit)
TrayApp
TreeSize Free V2.4
TurboCAD Professional v12
TurboCAD Symbols
U232 P9/P25 V7.2.98
Ulead VideoStudio 7 SE Basic
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VC 9.0 Runtime
VideoPad Video Editor
VideoToolkit01
Virtual Sound Canvas 3.2
Virtual Sound Canvas DXi
Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU
VisualSVN Server 1.0.1
WavePad Sound Editor
Weather Fax 2000 Sound Card Edition
Web Deployment Tool
WebReg
Winbond CIR Drivers
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Media Center Edition MPEG Codec Plug-in
Windows Media Encoder 9 Series
Windows Media Player Firefox Plugin
WinFast Codec-TS SDK
WinFast De-interlace SDK
WinFast Multimedia Driver Installation
WinFast PVR2
WinFast TT-SB SDK
Winmail Reader 1.1.12
WinZip
Wireless Broadband
WXTide32
Yahoo! Toolbar
ZTreeWin (remove only)

==== End Of File ===========================



Thanks for your help

Tricsim
 
You have a large number of processes running! I wouldn't be surprised if you told me you slowed down after surfing a while or the loading and shutting down took a while!

Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
===========================================
Download Combofix to your desktop from one of these locations:
Link 1
Link 2
http://www.forospyware.com/sUBs/ComboFix.exe
  • Double click combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Query- Recovery Console image:
    [image: RcAuto1.gif]
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    [image: whatnext.png]
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe [image: cf-icon.jpg] & follow the prompts to run.
  • When the scan completes it will open a text window. Please paste that log in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
results of eset and combofix

Bobbye,
You are right that turning on and off is slowed, but browsing has not been a problem. However, the scans by the above programs seem to have found SOME NASTIES. I would really like to know how I got it and why it was not detected by Windows Defender or AVG (multifaceted antivirus). Was this virus one of the polymorphic ones?

Anyway results of scans

ESETSmartInstaller@High as downloader log:
Can not open internet
ESETSmartInstaller@High as downloader log:
Can not open internet
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=b2a42746c66e8848ade24c76b7cfaf59
# end=stopped
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-01-01 01:03:30
# local_time=2011-01-02 12:03:30 (+1000, AUS Eastern Daylight Time)
# country="Australia"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1032 16777213 100 95 0 37212683 0 0
# compatibility_mode=5892 16776574 100 100 35473972 131415419 0 0
# compatibility_mode=8192 67108863 100 0 635 635 0 0
# scanned=44931
# found=0
# cleaned=0
# scan_time=718
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=b2a42746c66e8848ade24c76b7cfaf59
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-01-02 03:54:49
# local_time=2011-01-02 02:54:49 (+1000, AUS Eastern Daylight Time)
# country="Australia"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776573 100 100 35515824 131457271 0 0
# compatibility_mode=8192 67108863 100 0 42487 42487 0 0
# scanned=383703
# found=8
# cleaned=0
# scan_time=12346
C:\Downloads\software\registrybooster.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.url Win32/Adware.ADON application (unable to clean) 00000000000000000000000000000000 I
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\eBay.url Win32/Adware.ADON application (unable to clean) 00000000000000000000000000000000 I
C:\Users\simon\AppData\Downloads\registrybooster.exe a variant of Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
D:\software\INSTALLS\registryfix.exe a variant of Win32/Adware.ErrorClean application (unable to clean) 00000000000000000000000000000000 I
D:\software\INSTALLS\SpySpotterWebInstall.exe Win32/Adware.SpySpotter application (unable to clean) 00000000000000000000000000000000 I
D:\software\spyware software\SpySpotterWebInstall.exe Win32/Adware.SpySpotter application (unable to clean) 00000000000000000000000000000000 I
D:\software\utilities\registryfix.exe a variant of Win32/Adware.ErrorClean application (unable to clean) 00000000000000000000000000000000 I




ComboFix 10-12-29.02 - simon 02/01/11 15:54:25.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.2038.811 [GMT 11:00]
Running from: c:\users\simon\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\VisualSVN Server\httpd-wrapper.bat
c:\users\simon\EULA.txt
c:\windows\system32\spool\prtprocs\w32x86\ppbiPr.dll
c:\windows\winhelp.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_VisualSVNServer


((((((((((((((((((((((((( Files Created from 2010-12-02 to 2011-01-02 )))))))))))))))))))))))))))))))
.

2011-01-02 05:13 . 2011-01-02 05:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-01 12:40 . 2011-01-01 12:40 -------- d-----w- c:\program files\ESET
2010-12-31 04:03 . 2010-12-31 04:08 -------- d-----w- c:\users\simon\vista issues
2010-12-29 23:47 . 2010-12-20 07:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-29 23:47 . 2010-12-29 23:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-29 23:47 . 2010-12-20 07:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-29 04:16 . 2011-01-02 04:45 -------- dc----w- C:\repositories
2010-12-29 03:28 . 2010-10-28 13:20 2048 ----a-w- c:\windows\system32\tzres.dll
2010-12-29 03:27 . 2010-11-03 10:51 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2010-12-29 01:25 . 2010-12-29 01:25 -------- d-----w- c:\users\simon\AppData\Roaming\Malwarebytes
2010-12-29 01:24 . 2010-12-29 01:24 -------- d-----w- c:\programdata\Malwarebytes
2010-12-29 00:40 . 2010-12-29 00:40 -------- d-----w- c:\program files\CCleaner
2010-12-27 14:45 . 2010-12-27 14:45 -------- d-----w- c:\users\simon\AppData\Roaming\AVG10
2010-12-27 14:43 . 2010-12-27 14:43 -------- d--h--w- c:\programdata\Common Files
2010-12-27 14:24 . 2011-01-02 00:17 -------- d-----w- c:\programdata\AVG10
2010-12-27 13:01 . 2011-01-02 00:04 -------- d-----w- c:\programdata\MFAData
2010-12-27 04:41 . 2010-12-27 14:22 -------- d-----w- c:\programdata\PC Tools
2010-12-18 11:35 . 2010-12-18 11:42 -------- dc----w- C:\MinGW
2010-12-18 10:32 . 2010-12-18 10:36 -------- d-----w- c:\program files\Little Alarm Clock
2010-12-16 03:26 . 2010-12-16 03:26 -------- d-----w- c:\users\simon\AppData\Local\PackageAware
2010-12-15 10:07 . 2010-12-15 10:07 -------- d-----w- c:\windows\Sun
2010-12-15 04:49 . 2010-12-15 04:53 -------- d-----w- c:\users\simon\fldigi.files
2010-12-12 12:16 . 2010-12-12 12:16 -------- dc----w- C:\1bb91348428a57db6a859ccf
2010-12-11 12:55 . 1998-04-06 07:00 25600 ----a-w- c:\program files\Common Files\Microsoft Shared\DAO\remove.exe
2010-12-11 12:55 . 2010-12-15 04:54 -------- d-----w- c:\program files\weather fax 2000
2010-12-09 19:59 . 2010-12-09 19:59 -------- d-----w- c:\users\simon\NBEMS.files
2010-12-09 13:19 . 2010-12-09 13:19 -------- d-----w- c:\program files\Fldigi-3.20.32
2010-12-05 12:28 . 2010-12-18 12:01 -------- dc----w- C:\ASOFT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 09:00 39472 ------w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinFast Schedule"="c:\program files\WinFast\WFDTV\WFWIZ.exe" [2009-03-11 2912256]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-04-08 251240]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-08 26100520]
"Free Download Manager"="c:\program files\Free Download Manager\fdm.exe" [2010-04-28 3727411]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Little Alarm Clock"="c:\program files\Little Alarm Clock\Little Alarm Clock.exe" [2008-09-12 326144]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinFastDTV"="c:\program files\WinFast\WFDTV\DTVSchdl.exe" [2009-10-02 90112]
"vscvol.exe"="c:\program files\Roland\VSC32\vscvol.exe" [2000-02-08 36864]
"vsc32cnf.exe"="c:\program files\Roland\VSC32\vsc32cnf.exe" [2000-02-06 36864]
"Talk"="c:\program files\NCH Swift Sound\Talk\talk.exe" [2010-03-09 917508]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2008-01-24 102400]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-05-22 7514656]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"PLFSet"="c:\windows\PLFSet.dll" [2007-04-25 45056]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"PCMService"="c:\program files\CyberLink\PowerCinema\PCMService.exe" [2007-07-30 159744]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2008-03-11 92704]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-03-11 88608]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-11 8534560]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-01-02 707080]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-11-22 178712]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-10-10 1286144]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-12-23 114688]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2009-06-11 3618104]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-02-15 622592]
"autodetect"="c:\windows\system32\SupportAppXL\AutoDect.exe" [2008-08-07 91648]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\users\simon\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Start Menu\Programs\Startup\
Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Supervisor.exe [2008-3-14 323584]
Shortcut to Free Sticky Notes.LNK - c:\program files\Free Sticky Notes\freenote.exe [2002-6-20 49152]
SimHID.exe.lnk - c:\program files\Remote\SimHID.exe [2007-6-8 421888]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
SimHID.lnk - c:\program files\Remote\SimHID.exe [2007-6-8 421888]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-3-5 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI4"=vscapi.dll
"WAVE3"=vscapi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c99bbbf5d0b3ce;Google Update Service (gupdate1c99bbbf5d0b3ce);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-03 133104]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
R3 DBGV;DBGV;c:\users\simon\Downloads\usb snoopy\sniffusb-0.13\sniffusb\dbgview\DBGV.SYS [x]
R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2008-08-12 7168]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-07-11 47128]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2011-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-03 04:52]

2011-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-03 04:52]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://en.au.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\simon\AppData\Roaming\Mozilla\Firefox\Profiles\skiy5uuc.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://au.my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4d18a603&v=6.010.023.001&i=23&tp=ab&iy=b&ychte=au&lng=en-GB&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: printpdf: printpdf@pavlov.net - %profile%\extensions\printpdf@pavlov.net
FF - Ext: ReminderFox: {ada4b710-8346-4b82-8199-5de2b400a6ae} - %profile%\extensions\{ada4b710-8346-4b82-8199-5de2b400a6ae}
FF - Ext: Download Manager Tweak: {F8A55C97-3DB6-4961-A81D-0DE0080E53CB} - %profile%\extensions\{F8A55C97-3DB6-4961-A81D-0DE0080E53CB}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
MSConfigStartUp-AVG_TRAY - c:\program files\AVG\AVG10\avgtray.exe
AddRemove-British Dictionary - c:\program files\TextPad 4\Spelling\DeIsL1.isu
AddRemove-Quartz AudioMaster Freeware - c:\program files\DigitalSoundPlanet\Quartz AudioMaster Freeware 460E\DeIsL1.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-02 16:19
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP0000001A1CE395F81CBBF27B 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2756)
c:\program files\TortoiseSVN\bin\tortoisesvn.dll
c:\program files\TortoiseSVN\bin\intl3_svn.dll
c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\windows\system32\brss01a.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Cyberlink\Shared files\RichVideo.exe
c:\windows\System32\tcpsvcs.exe
c:\program files\TomTom HOME 2\TomTomHOMEService.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\ehome\ehsched.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\system32\sdclt.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
.
**************************************************************************
.
Completion time: 2011-01-02 16:32:34 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-02 05:32

Pre-Run: 17,898,364,928 bytes free
Post-Run: 17,271,906,304 bytes free

- - End Of File - - 7616AAB0B5EDEE218301B490454FD2BD
 
Can you give me some detail on this please?
I received a call from an alleged MSpartner in India who may have got my details legitimately or by foul means.

He was persuasive and suggested I look at my event log administrator custom view, and I told him I had 8700+ events with quite a few RED errors. He said that was terrible and suggested I run the command prefetch, and again he said that the loads of entries were terrible and I must have a polymorphic virus.

He gave me the company website and his phone number and he was satisfied to ring back in an hour.
I'm reading this as follows: a person claiming to be from a Microsoft Partner, located in India calls you and tells you to check for the errors in the Event Viewer. Then he suggested that based on some 'prefetch' command he had you run, that you had a polymorphic virus infection. Then he gave you a website for his company and asked you to call him back.

Is that reasonably close? You were very vague as to how he knew about you or your problems, whether you asked someone for support and he was the result. Did you by chance allow him to remotely connect to your computer in order to view/fix it?
 
Can you give me some detail on this please?

I'm reading this as follows: a person claiming to be from a Microsoft Partner, located in India calls you and tells you to check for the errors in the Event Viewer. Then he suggested that based on some 'prefetch' command he had you run, that you had a polymorphic virus infection. Then he gave you a website for his company and asked you to call him back.

Is that reasonably close? You were very vague as to how he knew about you or your problems, whether you asked someone for support and he was the result. Did you by chance allow him to remotely connect to your computer in order to view/fix it?

That's close. The only thing that should be clarified is that the prefetch command run in the Run box looks like a legit command that goes directly to the prefetch folder and displays all the files that are waiting for loads of apps to use.

He did not get any permission from me to access my computer.

All he did was ask me to look at the events and the prefetch folder and tell him how many events and how many prefetch files there were. I told him, and then he said "you have a polymorphic virus because you have too many events and too many prefetch files".
I know enough to know that this is probably bull-****, and that was why I asked for his company details etc. and said, when he called back an hour later, that I was not interested in his products.

The company name is XXXsite deletedXXXX and the local phone number for Aus is "XXphone deletedXXX". I did not ring the number, and I suspect it redirects to a call center in India.

The company is selling anti virus programs for $90 per year. Until the call I'd never heard of it.

I also don't know how the guy found my home number and name but it could have been random selected from the phone directory or ?


On the scan results that I sent what do I do next with the 8 infected files that eset scanner found? (and were not deleted)

Edit: URL and phone number deleted for security.
 
You've been had! There is no legitimate company in the world that I'm aware of who makes cold calls to solicit paid computer support!

The only thing that should be clarified is that the prefetch command run in the run box looks like a legit command that goes direct to the prefetch folder and displays all the files that are waiting for loads of apps to use.

Comparing apples to oranges and coming up with this crock conclusion should have made you hang up instantly!
"you have a polymorphic virus because you have too many events and too many prefetch files"

Don't ever accept a call like this! He was a telemarketer and in a dangerous cyber-field. That person now has your name and phone number and any information you gave to him about your computer system.
==============================================
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Processes	
    
    :Files 
    C:\Downloads\software\registrybooster.exe 
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.url 
    C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\eBay.url 
    C:\Users\simon\AppData\Downloads\registrybooster.exe 
    D:\software\INSTALLS\registryfix.exe 
    D:\software\INSTALLS\SpySpotterWebInstall.exe 
    D:\software\spyware software\SpySpotterWebInstall.exe 
    D:\software\utilities\registryfix.exe 
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=========================================
Please take the ebay URL off of your Startup menu.
I didn't see Registry Fix installed, but if it is, please uninstall it.

I'll be back after lunch for ComboFix. In the meantime, you can go ahead and run HijackThis:

Download HijackThis from http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
 
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it.

  • This program now appears to be OTM.

    Log from OTM

    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    C:\Downloads\software\registrybooster.exe moved successfully.
    File/Folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.url not found.
    File/Folder C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\eBay.url not found.
    C:\Users\simon\AppData\Downloads\registrybooster.exe moved successfully.
    D:\software\INSTALLS\registryfix.exe moved successfully.
    D:\software\INSTALLS\SpySpotterWebInstall.exe moved successfully.
    D:\software\spyware software\SpySpotterWebInstall.exe moved successfully.
    D:\software\utilities\registryfix.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: simon
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 708856 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 74435147 bytes
    ->Flash cache emptied: 1141 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 86656 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
    RecycleBin emptied: 54995868 bytes

    Total Files Cleaned = 124.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 01062011_002843

    Files moved on Reboot...

    Registry entries deleted on Reboot...

    HijackThis.log
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 12:48:01 AM, on 06/01/11
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v7.00 (7.00.6002.18005)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Windows\notepad.exe
    C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
    C:\Program Files\Roland\VSC32\Vsc32Cnf.exe
    C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Cyberlink\PowerCinema\PCMService.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Launch Manager\QtZgAcer.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Windows\System32\hkcmd.exe
    C:\Acer\Empowering Technology\eAudio\eAudio.exe
    C:\Program Files\Brownie\BrStsWnd.exe
    C:\Program Files\AVG\AVG2011\avgtray.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\System32\SupportAppXL\AutoDect.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\WinFast\WFDTV\WFWIZ.exe
    C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Little Alarm Clock\Little Alarm Clock.exe
    C:\Program Files\Free Download Manager\fdm.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Acer\Empowering Technology\Acer.Empowering.Framework.Supervisor.exe
    C:\Program Files\Free Sticky Notes\freenote.exe
    C:\Program Files\Remote\SimHID.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\igfxext.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Brownie\brpjp04a.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Users\simon\AppData\Local\Temp\RtkBtMnt.exe
    C:\Program Files\AVG\AVG2011\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    C:\Windows\Explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\sdclt.exe
    C:\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.au.acer.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2011\avgssie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG2011\Toolbar\IEToolbar.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG2011\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [WinFastDTV] C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
    O4 - HKLM\..\Run: [vscvol.exe] C:\Program Files\Roland\VSC32\vscvol.exe
    O4 - HKLM\..\Run: [vsc32cnf.exe] C:\Program Files\Roland\VSC32\vsc32cnf.exe
    O4 - HKLM\..\Run: [Talk] "C:\Program Files\NCH Swift Sound\Talk\talk.exe" -logon
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"
    O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
    O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
    O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2011\avgtray.exe
    O4 - HKLM\..\Run: [autodetect] C:\Windows\system32\SupportAppXL\AutoDect.exe
    O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFDTV\WFWIZ.exe
    O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [Little Alarm Clock] "C:\Program Files\Little Alarm Clock\Little Alarm Clock.exe" /startup
    O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - Startup: Empowering Technology.lnk = ?
    O4 - Startup: Shortcut to Free Sticky Notes.LNK = C:\Program Files\Free Sticky Notes\freenote.exe
    O4 - Startup: SimHID.exe.lnk = C:\Program Files\Remote\SimHID.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: SimHID.lnk = C:\Program Files\Remote\SimHID.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG2011\Toolbar\IEToolbar.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2011\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG2011\Toolbar\ToolbarBroker.exe
    O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2011\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2011\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\Windows\system32\brsvc01a.exe
    O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
    O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
    O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
    O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
    O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
    O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    O23 - Service: Google Update Service (gupdate1c99bbbf5d0b3ce) (gupdate1c99bbbf5d0b3ce) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
    O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
    O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe

    --
    End of file - 12935 bytes

    Please note only HijackThis.log found.
    Thanks
 
If I did not mention this before, I would like to do so now: you have a great number of processes running that appear to be on Startup. After boot, they continue to run in the background. These use system resources that can cause the system to slow down as you surf and add more temporary internet files. Most of the 20+ programs starting on boot can be called up as you need them rather than run all the time.

You do not need the printer or related processes (HP Imaging Center, PaperPort), media players, Cyberlink or other burning programs, Sticky Notes, etc. And most of the Services that show running (O23) can be set to Manual startup rather than Automatic.

Are you aware of and did you intentionally set the following?
SimHID.exe.lnk - c:\program files\Remote\SimHID.exe [2007-6-8 421888]
Identified as follows:
Simhid.exe
Simulate keystrokes in any Windows program with an IR receiver. - SimHID - YUAN High-Tech Development Co. Ltd. The Process is packed and/or encrypted using a software packing process

I also find description> SimHID Remote Communicator> possibly for the TV?
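An added PowerShell check, not part of this thread and not a HijackThis or OTM feature, that lists the same autostart points HijackThis reports as O4 lines (Run keys, Startup folders) and O23 lines (services set to Automatic), and flags any entry whose command lives in a Temp folder, the kind of item worth reviewing first when a temp directory keeps refilling. The function name Get-AutostartInventory is my own.

```powershell
# Added example, not from the thread: inventory the autostart points that
# HijackThis reports as O4 (Run keys, Startup folders) and O23 (services),
# and flag commands that run out of a Temp folder.
function Get-AutostartInventory {
    $results = @()
    $metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    $shell = New-Object -ComObject WScript.Shell   # used to resolve .lnk targets

    # O4 equivalents: per-machine and per-user Run keys
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }   # skip provider metadata
            $results += New-Object PSObject -Property @{
                Source  = $key
                Name    = $p.Name
                Command = [string]$p.Value
            }
        }
    }

    # O4 Startup / Global Startup folder shortcuts (target resolved for .lnk files)
    $startupFolders = @(
        (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'),
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
    )
    foreach ($folder in $startupFolders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($item in (Get-ChildItem -Path $folder | Where-Object { -not $_.PSIsContainer })) {
            $target = $item.FullName
            if ($item.Extension -eq '.lnk') {
                $target = $shell.CreateShortcut($item.FullName).TargetPath
            }
            $results += New-Object PSObject -Property @{
                Source  = $folder
                Name    = $item.Name
                Command = [string]$target
            }
        }
    }

    # O23 equivalents: services configured to start automatically
    foreach ($svc in (Get-WmiObject -Class Win32_Service -Filter "StartMode='Auto'")) {
        $results += New-Object PSObject -Property @{
            Source  = 'Service (Automatic)'
            Name    = $svc.Name
            Command = [string]$svc.PathName
        }
    }

    # Flag anything launched from a Temp directory; review those first
    foreach ($r in $results) {
        $flag = ''
        if ($r.Command -match '\\Temp\\') { $flag = 'runs from Temp folder' }
        $r | Add-Member -MemberType NoteProperty -Name Flag -Value $flag
    }
    return $results
}

# Usage: print everything, flagged entries first
Get-AutostartInventory |
    Sort-Object -Property @{ Expression = { $_.Flag -eq '' } }, Source, Name |
    Format-Table -AutoSize Flag, Source, Name, Command
```

Run it from an elevated PowerShell prompt so the HKLM key and service list are readable; entries that are flagged are only candidates for review, not proof of anything malicious.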
 
After running Hijackthis etc, have I completed all the test scanning?

What is the status of my machine wrt viruses?

Do I need to do any more steps to eliminate the found virused files?

Is the prospect of a polymorphic virus real?

Thanks
 
Please run this Custom CFScript:

  • [1]. Close any open browsers.
  • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: [Be sure to scroll down to include ALL lines.]
Code:
File::
c:\users\simon\Downloads\usb snoopy\sniffusb-0.13\sniffusb\dbgview\DBGV.SYS
c:\program files\Remote\SimHID.exe

DDS::
uStart Page = about:blank
uURLSearchHooks: H - No File

Extra::
Firefox::
File::
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
Firefox-: - Profile - c:\users\simon\AppData\Roaming\Mozilla\Firefox\Profiles\skiy5uuc.default\

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=-
Driver::
DBGV
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it in your next reply.
====================
Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

c:\program files\Remote\SimHID.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O4 - Startup: SimHID.exe.lnk = C:\Program Files\Remote\SimHID.exe
O4 - Global Startup: SimHID.lnk = C:\Program Files\Remote\SimHID.exe


Close all Windows except HijackThis and click on "Fix Checked".
======================================
I have not seen any evidence of a polymorphic virus infection. You would be wise to discount anything the telemarketer said to you. But I will mention just once more: you have too many processes starting on boot and running in the background. As long as you run all these processes, you are more at risk for malware due to their internet access.

Let me know how the system runs after this. If there are no more problems, I'll have you remove the cleaning tools.
 
Please note: I'll give you one more day to finish up. IF you don't reply, I'll close the thread.
 
Per PM: This thread is still Active.

My reply a week ago:
Let me know how the system runs after this. If there are no more problems, I'll have you remove the cleaning tools.

IF you ran the script and checked the HJT entries I instructed you to and if the problems have been resolved:
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    [image: CF_Uninstall-1.jpg]
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disk Cleanup
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin
 
I am temporarily reopening this thread. The PMs you have sent are contradictory. The thread was still open when you tried to post. I closed it only after the 2nd PM with the update.

Please advise as to what the status is.
 
I am happy problem has gone and diagnostic s/w removed.

Problem with logging on to thread was due to user name mix up.

Thanks for your help
 
You're welcome. If a problem comes up in the future, don't think it is always malware. System settings and user mistakes should always be checked before posting for help.
 